Download our “CISO's Guide To Reporting To The Board” eBook to get the scoop on metrics that matter to the board.
16 Cybersecurity KPIs to Add to Your Security Dashboard
Cybersecurity professionals are used to looking at real-time numbers from their SIEM software, security ratings platform, incident prevention system, and other cyber risk solutions. These products each come with their own security dashboard, giving IT, risk, and security personnel quick (or not, depending on the UI) access to the information they need to do their jobs effectively.
However, the data displayed by security-specific solutions is sometimes very technical in nature, and doesn’t provide a complete picture of risk. With less-technically skilled individuals on the Board and in the C-suite taking on an increasingly significant role in cybersecurity oversight, it’s often useful to provide more straightforward, aggregated information in your security report to the board. Numbers that are easy for everyone to understand and communicate the broad spectrum of cyber risk a company is facing help users save time and energy.
We’ve compiled 16 valuable, easy-to-understand cybersecurity and cyber risk KPIs that can be integrated into a security dashboard for any member of an organization who wants to become more aware of cyber risk. These metrics come from a variety of sources and indicate risks caused by technical issues, security diligence, human behavior, and more.
You’ll notice we’ve included a fair amount of KPIs that can be found on the BitSight Security Ratings Platform. Our platform is designed to help security and risk eaders quantify cyber risk, and therefore provides several metrics that are useful for the purposes laid out above. However, BitSight is by no means the only source of at-a-glance cyber risk data.
Easy-to-Understand Cybersecurity KPIs
16
16 Number of Unidentified Devices on Network
What is it?
Thanks to network access
control
solutions,
many organizations are able to differentiate between devices that need
to be
connected
to a network, such as servers, routers, and PCs, and devices that
don’t, such as
employees’ personal cell phones, smart watches, and other IoT devices.
Where to find it
Network access control
software
What it shows you
Security professionals have
less
control
over unidentified devices than they do over company devices. A
malware-infected
personal laptop might act as the point of entry for a cyber attack that
goes on to
affect an entire network. Therefore, the number of unidentified devices
on a
network is
an indicator of cyber risk, and users seeing high number of
unidentified devices
should
consider policy changes or increased training.
01
01 Security Rating
What is it?
A BitSight Security Rating
is a metric
for
describing overall cybersecurity performance based on externally
observable
indicators
that come from a variety of trustworthy sources. The rating is informed
by data
from
over 120 sources on compromised systems, security diligence, user
behavior, and
data
breaches.
Where to find it
BitSight Security Ratings
Platform
What it shows you
The BitSight Security Rating
for an
organization, which is presented as a number from 250 to 900, indicates
overall
security performance. It also gives the user a sense of their
likelihood of
experiencing a data breach; companies with a BitSight Security Rating
of 500 or
lower
are nearly five times more likely to
experience a breach
than
those with a rating of 700 or higher.
02
02 Botnet Infection Grade
What is it?
Any internet-connected
device, like a
PC,
server, router, or even an IoT thermostat could be a part of a botnet —
a
collection of
devices remotely controlled by cyber criminals or other threat actors.
Botnets can
be
used to propagate email spam, execute DDoS attacks, exfiltrate
sensitive data, or
even
install additional malware on a system.
Where to find it
BitSight Security Ratings
Platform
What it shows you
The A-F letter grade for
botnet
infection on
the BitSight platform is based on externally observable data and
provide insight
into a
company’s performance relative to others. The grade takes into account
the
frequency,
severity, and duration of botnet infections. Botnet infections don’t
always lead to
data breaches, but BitSight research has
shown a strong correlation between the two. A grade of B or
below could
mean
an organization is more than twice as likely as A-grade companies to
fall victim to
a
data breach.
03
03 Peer-to-Peer File Sharing Grade
What is it?
Peer-to-peer (P2P) file
sharing involves
the
use of specialized software to share data across a network of end
users, rather
than
relying on a central server. Peer-to-peer protocols like BitTorrent are
often used
to
illegally download applications, games, music, and movies — however,
many of these
files also come with hidden malware.
Where to find it
BitSight Security Ratings
Platform
What it shows you
The A-F letter grade for
peer-to-peer file-sharing indicates how much P2P activity took place on a network within the
last 60
days and compares that performance to other organizations. Since large portions of P2P files contain malware, poor performance in this area could expose an organization to increased cyber risk.
