16 At-a-Glance Cybersecurity KPIs to Add to Your Security Dashboard

Cybersecurity professionals are used to looking at real-time numbers from their SIEM software, security ratings platform, incident prevention system, and other tech solutions. These products each come with their own security dashboard, giving IT, risk, and security personnel quick (or not, depending on the UI) access to the information they need to do their jobs effectively.

However, the data displayed by security-specific tech solutions is sometimes very technical in nature, and doesn’t provide a complete picture of risk. With less-technically skilled individuals on the Board and in the C-suite taking on an increasingly significant role in cybersecurity oversight, it’s often useful to provide more straightforward, aggregated information. Numbers that are easy for everyone to understand and communicate the broad spectrum of cyber risk a company is facing help users save time and energy.

We’ve compiled 16 valuable, easy-to-understand cybersecurity and cyber risk KPIs that can be integrated into a security dashboard for any member of an organization who wants to become more aware of cyber risk. These metrics come from a variety of sources and indicate risks caused by technical issues, security diligence, human behavior, and more.

You’ll notice we’ve included a fair amount of KPIs that can be found on the BitSight Security Ratings Platform. Our platform is designed to help security and risk eaders quantify cyber risk, and therefore provides several metrics that are useful for the purposes laid out above. However, BitSight is by no means the only source of at-a-glance cyber risk data.

Easy-to-Understand Cybersecurity KPIs


01 Security Rating

A BitSight Security Rating is a metric for describing overall cybersecurity performance based on externally observable indicators that come from a variety of trustworthy sources. The rating is informed by data from over 120 sources on compromised systems, security diligence, user behavior, and data breaches.
BitSight Security Ratings Platform
The BitSight Security Rating for an organization, which is presented as a number from 250 to 900, indicates overall security performance. It also gives the user a sense of their likelihood of experiencing a data breach; companies with a BitSight Security Rating of 500 or lower are nearly five times more likely to experience a breach than those with a rating of 700 or higher.

02 Botnet Infection Grade

Any internet-connected device, like a PC, server, router, or even an IoT thermostat could be a part of a botnet — a collection of devices remotely controlled by cyber criminals or other threat actors. Botnets can be used to propagate email spam, execute DDoS attacks, exfiltrate sensitive data, or even install additional malware on a system.
BitSight Security Ratings Platform
The A-F letter grade for botnet infection on the BitSight platform is based on externally observable data and provide insight into a company’s performance relative to others. The grade takes into account the frequency, severity, and duration of botnet infections. Botnet infections don’t always lead to data breaches, but BitSight research has shown a strong correlation between the two. A grade of B or below could mean an organization is more than twice as likely as A-grade companies to fall victim to a data breach.

03 Peer-to-Peer File Sharing Grade

Peer-to-peer (P2P) file sharing involves the use of specialized software to share data across a network of end users, rather than relying on a central server. Peer-to-peer protocols like BitTorrent are often used to illegally download applications, games, music, and movies — however, many of these files also come with hidden malware.
BitSight Security Ratings Platform
The A-F letter grade for peer-to-peer file-sharing indicates how much P2P activity took place on a network within the last 60 days and compares that performance to other organizations. Since large portions of P2P files contain malware, poor performance in this area could expose an organization to increased cyber risk.

04 Open Port Grade

Ports are used to indicate to servers and other network devices what kind of traffic is trying to communicate with them. Email, FTP, and web traffic, for example, all use different ports, and ports can be opened or closed depending on what kinds of traffic an admin wants a server to accept. Some open ports can be exploited by hackers to gain access to sensitive systems and data.
BitSight Security Ratings Platform
The A-F letter grade for open ports shows users how well-sealed their network is by comparing the number of open ports to other organizations. BitSight research has shown that organizations with an F open port grade are more than twice as likely to experience a breach than companies with an A.

05 Average Vendor Security Rating over Time

BitSight Security Ratings indicate the overall security posture of an organization. Because they are calculated based on externally observable data, these ratings can also be used to continuously monitor the security of third parties.
BitSight Security Ratings Platform
Each vendor should be assessed using several methods as part of a comprehensive third-party risk management (TPRM) program, and their individual security ratings should be considered carefully. However, by averaging the security ratings of all vendors in a third-party network and tracking them over a period of months or years, users can see at-a-glance whether their TPRM program is getting results.

06 Average Industry Security Rating

In addition to giving users visibility into their own security ratings and those of third parties, BitSight provides average security ratings for entire industries.
BitSight Security Ratings Platform
Seeing the average security rating of one’s industry displayed alongside the organization’s security rating helps users contextualize their own cybersecurity performance. Doing much worse than the industry average is a sign that increased resources and attention need to be devoted to cybersecurity. Doing much better than the industry average is a sign of a mature cybersecurity program, and is a fact that can be leveraged as a competitive differentiator.

