InfoSec KPIs: How to measure your information security

‘You can’t improve what you don’t measure’ – so goes the theory, at least. This quote is attributed to the US economist Peter Drucker, who was convinced that target agreements are a crucial foundation of successful business management. 

It’s the same in information security (InfoSec), where a few well-established KPIs (an acronym standing for key performance indicators) are the name of the game – KPIs such as the time between incidents, the time it takes to recover from incidents, and average cost per security incident. 
In general, the measurement of KPIs helps companies set and reach their strategic goals.  

Companies often simply measure the end results of their information security strategy, neglecting its drivers – that is, the metrics that reflect the progress of the company’s information security management system (ISMS). This article outlines how you can do things better. 

The facts in a nutshell 

  • KPIs should be specific and measurable in addition to impacting the success of overall business objectives.  
  • Mapping KPIs in a chart known as a ‘balanced scorecard’ allows you to look at InfoSec success from different perspectives. 
  • KPIs can help determine which information security investments are financially worthwhile.  

A definition of meaningful KPIs in information security 

KPIs should be specific and measurable in addition to impacting the success of overall business objectives 

This means: If your current technical set-up does not allow you to measure a specific KPI, chuck it out as a possible KPI. Other KPIs you can eliminate are those without any real significance.  

Instead, focus on several KPIs that you can explain to colleagues outside your department in a few simple words. After all, one central advantage of KPIs lies in their ability to communicate successes or challenges to management and other departments.  

Often, a KPI will give rise to further questions. Assume for example that the number of reported IT security incidents fell sharply in the last quarter. The question then becomes: Why is this? Other KPIs can provide answers, such as the number of security updates performed or the percentage of employees who received training.  

InfoSec KPIs in a balanced scorecard 

The strategy performance management tool known as a balanced scorecard (BSC) lets you map the (financial) results of a business unit alongside other values such as internal process effectiveness and customer satisfaction. In information security, this approach can yield a number of perspectives, such as the following:  

  • Financial KPIs   
  • Security level data  
  • ISMS metrics 
  • External KPIs 

You can define the perspectives that your balanced scorecard yields yourself so they suit your company’s specific requirements. Traditionally, a BSC reflects the financial perspective, the process perspective, the customer perspective, and the development perspective. However, when it comes to information security, these categories aren’t necessarily a perfect fit.  

No matter the perspectives you choose, it’s important to keep in mind that different KPIs represent different perspectives. Another aspect worth bearing in mind is how the different perspectives influence each other. The ISMS influences the level of security, which in turn influences audit results and financial metrics ...  

KPI examples in information security  

As mentioned earlier, when you’re defining your InfoSec KPIs, you should be guided by two questions:

  • Which KPIs reflect your business goals?
  • Which KPIs help you explain or better understand other KPIs?

Here is a list of possible InfoSec KPIs, grouped by balanced scorecard perspective, each with the core question it answers:

Financial KPIs

Core question: What costs do security breaches entail?

  • Financial losses due to data breaches
  • Costs per incident

Level of security

Core questions: What form do the information security attacks take? How well do we respond to the attacks?

  • Number of reported security incidents
  • Time between incidents (average)
  • Mean time to detect (MTTD)
  • Mean time to acknowledge (MTTA)
  • Mean time to contain (MTTC)
  • Mean time to resolve (MTTR)
  • Mean time to recover (MTTR)
  • % of phishing emails opened by end users

ISMS metrics

Core question: What are the drivers of our successes/failures?

  • % of systems protected by anti-malware software
  • Number of employees responsible for InfoSec
  • % of checks performed to ensure compliance with firewall policy
  • % of employees who have not yet received InfoSec training
  • Number of improvements identified
  • Number of nonconformities identified
  • Number of management reviews performed

External assessment

Core question: How does our InfoSec perform in terms of external impact?

  • Number of nonconformities in ISO 27001 audit
  • Number of new certifications
  • Incidents that had to be reported to customers

When it comes to KPIs, the sky’s the limit – as long as you keep track of them. But if a KPI doesn’t help in decision-making, and you’re just aimlessly tracking it, you’re better off leaving it out. 
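As an added example (not code from the original article), the following script computes the timing and cost KPIs from the table above out of a quarter’s incident records. The stage definitions (MTTD counted from occurrence to detection, the other means counted from detection), the field names and the sample incidents are all assumptions; the point it adds is that open incidents must be excluded from each mean and reported separately, or the averages look better than the reality.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    """One security incident; ISO 8601 timestamps (UTC). None = stage not reached yet."""
    occurred: str
    detected: Optional[str] = None
    acknowledged: Optional[str] = None
    contained: Optional[str] = None
    resolved: Optional[str] = None
    recovered: Optional[str] = None
    cost_eur: Optional[float] = None  # only known once the incident is closed

def hours_between(start, end):
    """Elapsed hours from start to end, or None if either stage has not happened yet."""
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def mean_or_none(values):
    """Mean over the incidents that have a value; None (not 0) when none qualify."""
    present = [v for v in values if v is not None]
    return round(mean(present), 2) if present else None

def compute_kpis(incidents):
    """Timing KPIs from the article's table plus cost per incident. Assumed definitions:
    MTTD runs from occurrence to detection; MTTA, MTTC, time to resolve and time to
    recover run from detection. Open incidents drop out of each mean but are counted."""
    by_time = sorted(incidents, key=lambda i: datetime.fromisoformat(i.occurred))
    gaps = [hours_between(a.occurred, b.occurred) for a, b in zip(by_time, by_time[1:])]
    return {
        "incidents_reported": len(incidents),
        "incidents_still_open": sum(1 for i in incidents if i.resolved is None),
        "mean_hours_between_incidents": mean_or_none(gaps),
        "mttd_hours": mean_or_none(hours_between(i.occurred, i.detected) for i in incidents),
        "mtta_hours": mean_or_none(hours_between(i.detected, i.acknowledged) for i in incidents),
        "mttc_hours": mean_or_none(hours_between(i.detected, i.contained) for i in incidents),
        "mtt_resolve_hours": mean_or_none(hours_between(i.detected, i.resolved) for i in incidents),
        "mtt_recover_hours": mean_or_none(hours_between(i.detected, i.recovered) for i in incidents),
        "cost_per_incident_eur": mean_or_none(i.cost_eur for i in incidents),
    }

# Constructed sample quarter (not real data): two closed incidents and one still open.
SAMPLE = [
    Incident("2024-03-01T08:00", "2024-03-01T10:00", "2024-03-01T10:30", "2024-03-01T14:00", "2024-03-02T10:00", "2024-03-02T12:00", 12000.0),
    Incident("2024-03-11T08:00", "2024-03-11T12:00", "2024-03-11T12:30", "2024-03-11T18:00", "2024-03-12T12:00", "2024-03-13T12:00", 4000.0),
    Incident("2024-03-21T08:00", "2024-03-21T14:00", "2024-03-21T15:00"),
]
```

Report "incidents_still_open" next to every mean in the management review; a quarter with several unresolved incidents can otherwise show a flattering mean time to resolve.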

Monitoring and measuring InfoSec KPIs 

For companies, the challenge is to define a monitoring and measurement system that provides the answers you want without making data collection and analysis an administrative headache. 

For each KPI, you should therefore define the following: 

- What to monitor and measure (see above). 

- When and how to measure 

- When and how to analyse and evaluate the results 

- Who will perform the individual steps 

- What records of monitoring and measurement results to keep  

Analysis and evaluation 

When it comes to analysing and evaluating the results of the KPIs described in the table above, make sure the right people are involved so a correct interpretation of the data can be made. In most cases, the most appropriate forum for this is a management review meeting held at least once a year. Who participates in this meeting might vary depending on the information being analysed and evaluated. 

Don’t forget to record the conclusions you draw from analysis and evaluation as well as log any measures for improvement. If necessary, refer any urgent issues to the Executive Management Team who can free up the resources necessary to address them. 

Also, the meeting is an opportunity to define other KPIs that might help clarify the root causes of problems in specific areas.  

How InfoSec KPIs impact corporate strategy 

Information security, and building an ISMS in particular, is not about guaranteeing a 100% level of protection. Instead, an ISMS allows an organisation to achieve the level of information security that suits its requirements. 

And KPIs can help with the trade-off: Are certain investments in implementing and operating solutions worthwhile compared to the damage that security weak points might cause or perhaps already have caused in the past? Which investments have already paid off? 

Based on KPIs, management can decide to what extent risks can and should be reduced by adopting further information security measures. So ultimately, KPIs are an instrument of financial risk management. 

Conclusion: KPIs make information security measurable  

By looking at the various perspectives offered by KPIs in a balanced scorecard, management can get an overall picture of a company’s InfoSec situation. The success of your InfoSec measures can be evaluated in terms of financial results and the level of protection. Meaningful data can also explain any problems you might be facing. 

This allows decisions about the future allocation of resources to be made at the management level.
