Whether we like it or not, the performance of our jobs is reflected in both the metrics and Key Performance Indicators (KPIs) that have been assigned to us. The world of Cybersecurity is also well known for this, but which ones are important for your IT Security staff? We will explore some of the major ones in this blog.

The Top KPIs

These are the metrics that relate directly to the team:

  1. The Alarm Time to Triage (aka the “TTT”):

This is a reflection of how quickly your Cyber analysts can respond to a particular warning or alert that comes through the Security Information and Event Management (SIEM) tool. For example, if a message appears indicating that some sort of malicious activity is starting to unfold, just how quickly can somebody pick it up and act on it? The response time is what this metric indicates.

  2. The Alarm Time to Qualify (aka the “TTQ”):

While the TTT indicates how long it takes your team to jump upon a real alert or warning, this metric indicates just how long it takes to actually fully investigate it, and if need be, escalate it up the triaging chain so that it can be responded to in an efficient manner.

  3. The Threat Time to Mitigate (aka the “TTM”):

Once a warning or alert has been deemed real and after it has been sent for triaging, it is absolutely imperative that your Incident Response Team attempts to mitigate the depth of damage as quickly as possible. The time that it takes to accomplish this task is purely reflected in this particular KPI.

  4. The Threat Time to Recover (aka the “TTV”):

After the Incident Response process has started, how long does it take for your IT Security staff to end this process and restore mission-critical operations back to a sense of normalcy? The time it takes to do this can be seen in this metric. It is important to keep in mind that this can be viewed more as a Disaster Recovery KPI, rather than as a Business Continuity one.

  5. The Mean Time to Detect (aka the “MTTD”):

Unfortunately, many threat variants literally fly under the radar for extended periods of time. There are many reasons for this, such as Alert Fatigue that has been brought upon your team, or simply that your security tools could not pick it up as it broke through your lines of defense. Obviously, you want your team to detect each risk as quickly as possible when these kinds of situations actually happen, and this metric shows you exactly that.

  6. The Total Uptime and Downtime:

This metric simply reflects how often your IT/Network Infrastructure is running (which is the “Uptime”), versus how long it is not fully functional (which is the “Downtime”). Ideally your Uptime should be rated as high as 99.999%, with a Downtime of only .001%.

  7. The Total Cost Per Incident:

Whenever a business has been impacted by a Cyberattack, there are financial costs involved. These include both quantitative and qualitative factors, such as lost revenue per hour, and brand/reputational loss, respectively. In fact, it has been estimated that it costs an organization an average of well over $8.8 million per security incident (SOURCE: 1). While this is no doubt a staggering number, you want this amount to be as low as possible. When this happens, it means that your IT Security Team has acted in a prompt and thorough manner, and all of the other relevant teams as well (such as Incident Response, Disaster Recovery, and Business Continuity).

  8. The Total Number of Intrusion Attempts:

This KPI reflects the number of times a Cyberattacker has made an effort to break through your lines of defense, while not actually getting in. This kind of metric can be established over a certain time period that you deem is reasonable, such as hourly, daily, weekly, etc. This metric can tell you a lot about where problems are coming from based on the intrusion attempts.

  9. The Total Number of Botnet Infections and Detection Deficit:

A Botnet can be defined as follows:

“It is a network of computers infected by malware that are under the control of a single attacking party, known as the bot-herder.”

(SOURCE: 2).

In other words, this is when the devices in your IT/Network Infrastructure get hijacked and have a malicious payload deployed onto them. These devices then form a chain of sorts, and can be leveraged together to launch other forms of threat variants to other devices that are completely external to your own environment. The KPI in this instance is used to describe how many of your computers, servers, workstations, etc. have become infected like this, and how quickly your IT Security team detected this. This is starting to become a very important metric.

  10. The Total Time For Software Patches:

This KPI demonstrates how quickly your team identifies the latest software patches and upgrades, and the promptness with which they are deployed. Of course, the quicker this happens, the lower the statistical odds are of a security breach happening at your business or in any of your devices, networks, or servers.
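
As an added illustration (not part of the original article), the five time-based KPIs above (MTTD, TTT, TTQ, TTM and TTV) can be computed from alarm lifecycle timestamps exported from a SIEM or ticketing system. The record fields and the interval boundaries chosen for each KPI are assumptions; alarms dismissed at triage or still open are left out of the later-stage means rather than counted as zero.

```python
from datetime import datetime
from statistics import mean

# Constructed sample alarms (not real data); the field names are assumptions.
# occurred = earliest malicious activity, known only after investigation;
# qualified = investigated and escalated (None = dismissed at triage).
ALARMS = [
    {"id": "A-1", "occurred": "2024-03-01T02:00", "alerted": "2024-03-01T08:00",
     "triaged": "2024-03-01T08:10", "qualified": "2024-03-01T09:10",
     "mitigated": "2024-03-01T11:10", "recovered": "2024-03-01T17:10"},
    {"id": "A-2", "occurred": None, "alerted": "2024-03-02T10:00",
     "triaged": "2024-03-02T10:30", "qualified": None,
     "mitigated": None, "recovered": None},  # false positive
    {"id": "A-3", "occurred": "2024-03-03T00:00", "alerted": "2024-03-03T04:00",
     "triaged": "2024-03-03T04:20", "qualified": "2024-03-03T06:20",
     "mitigated": "2024-03-03T10:20", "recovered": None},  # recovery still open
]

# KPI -> (start field, end field); these interval boundaries are assumptions.
INTERVALS = {
    "MTTD": ("occurred", "alerted"),
    "TTT": ("alerted", "triaged"),
    "TTQ": ("triaged", "qualified"),
    "TTM": ("qualified", "mitigated"),
    "TTV": ("mitigated", "recovered"),
}

def minutes_between(record, start, end):
    """Return elapsed minutes, or None if either stage has no timestamp."""
    if not record.get(start) or not record.get(end):
        return None
    delta = datetime.fromisoformat(record[end]) - datetime.fromisoformat(record[start])
    if delta.total_seconds() < 0:
        raise ValueError(f"{record['id']}: {end} precedes {start}")
    return delta.total_seconds() / 60

def kpi_report(alarms):
    """Mean minutes per KPI plus how many alarms contributed to each mean."""
    report = {}
    for name, (start, end) in INTERVALS.items():
        samples = [m for a in alarms
                   if (m := minutes_between(a, start, end)) is not None]
        report[name] = {"mean_min": mean(samples) if samples else None,
                        "n": len(samples)}
    return report

if __name__ == "__main__":
    for name, row in kpi_report(ALARMS).items():
        print(f"{name}: {row['mean_min']} min over {row['n']} alarm(s)")
```

Reporting the sample count next to each mean shows when a figure rests on very few incidents, which matters because these KPIs are only meaningful over a period of time.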


Overall, this article examined some of the key metrics and KPIs that you as the CISO will require as you prepare your reports for the CEO and Board of Directors. It is very important to keep in mind that the effectiveness of these KPIs can only be gauged over a period of time, not just a single instance.