07 Intrusion Attempts within a Given Period

Intrusion attempts are just as they sound — unauthorized efforts to access a network, as identified by software systems.
Intrusion detection/prevention system
Depending on where the data comes from, this KPI could either show the user how many intrusion attempts were detected, or how many were blocked. Either way, this metric gives the user a strong idea of the true risk their systems and data face on a daily basis.

08 Patching Cadence Grade

Software manufacturers and device manufacturers often release critical security patches to combat recently discovered vulnerabilities or new threat vectors. In many cases, organizations must apply these patches manually. Patching cadence measures how quickly critical security patches are being applied.
BitSight Security Ratings Platform
The A-F grade for patching cadence indicates how long it takes security or IT teams to apply critical security patches on average, as compared to other organizations. Slow patching cadence indicates either a lack of diligence or a lack of resources for these teams, and is a problem that must be resolved as soon as possible. Organizations that fail to apply critical security patches in a timely manner open themselves up to avoidable and potentially dangerous cyber risks.

09 Mean Time to Detect

In a security context, mean time to detect (MTTD) is a measurement of how long it takes the cybersecurity team or security operations center to become aware of a potential security incident (on average).
Security incident and event management (SIEM) platform
MTTD shows the user how long security threats are going unnoticed within the organization’s systems. The longer this timeframe, the more likely it is that threat actors can access sensitive data and systems. Measuring MTTD over time can be a good indicator of the effectiveness of a security operations center.

10 Mean Time to Resolve

Like MTTD, mean time to resolve (MTTR) in a security context is a measurement of how long it takes the cybersecurity team or security operations center to remediate a threat after it has been discovered.
Security incident and event management (SIEM) platform
MTTR shows the user how quickly their security technicians are stopping cyber threats in their system. Increasing MTTR could indicate that more resources need to be allocated to the security operations center.

11 Backup Frequency

Sensitive data stored on-premise or in the cloud must be backed up in additional secure locations. Backup frequency measures how often these backups are performed.
Remote monitoring and management system or custom input
Backup frequency is a measure of preparedness. Certain kinds of cyber attacks (including major malware attacks like NotPetya) are designed to destroy data, which can have major consequences for unprepared businesses. Frequent backups help ensure that even if an attack like this did occur, the interruption to business would be minimal.

12 Phishing Test Success Rate

Many organizations conduct (or hire third parties to conduct) phishing tests in which fraudulent emails or other messages are sent to employees. Users who give up personal information or click suspicious links are flagged as failing the test.
Custom input
Phishing was the third most common action variety in data breaches in 2017. It’s a tried and true cyber crime method that doesn’t require breaking through advanced firewalls and other technical defenses. An indicator of what percentage of an employee population is falling for phishing attempts gives the user a sense of the human-related risk their organization faces, as well as the urgency of security awareness initiatives.

13 Security Awareness Training Completion Rate

Security awareness training is necessary to teach employees and other users how to identify phishing attempts, set strong passwords, and otherwise safely navigate the internet and other systems without exposing the organization to cyber risk. However, this training can be time-consuming and tedious, so it’s often put off.
Training platform or custom input
The best security awareness training in the world won’t be effective if employees don’t actually participate in it. A measurement of the percentage of employees that have successfully completed security awareness training indicates to the user how much human-related risk their organization faces on any given day.

14 Average Security Awareness Training Score

Some security awareness training programs include scored assessments to determine how much of the training has been understood by the participant.
Training platform or custom input
Security awareness training requires a significant investment of time and money. Viewing the average organizational score on security awareness assessments will help users determine whether or not their employees are actually prepared to drive down cyber risk. Consistently low scores may also indicate that the training itself needs to be improved.

15 Average Password Strength

While some organizations have moved to two-factor authentication and other advanced login protocols, many systems still require a simple username/password combination to access. Password strength is determined based on length, use of special characters, and other factors.
Password manager
The average password strength of an organization can be a simple indicator of risk, and low average password strength is a problem that’s relatively easily resolved. Users who see low average password strength should take steps to resolve the issue with some measure of required/incentivized account maintenance and security awareness training.

16 Number of Unidentified Devices on Network

Thanks to network access control solutions, many organizations are able to differentiate between devices that need to be connected to a network, such as servers, routers, and PCs, and devices that don’t, such as employees’ personal cell phones, smart watches, and other IoT devices.
Network access control software
Security professionals have less control over unidentified devices than they do over company devices. A malware-infected personal laptop might act as the point of entry for a cyber attack that goes on to affect an entire network. Therefore, the number of unidentified devices on a network is an indicator of cyber risk, and users seeing high number of unidentified devices should consider policy changes or increased training.