21 Cybersecurity Metrics & KPIs to Track in 2023

What are cybersecurity metrics?

Cybersecurity metrics help businesses understand how successful their cybersecurity strategy is, communicate effectively to business stakeholders, and help respond to risks in a cost-effective and efficient way. Simply put, you’ve invested in cybersecurity, but are you tracking your efforts? Are you tracking metrics and KPIs? If you’re not, you’re not alone.

What are information security metrics?

Information security metrics are tools used to assess and measure the performance and strength of organizations’ cybersecurity. These powerful metrics can provide businesses with crucial data points to help them strategize and prioritize areas where their existing cyber procedures are weak, and where they should allocate more time and spend to strengthen their cyber posture.

Why are cybersecurity metrics important?

You can’t manage what you can’t measure. With cyber threats constantly evolving and becoming harder to detect, you need to have measures in place to assess the effectiveness of your cybersecurity programs. Cybersecurity benchmarking is an important way of keeping tabs on your security efforts. You need to be tracking cybersecurity metrics for two important reasons:

1. Ability to make informed cybersecurity decisions

If you’re not tracking key performance indicators (KPIs) and key risk indicators (KRIs), you won’t be able to clearly understand how effective your cybersecurity efforts have been, or how they’ve improved (or declined) over time. Without solid historical data to rely on, you won’t be able to make informed cybersecurity decisions going forward. Instead, you’ll just be making decisions blindly.

2. Communicate with business stakeholders

Without good cybersecurity metrics, you won’t be able to make a case for your infosec efforts — or budget — when you report to your organization’s board members or leadership. By utilizing cybersecurity KPIs, your business can gain insight into your network infrastructure, enabling you to address performance-related questions during presentations.

You need cybersecurity benchmarking that tells a story, especially when you’re giving a report to your non-technical colleagues. The cybersecurity metrics and KPIs you choose should be clear, relevant, and give a full picture of your organization’s cybersecurity posture.

You may also need to choose benchmarks for your vendors and other third parties, who have access to your networks and can expose your organization to risk.

21 Cybersecurity metrics and KPIs to track

Below are some examples of clear cybersecurity metrics and KPIs you can easily track and present to your business stakeholders.

1. Level of preparedness

The degree of preparedness against cyberattacks within your organization plays a crucial role in assessing your security posture and the overall effectiveness of your cybersecurity program.

• How many devices on your network are fully patched and up to date?
• Are your devices and software continuously updated?
• How many high-risk vulnerabilities have been identified?

2. Unidentified devices on the internal network

Your employees bring their devices to work, and your organization may be using Internet of Things (IoT) devices that you’re unaware of. These are huge risks for your organization as these devices are probably not secure. 

• How many of these devices are on your network?
• Does your business have a log of the devices associated with your network?

3. Intrusion attempts

If cybercriminals are continuously attempting to gain unauthorized access to computer networks, systems, or data, this is something your business needs to take note of and measure.

• How many times have bad actors tried to breach your networks?
• What is the frequency of unauthorized attempts made by malicious actors to breach your network security?

4. Mean Time Between Failures (MTBF)

MTBF is a cybersecurity metric used to measure the average time elapsed between two consecutive failures or breakdowns of a system, component, or device within an organization. 

• How much time exists between system or product failures when looking to determine reliability?
• What is the frequency of product or system failure?

5. Mean Time to Detect (MTTD)

MTTD measures how long it takes for your team to become aware of a potential security incident.

• How long do security threats fly under the radar at your organization?
• What is the average MTTD for your business?

6. Mean Time to Acknowledge (MTTA)

MTTA is a cybersecurity metric that is used to measure the average time it takes for an organization to acknowledge a specific incident, request, or event.

• What is the average time it takes you to begin working on an issue after receiving an alert?
• How is MTTA documented within your business? Is it consistently followed?

7. Mean Time to Contain (MTTC)

Mean time to contain refers to the amount of time elapsed after discovering a threat, attack, or security incident.

• How long does it take to contain identified attack vectors?
• What steps or processes are followed when containing a security incident? 
• Are they well-documented and consistently followed?

8. Mean Time to Resolve (MTTR)

MTTR is the cybersecurity metric that tracks the amount of time it takes to respond and resolve a threat once your organization is made aware of the threat. 

• How long does it take your team to respond to a threat once your team is aware of it?
• What is the process of restoring networks, systems, and data following a cyber incident?

9. Mean Time to Recovery (MTTR)

MTTR is a cybersecurity KPI that is used to measure the average time spent to fully recover or restore to normal operations after a cyber breach, incident, or disruption. 

• How long does it take your organization to recover from a product or system failure?
• Is there historical data on the time it has taken to recover from previous incidents?

10. Days to patch

Cybercriminals often exploit lags between patch releases and implementation. Measuring this is a good way to understand the efficiency of your team post cyber breach. 

