7.4.1. Key Performance and Risk Indicators
💡 First Principle: Security metrics must be selected for their ability to drive decisions, not their ease of collection. The best metric is one that, when it changes, triggers a specific action. "Number of firewall rules" is easy to measure but drives no action. "Percentage of critical vulnerabilities remediated within SLA" directly measures program effectiveness and triggers investigation when it drops.
Metric categories and examples:
| Category | Metric | What It Tells You | Decision It Drives |
|---|---|---|---|
| Posture | % systems fully patched to current baseline | Current vulnerability exposure | Patch management resource allocation |
| Speed | Mean Time to Detect (MTTD) | How quickly threats are identified | SOC staffing and tooling investment |
| Speed | Mean Time to Respond (MTTR) | How quickly confirmed incidents are contained | IR process improvement; automation ROI |
| Coverage | % endpoints with EDR deployed and reporting | Security tool deployment completeness | Gap remediation; procurement decisions |
| Effectiveness | Phishing simulation click rate over 12 months | Awareness program impact trend | Training content and frequency adjustment |
| Risk | # critical vulns beyond SLA on internet-facing assets | Current high-priority risk exposure | Executive escalation; emergency patching |
| Compliance | % controls passing audit criteria | Regulatory readiness | Audit remediation planning |
KPIs vs. KRIs — the critical distinction:
| Dimension | KPI | KRI |
|---|---|---|
| Measures | Process execution efficiency | Risk exposure and trends |
| Answers | "Are we doing things right?" | "Are we exposed to bad outcomes?" |
| Example | Patch deployment within 72 hours: 94% | # internet-facing systems with critical unpatched vulns: 7 |
| Audience | Operations managers; technical leads | CISOs; risk committee; board |
| Action trigger | Process adjustment | Risk response decision |
Account management and access review data:
Identity and access management generates critical security process data that must be collected and reported:
- Orphaned accounts — Accounts belonging to terminated employees that remain active. Count should trend toward zero; any non-zero count beyond the deprovisioning SLA is a control failure.
- Privileged account inventory — Total count of admin-level accounts, tracked against the authorized baseline. Growth without corresponding business justification indicates privilege creep.
- Access review completion rate — Percentage of required access reviews completed on schedule. Incomplete reviews leave stale entitlements that violate least privilege.
- Failed authentication trends — Sudden spikes in failed logins may indicate brute force attacks or credential stuffing. Distributed low-and-slow patterns suggest password spraying.
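The KPI/KRI split in the tables above and the failed-authentication pattern in the last bullet, as an added worked example (not part of the original page). The findings, SLA of 30 days, reporting date and thresholds are constructed; the point is that the KPI can read well while the KRI still flags exposure.

```python
from collections import Counter
from datetime import date

# Constructed sample data, not from the page. Each finding is
# (host, cvss, internet_facing, date_found, date_remediated or None if open).
FINDINGS = [
    ("web-01", 9.8, True, date(2024, 3, 1), date(2024, 3, 10)),
    ("web-02", 9.1, True, date(2024, 3, 5), date(2024, 3, 21)),
    ("db-01", 9.4, False, date(2024, 2, 20), date(2024, 3, 15)),
    ("mail-01", 9.3, True, date(2024, 2, 25), date(2024, 3, 29)),
    ("app-03", 7.5, True, date(2024, 1, 1), None),
    ("vpn-01", 9.6, True, date(2024, 1, 15), None),
    ("legacy-02", 9.2, False, date(2024, 1, 10), None),
]
CRITICAL_CVSS = 9.0
SLA_DAYS = 30  # assumed remediation SLA for critical findings
TODAY = date(2024, 3, 31)  # constructed reporting date

def remediation_sla_kpi(findings, sla_days=SLA_DAYS):
    """KPI: % of *remediated* critical findings closed within SLA. Measures
    process execution and is silent about findings that are still open."""
    closed = [(found, fixed) for _, cvss, _, found, fixed in findings
              if cvss >= CRITICAL_CVSS and fixed is not None]
    if not closed:
        return 100.0
    within = sum(1 for found, fixed in closed if (fixed - found).days <= sla_days)
    return round(100.0 * within / len(closed), 1)

def exposed_beyond_sla_kri(findings, today=TODAY, sla_days=SLA_DAYS):
    """KRI: open critical findings past SLA on internet-facing assets. Measures
    exposure; any non-empty result is the escalation trigger in the Risk row."""
    return sorted(host for host, cvss, exposed, found, fixed in findings
                  if cvss >= CRITICAL_CVSS and exposed and fixed is None
                  and (today - found).days > sla_days)

def classify_failed_logins(usernames, spray_min_accounts=5, brute_min_tries=10):
    """Heuristic for the failed-authentication trend: many failures against one
    account is a brute-force spike; a few each across many accounts is spraying."""
    per_account = Counter(usernames)
    if max(per_account.values(), default=0) >= brute_min_tries:
        return "brute_force"
    if len(per_account) >= spray_min_accounts and max(per_account.values()) <= 2:
        return "password_spray"
    return "normal"

if __name__ == "__main__":
    print("KPI:", remediation_sla_kpi(FINDINGS), "% | KRI:", exposed_beyond_sla_kri(FINDINGS))
```

With this data the KPI reports 75% of remediated criticals closed on time while the KRI still lists vpn-01 as an internet-facing host past SLA, which is exactly the gap between "doing things right" and "exposed to bad outcomes".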
Reporting to leadership — translating technical metrics to business language:
Raw metrics are meaningless to non-technical executives. Effective reporting translates operational data into business impact:
- Don't say: "We have 47 critical vulnerabilities with CVSS ≥ 9.0 on 12 servers."
- Do say: "12 servers processing customer payment data have exploitable vulnerabilities that could enable data exfiltration. Estimated remediation: 3 weeks with 2 engineers. Estimated breach cost if exploited: $2.4M based on industry benchmarks."
⚠️ Exam Trap: Activity metrics (events processed, scans completed, tickets closed) measure effort, not outcomes. A SOC that processes 10,000 alerts per day but has a 280-day average dwell time for confirmed intrusions is busy but ineffective. The exam tests whether you can distinguish between metrics that measure activity and metrics that measure security outcomes.
Reflection Question: A CISO presents the following metrics to the board: "Our SOC processed 1.2 million security events last month, our firewall blocked 340,000 connection attempts, and our IDS generated 2,400 alerts." The board chair asks, "So are we secure?" Why are these metrics inadequate for answering the board's question, and what metrics should the CISO present instead?