cybersecurity kpi

Being a CyberSec specialist is frustrating. It often seems like a new cybersecurity key performance indicator (KPI) is invented every week. However, there are some good reasons for this.

A main source of frustration is the need for cybersecurity teams to constantly justify the cost of their department against other business expenditures. One of the easiest ways of doing this is to present management with hard data about cyber risk.

Unfortunately, this leads to inventing KPIs that are somewhat detached from their original purpose: to monitor and improve cybersecurity performance. All KPIs should have an intended purpose that can be quantified. Even if the underlying achievement isn’t specific, the metrics that measure the initiative should be.

Further, reporting a KPI is only half the battle. Following the identification of an issue, it is the responsibility of management to observe the results, translate what the calculation means, and deliver action to make changes.

This means that soft measures like Employee Perception of Risk aren’t meaningful KPIs at all because they’re subjective. There’s no quantitative way of gauging perception.

So, today we’re going to break it down and talk about the 7 cybersecurity KPIs that should be at the heart of your security protocols. These are, in my view, the basic factors that your cybersecurity KPIs should cover.

1. Large Increases (or Decreases) in Reported Incidents

At the core of your cybersecurity KPIs should be a measure of the threat environment you face and whether the number of incidents reported is going up or down. As teams become more aware and deploy more advanced detection tools, it’s likely that you’ll find an increase in reporting.

This is the most basic cybersecurity KPI there is because tracking the number of incidents is the ultimate measure of whether the rest of your security protocols are effective. It will also help you to justify spending on cybersecurity within your organization.

However, you have to do more than just track incidents. Using third-party tools allows you to gain deeper insight into incidents by monitoring all systems and tracking when and where incidents are on the rise or are decreasing. This allows you to put human and financial resources where they’ll do the most good. Using automation, you can detect blind spots, gaps, and hidden vulnerabilities that human oversight will miss.

2. Total Number of Security Incidents

This KPI is the complement to the one above. It measures the raw number of security incidents over a given period. At a basic level, this KPI will output just a single number. However, when collecting data on the number of security incidents you face, there are a couple of things to keep in mind.

First of all, you need to pay attention to all parts of your systems. The media and most enterprises tend to focus on phishing and MitM attacks at the expense of some other points of attack. What about the security of your public-facing web portals and cloud security? These systems typically face a constant bombardment of small threats rather than a huge exploit. This makes it easy to overlook them.

3. Cost Per Incident

The next most important KPI is the cost of each incident. This can be a tricky KPI to measure because it should include all of the resources – both human and technical – that were required to hunt down threats and address each incident, as well as an estimate of the lost revenue caused by them.

If measured correctly, though, this KPI is perhaps the most effective when it comes to justifying the cost of extra cybersecurity measures. If you can show, for instance, that the time spent in vulnerability scanning far outweighs the cost of addressing vulnerabilities after they are exploited, you can make a watertight business case for increased vulnerability vigilance.

How do you calculate the cost of an incident in concrete, quantifiable terms?

It can be broken down into three categories:

  1. Direct costs: These are tangible numbers that you can compile to provide the first factor in the equation. They should include forensic and investigation costs, fines, customer compensation, and other direct expenses related to the incident.
  2. Indirect costs: This category of expense is a little more difficult to measure. It involves calculating response and recovery time, communications related to the loss, the cost of issuing new credentials and opening new accounts, and downtime.
  3. The cost of lost opportunity: This can put the biggest dent in a company’s bottom line. In fact, it can cripple a business. It’s also the most difficult to measure. Lost opportunity relates to reputation management, negative press, and the cost of attracting new business.

Other factors include the location of your business or where it’s incorporated, the size of the breach, and the type of data accessed. Once you get concrete numbers along with a realistic estimate of intangibles, you can plug them into a formula to determine the total cost of data loss.

4. Time to Resolve

Mean Time To Identify (MTTI) and Mean Time To Contain (MTTC) are also KPIs that have been around since the birth of cybersecurity. Unfortunately, however, recent data suggest that both are still worryingly slow. The MTTC for US companies in 2017, for instance, was 208 days, and the MTTI 52 days.

The underlying reasons for slow responses to incidents may be complex, involving scarce resources at either a human or technical level or poor management structures. It may be as simple as lack of awareness; some threats run undetected in the background until they create a problem that’s too big to ignore.

However, this is another KPI that can help to identify lapses in security management and help to justify the cost of deploying extra resources such as AI cybersecurity tools that can automatically identify incidents.

Incident logging is one way to track response. However, proper threat detection, reporting, and mitigation, in conjunction with a comprehensive strategy, should reduce response times.

Your response plan should look something like this:

  1. Create a dedicated incident response team.
  2. Determine the source and extent of the breach.
  3. Contain the breach and recover systems or services.
  4. Assess the damage and severity of the incident.
  5. Start the notification process to all affected parties.
  6. Construct a plan to prevent a similar incident in the future.

5. Uptime

Uptime is another KPI that appears to present a pretty basic number but that actually tells you a lot about how well your cybersecurity is working. In addition, uptime is a measure that is implied in many of the other KPIs on this list. If your website goes down as the result of a security incident, this can seriously increase not just the cost of the incident but also its impact on your customers.

An analysis of the reasons behind downtime can also highlight areas of concern. Downtime can be an indication that you need to step up your web security to guard against hacks. It may also be that poor uptime is the fault of your web host, and this should also be a cause for concern.

Gary Stevens, Director of Research of community-funded IT research group studied the uptimes of leading web hosting providers and found a remarkable difference of 99.993% on the upper end to 97.643% on the lower. Stevens also offered his opinion that no business should stay with a host that can’t hit at least 99.99% uptime and that hosting providers with poor uptime are more prone to vulnerabilities.

However, the real factor that can hurt you is downtime, so you should know that as well. Each minute of downtime cost the average business just over $5,600. Every network is going to have some amount of downtime. It’s unavoidable. The trick is to limit downtime and keep it to planned maintenance periods that occur at times when your traffic is expected to be lowest.

6. Regulatory Requirements

Beyond the technical KPIs we’ve covered above, there are also a number of softer measures that are useful. One of these is how compliant your current systems are against industry standards.

This KPI is typically measured on a much slower timescale than those above because improving this measure often involves long-term work in improving the security of systems. That doesn’t mean, though, that it should be ignored. Equally, it need not be hard to measure: there are plenty of tools, such as Acunetix in the case of web security, that will automatically generate technical and regulatory reports that will feed directly into this KPI.

7. Customer Impact

Last, but definitely not least, it is worth measuring the customer impact of security incidents via a KPI. This can be a difficult thing to do because this impact can come in many forms and across many channels. For that reason, is often worth designing this KPI in consultation with management and customer-facing staff in order to trace the impact of data breaches and other incidents. If done correctly, though, this KPI is the ultimate measure of your cybersecurity.

Adapt and Learn

The way in which you measure these KPIs will depend on the precise nature of your business and the complexity of the systems you employ. In addition, follow what is applicable to your business, and be prepared to change the goal based on what is going on in the company.

That said, if your existing KPIs do not cover at least these aspects of cybersecurity, then you need to re-think them. Designing your own, complex KPIs for cybersecurity can be extremely useful, but you need to make sure you are doing the basics first.

Samuel Bocetta
Retired Research Engineer and Freelance Journalist
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography. Currently working as part-time cybersecurity coordinator.