
Key Risk Indicators vs Key Performance Indicators
#LEARNCISMWITHSANTOSH Santosh Nandakumar
Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) are both important metrics used in
the context of information security, but they serve different purposes.

Key Performance Indicators

KPIs are metrics used to measure the performance and effectiveness of an organization's information security controls, policies, and practices.

The measurement an organization leverages to understand how well individuals, business units, projects, and companies are performing against their strategic goals.

These are backward-looking and reactive.

Once an organization has identified its strategic goals, KPIs serve as monitoring and decision-making tools that help answer your organization's key performance questions.

Answers the question: How are we doing against our goals?

Example 1: Percentage of employees who are following security policies and procedures, ensuring compliance.

Example 2: Percentage of employees who have completed infosec awareness training.

Expected Measurement: 100%

Key Risk Indicators

KRIs are metrics used to assess and monitor the potential risks and vulnerabilities that could impact an organization's information security.

The measurement an organization leverages to determine how much risk they are exposed to or how risky a particular venture or activity is.

These are forward-looking and proactive.

By measuring the risks and their potential impact on business performance beforehand, organizations can monitor, manage and mitigate key risks early.

Answers the question: What prevents us from achieving our goals?

Example 1: Percentage of servers/workstations with backup failure in a given period.

Example 2: Percentage of servers using weak authentication protocols.

Expected Measurement: 0%