04
04 Open Port Grade
What is it?
Ports are used to indicate
to servers
and
other network devices what kind of traffic is trying to communicate
with them.
Email,
FTP, and web traffic, for example, all use different ports, and ports
can be opened
or
closed depending on what kinds of traffic an admin wants a server to
accept. Some
open
ports can be exploited by hackers to gain access to sensitive systems
and data.
Where to find it
BitSight Security Ratings
Platform
What it shows you
The A-F letter grade for
open ports
shows
users how well-sealed their network is by comparing the number of open
ports to
other
organizations. BitSight research has shown that organizations with an
F
open port grade are more than twice as likely to experience a
breach than
companies with an A.
05
05 Average Vendor Security Rating over Time
What is it?
BitSight Security Ratings
indicate the
overall security posture of an organization. Because they are
calculated based on
externally observable data, these ratings can also be used to
continuously monitor
the
security of third parties.
Where to find it
BitSight Security Ratings
Platform
What it shows you
Each vendor should be
assessed using
several
methods as part of a comprehensive third-party risk management (TPRM)
program, and
their individual security ratings should be considered carefully.
However, by
averaging
the security ratings of all vendors in a third-party network and
tracking them over
a
period of months or years, users can see at-a-glance whether their TPRM
program is
getting results.
06
06 Average Industry Security Rating
What is it?
In addition to giving users
visibility
into
their own security ratings and those of third parties, BitSight
provides average
security ratings for entire industries.
Where to find it
BitSight Security Ratings
Platform
What it shows you
Seeing the average security
rating of
one’s
industry displayed alongside the organization’s security rating helps
users
contextualize their own cybersecurity performance. Doing much worse
than the
industry
average is a sign that increased resources and attention need to be
devoted to
cybersecurity. Doing much better than the industry average is a sign of
a mature
cybersecurity program, and is a fact that can be leveraged as a
competitive
differentiator.
07
07 Intrusion Attempts within a Given Period
What is it?
Intrusion attempts are just
as they
sound —
unauthorized efforts to access a network, as identified by software
systems.
Where to find it
Intrusion
detection/prevention system
What it shows you
Depending on where the data
comes from,
this
KPI could either show the user how many intrusion attempts were
detected, or how
many
were blocked. Either way, this metric gives the user a strong idea of
the true risk
their systems and data face on a daily basis.
08
08 Patching Cadence Grade
What is it?
Software manufacturers and device manufacturers often release critical security patches to combat recently discovered vulnerabilities or new threat vectors. In many cases, organizations must apply these patches manually. Patching cadence measures how quickly critical security patches are being applied.
Where to find it
BitSight
Security Ratings Platform
What it shows you
The A-F grade for patching cadence indicates how long it takes security or IT teams to apply critical security patches on average, as compared to other organizations. Slow patching cadence indicates either a lack of diligence or a lack of resources for these teams, and is a problem that must be resolved as soon as possible. Organizations that fail to apply critical security patches in a timely manner open themselves up to avoidable and potentially dangerous cyber risks.
09
09 Mean Time to Detect
What is it?
In a security context, mean
time to
detect
(MTTD) is a measurement of how long it takes the cybersecurity team or
security
operations center to become aware of a potential security incident (on
average).
Where to find it
Security incident and event
management
(SIEM) platform
What it shows you
MTTD shows the user how long
security
threats are going unnoticed within the organization’s systems. The
longer this
timeframe, the more likely it is that threat actors can access
sensitive data and
systems. Measuring MTTD over time can be a good indicator of the
effectiveness of a
security operations center.
10
10 Mean Time to Resolve
What is it?
Like MTTD, mean time to
resolve (MTTR)
in a
security context is a measurement of how long it takes the
cybersecurity team or
security operations center to remediate a threat after it has been
discovered.
Where to find it
Security incident and event
management
(SIEM) platform
What it shows you
MTTR shows the user how
quickly their
security technicians are stopping cyber threats in their system.
Increasing MTTR
could
indicate that more resources need to be allocated to the security
operations
center.
11
11 Backup Frequency
What is it?
Sensitive data stored
on-premise or in
the
cloud must be backed up in additional secure locations. Backup
frequency measures
how
often these backups are performed.
