Information Security Indicators

This post is about information security key indicators and measures.

Concepts about Information Security Indicators

Good metrics are SMART:

  • Specific: based on a clearly understood goal; clear and concise
  • Measurable: able to be measured, quantifiable and objective
  • Attainable: realistic, based on important goals and values
  • Relevant: directly related to a specific activity or goal
  • Timely: grounded in a specific time frame

Indicators featured on this post:

  • Key Risk Indicator (KRI)
  • Key Performance Indicator (KPI)
  • Key Goal Indicator (KGI)
  • Key Control Indicator (KCI)
  • Indicator of Compromise (IoC)

Key Risk Indicator (KRI) is a metric used to assess and measure a possible risk.

Key Performance Indicator (KPI) is a metric that measures how well a process is performing.

Key Goal Indicator (KGI) is a metric to measure whether an important, long-term business goal has been achieved.

Key Control Indicator (KCI) indicates the effectiveness of a particular control at a particular point in time.

Indicator of Compromise (IoC) is a metric that can be used as evidence that someone may have breached the organization’s system.

A KRI should trigger an alarm when it is HIGHER than a given threshold (which differs for each organization, depending on its risk appetite, etc.). On the other hand, the rest of the indicators featured in this post (KCI, KPI, KGI) should trigger the alarm when the indicator is LOWER than a given threshold.

KRI examples:

  • Number of open vulnerabilities
  • Time to resolve vulnerabilities
  • Vulnerability/defect recurrence
  • Number of compromised accounts
  • Number of software flaws detected in preproduction scanning
  • Repeat audit findings
  • User attempts to visit known malicious sites

Key indicators that are relevant for the organization must be identified.

Once the key indicators have been chosen, they should be displayed on a dashboard that allows monitoring them.
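As an added example (not code from the original post), the following script computes three of the KRIs listed above and one KCI from constructed vulnerability records, then applies the threshold rule: a KRI alarms when it is above its threshold, the other indicator types when they are below. The record fields, the 14-day SLA and the threshold values are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Constructed sample findings (hypothetical data, not from the post).
VULNS = [
    {"id": "V1", "opened": date(2025, 1, 3), "closed": date(2025, 1, 20), "cwe": "CWE-79"},
    {"id": "V2", "opened": date(2025, 1, 5), "closed": None, "cwe": "CWE-89"},
    {"id": "V3", "opened": date(2025, 2, 1), "closed": date(2025, 2, 4), "cwe": "CWE-79"},
    {"id": "V4", "opened": date(2025, 2, 10), "closed": None, "cwe": "CWE-287"},
]

def kri_open_vulnerabilities(vulns):
    """KRI: number of findings still open."""
    return sum(1 for v in vulns if v["closed"] is None)

def kri_mean_days_to_resolve(vulns):
    """KRI: mean time to resolve, over closed findings only."""
    days = [(v["closed"] - v["opened"]).days for v in vulns if v["closed"]]
    return mean(days) if days else 0.0

def kri_recurrence(vulns):
    """KRI: share of findings whose weakness class had already appeared earlier."""
    seen, repeats = set(), 0
    for v in sorted(vulns, key=lambda v: v["opened"]):
        repeats += v["cwe"] in seen
        seen.add(v["cwe"])
    return repeats / len(vulns) if vulns else 0.0

def kci_resolved_within_sla(vulns, sla_days=14):
    """KCI: share of closed findings fixed within the (assumed) SLA."""
    closed = [v for v in vulns if v["closed"]]
    hit = sum(1 for v in closed if (v["closed"] - v["opened"]).days <= sla_days)
    return hit / len(closed) if closed else 0.0

@dataclass
class Indicator:
    name: str
    kind: str          # "KRI", "KPI", "KGI" or "KCI"
    value: float
    threshold: float
    def alarm(self) -> bool:
        # KRI alarms when HIGHER than the threshold; KPI/KGI/KCI when LOWER.
        return self.value > self.threshold if self.kind == "KRI" else self.value < self.threshold

def evaluate(vulns, t):
    """Dashboard-style view: indicator name -> whether it is in alarm state."""
    inds = [Indicator("open vulnerabilities", "KRI", kri_open_vulnerabilities(vulns), t["open"]),
            Indicator("mean days to resolve", "KRI", kri_mean_days_to_resolve(vulns), t["days"]),
            Indicator("recurrence ratio", "KRI", kri_recurrence(vulns), t["recurrence"]),
            Indicator("resolved within SLA", "KCI", kci_resolved_within_sla(vulns), t["sla"])]
    return {i.name: i.alarm() for i in inds}
```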

Information Security Indicator Standards

Information security indicator standards featured on this post:

  • ISO 27004
  • CCN-STIC 815

ISO/IEC 27004

ISO/IEC 27004 is the ISO/IEC standard about information security indicators.

As of 2025, the latest version is ISO/IEC 27004:2016. You can find this external link about ISO/IEC 27004:2016.

CCN-STIC 815

The Spanish public agency Centro Criptológico Nacional (CCN) issues the guide CCN-STIC-815, which covers information security metrics and indicators.
