# Security Metrics, KPIs, and KRIs

Backlink: [[Domain 1 - Index]]

**Definition:** Measures of performance (KPIs) and indicators of potential risk (KRIs) to guide decisions and oversight.

## Key Facts

- KPIs: control performance (patch SLA %, MFA coverage).
- KRIs: risk levels (phish click rate, critical vuln backlog).
- Qualities: relevant, repeatable, reliable, time-bound, actionable.
- Use thresholds (green/amber/red) aligned to risk appetite; dashboards vary by audience.
- Validate data quality; automate collection where possible.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

> [!tip] **Exam Relevance**
> - Choose metrics that match objectives
> - Interpret threshold breaches and the actions they trigger

> [!note] **Mnemonic**
> - "Key Performance; Key Risk."

### Example

Q: A KRI turns red for privileged access growth. Action?

A: Investigate the cause; enforce least privilege and joiner/mover/leaver (JML) controls.

## Revision Checklist

- [ ] Give 3 KPI and 3 KRI examples
- [ ] Define good metric qualities
- [ ] Set thresholds and escalation
- [ ] Align metrics to policy goals

## Related

[[Risk Appetite and Tolerance]] · [[Security Program Management (PDCA)]] · [[Security Control Types]] · [[Security Awareness and Training]] · [[Risk Management Process]]

#cissp #domain-1 #concept