Where to find it
Remote monitoring and
management system
or
custom input
What it shows you
Backup frequency is a
measure of
preparedness. Certain kinds of cyber attacks (including major malware
attacks like NotPetya) are designed to destroy data, which
can have major
consequences for unprepared businesses. Frequent backups help ensure
that even if
an
attack like this did occur, the interruption to business would be
minimal.
12
12 Phishing Test Success Rate
What is it?
Many organizations conduct
(or hire
third
parties to conduct) phishing tests in which fraudulent emails or other
messages are
sent to employees. Users who give up personal information or click
suspicious links
are
flagged as failing the test.
Where to find it
Custom input
What it shows you
Phishing was the third
most common action variety in data breaches in 2017. It’s a
tried and
true
cyber crime method that doesn’t require breaking through advanced
firewalls and
other
technical defenses. An indicator of what percentage of an employee
population is
falling for phishing attempts gives the user a sense of the
human-related risk
their
organization faces, as well as the urgency of security awareness
initiatives.
13
13 Security Awareness Training Completion Rate
What is it?
Security awareness training
is necessary
to
teach employees and other users how to identify phishing attempts, set
strong
passwords, and otherwise safely navigate the internet and other systems
without
exposing the organization to cyber risk. However, this training can be
time-consuming
and tedious, so it’s often put off.
Where to find it
Training platform or custom
input
What it shows you
The
best security awareness training in the world won’t be
effective if
employees
don’t actually participate in it. A measurement of the percentage of
employees that
have successfully completed security awareness training indicates to
the user how
much
human-related risk their organization faces on any given day.
14
14 Average Security Awareness Training Score
What is it?
Some security awareness
training
programs
include scored assessments to determine how much of the training has
been
understood by
the participant.
Where to find it
Training platform or custom
input
What it shows you
Security awareness training
requires a
significant investment of time and money. Viewing the average
organizational score
on
security awareness assessments will help users determine whether or not
their
employees
are actually prepared to drive down cyber risk. Consistently low scores
may also
indicate that the training itself needs to be improved.
15
15 Average Password Strength
What is it?
While some organizations
have moved to
two-factor authentication and other advanced login protocols, many
systems still
require a simple username/password combination to access. Password
strength is
determined based on length, use of special characters, and other
factors.
Where to find it
Password manager
What it shows you
The average password
strength of an
organization can be a simple indicator of risk, and low average
password strength
is a
problem that’s relatively easily resolved. Users who see low average
password
strength
should take steps to resolve the issue with some measure of
required/incentivized
account maintenance and security awareness training.
16
16 Number of Unidentified Devices on Network
What is it?
Thanks to network access
control
solutions,
many organizations are able to differentiate between devices that need
to be
connected
to a network, such as servers, routers, and PCs, and devices that
don’t, such as
employees’ personal cell phones, smart watches, and other IoT devices.
Where to find it
Network access control
software
What it shows you
Security professionals have
less
control
over unidentified devices than they do over company devices. A
malware-infected
personal laptop might act as the point of entry for a cyber attack that
goes on to
affect an entire network. Therefore, the number of unidentified devices
on a
network is
an indicator of cyber risk, and users seeing high number of
unidentified devices
should
consider policy changes or increased training.
01
01 Security Rating
What is it?
A BitSight Security Rating
is a metric
for
describing overall cybersecurity performance based on externally
observable
indicators
that come from a variety of trustworthy sources. The rating is informed
by data
from
over 120 sources on compromised systems, security diligence, user
behavior, and
data
breaches.
Where to find it
BitSight Security Ratings
Platform
What it shows you
The BitSight Security Rating
for an
organization, which is presented as a number from 250 to 900, indicates
overall
security performance. It also gives the user a sense of their
likelihood of
experiencing a data breach; companies with a BitSight Security Rating
of 500 or
lower
are nearly five times more likely to
experience a breach
than
those with a rating of 700 or higher.
02
02 Botnet Infection Grade
What is it?
Any internet-connected
device, like a
PC,
server, router, or even an IoT thermostat could be a part of a botnet —
a
collection of
devices remotely controlled by cyber criminals or other threat actors.
Botnets can
be
used to propagate email spam, execute DDoS attacks, exfiltrate
sensitive data, or
even
install additional malware on a system.
Where to find it
BitSight Security Ratings
Platform
What it shows you
The A-F letter grade for
botnet
infection on
the BitSight platform is based on externally observable data and
provide insight
into a
company’s performance relative to others. The grade takes into account
the
frequency,
severity, and duration of botnet infections. Botnet infections don’t
always lead to
data breaches, but BitSight research has
shown a strong correlation between the two. A grade of B or
below could
mean
an organization is more than twice as likely as A-grade companies to
fall victim to
a
data breach.
03
03 Peer-to-Peer File Sharing Grade
What is it?
Peer-to-peer (P2P) file
sharing involves
the
use of specialized software to share data across a network of end
users, rather
than
relying on a central server. Peer-to-peer protocols like BitTorrent are
often used
to
illegally download applications, games, music, and movies — however,
many of these
files also come with hidden malware.
Where to find it
BitSight Security Ratings
Platform
What it shows you
The A-F letter grade for
peer-to-peer file-sharing indicates how much P2P activity took place on a network within the
last 60
days and compares that performance to other organizations. Since large portions of P2P files contain malware, poor performance in this area could expose an organization to increased cyber risk.
04
04 Open Port Grade
What is it?
Ports are used to indicate
to servers
and
other network devices what kind of traffic is trying to communicate
with them.
Email,
FTP, and web traffic, for example, all use different ports, and ports
can be opened
or
closed depending on what kinds of traffic an admin wants a server to
accept. Some
open
ports can be exploited by hackers to gain access to sensitive systems
and data.
Where to find it
BitSight Security Ratings
Platform
What it shows you
The A-F letter grade for
open ports
shows
users how well-sealed their network is by comparing the number of open
ports to
other
organizations. BitSight research has shown that organizations with an
F
open port grade are more than twice as likely to experience a
breach than
companies with an A.
05
05 Average Vendor Security Rating over Time
What is it?
BitSight Security Ratings
indicate the
overall security posture of an organization. Because they are
calculated based on
externally observable data, these ratings can also be used to
continuously monitor
the
security of third parties.
Where to find it
BitSight Security Ratings
Platform
What it shows you
Each vendor should be
assessed using
several
methods as part of a comprehensive third-party risk management (TPRM)
program, and
their individual security ratings should be considered carefully.
However, by
averaging
the security ratings of all vendors in a third-party network and
tracking them over
a
period of months or years, users can see at-a-glance whether their TPRM
program is
getting results.
06
06 Average Industry Security Rating
What is it?
In addition to giving users
visibility
into
their own security ratings and those of third parties, BitSight
provides average
security ratings for entire industries.
Where to find it
BitSight Security Ratings
Platform
What it shows you
Seeing the average security
rating of
one’s
industry displayed alongside the organization’s security rating helps
users
contextualize their own cybersecurity performance. Doing much worse
than the
industry
average is a sign that increased resources and attention need to be
devoted to
cybersecurity. Doing much better than the industry average is a sign of
a mature
cybersecurity program, and is a fact that can be leveraged as a
competitive
differentiator.
07
07 Intrusion Attempts within a Given Period
What is it?
Intrusion attempts are just
as they
sound —
unauthorized efforts to access a network, as identified by software
systems.
Where to find it
Intrusion
detection/prevention system
What it shows you
Depending on where the data
comes from,
this
KPI could either show the user how many intrusion attempts were
detected, or how
many
were blocked. Either way, this metric gives the user a strong idea of
the true risk
their systems and data face on a daily basis.
08
08 Patching Cadence Grade
What is it?
Software manufacturers and device manufacturers often release critical security patches to combat recently discovered vulnerabilities or new threat vectors. In many cases, organizations must apply these patches manually. Patching cadence measures how quickly critical security patches are being applied.
Where to find it
BitSight
Security Ratings Platform
What it shows you
The A-F grade for patching cadence indicates how long it takes security or IT teams to apply critical security patches on average, as compared to other organizations. Slow patching cadence indicates either a lack of diligence or a lack of resources for these teams, and is a problem that must be resolved as soon as possible. Organizations that fail to apply critical security patches in a timely manner open themselves up to avoidable and potentially dangerous cyber risks.
09
09 Mean Time to Detect
What is it?
In a security context, mean
time to
detect
(MTTD) is a measurement of how long it takes the cybersecurity team or
security
operations center to become aware of a potential security incident (on
average).
