A definition of meaningful KPIs in information security
KPIs should be specific and measurable in addition to impacting the success of overall business objectives.
This means: If your current technical set-up does not allow you to measure a specific KPI, chuck it out as a possible KPI. Other KPIs you can eliminate are those without any real significance.
Instead, focus on several KPIs that you can explain to colleagues outside your department in a few simple words. After all, one central advantage of KPIs lies in their ability to communicate successes or challenges to management and other departments.
Often, a KPI will give rise to further questions. Assume for example that the number of reported IT security incidents fell sharply in the last quarter. The question then becomes: Why is this? Other KPIs can provide answers, such as the number of security updates performed or the percentage of employees who received training.
InfoSec KPIs in a balanced scorecard
The strategy performance management tool known as a balanced scorecard (BSC) lets you map the (financial) results of a business unit alongside other values such as internal process effectiveness and customer satisfaction. In information security, this approach can yield a number of perspectives, such as the following:
- Financial KPIs
- Security level data
- ISMS metrics
- External KPIs
You can define the perspectives that your balanced scorecard yields yourself so they suit your company’s specific requirements. Traditionally, a BSC reflects the financial perspective, the process perspective, the customer perspective, and the development perspective. However, when it comes to information security, these categories aren’t necessarily a perfect fit.
No matter the perspectives you choose, it’s important to keep in mind that different KPIs represent different perspectives. Another aspect worth bearing in mind is how the different perspectives influence each other. The ISMS influences the level of security, which in turn influences audit results and financial metrics ...
KPI examples in information security
As mentioned earlier, when you’re defining your InfoSec KPIs, you should be guided by ...
- Which KPIs reflect your business goals
- Or help you explain / better understand other KPIs.
Here is a list of possible InfoSec KPIs:
|
|
Financial KPIs |
Level of security
|
ISMS metrics |
External assessment
|
|
Core questions |
What costs do security breaches entail? |
What form do the information security attacks take? How well do we respond to the attacks? |
What are the drivers of our successes/failures? |
How does our InfoSec perform in terms of external impact? |
|
KPIs |
Financial losses due to data breaches
Costs per incident |
Number of reported security incidents
Time between incidents (average)
Mean time to detect (MTTD)
Mean time to acknowledge (MTTA)
Mean time to contain (MTTC)
Mean time to resolve (MTTR)
Mean time to recover (MTTR)
% of phishing emails opened by end users
|
% of systems protected by anti-malware software
Number of employees responsible for InfoSec
% of checks performed to ensure compliance with firewall policy
% of employees who have not yet received InfoSec training
Number of improvements identified
Number of nonconformities identified
Number of management reviews performed |
Number of nonconformities in ISO 27001 audit
Number of new certifications
Incidents that had to be reported to customers
|
When it comes to KPIs, the sky’s the limit – as long as you keep track of them. But if a KPI doesn’t help in decision-making, and you’re just aimlessly tracking it, you’re better off leaving it out.
Monitoring and measuring InfoSec KPIs
For companies, the challenge is to define a monitoring and measurement system that provides the answers you want without making data collection and analysis an administrative headache.
For each KPI, you should therefore define the following:
- What to monitor and measure (see above).
- When and how to measure
- When and how to analyse and evaluate the results
- Who will perform the individual steps
- What records of monitoring and measurement results to keep
Analysis and evaluation
When it comes to analysing and evaluating the results of the KPIs described in the table above, make sure the right people are involved so a correct interpretation of the data can be made. In most cases, the most appropriate forum for this is a management review meeting held at least once a year. Who participates in this meeting might vary depending on the information being analysed and evaluated.
Don’t forget to record the conclusions you draw from analysis and evaluation as well as log any measures for improvement. If necessary, refer any urgent issues to the Executive Management Team who can free up the resources necessary to address them.
Also, the meeting is an opportunity to define other KPIs that might help clarify the root causes of problems in specific areas.
How InfoSec KPIs impact corporate strategy
Information security and building an ISMS is not necessarily about ensuring a 100% level of protection. Instead, an ISMS allows an organisation to achieve the desired level of information security that suits its requirements.
And KPIs can help with the trade-off: Are certain investments in implementing and operating solutions worthwhile compared to the damage that security weak points might cause or perhaps already have caused in the past? Which investments have already paid off?
Based on KPIs, management can decide to what extent risks can and should be reduced by adopting further information security measures. So ultimately, KPIs are an instrument of financial risk management.
Conclusion: KPIs make information security measurable
By looking at the various perspectives offered by KPIs in a balanced scorecard, management can get an overall picture of a company’s InfoSec situation. The success of your InfoSec measures can be evaluated in terms of financial results and the level of protection. Meaningful data can also explain any problems you might be facing.
This allows decisions about the future allocation of resources to be made at the management level.
Discover DataGuard's customised corporate solutions for streamlined compliance and enhanced information security management.
Need help navigating the world of information security? Get in touch with one of our experts today:
