Manzill Surolia

Analysis · 17 Jul 2026

Cybersecurity KPIs: A Measurement Framework

Two dozen metrics across eight domains — but a KPI only earns its place if it changes a decision. Here is what each measures, which way is “good,” and the few that belong on a board deck.

8measurement domains
24KPIs on the scorecard
2north-star clocks: MTTD & MTTR
3–5that actually belong on a board deck
1counter-intuitive: more reports = better

Security teams either measure nothing or measure everything — and drowning leadership in forty numbers is its own failure. The discipline is picking metrics that change a decision. This framework organises the field into eight domains and two dozen KPIs, tags each with the direction that counts as improvement, and then strips it back to the handful that belong in front of a board. Two of them — how fast you detect and how fast you respond — sit above all the rest.

1 · The Scorecard: 24 KPIs, 8 Domains

Each KPI, what it measures, and which direction is good. “Good when” matters more than people expect — some metrics you drive down (dwell time, click rate), some you drive up (patch compliance, reporting), and a few are context only.

DomainKPIWhat it measuresGood when
Threat DetectionMTTD (mean time to detect)Average time to identify a security incident↓ lower
Security alerts volumeNumber of alerts generated in a period— context
False positive rate% of alerts wrongly flagged as threats↓ lower
Incident ResponseMTTR (mean time to respond)Average time to contain and remediate↓ lower
Incident resolution rate% of incidents successfully resolved↑ higher
Escalation rate% of incidents needing higher-tier help— context
Vulnerability MgmtVulnerability remediation timeAverage time to patch a found vuln↓ lower
Critical vulnerability countNumber of high-risk vulns open↓ lower
Patch compliance rate% of systems fully patched↑ higher
Identity & AccessPrivileged access violationsUnauthorised privileged-access attempts↓ lower
Access review completion% of periodic reviews done on time↑ higher
Account compromise rate% of user accounts compromised↓ lower
Awareness & TrainingPhishing click rate% who clicked a phishing simulation↓ lower
Training completion rate% of staff completing training↑ higher
Reported incidents (by staff)Incidents employees flag themselves↑ higher
Governance & RiskPolicy compliance rate% adherence to security policies↑ higher
Audit findings countNumber of audit issues identified↓ lower
Risk mitigation coverage% of risks with a mitigation plan↑ higher
Cloud & InfraMisconfiguration rate% of insecure configs detected↓ lower
Endpoint protection coverage% of endpoints actively protected↑ higher
System availability (uptime)% of time systems stay operational↑ higher
Cyber ResilienceBackup success rate% of successful system backups↑ higher
RTO adherence% of recoveries meeting defined RTOs↑ higher
Business continuity readinessOverall preparedness for disruption↑ higher

▸ The one people get backwards: staff-reported incidents rising is good. It signals a reporting culture, not more attacks — a falling number more often means people stopped telling you.

2 · The Two Clocks Above All Others

If you can only track two numbers, track these. Together MTTD and MTTR describe attacker dwell time — how long an intruder operates before you see them and before you stop them. Almost every other KPI on the scorecard exists to pull one of these two down.

MetricThe question it answersWhat lowers it
MTTD“How long until we notice?”Better detection coverage & tuning, lower false-positive rate, threat hunting
MTTR“How long until we stop it?”Playbooks & automation (SOAR), clear ownership, rehearsed incident response

▸ See SOC · SIEM · SOAR for the machinery that moves these two clocks — the SIEM shortens MTTD, the SOAR shortens MTTR.

3 · Leading vs Lagging — and What the Board Sees

Half these KPIs tell you what already happened (lagging); half predict what’s coming (leading). A mature programme watches leading indicators to move the lagging ones — you cut breaches by fixing patch compliance and click rates, not by staring at the breach count.

TypeExamplesUse it to…
Leading (predictive)Patch compliance, phishing click rate, training completion, access-review completion, misconfiguration rateAct early — these move before an incident does
Lagging (outcome)MTTR, account compromise rate, audit findings, incidentsJudge results — the score after the game

▸ For the board, roll 24 down to ~5: MTTD, MTTR, patch compliance, phishing click rate, and business-continuity readiness. One detection clock, one response clock, one hygiene leading-indicator, one human leading-indicator, one resilience outcome.

Bottom line

  • A KPI must change a decision — if a number wouldn’t alter what you do, it’s a vanity metric.
  • Two clocks rule them all — MTTD and MTTR capture dwell time; most other KPIs feed one of them.
  • Direction is the trap — reported incidents up is healthy; alert volume is context, not a score.
  • Lead, don’t just lag — move patch compliance and click rate to move the breach count.
  • Five, not twenty-four, for the board — detection, response, hygiene, humans, resilience.

Sources & method. The eight domains and their KPIs reflect common security-operations and GRC scorecards; definitions describe standard usage. “Good when” directions and the leading/lagging split are the author’s analysis. No fixed benchmark values are asserted — targets depend on sector and maturity. Original analysis; no third-party graphics or text reproduced.