How are other organizations using KRIs to help evaluate the efficacy of their security programs?


Chair and Professor, Startup CTO in Education, 5,001 - 10,000 employees
I am not very familiar with this. 
Sr. Director of Engineering in Software, 51 - 200 employees
We are using the following indicators to check the effectiveness of our security paradigm:
1. Service Desk Utilisation 
2. Percentage of downtime
3. Network Availability
4. System availability
5. Mean time for detection, action and recovery 
6. Systems running without critical patches or updates. 
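As an added worked example, not code posted by any commenter: indicators 5 and 6 from the list above (mean time to detect, act and recover; systems missing critical patches) computed from constructed incident and asset records and compared against assumed tolerance thresholds.

```python
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean
from typing import Dict, List, Optional

@dataclass
class Incident:
    occurred: datetime   # when the event actually started (from forensics)
    detected: datetime   # first alert or user report
    contained: datetime  # action taken to stop further impact
    recovered: datetime  # service restored to normal

def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600

def mean_times(incidents: List[Incident]) -> Dict[str, float]:
    """Mean time to detect, to act (contain) and to recover, in hours."""
    return {
        "mttd_h": mean(_hours(i.occurred, i.detected) for i in incidents),
        "mtta_h": mean(_hours(i.detected, i.contained) for i in incidents),
        "mttr_h": mean(_hours(i.contained, i.recovered) for i in incidents),
    }

def unpatched_ratio(assets: Dict[str, Optional[date]], as_of: date, sla_days: int = 30) -> float:
    """Share of systems whose oldest missing critical patch is older than the SLA.
    `assets` maps hostname -> release date of the oldest missing critical patch
    (None when the system is fully patched)."""
    overdue = sum(1 for released in assets.values()
                  if released is not None and (as_of - released).days > sla_days)
    return overdue / len(assets)

def breaches(kris: Dict[str, float], thresholds: Dict[str, float]) -> Dict[str, bool]:
    """True for every KRI that exceeds its agreed tolerance (assumed values)."""
    return {name: kris[name] > limit for name, limit in thresholds.items()}

# Constructed sample data; hostnames, dates and thresholds are illustrative only.
INCIDENTS = [
    Incident(datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 10),
             datetime(2024, 3, 1, 14), datetime(2024, 3, 2, 8)),
    Incident(datetime(2024, 3, 5, 0), datetime(2024, 3, 5, 6),
             datetime(2024, 3, 5, 8), datetime(2024, 3, 5, 12)),
]
ASSETS = {"web-01": date(2024, 2, 15), "db-01": None,
          "app-02": date(2024, 3, 20), "hr-03": date(2024, 1, 10)}
THRESHOLDS = {"mttd_h": 24, "mtta_h": 4, "mttr_h": 8, "unpatched_ratio": 0.1}
AS_OF = date(2024, 3, 31)

def quarterly_report(as_of: date = AS_OF) -> Dict[str, bool]:
    """Combine the KRIs for the period and flag those outside tolerance."""
    kris = {**mean_times(INCIDENTS), "unpatched_ratio": unpatched_ratio(ASSETS, as_of)}
    return breaches(kris, THRESHOLDS)
```

With the constructed data, recovery time and the patch backlog are the two indicators that breach tolerance, which is the kind of signal a quarterly review would act on.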
Director of Engineering in Healthcare and Biotech, 501 - 1,000 employees
We use mean time to respond and remediate, as well as network availability and help desk usage.
Co-founder & CTO in Finance (non-banking), 51 - 200 employees
Organizations use something called Key Risk Indicators (KRIs) to check if their security programs are working well. It's like a special tool to see if everything is safe and protected. Here are some ways they use it:

Finding Bad Things: KRIs help them find when something bad happens, like when someone tries to break into their computer systems. They can see how many bad things happen and how quickly they can stop them.

Fixing Problems: KRIs also help them know if there are any problems with their security that need to be fixed. They can see how many weak spots they have and how fast they can fix them to make everything stronger.

Following Rules: Organizations have rules to keep everything safe. KRIs help them check if they are following these rules. They can see if they are doing things the right way to protect information and follow the laws.

Teaching People: Organizations teach people how to be safe online. KRIs help them know if people are learning and being careful. They can see if people are doing well in their training and if they know how to spot bad things like fake emails.

Checking for Problems: KRIs help them see if there are any problems in their security teams. They can see if the teams are doing their job well, finding and fixing problems quickly.

Checking Controls: Organizations use special things to stay safe, like filters on emails or software to protect computers. KRIs help them check if these things are working well. They can see if these special things are doing their job to keep everything safe.

Checking Others: Sometimes, organizations work with other companies. KRIs help them see if these companies are safe too. They can check if these companies are doing things the right way to protect information and keep everyone safe.

By using KRIs, organizations can make sure they are doing a good job in keeping everything safe. They can see if there are any problems and fix them to make everything even safer.
Solutions Architect in Software, 501 - 1,000 employees

Wow, ChatGPT does a fantastic job indeed!

Director of Engineering in Software, 10,001+ employees
MTR, other data analytics parameters, training outcomes, mock drills to test, etc.
CTO in Education, 51 - 200 employees
Organizations employ KRIs to track and monitor key indicators related to security incidents. This can include metrics such as the number of security incidents detected, average time to detect and respond to incidents, incident severity levels, and the effectiveness of incident response processes. KRIs play a crucial role in assessing the effectiveness of vulnerability management programs. KRIs are valuable in evaluating an organization's compliance with security standards, regulations, and industry best practices.
Senior Vice President, Engineering in Software, 1,001 - 5,000 employees
Here are some common KRIs which I have seen organizations using in the past:

- Number of security incidents reported in a quarter
- Time to detect and respond to security incidents
- Cost of security breaches (monetary, IP-wise)
- Number of security vulnerabilities
- Time to patch security vulnerabilities
- Number of security training sessions attended by employees
- Number of security awareness quizzes completed by employees
Manager in Manufacturing, 10,001+ employees
They are using them to define the objectives that need to be achieved.
Director of Engineering in Media, 10,001+ employees
Key risk indicators for a security program can include the scope of the attack surface and malware, third-party risk, and misconfigured systems.
Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
Organizations are increasingly utilizing Key Risk Indicators (KRIs) as part of their security programs to assess and measure the effectiveness of their security controls and identify potential risks. Here are some ways in which organizations are using KRIs:

Incident Metrics: Organizations track key security incident metrics, such as the number and severity of security incidents, response times, and resolution rates. These metrics provide insights into the overall security posture and help evaluate the effectiveness of incident management processes.

Vulnerability Management: KRIs can be used to monitor and measure the performance of vulnerability management programs. Metrics such as the number of open vulnerabilities, time to patch, and patching success rates help identify areas that require improvement and assess the organization's ability to mitigate vulnerabilities effectively.

Compliance Monitoring: KRIs play a crucial role in evaluating an organization's compliance with security standards, regulations, and policies. Tracking compliance metrics, such as the percentage of systems audited, control effectiveness rates, and policy violation incidents, helps ensure adherence to security requirements and identify potential compliance gaps.

Security Awareness and Training: Organizations can utilize KRIs to measure the effectiveness of security awareness and training initiatives. Metrics like the completion rate of training programs, user-reported security incidents, and improvements in employee behavior and knowledge can help gauge the impact of training efforts on reducing human-related security risks.

Security Controls Performance: KRIs can be used to assess the performance and effectiveness of specific security controls. Metrics such as firewall rule compliance, intrusion detection system alerts, and access control violations provide insights into the efficacy of implemented controls and help identify areas for improvement.

Security Metrics Dashboards: KRIs are often aggregated into security metrics dashboards to provide a holistic view of the organization's security posture. These dashboards can include a range of metrics, such as incident trends, vulnerability trends, compliance rates, and control effectiveness, providing management with a consolidated overview of security program efficacy.

Benchmarking and Trend Analysis: KRIs enable organizations to establish benchmarks and track trends over time. By comparing KRI metrics against industry standards or historical data, organizations can identify areas of improvement, measure progress, and proactively address emerging security risks.

It's important for organizations to align their KRIs with their specific security objectives and risk appetite. Regularly reviewing and updating KRIs based on evolving threats and organizational priorities ensures the continued effectiveness of security programs and the ability to respond to emerging risks.
