Tracking cybersecurity metrics is no longer just a best practice—it is essential. From protecting sensitive data to preventing devastating data breaches and spotting cybersecurity risks, having a clear set of key performance indicators (KPIs) can make all the difference. These KPIs help organizations determine the effectiveness of their cybersecurity measures and drive informed decision-making.
However, despite growing digital risks, PwC reports that only 22% of CEOs feel confident that their risk exposure data is comprehensive enough for sound decision-making. Alarmingly, this statistic hasn’t budged in the last decade. Additionally, the EY Global Information Security Survey reveals that just 15% of organizations are confident their InfoSec reporting fully meets their expectations.
This blog outlines 14 critical cybersecurity metrics your organization should track to manage vendor risk better, strengthen defenses, and stay ahead of evolving threats. Additionally, assess your cybersecurity program with our downloadable Essential Cybersecurity Metrics checklist, which includes bonus Vendor Risk Management KPIs.
What are cybersecurity metrics & KPIs?
Cybersecurity metrics and key performance indicators (KPIs) are measurable values that track the effectiveness of cybersecurity efforts. These values provide a quantifiable way to see how well an organization is preventing, detecting, and responding to cyber threats.
Cybersecurity metrics range from the number of attempted breaches blocked to an organization’s incident response speed. KPIs are broader and measure things like overall risk reduction or improvement in compliance levels. Together, this data paints a picture of your organization’s cybersecurity posture—and identifies areas that need improvement.
Why are information security metrics important?
Whether you’re tracking incident response times, vendor risk ratings, or employee security training completion rates, the right cybersecurity metrics and KPIs empower you to make informed decisions and prove the value of your security investments.
Information security metrics transform raw data into actionable insights. Metrics provide visibility into an organization’s vulnerabilities, strengths, and weaknesses—allowing you to make data-driven decisions. As Peter Drucker said, what gets measured gets managed, and cybersecurity is no different. If you can't measure your security efforts, you won't know how you're tracking.
Cybersecurity metrics for the board
Cybersecurity metrics also play a major role in communication with an organization’s board members or stakeholders. Your tracked metrics and KPIs can speak directly to business risks and outcomes, including how cyber threats might impact an organization’s bottom line, reputation, and compliance status.
Key cybersecurity metrics for the board might include:
- Cost of cyber incidents
- Risk reduction over time
- Regulatory compliance
- Incident response automation
- Vendor Risk Management
These metrics give your board a clear view of how cybersecurity is being managed as part of the larger business strategy—making it easier to support continued investment in security measures.
14 Cybersecurity KPIs to track in Vendor Risk Management
Below are examples of clear KPIs and metrics you can track and present to your stakeholders to demonstrate your Vendor Risk Management efforts. To serve as a guide for improving performance across all 14 primary cybersecurity metrics, each checklist item is presented in question form.
Download this checklist here >
1. Level of preparedness
Level of preparedness measures how well an organization is equipped to prevent, detect, and respond to cybersecurity threats, including the readiness of its technology, processes, and people.
Tracking preparedness helps identify gaps in defenses and ensures an organization can act quickly when threats arise, reducing potential damage. Examples of this KPI include:
- The number of security incidents detected and resolved within a specific period (e.g., month, quarter, or year).
- The percentage of incidents prevented due to proactive security measures, such as endpoint protection, intrusion detection systems, and threat intelligence.
- The number of false positives and false negatives generated by security monitoring tools and how these numbers are being reduced through continuous refinement of the monitoring process.
- The level of employee security awareness and the frequency of cybersecurity awareness training programs.
- The frequency of simulated phishing attacks to test phishing attack susceptibility.
- How many devices on your corporate network have the latest security patches installed?
- How many high-risk vulnerabilities have been identified?
- How many systems have failed vulnerability scans, and what is the plan to remediate those issues?
- How frequently are backups taken, and how are they tested for completeness and accuracy?
- How often are disaster recovery, incident response, and business continuity plans tested, and when was the last successful test?
- How is your organization managing data classification and data retention policies, and how are those policies enforced?
- What is the frequency of security awareness training for employees, and what metrics are used to measure its effectiveness?
- How are security policies and procedures updated and communicated to employees, and how is compliance monitored?
- How many devices on your corporate network are running outdated operating systems or software?
- How many devices on your network are running end-of-life (EOL) software and no longer receiving security updates?
- How often are internal and vendor risk assessments conducted, and what actions are taken as a result of those assessments?
- How are security controls tested for effectiveness and assurance?
- How often are security policies and procedures reviewed and updated to reflect changes in the threat landscape?
To start evaluating the security risks of your vendors, download your free cybersecurity risk assessment template.
2. Unidentified devices on internal networks
Unidentified devices on internal networks refer to the number of devices or internal networks within an organization’s infrastructure that have not been identified or properly cataloged.
These unidentified devices or networks pose a significant security risk as they create entry points for cyber attackers. Understanding network security is a key part of robust cybersecurity programs, and tracking this metric includes understanding the following:
- What is the inventory of authorized devices on your network, and how is it maintained and kept up-to-date?
- How many assets are there in your network?
- How many of those assets store sensitive data?
- What is the process for responding to unauthorized devices on the network, and how are these devices quarantined and monitored?
- How are IoT devices secured, and what is the process for monitoring and patching their vulnerabilities?
- How is network segmentation implemented, and how are different types of devices segregated on the network?
- How are access controls implemented for devices on your network, and how are access permissions granted and revoked?
- How are devices authenticated and authorized before being allowed to connect to the network?
- What is the policy for employees bringing their own devices (BYOD) to work, and how are these devices managed and secured?
- What measures are in place to detect and respond to rogue access points or other unauthorized network infrastructure?
- What is the process for tracking the lifecycle of devices on your network, including acquisition, deployment, maintenance, and retirement?
- How are third-party devices and services securely integrated into your network, and how do you manage their access and permissions?
- What is the policy for remote access to your network, and what measures are in place to secure and monitor remote connections?
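The inventory questions above boil down to one comparison: what is actually on the wire versus what the asset register says should be there. The following is an added example, not code from the original article or from UpGuard's product. It reconciles a constructed discovery result (MAC address to IP, as an ARP table or DHCP lease list would give you) against a constructed authorized inventory and reports the counts the checklist asks for. The `Asset` record, the MAC values and the IP addresses are all assumptions made up for the example; the only real-world detail it handles is that different tools format MAC addresses differently, so addresses are normalized before comparison.

```python
from dataclasses import dataclass
import re

# Hypothetical asset record, as it might come from a CMDB export.
@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str
    sensitive_data: bool = False  # does this asset store sensitive data?

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-CC-00-00-01' and
    'aa:bb:cc:00:00:01' compare equal (scanners differ in formatting)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

# Constructed authorized inventory (MAC -> Asset). MACs are placeholders.
INVENTORY = {
    "aa:bb:cc:00:00:01": Asset("web-01", "platform", sensitive_data=False),
    "aa:bb:cc:00:00:02": Asset("db-01", "platform", sensitive_data=True),
    "aa:bb:cc:00:00:03": Asset("backup-01", "infra", sensitive_data=True),
}

# Constructed discovery result (MAC -> IP), e.g. from an ARP table or DHCP
# lease list. Note the different MAC formatting and the unknown device.
SCAN = {
    "AA-BB-CC-00-00-01": "10.0.1.10",
    "aa:bb:cc:00:00:02": "10.0.1.11",
    "de:ad:be:ef:00:99": "10.0.1.200",
}

def reconcile(inventory, scan):
    """Classify observed devices against the authorized inventory."""
    seen = {normalize_mac(m): ip for m, ip in scan.items()}
    known = {normalize_mac(m): a for m, a in inventory.items()}
    return {
        "authorized": sorted(seen.keys() & known.keys()),
        # on the wire but not cataloged: the "unidentified devices" metric
        "unidentified": sorted(seen.keys() - known.keys()),
        # cataloged but not observed: offline, retired, or a stale record
        "missing": sorted(known.keys() - seen.keys()),
        "unidentified_ips": {m: seen[m] for m in seen.keys() - known.keys()},
    }

def metric_summary(inventory, scan):
    """The numbers the checklist asks for: assets seen, how many are
    unidentified, and how many inventoried assets hold sensitive data."""
    r = reconcile(inventory, scan)
    total = len(r["authorized"]) + len(r["unidentified"])
    return {
        "assets_seen": total,
        "unidentified_count": len(r["unidentified"]),
        "unidentified_pct": round(100 * len(r["unidentified"]) / total, 1) if total else 0.0,
        "sensitive_assets": sum(1 for a in inventory.values() if a.sensitive_data),
        "missing_count": len(r["missing"]),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(INVENTORY, SCAN), indent=2))
    print(json.dumps(metric_summary(INVENTORY, SCAN), indent=2))
```

The "missing" bucket matters as much as the "unidentified" one: an inventory entry that is never observed is either an asset that should have been retired from the register or a device that has silently dropped off monitoring, and both distort the metric if left unreviewed.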
UpGuard’s attack surface monitoring solution can help you quickly map your attack surface by identifying all IP addresses in your digital inventory. This scanner can help you discover unmaintained assets expanding your attack surface and increasing your risk of suffering a data breach.
Take a tour of UpGuard's attack surface management features >
3. Intrusion attempts
Intrusion attempts measure the number of attempted breaches or unauthorized access events aimed at an organization’s networks or systems.
Tracking intrusion attempts provides an overview of the frequency and severity of threats targeting an organization, enabling CISOs and security teams to strengthen cybersecurity strategies where needed. Tracking intrusion attempts includes understanding the following:
- How many intrusion attempts have been detected and blocked by your intrusion detection system?
- What is the average time it takes to investigate and respond to detected intrusion attempts?
- What is the process for reporting intrusion attempts to relevant stakeholders, including management, legal, and law enforcement?
- How many unauthorized access attempts have been detected and blocked by your firewall?
- What is the process for investigating and responding to detected intrusion attempts, and how are those findings communicated?
- How are logs and other security event data collected and analyzed, and what tools and processes are used for this purpose?
- How are security incidents classified and prioritized, and what response procedures are in place for each classification?
- How frequently are security logs reviewed, and what is the process for reviewing them?
- How are security events and incidents correlated and analyzed to identify potential threats and attacks?
- What measures are in place to prevent false positives and false negatives in intrusion detection systems?
- How are network traffic patterns and anomalies monitored to detect potential intrusions?
- How are incident response plans updated and tested in response to new intrusion attempts and attack trends?
- How are security controls adjusted and fine-tuned based on the results of intrusion detection and response efforts?
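Several of the questions above (attempts blocked, log collection and analysis, correlation of events to spot repeated activity) come down to counting and grouping security events once they are parsed. The following is an added example, not code from the original article or from any IDS or firewall product. It parses a constructed key=value log format (the field names, the `BLOCK`/`ALLOW` actions and the signature labels are assumptions for the example, and the addresses are documentation-range placeholders), skips a malformed line rather than guessing at it, and produces the per-day, per-source and per-signature counts a metric like "intrusion attempts" is built from.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed firewall/IDS log lines in a simple key=value format; the format,
# signature names and addresses are made up for this example.
SAMPLE_LOG = """\
ts=2024-06-01T02:00:05Z action=BLOCK src=203.0.113.10 dst=10.0.0.5 dpt=22 sig=ssh-bruteforce
ts=2024-06-01T02:00:07Z action=BLOCK src=203.0.113.10 dst=10.0.0.5 dpt=22 sig=ssh-bruteforce
ts=2024-06-01T02:00:09Z action=BLOCK src=203.0.113.10 dst=10.0.0.5 dpt=22 sig=ssh-bruteforce
ts=2024-06-01T03:15:00Z action=ALLOW src=198.51.100.7 dst=10.0.0.8 dpt=443
ts=2024-06-01T04:20:00Z action=BLOCK src=198.51.100.9 dst=10.0.0.8 dpt=3389 sig=rdp-scan
ts=2024-06-02T09:00:00Z action=BLOCK src=203.0.113.10 dst=10.0.0.6 dpt=445 sig=smb-scan
this line is malformed and should be skipped
ts=2024-06-02T10:00:00Z action=ALLOW src=198.51.100.7 dst=10.0.0.8 dpt=443
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) action=(?P<action>BLOCK|ALLOW) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)(?: sig=(?P<sig>\S+))?$"
)

def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped
    and counted by the caller as (len(lines) - len(events)) if needed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed: skip, do not guess field values
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["dpt"] = int(d["dpt"])
        events.append(d)
    return events

def intrusion_metrics(events, repeat_threshold=3):
    """Counts that feed the 'intrusion attempts' KPI. A source seen blocked
    at least `repeat_threshold` times is flagged for follow-up."""
    blocked = [e for e in events if e["action"] == "BLOCK"]
    per_day = Counter(e["ts"].date().isoformat() for e in blocked)
    per_src = Counter(e["src"] for e in blocked)
    per_sig = Counter(e["sig"] or "unsignatured" for e in blocked)
    repeat = sorted(s for s, n in per_src.items() if n >= repeat_threshold)
    return {
        "events_parsed": len(events),
        "blocked": len(blocked),
        "blocked_per_day": dict(per_day),
        "top_sources": per_src.most_common(3),
        "by_signature": dict(per_sig),
        "repeat_sources": repeat,
    }

if __name__ == "__main__":
    for k, v in intrusion_metrics(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Reporting the parse failures alongside the counts is worth doing in practice: a sudden drop in "intrusion attempts" is just as likely to mean a log format change broke the parser as it is to mean attackers went quiet.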
4. Security incidents
Security incidents refer to any event that compromises the integrity, confidentiality, or availability of an organization’s information systems. These incidents can include successful ransomware attacks, data security breaches, and phishing attempts, among others.
Monitoring security incidents helps organizations understand their exposure to threats and the effectiveness of incident response processes. Track this metric by answering the following:
- How many security incidents have been detected and resolved in the past month/quarter/year?
- How many successful cyber attacks have occurred in the past month/quarter/year?
- What types of incidents have occurred, and what was the impact of each incident?
- What metrics are used to track incident response and resolution times, and how are these metrics used to improve the incident response process?
- How is data recovery managed in the event of a security incident, and how are backups tested and validated?
- What is the root cause analysis of each incident, and what corrective actions were taken to prevent similar incidents from occurring in the future?
- What is the average downtime experienced during a security incident, and what is the impact on the organization's operations?
- What is the average cost associated with a security incident, including costs for incident response, remediation, and reputational damage?
- How is user behavior monitored to identify potential security incidents or insider threats?
- How is threat intelligence gathered and used to proactively detect and prevent security incidents?
- What is the process for reporting security incidents to regulatory authorities, customers, and other stakeholders?
- How is the organization's incident response plan updated and tested to ensure it remains effective and relevant?
UpGuard’s vulnerability detection module ranks discovered internal and vendor security risks by criticality, helping security teams address threats most likely to result in a data breach. By making it easier to prioritize critical risks, UpGuard keeps your security posture optimized to resilient levels at all times.
Explore more features in a free trial of UpGuard >
5. Mean Time to Detect (MTTD)
Mean Time to Detect (MTTD) is a crucial metric for determining the efficiency of your organization's threat detection and response capabilities should a third-party vendor become compromised. A lower MTTD minimizes the time a hacker can operate undetected, reducing the potential damage and scope of a security incident.
To track MTTD, consider the following:
- How long does it take for your team to become aware of security threats and incidents?
- What is the average MTTD for your organization?
- What is the process for detecting and responding to security threats and incidents, and how is this process tested and validated?
- How are threat intelligence feeds and other sources of security information used to improve MTTD?
- How are security controls and monitoring tools tuned to improve detection and response times?
- How are alerts and events from security monitoring tools triaged and prioritized, and what criteria are used to determine severity?
- How often are security monitoring tools and sensors updated, and how is their updated performance monitored?
- What is the process for investigating and resolving security alerts and incidents, and how are those findings communicated?
- How are false positives and false negatives addressed in the security monitoring process, and how is this process continually refined?
- How are security incidents classified and prioritized, and what response procedures are in place for each classification?
- What training and education programs are in place for security analysts and incident responders, and how is their performance monitored and evaluated?
- Which other key metrics and KPIs are tracked alongside MTTD, and how do they relate to it?
6. Mean Time to Resolve (MTTR)
Mean Time to Resolve (MTTR) tracks the average time it takes to fully resolve a cybersecurity incident, from detection to remediation. Tracking this metric helps organizations reduce incidents' impact on business operations, limiting downtime and financial losses.
To track MTTR, organizations should focus on the following:
- What is your mean response time following immediate awareness of a cyber attack involving a vendor?
- What is the average MTTR for your organization?
- How is incident response coordinated and managed, and what resources and personnel are involved in the response process?
- How is the incident response process continually evaluated and improved, and what metrics are used to track this process?
- How are security incidents categorized and prioritized, and what response procedures are in place for each category?
- What are the key steps involved in the incident response process, and how are they tracked and measured?
- What is the average time it takes to identify the root cause of security incidents, and what measures are in place to ensure a thorough investigation?
- How are incident response teams trained and prepared for different types of security incidents, and how is their performance assessed during incident response exercises?
- What is the process for restoring systems and data following a security incident, and how is the effectiveness of this process validated?
- How are lessons learned from security incidents incorporated into incident response plans and procedures to prevent similar incidents in the future?
- What is the role of external resources, such as incident response vendors and law enforcement agencies, in the incident response process, and how are they coordinated and managed?
- How are stakeholders, such as customers and business partners, informed and kept up-to-date during the incident response process?
7. Mean Time to Contain (MTTC)
Mean Time to Contain (MTTC) measures the average time it takes to contain a security threat and prevent it from spreading across systems or networks. Quick containment is crucial to minimizing damage and limiting the scope of an attack, especially in highly connected environments like healthcare organizations.
Organizations can track MTTC by understanding the following:
- How long does it take to contain identified internal and third-party attack vectors across all endpoints and systems from the time of initial detection?
- What is the average MTTC for each type of security incident or attack, such as malware infections, data breaches, and DDoS attacks?
- How effective are your containment measures in preventing further damage or data loss, as measured by the scope and severity of each incident?
- How well do your incident response team and processes work in coordinating containment efforts across different departments such as IT, legal, and public relations?
- How do you prioritize and allocate resources to different types of incidents based on their severity, impact, and risk to your business operations and reputation?
- How will you prevent similar incidents in the future across each of the following threat mitigation categories: security controls, awareness training, and policy and procedure updates?
- How do you evaluate the success of your containment efforts, such as by measuring the reduction in incident frequency, cost, and time-to-remediation and the improvement in security awareness and compliance?
- How do you measure the reduction in incident frequency?
- How do you measure the reduction in time-to-remediation?
- How do you measure improvement in the cybersecurity habits of your staff?
8. First-party security ratings
First-party security ratings evaluate an organization’s cybersecurity posture, typically based on external assessments and industry-standard security scoring methods.
First-party security ratings provide a real-time snapshot of an organization’s security health, helping benchmark readiness while identifying areas of improvement. Tracking first-party security ratings includes answering the following:
- What is your organization's current security rating, and how is it calculated?
- How has your security rating changed over time, and what factors have contributed to these changes?
- What security controls and practices are evaluated as part of the security rating assessment?
- How does your organization compare to industry benchmarks and best practices in terms of security rating?
- How is the security rating used to identify areas of weakness and prioritize security investments?
- What communication channels are used to share the security rating with stakeholders, and how is this information used to build trust with customers and partners?
- What actions are taken to maintain or improve the security rating over time, and how are these actions tracked and evaluated?
9. Average vendor security rating
The average vendor security rating, based on external evaluations, reflects the overall cybersecurity posture of your third-party vendors. Monitoring vendor security ratings helps you manage third-party risks, ensuring that your partners don’t introduce vulnerabilities into your environment. Examples of tracking this metric include:
- How many vendors are in your organization's supply chain, and what percentage of those vendors are considered high-risk?
- What criteria are used to evaluate vendor security, and how are those criteria weighted?
- How frequently are vendor security assessments conducted, and what is the process for conducting those assessments?
- What types of security ratings or scoring systems are used to evaluate vendor security, and how are those ratings incorporated into the vendor selection process?
- How are vendor security ratings monitored and updated over time, and what is the process for reevaluating vendor security when new vulnerabilities or threats emerge?
- What is the process for addressing vendor security issues, and how are those issues communicated to the vendor?
- How is vendor security performance evaluated and reported to senior management or the board, and what metrics are used to measure it?
UpGuard’s security ratings features allow you to track the security postures of all vendors in real time. With security ratings quantified using an objective and reliable calculation mechanism, a drop in security ratings is a likely indication of a new security exposure that could result in a security incident if exploited by hackers.
Learn how UpGuard calculates security ratings >
10. Patching cadence
Patching cadence refers to how frequently and consistently an organization applies patches and updates to fix vulnerabilities in systems and software. A regular and timely patching process reduces the window of exposure to known vulnerabilities, minimizing the risk of exploitation and enhancing vulnerability management.
To track patching cadence, consider the following:
- How frequently are security patches and updates released by software vendors, and how quickly are they implemented?
- How are high-risk vulnerabilities prioritized for patching, and what is the process for testing and validating patches before implementation?
- How are legacy systems and software that are no longer supported by vendors patched, and what measures are in place to mitigate their security risks?
- How are patches and updates distributed and installed across different devices and systems, and how is this process managed and monitored?
- What is the average time it takes to apply patches once they are released, and what is the maximum acceptable patching window for high-risk vulnerabilities?
- What metrics are used to track patching effectiveness and compliance, and how are these metrics used to drive improvements in the patching process?
- How are patches validated to ensure they do not cause any conflicts or disruptions in the systems they are being applied to?
- How are legacy systems and applications that are no longer supported with security patches being handled? Is there a plan in place to deal with these systems?
- Are there any exceptions to the patching process, such as certain systems or applications that cannot be patched for operational or other reasons? How are these exceptions managed and mitigated?
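The patching questions above ask for the average time from release to install, the maximum acceptable window per severity, and how exceptions are managed. The following is an added example, not code from the original article or from UpGuard; it computes those figures from constructed patch records. The `PatchRecord` fields, the SLA windows in `SLA_DAYS`, the host names and the patch identifiers are all assumptions made up for the example. Two details carry the point: a host that has not yet installed a patch keeps accruing exposure days up to the reporting date instead of dropping out of the average, and a host with a documented exception is reported separately instead of being counted as compliant.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed SLA windows (days from vendor release to install) per severity.
# Illustrative policy values for this example, not a published standard.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

@dataclass
class PatchRecord:
    host: str
    patch_id: str                      # placeholder id, not a real advisory
    severity: str                      # key of SLA_DAYS
    released: date                     # vendor release date
    installed: Optional[date] = None   # None = not yet applied
    exception: Optional[str] = None    # documented reason the host cannot be patched

# Constructed sample data (not real hosts or patches).
SAMPLE_RECORDS = [
    PatchRecord("web-01", "PATCH-A", "critical", date(2024, 4, 1), date(2024, 4, 3)),
    PatchRecord("web-02", "PATCH-A", "critical", date(2024, 4, 1), date(2024, 4, 12)),
    PatchRecord("db-01",  "PATCH-A", "critical", date(2024, 4, 1), None),
    PatchRecord("hr-01",  "PATCH-B", "high",     date(2024, 4, 5), date(2024, 4, 10)),
    PatchRecord("ot-01",  "PATCH-B", "high",     date(2024, 4, 5), None,
                exception="vendor-certified controller; isolated on its own VLAN"),
]

def days_exposed(r: PatchRecord, as_of: date) -> int:
    """Days from release to install, or to `as_of` if the patch is still open,
    so an unpatched host keeps accruing exposure instead of disappearing."""
    end = r.installed if r.installed is not None else as_of
    return (end - r.released).days

def within_sla(r: PatchRecord, as_of: date) -> bool:
    return days_exposed(r, as_of) <= SLA_DAYS[r.severity]

def cadence_report(records, as_of: date):
    """Per-severity patching metrics. Hosts with a documented exception are
    reported in 'excepted' rather than silently counted as compliant."""
    report = {}
    for sev in SLA_DAYS:
        rows = [r for r in records if r.severity == sev]
        if not rows:
            continue
        in_scope = [r for r in rows if r.exception is None]
        applied = [r for r in in_scope if r.installed is not None]
        n = len(in_scope)
        report[sev] = {
            "hosts": len(rows),
            "excepted": len(rows) - n,
            "pct_applied": round(100 * len(applied) / n, 1) if n else None,
            "mean_days_to_patch": mean(days_exposed(r, as_of) for r in applied) if applied else None,
            "pct_within_sla": round(100 * sum(within_sla(r, as_of) for r in in_scope) / n, 1) if n else None,
            "overdue": [r.host for r in in_scope if not within_sla(r, as_of)],
        }
    return report

if __name__ == "__main__":
    for sev, row in cadence_report(SAMPLE_RECORDS, date(2024, 4, 20)).items():
        print(sev, row)
```

Note that "mean days to patch" is computed only over hosts that actually installed the patch, which is why it is paired with "percent within SLA" and the overdue list: the mean alone would look identical whether one host or all but one host were still unpatched.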
11. Access management
Access management measures how well an organization controls and monitors user access to sensitive systems and data. Strong access management reduces the risk of unauthorized access and helps protect sensitive information and critical systems from internal and external threats. Examples of tracking this metric include:
- How is access to sensitive data and systems controlled and monitored, and how is privilege escalation prevented?
- What are the different types of user roles and access levels, and how are they defined and documented?
- How often are user accounts reviewed and audited for compliance with access policies and procedures?
- Are all accounts secured with Multi-Factor Authentication (MFA)?
- Have you created password policies addressing common malpractices, such as password recycling and weak passwords?
- What is the process for monitoring user activity and access logs, and how are suspicious or anomalous behaviors detected and investigated?
- What controls are in place to protect privileged accounts?
- What are the procedures for granting temporary or emergency access to users, and how are these situations documented and reviewed?
- How is access to third-party applications and services managed, and what additional controls are in place to prevent unauthorized access or data leakage?
- How are access policies and procedures communicated to users, and what training or awareness programs are in place to promote secure access practices?
- How is access granted to new employees, and how is access removed when an employee leaves the company?
- What is the process for managing access requests and approvals, and how are these requests documented and tracked?
- How is access control regularly audited and reviewed, and how often are access policies and procedures updated?
- What are the consequences of non-compliance with access policies, and how is compliance with access policies monitored?
- How is access to sensitive data and systems restricted, and how are those restrictions enforced?
- How is the principle of least privilege applied to limit user access and reduce the risk of privilege escalation attacks?
- What tools and processes are used to monitor user activity and detect potential insider threats?
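Most of the access management questions above can be answered from a periodic join of the directory export with HR data: MFA coverage, privileged accounts without MFA, accounts that outlived their owner's employment, and accounts nobody has used. The following is an added example, not code from the original article or from UpGuard, that runs such a review over constructed account records. The `Account` fields, the user names, the dates and the 90-day dormancy threshold are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical account record: directory attributes joined with HR data.
@dataclass
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    privileged: bool                       # admin / root-equivalent role
    last_login: Optional[date]             # None = never logged in
    employee_left: Optional[date] = None   # HR separation date, if any

# Constructed sample data (not real users).
SAMPLE_ACCOUNTS = [
    Account("alice",   True,  True,  True,  date(2024, 5, 1)),
    Account("bob",     True,  False, True,  date(2024, 4, 28)),   # privileged, no MFA
    Account("carol",   True,  True,  False, date(2024, 1, 10)),   # not used for months
    Account("dave",    True,  False, False, date(2024, 4, 30),
            employee_left=date(2024, 4, 15)),                      # left, still enabled
    Account("svc-bkp", True,  False, False, None),                 # never logged in
    Account("erin",    False, False, False, date(2023, 12, 1),
            employee_left=date(2023, 12, 2)),                      # correctly disabled
]

def access_review(accounts, as_of: date, dormant_days: int = 90):
    """Findings for an access review as of `as_of`. Only enabled accounts
    count; a disabled account for a departed employee is the desired state."""
    enabled = [a for a in accounts if a.enabled]
    cutoff = as_of - timedelta(days=dormant_days)
    mfa = [a for a in enabled if a.mfa_enrolled]
    return {
        "enabled_accounts": len(enabled),
        "mfa_coverage_pct": round(100 * len(mfa) / len(enabled), 1) if enabled else None,
        # highest-risk gap first: privileged access with single-factor auth
        "privileged_without_mfa": [a.username for a in enabled
                                   if a.privileged and not a.mfa_enrolled],
        # joiner/leaver process failure: HR says gone, directory says active
        "orphaned": [a.username for a in enabled
                     if a.employee_left is not None and a.employee_left <= as_of],
        # unused access is unnecessary access (least privilege over time)
        "dormant": [a.username for a in enabled
                    if a.last_login is None or a.last_login < cutoff],
    }

if __name__ == "__main__":
    for k, v in access_review(SAMPLE_ACCOUNTS, date(2024, 5, 10)).items():
        print(f"{k}: {v}")
```

Run on a schedule, the three finding lists give you the trend the board-level KPI wants (are orphaned and dormant accounts going to zero and staying there?), while the MFA coverage percentage is the one number most stakeholders will recognize without explanation.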
12. Company vs peer performance
Benchmarking your organization's security performance and cybersecurity strategy against industry peers can provide valuable insights into areas for improvement. Comparing your performance against peers helps you understand where you stand in the industry, identify best practices, and prioritize areas that need attention.
To effectively compare your security posture with that of your peers, consider the following:
- What key performance indicators are used to measure your organization's security posture compared to industry peers?
- What specific security controls and policies do peer organizations have in place that your organization does not?
- How is your organization using benchmarking data to identify areas for improvement in your security program?
- What strategies are your peers using to stay ahead of emerging threats, and how can your organization adopt those strategies to better protect against cyber attacks?
- How has your organization's security performance compared to your peers over time, and what trends or patterns have emerged?
- How is your organization using competitive intelligence and industry insights to inform your security strategy and decision-making?
An executive summary report is one of the best methods of communicating your security performance with stakeholders. UpGuard offers a library of cybersecurity report designs to help you reflect your cybersecurity efforts in a style that meets the unique communication requirements of your stakeholders.
Read more about UpGuard’s reporting capabilities >
13. Vendor patching cadence
Vendor patching cadence tracks how frequently and consistently an organization’s third-party vendors apply patches and updates to fix vulnerabilities. Ensuring vendors follow a robust patching process is critical to minimizing third-party vulnerabilities that could affect an organization’s security. Examples of tracking this metric include:
- How frequently are your third-party vendors' systems scanned for vulnerabilities, and how are these scans conducted?
- How many risks have been identified in your third-party vendor's systems, and what is the plan to remediate these risks?
- How many critical vulnerabilities are yet to be remediated in your vendor's systems?
- What is the process for validating vendors who have implemented security patches?
- What is the process for terminating vendor relationships in the event of poor security performance or failure to comply with security standards?
- How is your organization monitoring fourth-party vendor risk (the vendors used by your vendors)?
- How is your organization prioritizing patching for third-party vendors based on risk level?
- What is the process for communicating patching requirements and deadlines to third-party vendors?
- How is your organization tracking compliance with vendor patching requirements and deadlines?
UpGuard’s Vendor Tiering feature allows third-party vendors to be tiered based on security criticality. This allows vendors with the highest potential impact on your security posture to be prioritized in monitoring and remediation processes, reducing the likelihood and impact of third-party breaches.
Check out more features with a free trial of UpGuard >
14. Mean time for vendor incident response
The efficiency of your vendors' incident response is crucial for minimizing the risk of data breaches. The longer it takes vendors to respond to incidents, the higher the chance you will suffer from a third-party data breach. To ensure a prompt and effective incident response from your vendors, consider the following:
- How long does it take for a vendor to respond to security incidents and vulnerabilities?
- What is the average MTTR for your vendor's incident response?
- How is incident response coordination managed between your organization and your vendors?
- How are security incidents and vulnerabilities communicated to vendors, and how is response progress tracked?
- How are vendor response times and incident response performance evaluated and monitored?
- How are vendor incident response procedures continually evaluated and improved, and what metrics are used to track this process?
- How are incident response procedures for third-party vendors integrated into your overall incident response plan, and how are they updated and communicated to relevant personnel?
- How are incident response responsibilities and expectations outlined in service level agreements (SLAs) with third-party vendors, and how are these SLAs monitored and enforced?
Learn more about data breaches and how to prevent them in our free eBook, A Complete Guide to Data Breaches.
Frequently asked questions
- What are metrics in cybersecurity? Metrics in cybersecurity are measurable data points used to track the effectiveness of security controls and processes.
- What are the top 5 security metrics? The top five security metrics include incident response times, number of detected vulnerabilities, patching cadence, intrusion attempts, and security training completion rates.
- What are KPIs in cybersecurity? KPIs in cybersecurity are key performance indicators that measure long-term security goals, such as risk reduction, compliance, or incident resolution efficiency.
- What are the 5 C’s for cybersecurity? The 5 C’s for cybersecurity refer to Change, Compliance, Cost, Continuity, and Coverage.
- How do you measure cybersecurity success? Cybersecurity success is measured by tracking metrics like reduced incidents, faster response times, risk mitigation, and compliance with regulatory standards.
How to choose the right cybersecurity metrics for your VRM program
There’s no objective standard for choosing the right set of cybersecurity KPIs and KRIs in the context of Vendor Risk Management. Your choice of metrics depends on your industry, security needs, regulations (NIST, GDPR, HIPAA, etc.), guidelines, best practices, and ultimately, your and your customers’ appetite for risk. Outside of the metrics outlined above, the CIS Controls also provide a cost-effective, prioritized list of security controls for improving cybersecurity performance internally and across the vendor threat landscape.
That said, you will want to choose metrics that are clear to anyone, even non-technical stakeholders. A good rule of thumb is if your non-technical stakeholders can't understand them, you need to either pick new metrics or do a better job of explaining them. Benchmarks and industry comparisons are an easy way to make even complex metrics understandable.
When referencing cybersecurity metrics in an executive meeting, remember the most important metric to focus on is cost. The objective of these meetings is to demonstrate how cybersecurity is saving the organization money. For best results, it's highly recommended that you support your presentation with a cybersecurity executive report.