# Security Metrics, KPIs, KRIs

One-sentence definition: Quantitative and qualitative measures used to track control performance (KPIs) and risk exposure (KRIs) so that governance decisions rest on evidence rather than impressions.

## Key Facts

- KPIs measure control or process performance: % of patches applied within SLA, phishing simulation fail rate.
- KRIs are leading indicators of risk exposure: critical-vulnerability exposure days, MFA coverage (and the gap in it).
- A good metric is relevant, reliable, repeatable and actionable.
- Dashboards support governance reporting; each threshold is tied to a stated risk tolerance, so a breach triggers a defined response rather than a debate.
- Avoid vanity metrics (raw counts with no denominator, baseline or trend); present context and trends, not a single snapshot.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose the most meaningful metric for a given objective.

**Mnemonic:** “Measurable → Manageable.”

## Mini Scenario

Q: Execs want “# of alerts” on the dashboard. Is there a better metric?
A: Mean time to detect and mean time to contain, plus the % of critical alerts triaged within SLA. Alert volume alone says nothing about whether exposure is being reduced or whether the SOC is keeping up.

## Revision Checklist

- Define KPI vs KRI with an example of each.
- Name three quality criteria of a metric.
- Link a metric to a risk tolerance threshold.

## Related

[[Risk Appetite, Tolerance, Capacity]] · [[Risk Register and Reporting]] · [[COBIT Governance]] · [[COSO ERM]] · [[Security Strategy and Roadmap]] · [[Domain 1 - Index]]
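The Mini Scenario above contrasts a vanity count with MTTD, MTTC and an SLA percentage, and the Key Facts tie each threshold to a tolerance. The script below is an added example (not part of the original note or any (ISC)² material) that computes those three metrics from a handful of constructed incident records and flags which ones breach an assumed tolerance threshold. The incident data, the 30-minute triage SLA and the threshold values are all hypothetical; the direction of each threshold (a maximum for time-based KRIs, a minimum for coverage-style KPIs) and the refusal to report a percentage with an empty denominator are the two details that matter when wiring this into a real dashboard.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample incident records for illustration only (not real data).
# Timestamps: attacker activity start, alert fired (detected), analyst picked
# it up (triaged), and containment completed.
INCIDENTS = [
    {"id": "INC-1", "severity": "critical",
     "started": "2024-03-01T08:00:00", "detected": "2024-03-01T09:30:00",
     "triaged": "2024-03-01T09:45:00", "contained": "2024-03-01T12:00:00"},
    {"id": "INC-2", "severity": "high",
     "started": "2024-03-02T10:00:00", "detected": "2024-03-02T16:00:00",
     "triaged": "2024-03-02T16:40:00", "contained": "2024-03-02T23:00:00"},
    {"id": "INC-3", "severity": "critical",
     "started": "2024-03-03T00:00:00", "detected": "2024-03-03T03:00:00",
     "triaged": "2024-03-03T04:00:00", "contained": "2024-03-03T20:00:00"},
    {"id": "INC-4", "severity": "critical",
     "started": "2024-03-04T12:00:00", "detected": "2024-03-04T13:30:00",
     "triaged": "2024-03-04T13:40:00", "contained": "2024-03-04T14:30:00"},
]

# Assumed tolerance thresholds (hypothetical values). Each entry records which
# direction is "bad": "max" for time-based KRIs, "min" for coverage-style KPIs.
THRESHOLDS = {
    "mttd_hours": ("max", 4.0),
    "mttc_hours": ("max", 8.0),
    "critical_triaged_within_sla_pct": ("min", 90.0),
}
TRIAGE_SLA = timedelta(minutes=30)  # assumed SLA for picking up a critical alert


def _ts(s):
    return datetime.fromisoformat(s)


def _hours(delta):
    return delta.total_seconds() / 3600


def mean_time_to_detect(incidents):
    """Mean hours from start of attacker activity to the alert firing (MTTD)."""
    return mean(_hours(_ts(i["detected"]) - _ts(i["started"])) for i in incidents)


def mean_time_to_contain(incidents):
    """Mean hours from detection to containment (MTTC)."""
    return mean(_hours(_ts(i["contained"]) - _ts(i["detected"])) for i in incidents)


def pct_triaged_within_sla(incidents, sla=TRIAGE_SLA, severity="critical"):
    """Share of incidents of the given severity picked up within the SLA.

    Returns None when there is no data: an empty denominator must not be
    reported as 100% (or 0%), which is exactly the kind of misleading number
    a dashboard should never show.
    """
    subset = [i for i in incidents if i["severity"] == severity]
    if not subset:
        return None
    on_time = sum(1 for i in subset if _ts(i["triaged"]) - _ts(i["detected"]) <= sla)
    return 100.0 * on_time / len(subset)


def evaluate(incidents, thresholds=THRESHOLDS):
    """Compute the metrics and list which ones breach their tolerance threshold."""
    metrics = {
        "alert_count": len(incidents),  # the vanity number, kept only for contrast
        "mttd_hours": mean_time_to_detect(incidents),
        "mttc_hours": mean_time_to_contain(incidents),
        "critical_triaged_within_sla_pct": pct_triaged_within_sla(incidents),
    }
    breaches = []
    for name, (direction, limit) in thresholds.items():
        value = metrics.get(name)
        if value is None:
            breaches.append((name, "no data"))
        elif direction == "max" and value > limit:
            breaches.append((name, f"{value:.2f} > {limit}"))
        elif direction == "min" and value < limit:
            breaches.append((name, f"{value:.2f} < {limit}"))
    return metrics, breaches


if __name__ == "__main__":
    computed, flagged = evaluate(INCIDENTS)
    for name, value in computed.items():
        print(f"{name:34} {value if value is None else round(value, 2)}")
    for name, why in flagged:
        print(f"KRI breach: {name} ({why})")
```

On the constructed data the alert count is 4, MTTD is 3.0 h and MTTC 6.875 h (both inside tolerance), while only 2 of 3 critical alerts were triaged within 30 minutes, so the SLA percentage (66.67%) is the one metric flagged. That is the point of the scenario: the raw count would have looked fine, the tolerance-linked metric shows where the process is failing.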