Security teams either measure nothing or measure everything — and drowning leadership in forty numbers is its own failure. The discipline is picking metrics that change a decision. This framework organises the field into eight domains and two dozen KPIs, tags each with the direction that counts as improvement, and then strips it back to the handful that belong in front of a board. Two of them — how fast you detect and how fast you respond — sit above all the rest.
1 · The Scorecard: 24 KPIs, 8 Domains
Each KPI, what it measures, and which direction is good. “Good when” matters more than people expect — some metrics you drive down (dwell time, click rate), some you drive up (patch compliance, reporting), and a few are context only.
| Domain | KPI | What it measures | Good when |
|---|---|---|---|
| Threat Detection | MTTD (mean time to detect) | Average time to identify a security incident | ↓ lower |
| Security alerts volume | Number of alerts generated in a period | — context | |
| False positive rate | % of alerts wrongly flagged as threats | ↓ lower | |
| Incident Response | MTTR (mean time to respond) | Average time to contain and remediate | ↓ lower |
| Incident resolution rate | % of incidents successfully resolved | ↑ higher | |
| Escalation rate | % of incidents needing higher-tier help | — context | |
| Vulnerability Mgmt | Vulnerability remediation time | Average time to patch a found vuln | ↓ lower |
| Critical vulnerability count | Number of high-risk vulns open | ↓ lower | |
| Patch compliance rate | % of systems fully patched | ↑ higher | |
| Identity & Access | Privileged access violations | Unauthorised privileged-access attempts | ↓ lower |
| Access review completion | % of periodic reviews done on time | ↑ higher | |
| Account compromise rate | % of user accounts compromised | ↓ lower | |
| Awareness & Training | Phishing click rate | % who clicked a phishing simulation | ↓ lower |
| Training completion rate | % of staff completing training | ↑ higher | |
| Reported incidents (by staff) | Incidents employees flag themselves | ↑ higher | |
| Governance & Risk | Policy compliance rate | % adherence to security policies | ↑ higher |
| Audit findings count | Number of audit issues identified | ↓ lower | |
| Risk mitigation coverage | % of risks with a mitigation plan | ↑ higher | |
| Cloud & Infra | Misconfiguration rate | % of insecure configs detected | ↓ lower |
| Endpoint protection coverage | % of endpoints actively protected | ↑ higher | |
| System availability (uptime) | % of time systems stay operational | ↑ higher | |
| Cyber Resilience | Backup success rate | % of successful system backups | ↑ higher |
| RTO adherence | % of recoveries meeting defined RTOs | ↑ higher | |
| Business continuity readiness | Overall preparedness for disruption | ↑ higher |
▸ The one people get backwards: staff-reported incidents rising is good. It signals a reporting culture, not more attacks — a falling number more often means people stopped telling you.
2 · The Two Clocks Above All Others
If you can only track two numbers, track these. Together MTTD and MTTR describe attacker dwell time — how long an intruder operates before you see them and before you stop them. Almost every other KPI on the scorecard exists to pull one of these two down.
| Metric | The question it answers | What lowers it |
|---|---|---|
| MTTD | “How long until we notice?” | Better detection coverage & tuning, lower false-positive rate, threat hunting |
| MTTR | “How long until we stop it?” | Playbooks & automation (SOAR), clear ownership, rehearsed incident response |
▸ See SOC · SIEM · SOAR for the machinery that moves these two clocks — the SIEM shortens MTTD, the SOAR shortens MTTR.
3 · Leading vs Lagging — and What the Board Sees
Half these KPIs tell you what already happened (lagging); half predict what’s coming (leading). A mature programme watches leading indicators to move the lagging ones — you cut breaches by fixing patch compliance and click rates, not by staring at the breach count.
| Type | Examples | Use it to… |
|---|---|---|
| Leading (predictive) | Patch compliance, phishing click rate, training completion, access-review completion, misconfiguration rate | Act early — these move before an incident does |
| Lagging (outcome) | MTTR, account compromise rate, audit findings, incidents | Judge results — the score after the game |
▸ For the board, roll 24 down to ~5: MTTD, MTTR, patch compliance, phishing click rate, and business-continuity readiness. One detection clock, one response clock, one hygiene leading-indicator, one human leading-indicator, one resilience outcome.
Bottom line
- A KPI must change a decision — if a number wouldn’t alter what you do, it’s a vanity metric.
- Two clocks rule them all — MTTD and MTTR capture dwell time; most other KPIs feed one of them.
- Direction is the trap — reported incidents up is healthy; alert volume is context, not a score.
- Lead, don’t just lag — move patch compliance and click rate to move the breach count.
- Five, not twenty-four, for the board — detection, response, hygiene, humans, resilience.
Sources & method. The eight domains and their KPIs reflect common security-operations and GRC scorecards; definitions describe standard usage. “Good when” directions and the leading/lagging split are the author’s analysis. No fixed benchmark values are asserted — targets depend on sector and maturity. Original analysis; no third-party graphics or text reproduced.