Where to find it
Security incident and event
management
(SIEM) platform
What it shows you
MTTD shows the user how long
security
threats are going unnoticed within the organization’s systems. The
longer this
timeframe, the more likely it is that threat actors can access
sensitive data and
systems. Measuring MTTD over time can be a good indicator of the
effectiveness of a
security operations center.
10
10 Mean Time to Resolve
What is it?
Like MTTD, mean time to
resolve (MTTR)
in a
security context is a measurement of how long it takes the
cybersecurity team or
security operations center to remediate a threat after it has been
discovered.
Where to find it
Security incident and event
management
(SIEM) platform
What it shows you
MTTR shows the user how
quickly their
security technicians are stopping cyber threats in their system.
Increasing MTTR
could
indicate that more resources need to be allocated to the security
operations
center.
11
11 Backup Frequency
What is it?
Sensitive data stored
on-premise or in
the
cloud must be backed up in additional secure locations. Backup
frequency measures
how
often these backups are performed.
Where to find it
Remote monitoring and
management system
or
custom input
What it shows you
Backup frequency is a
measure of
preparedness. Certain kinds of cyber attacks (including major malware
attacks like NotPetya) are designed to destroy data, which
can have major
consequences for unprepared businesses. Frequent backups help ensure
that even if
an
attack like this did occur, the interruption to business would be
minimal.
12
12 Phishing Test Success Rate
What is it?
Many organizations conduct
(or hire
third
parties to conduct) phishing tests in which fraudulent emails or other
messages are
sent to employees. Users who give up personal information or click
suspicious links
are
flagged as failing the test.
Where to find it
Custom input
What it shows you
Phishing was the third
most common action variety in data breaches in 2017. It’s a
tried and
true
cyber crime method that doesn’t require breaking through advanced
firewalls and
other
technical defenses. An indicator of what percentage of an employee
population is
falling for phishing attempts gives the user a sense of the
human-related risk
their
organization faces, as well as the urgency of security awareness
initiatives.
13
13 Security Awareness Training Completion Rate
What is it?
Security awareness training
is necessary
to
teach employees and other users how to identify phishing attempts, set
strong
passwords, and otherwise safely navigate the internet and other systems
without
exposing the organization to cyber risk. However, this training can be
time-consuming
and tedious, so it’s often put off.
Where to find it
Training platform or custom
input
What it shows you
The
best security awareness training in the world won’t be
effective if
employees
don’t actually participate in it. A measurement of the percentage of
employees that
have successfully completed security awareness training indicates to
the user how
much
human-related risk their organization faces on any given day.
14
14 Average Security Awareness Training Score
What is it?
Some security awareness
training
programs
include scored assessments to determine how much of the training has
been
understood by
the participant.
Where to find it
Training platform or custom
input
What it shows you
Security awareness training
requires a
significant investment of time and money. Viewing the average
organizational score
on
security awareness assessments will help users determine whether or not
their
employees
are actually prepared to drive down cyber risk. Consistently low scores
may also
indicate that the training itself needs to be improved.
15
15 Average Password Strength
What is it?
While some organizations
have moved to
two-factor authentication and other advanced login protocols, many
systems still
require a simple username/password combination to access. Password
strength is
determined based on length, use of special characters, and other
factors.
Where to find it
Password manager
What it shows you
The average password
strength of an
organization can be a simple indicator of risk, and low average
password strength
is a
problem that’s relatively easily resolved. Users who see low average
password
strength
should take steps to resolve the issue with some measure of
required/incentivized
account maintenance and security awareness training.
16
16 Number of Unidentified Devices on Network
What is it?
Thanks to network access
control
solutions,
many organizations are able to differentiate between devices that need
to be
connected
to a network, such as servers, routers, and PCs, and devices that
don’t, such as
employees’ personal cell phones, smart watches, and other IoT devices.
Where to find it
Network access control
software
What it shows you
Security professionals have
less
control
over unidentified devices than they do over company devices. A
malware-infected
personal laptop might act as the point of entry for a cyber attack that
goes on to
affect an entire network. Therefore, the number of unidentified devices
on a
network is
an indicator of cyber risk, and users seeing high number of
unidentified devices
should
consider policy changes or increased training.