• How long does it take your team to implement security patches?
• How is the “days to patch” cybersecurity metric defined and measured within your organization?

 11. Cybersecurity awareness training

Cybersecurity awareness training provides educational programs, lessons, and activities designed to help improve employees’ understanding of cyber threats, best practices to prevent them, and their role in protecting organizational assets.

• How well are you maintaining documentation for your cybersecurity awareness training? 
• Are you including all members of your organization, including senior executives?

12. Cybersecurity awareness training results

This metric refers to the effectiveness of the cybersecurity awareness training programs implemented and conducted within an organization.

• Who has taken (and completed) training? Did they understand the material?
• Does your organization offer recurring employee cybersecurity training? 
• Are employees tested on the material they learn from their cybersecurity awareness training?

13. Number of cybersecurity incidents reported

Reporting incidents demonstrates that your employees and other stakeholders recognize issues within your network and take action to try and resolve these issues. It also means your training is working.

• Are users reporting cybersecurity issues to your team? How does the number of reported cybersecurity incidents compare to industry benchmarks or previous years?

14. Security ratings

Often the easiest way to communicate metrics to non-technical colleagues is through an easy-to-understand score. SecurityScorecard’s security ratings give your company an A-F letter grade on 10 security categories (network security, DNS health, patching cadence, cubit score, endpoint security, IP reputation, web application security, hacker chatter, leaked credentials, and social engineering). Based on these 10 factors, you’re then assigned an overall grade, so you and your colleagues can see at a glance how secure your company is relative to the rest of your industry.

• What is the security rating of your organization?
• How does your security rating compare against competitors?

15. Access management

Access management as a cybersecurity metric relates to the controls, practices, and processes created and implemented by an organization to manage the control of user access to systems and networks. 

• How many users have administrative access?
• How is user access managed within the organization’s systems and networks?

16. Security Policy compliance

Security policy compliance refers to the organization’s ability to align security practices, procedures, and controls with established security policies and standards.

• How well are you tracking and documenting exceptions, configurations, and compliance controls?
• Is there a process in place to track and monitor employee compliance with security policies?

17. Non-human traffic (NHT)

Ensuring that your business is not tracking bot traffic as a metric is key to understanding the success of business operations and efforts. Non-human traffic is a cybersecurity metric that refers to the portion of network or web traffic that originates from automated sources rather than human users. 

• Are you seeing a normal amount of traffic on your website or is there an uptick that indicates a potential bot attack?
• What percentage of your overall web traffic is categorized as non-human?

18. Virus infection monitoring

Continuously monitoring virus infections is a cybersecurity KPI that refers to ongoing surveillance of applications, systems, and endpoints to monitor for the presence of viruses, malware, or malicious code.

• How often does your antivirus software scan common applications such as email clients, web browsers, and instant messaging software for known malware?
• What actions are taken once a virus infection is identified
• How is it contained and remediated?

19. Phishing attack success

Phishing attack success refers to the success rate of cybercriminals or threat actors achieving their malicious objectives in deceiving users via phishing attempts.

• What is the percentage of phishing emails opened by end-users?
• Are there any specific types or variations of phishing attacks that have been successful?

20. Cost per incident

Cost per incident in cybersecurity metrics refers to the amount of money and financial impact associated with each security incident on an organization. 

• How much does it cost to respond to and resolve an attack? 
• How much money are you spending on staff overtime, investigation costs, employee productivity loss, and communication with customers?

21. Security audit compliance

A security audit compliance will help your business to highlight areas where you may be lacking in terms of effectiveness with the software you are currently using. 

• What is the effectiveness of tools, technologies, and procedures your business is currently using?
• What is the current process for updating existing softwares and programs?

What are the best cybersecurity metrics to measure for an organization?

There is no hard and fast list of the cybersecurity metrics, KPIs, and KRIs that all businesses should be tracking. The metrics you choose will depend, in large part, on your organization’s needs and its appetite for risk. That said, you will want to choose KPIs that are clear to anyone who looks at your reporting, even non-technical stakeholders. A good rule of thumb is this: your non-technical colleagues should be able to understand them without having to call you for an explanation. So, you’ll want to avoid squishy KPIs — metrics that might have a large margin for error — or esoteric metrics that don’t make sense to your business-side colleagues.

Industry benchmarks and comparisons are an effective way to make complex metrics even more understandable. In addition, the most important metric is cost. Make sure when presenting to the executive team and board that your report is able to convey how cybersecurity is saving the organization money or generating revenue.

How to simplify cybersecurity reporting

SecurityScorecard offers easy-to-read A-F security ratings across ten groups of risk factors so you can provide at-a-glance visibility into your continuous cybersecurity monitoring. Instead of giving long technical details that are difficult to understand, you can provide consistent ratings across all factors and a brief explanation of how those ratings apply to business initiatives.

Cybersecurity metrics and KPI FAQS