IT Security KPIs: From Technology to Strategy

In information security, KPIs serve as a control and management tool: they make risks comparable, prioritize investments, and provide evidence for audits and regulatory oversight.

In the context of ISO/IEC 27001, NIS2, and other regulatory frameworks, cyber security KPIs bridge the gap between technical reality, legal necessity, and management decisions. This article shows why KPIs are essential and which criteria from ISO, KRITIS, NIS2, and NIST apply in Germany.

Why Are KPIs So Important in Information Security?

An information security KPI is most useful when it prepares a concrete decision. Good IT security metrics are few in number (BSI IT-Grundschutz), stable (ISO/IEC 27001/27004), and defined so that they stay comparable over time and trends can be tracked (ISO/IEC 27004, NIST SP 800-55).

  • Transparency and Early Warning: The BSI describes metrics as indicators of the quality of security processes and as a means of communication. Information security KPIs should highlight where controls are failing before they turn into incidents.
  • Operational Alignment: In practice, a consistent set of metrics facilitates alignment between IT, risk management, and executive leadership, while also serving as a basis for management, GRC, and audit reports.
  • Steering and Effectiveness: Without information security KPIs, improvement remains a mere assertion. In ISO/IEC 27004, measurement is explicitly framed as an assessment of security performance and ISMS effectiveness. NIST describes measurement programs as the foundation for evaluating controls and setting priorities.
  • Internal Audits and Management Reviews: ISO/IEC 27001 (Clause 9) requires the results of monitoring and measurement to be evaluated regularly in internal audits and management reviews. KPIs serve as an objective basis for assessing deviations, potential for improvement, and the effectiveness of measures in a structured way. Examples include the percentage of audit findings closed on time or the number of major nonconformities per review cycle.

The Most Important Cyber Security KPIs

A proven starting point for implementing security KPIs is to focus on a few highly relevant metrics per topic area. A mix of preventative (leading) and retrospective (lagging) indicators is essential. NIST recommends selecting and prioritizing security metrics based on organizational goals and risk appetite (NIST SP 800-55).

Metrics should always be derived from risk analysis and the protection requirements of critical assets; otherwise, there is a risk of collecting isolated data that offers no decision-making value. The following KPIs are common in practice but are not an absolute "must" for every organization—they may require adjustment to meet individual security requirements.

1) Identity & Access (Zero-Trust Oriented)

  • MFA Coverage (% of accounts or logins protected by MFA): NIST SP 800-63B requires multi-factor authentication from Authenticator Assurance Level 2 upward, and Zero Trust principles assume it, but neither mandates a coverage percentage. In practice, we view MFA coverage as a vital KPI; report privileged and remote-access accounts separately, because one unprotected admin account matters more than the overall average.
  • SSO/Passwordless Authentication (Adoption Rate): NIST SP 800-207 recommends strong authentication (e.g., MFA), though it does not specify a target "adoption rate."
  • Privileged Accounts Under Control: ISO/IEC 27001:2022 Annex A (A.8.2, privileged access rights) and CIS Control 5 demand strict control over privileged access. Specific target values are absent, so organizations set their own benchmarks (e.g., share of privileged accounts managed through a PAM solution, number of standing admin rights).
  • Methodology Note: NIST SP 800-55 requires a clear definition for every metric (formula, baseline, timing, exceptions, data source). ISO/IEC 27004 adds requirements for data quality, consistency, and regular review.

2) Vulnerability & Cyber Hygiene

  • Patch Compliance (% of in-scope systems patched within the defined deadline): A proven metric. BSI IT-Grundschutz advises starting with a few metrics; no standard explicitly demands "Patch Compliance %," but it is a recognized key figure in practice. Define the denominator (which systems are in scope) and how risk-accepted exceptions are counted, otherwise the figure is not comparable from one report to the next.
  • Time-to-Patch (Median days for critical CVEs): Closely related to "Mean Time to Remediate," which NIST SP 800-55 cites as a highly meaningful measure. A median is less distorted by a few long-running outliers than a mean; report the age of the oldest still-open critical finding alongside it so that a stalled backlog does not disappear from the statistic.
  • Backup Restore Test Rate: ISO/IEC 27001:2022 Annex A 8.13 requires information backups but no specific metric. Specialist sources cite the success rate of restore tests as a sensible resilience KPI; a backup that has never been restored is an assumption, not a control.

3) Detect, Respond & Recover

  • MTTD / MTTR (Mean Time to Detect / Mean Time to Respond or Remediate): NIST SP 800-55 and others list MTTD/MTTR as core metrics for measuring responsiveness. Fix in the metric definition which timestamps are used (first attacker activity, alert, containment, recovery), because "MTTR" is read as respond, remediate, or recover depending on the team, and report a median next to the mean, since a single long-running incident dominates the mean.
  • Containment Success Rate: Not required by an official norm, but SOC metrics like "Incident Containment Rate" (percentage of successfully contained incidents) are common in practice.
  • Recovery Time of Critical Services (RTO Reality): No norm explicitly names this, but organizations measure how long it actually takes to restore critical services compared to the stated RTO. This KPI is crucial for critical infrastructure (KRITIS) to ensure continuous operation.
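The methodology note above (formula, baseline, timing, exceptions, data source) and the patch and response metrics in sections 2 and 3 are easier to get right when the definition is written down as executable code. The following is an added example, not code from the original article or from any vendor: it computes Patch Compliance, Time-to-Patch and MTTD/MTTR from constructed sample data. The hostnames, vulnerability labels, the 14-day SLA, the record layouts and the choice of timestamps are all assumptions a real implementation would replace with its own scanner, CMDB and ticketing exports.

```python
"""KPI definitions (formula, timing, exceptions, data source) computed from
constructed sample data. Added example, not part of the original article;
hosts, vulnerability labels, SLA and record layouts are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Finding:
    """One vulnerability finding; in practice a row from the scanner export."""
    host: str
    vuln_id: str                  # placeholder label, not a real CVE id
    severity: str                 # "critical", "high", ...
    opened: datetime              # first seen by the scanner
    closed: Optional[datetime]    # None = still open at report time
    risk_accepted: bool = False   # documented exception signed off by the risk owner


@dataclass
class Incident:
    """One incident; in practice a row from the ticketing / IR system."""
    ident: str
    occurred: datetime    # earliest attacker activity established by forensics
    detected: datetime    # alert raised / incident declared
    contained: datetime   # malicious activity stopped
    recovered: datetime   # affected service back to normal operation


def ts(day: int, hour: int = 0) -> datetime:
    return datetime(2024, 6, day, hour)


REPORT_DATE = ts(30)
SLA_CRITICAL = timedelta(days=14)   # assumed internal deadline for critical findings

# Constructed sample data (not real scan or incident records).
HOSTS = ["web-01", "web-02", "db-01", "hr-01", "ot-01", "app-01"]  # app-01 has no findings
FINDINGS = [
    Finding("web-01", "VULN-001", "critical", ts(1), ts(5)),      # fixed in 4 days
    Finding("web-02", "VULN-001", "critical", ts(1), ts(20)),     # fixed late, 19 days
    Finding("db-01", "VULN-002", "critical", ts(3), None),        # open 27 days: SLA breach
    Finding("hr-01", "VULN-003", "critical", ts(25), None),       # open 5 days: within SLA
    Finding("ot-01", "VULN-002", "critical", ts(2), None, risk_accepted=True),  # exception
    Finding("web-01", "VULN-004", "high", ts(10), ts(12)),        # not in scope of the KPI
]
INCIDENTS = [
    Incident("INC-1", ts(2, 8), ts(2, 10), ts(2, 14), ts(3, 9)),
    Incident("INC-2", ts(10), ts(12), ts(12, 6), ts(12, 12)),      # found only after 48 h
    Incident("INC-3", ts(20, 9), ts(20, 10), ts(20, 11), ts(20, 12)),
]


def patch_compliance(findings, hosts, report_date, sla=SLA_CRITICAL, severity="critical"):
    """Patch compliance in %: hosts with no critical finding open past the SLA,
    divided by all in-scope hosts, measured at report_date (point in time).
    Exceptions: risk-accepted findings are not breaches, but their hosts stay
    in the denominator and the exception count is returned with the KPI."""
    breached, exceptions = set(), 0
    for f in findings:
        if f.severity != severity or f.closed is not None:
            continue
        if f.risk_accepted:
            exceptions += 1
            continue
        if report_date - f.opened > sla:
            breached.add(f.host)
    compliant = [h for h in hosts if h not in breached]
    return round(100 * len(compliant) / len(hosts), 1), exceptions


def time_to_patch(findings, report_date, severity="critical"):
    """Median days from first detection to closure for critical findings, plus
    the age of the oldest still-open one: only closed findings have a duration,
    so the median alone would hide a stalled backlog."""
    closed = [(f.closed - f.opened).days for f in findings
              if f.severity == severity and f.closed is not None]
    open_age = [(report_date - f.opened).days for f in findings
                if f.severity == severity and f.closed is None and not f.risk_accepted]
    return (median(closed) if closed else None), max(open_age, default=0)


def response_times(incidents):
    """MTTD and MTTR in hours. The definition fixes the timestamps used:
    MTTD = detected - occurred; response is split into time to contain and
    time to recover, both counted from detection. The median is reported next
    to the mean because one slow incident dominates the mean."""
    def hours(a, b):
        return (b - a).total_seconds() / 3600
    detect = [hours(i.occurred, i.detected) for i in incidents]
    contain = [hours(i.detected, i.contained) for i in incidents]
    recover = [hours(i.detected, i.recovered) for i in incidents]
    mean = lambda xs: round(sum(xs) / len(xs), 1)
    return {"mttd_mean_h": mean(detect), "mttd_median_h": round(median(detect), 1),
            "mttc_mean_h": mean(contain), "mttr_mean_h": mean(recover)}


if __name__ == "__main__":
    print("patch compliance %, exceptions:", patch_compliance(FINDINGS, HOSTS, REPORT_DATE))
    print("median days to patch, oldest open:", time_to_patch(FINDINGS, REPORT_DATE))
    print("response times (h):", response_times(INCIDENTS))
```

On the sample data the compliance figure is 83.3 % with one documented exception, the median time to patch is 11.5 days while the oldest open critical finding is 27 days old, and the mean time to detect is 17 hours against a median of 2 hours: the single incident found after 48 hours is what the management report should discuss, and a report showing only the mean or only the median would lead to different conclusions.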

4) Governance & Compliance (ISO 27001 / NIS2)

  • NIS2 Governance Duty (Art. 20): NIS2 Art. 20 requires management bodies to approve cybersecurity measures and oversee their implementation.
  • Management Training Rate: NIS2 Art. 20 mandates regular training for executives; the percentage of trained managers can be measured as a KPI.
  • Audit Finding Closure Rate: No formal requirement, but used in practice as a maturity indicator.
  • Policy Freshness (% in review cycle): Norms require current policies but don’t specify a metric. Business reports recommend measuring updates (e.g., annual reviews).
  • NIS2 Reporting Obligation (Early warning within 24h): NIS2 Art. 23 requires an early warning for significant incidents without undue delay and in any event within 24 hours, followed by an incident notification within 72 hours and a final report within one month; the German KRITIS implementation follows this scheme. Organizations derive KPIs from this, such as the share of reports that met the deadline or the completeness of incident reports.
  • Supply Chain Metrics: NIS2 emphasizes SCM risks. In practice, metrics include the percentage of critical suppliers assessed.


Focus: Measuring IT Security Awareness

  • Phishing Rate: How many employees click on simulated phishing emails? How many report them (Report Rate)?
  • Training Completion Rate: Percentage of employees who have finished security training.
  • Incident Reporting: Is the number of irregularities reported by employees increasing?

Note: Supply chain risks are gaining importance. Metrics for evaluating security-relevant third parties support the NIS2 supply chain risk management requirements. For financial institutions, the outsourcing and ICT third-party requirements of MaRisk and DORA cover the same ground and can be assessed with the same metrics.

Best Practices: Establishing Sustainable Security Awareness

  • Lead by Example: NIS2 anchors training and responsibility at the executive level.
  • Consistency: Micro-learnings and recurring phishing simulations; trends are often more meaningful here than individual values.
  • Positive Error Culture: The report rate only increases in the absence of a "culture of fear."
  • Reduce Friction: If secure behavior is faster than insecure behavior, acceptance and metrics will rise. In identity projects, SSO can act as a "Security + Usability" lever.

Challenges in Working with Metrics

  • Measuring the Wrong Things: NIST SP 800-55 ties every measure to an organizational goal, which implicitly warns against KPI collections that lack a connection to decision-making. Prioritization based on risk and target state is required.
  • Data Quality and Definitions: A KPI is only as good as its definition (e.g., what exactly constitutes an "incident").
  • Lack of Context: Declining incident numbers could also mean poorer detection. A combination of "leading" and "lagging" indicators is necessary to get the full picture.

Conclusion: KPI Systems Should Trigger Decisions

Metrics are not an end in themselves, but a tool for assessing effectiveness, prioritizing measures, and supporting informed decisions. Only a consciously selected, consistent KPI system makes information security manageable, comparable, and transparent to management, regulators, and auditors.

Correctly applied, information security KPIs provide arguments for budgets, create transparency regarding risks, support compliance evidence, and anchor cybersecurity as a permanent management task. The key is not to measure everything—but to measure the right things, consistently, and with a clear link to risk, goals, and responsibility.