You've invested in cybersecurity, but are you tracking your efforts? Are you tracking metrics and KPIs? If you're not, you're not alone.


A report by EY shows that 36% of organizations in the financial services sector are worried about "non-existent or very immature" metrics and reporting when it comes to cybersecurity efforts. These are organizations that, in some cases, have spent millions on compliance, but fail to maximize their infosec investment with actionable KPIs.

Below are some examples of clear cybersecurity KPIs you can track and easily present to your business stakeholders.

  1. Level of preparedness: How many devices on your network are fully patched and up to date?
  2. Total Unidentified BYOD and IoT devices on the internal network: These are huge risks for your organization as these devices are probably not secure.
  3. Intrusion attempts: Count the total attempts to breach your systems.
  4. Mean Time Between Failures (MTBF): How reliable are systems when/if they fail regularly?
  5. Mean Time to Detect (MTTD): How long does it take to become aware of a potential security incident?
  6. Mean Time to Acknowledge (MTTA): The average response time to begin working on an issue after receiving an alert.
  7. Mean Time to Contain (MTTC): How long does it take to contain identified attack vectors?
  8. Mean Time to Resolve (MTTR): How long does it take your team to respond to a threat?
  9. Mean Time to Recovery (MTTR): How long does it take your organization to recover from a failure?
  10. Days to patch: How long does it take your team to implement security patches?
  11. Cybersecurity awareness training results: Who has taken (and completed) training?
  12. Number of cybersecurity incidents reported: Are users reporting cybersecurity issues to your team?
  13. Security ratings: Often the easiest way to communicate metrics to non-technical colleagues is through an easy-to-understand score. Security ratings give your company an A-F letter grade on 10 security categories (network security, DNS health, patching cadence, cubit score, endpoint security, IP reputation, web application security, hacker chatter, leaked credentials, and social engineering).
  14. Access management: How many users have administrative access?
  15. Security Policy compliance: How well are you tracking and documenting exceptions, configurations, and compliance controls?
  16. Cybersecurity awareness training: How well do you maintain documentation for your cybersecurity awareness training for all employees?
  17. Non-human traffic (NHT): Are you seeing a normal amount of traffic on your website or is there an uptick that indicates a potential bot attack?
  18. Virus infection monitoring: How often does your antivirus software scan common applications such as email clients, web browsers, and instant messaging software?
  19. Phishing attack success: What is the percentage of phishing emails opened by end-users?
  20. Cost per incident: What are the total costs to respond to and resolve an attack?

Cybersecurity KPIs help tell a story, especially when you're giving a report to your non-technical colleagues. They should be clear, relevant, and give a full picture. More importantly, they should be automated and constantly monitored, with rules-based alerts and available in a single dashboard. Otherwise, you're still playing catch-up and "whack-a-mole" to plug holes.

Sustaining Partners