github icon
tag icon
star icon
fork icon

Top Security KPIs Every Team Needs to Measure

Everything in business is measurable. 

Website visits to conversions. Acquisition costs. Time to resolve support tickets. Project burn rates. If there are bytes associated with it, it can be measured. These often factor into what is known as Key Performance Indicators, or KPIs. KPIs are used to translate business goals into measurable results. KPIs are used for two things:

First, ensuring everyone has an actionable plan for helping the company reach overall company goals.

Second, measuring individual team and employee contributions to overall company goals.

Whether increasing revenue by 30%, reducing customer churn by 20%, retaining 12% of new hires or converting 10% more visitors a year, each can be a KPI. In turn, each KPI can be broken down into specific tasks for team members to do to achieve the KPI and, as a result, overall company goals. 

Take increasing revenue by 30% as an example. This KPI can apply to sales, marketing, and even customer service, as retention can increase revenue if clients are inclined to purchase additional products or services. It’s generally more profitable to keep clients than constantly acquire new ones. The sales team may set a goal of closing deals with more upmarket clients, while the marketing team may set a goal of converting more webinar attendees to paying clients. Customer service may set a goal of helping to upsell a product or add-on that helps clients solve a problem.

Cyber security is no different. Any breach costs a company money and potentially hurts its reputation and share price. 

Why do you establish cyber security KPIs? 

Creating, following, and monitoring cyber security KPIs is a way for IT departments to help meet company goals while demonstrating a duty of care to regulators, board members, leadership, shareholders, and the general public. Good cyber security practices and demonstrating a duty of care can set you apart in a competitive market, helping you achieve such goals as client retention and increasing revenue by saving on incident costs.

IT research and consultancy firm Gartner thinks that “80% of fines imposed by regulators after a cybersecurity breach will be attributable to failures to prove the duty of due care was met” within the next three years. If this prediction is correct, cyber security KPIs are going to be more important than ever.

Breaking Down Critical Cyber Security KPIs

Cyber security is more ethereal than website visits or support tickets. Sometimes it isn’t obvious there’s an issue until there’s been a breach. Then there is the software supply chain to consider. It doesn’t take long for the idea of cyber security KPIs to sound overwhelming. 

Since the purpose of KPIs is to have an actionable plan and measure that plan against company goals, it makes sense that the first thing to do is a Google search. Googling “KPIs for cyber security” or “cyber security KPIs” gets you more than 11 million results. That’s a lot of information to sift through. The following is a list of KPIs every security team should be tracking.


Non-human traffic (NHT)

Why measure it?

An increase in normal website traffic or a sudden spike in traffic unrelated to a promotion, press release, or other business-related reason may signal a potential bot attack.

Unidentified devices on the internal network

The number of “unnamed” devices connected to your network. While they could be employee devices, they could also be bad actors. Ideally you want 0 unidentified devices.

Intrusion attempts

The number of times malicious actors have tried to gain access to your networks.

Mean Time Between Failures (MTBF)

Determines the reliability of your systems during normal business operations. The greater the time between failures, the more reliable the systems.

Mean Time to Detect (MTTD)

Determines the length of time it takes to discover potential security threats. Less than five hours is generally considered a good MTTD.

Mean Time to Acknowledge (MTTA)

Determines how long it takes you to start working on an issue once it has been identified.

Mean Time to Contain (MTTC)

Measures how long it takes you to contain threats.

Mean Time to Resolve (MTTR)

Measures how long it takes your company to return to normal business operations from a threat, product, or system failure. Under five hours is considered good.

Mean Time to Recovery (MTTR)

Tracks compliance controls, configurations, and exceptions, as well as Service Level Agreements (SLA).

Security Policy Compliance

The number of “unnamed” devices connected to your network. While they could be employee devices, they could also be bad actors. Ideally you want 0 unidentified devices.

Days to patch

Length of time it takes you to patch security holes

Cybersecurity awareness training

Tracks such things as how often cyber security training materials are updated, if new hires receive cyber security training, how often existing employees receive training, and employee knowledge retention.

Number of cyber security incidents reported

Tracks how often, or if, employees and users are reporting issues. For example, how many employees forward phishing emails to IT? How often are such emails forwarded to IT?

Security ratings or Security score

Generally used by underwriters to understand a company’s cyber security risk. It is also a way to see how your company ranks relative to others in your industry, and how your suppliers and vendors compare.

Access management

Used to keep tabs on the number of people who have administrative rights to networks and applications. Does everyone on the list require administrative access?

Phishing attack success

Tracks how many phishing emails employees open. You can separate it into spoof phishing emails your department sends as tests vs ones most likely from malicious actors.

Virus infection monitoring

Tracks how often your antivirus software scans applications for malware.

Cost per incident

Measures the amount of money spent to respond and resolve an attack, including things like employee over time, investigative costs, fines, and ransomware payments. May also include lost productivity and potentially lost sales due to downtime from an attack.

Knowing your security risks and vulnerabilities is the bedrock for building a mature and effective software supply chain security program. Measuring your mean times, days to patch, various types of network traffic, intrusions, and paying attention to security ratings, compliance, application, and network access provides a baseline of expectations and what normal for your company looks like.

Like it? Let’s share!

Susbscribe for updates

Related content