The most important thing is to remember that a Key Performance Indicator should be based on the SMART concept:
- Specific,
- Measurable,
- Attainable,
- Relevant,
- Timely.
It's also crucial to remember that metrics need to be MARC:
- Measurable,
- Actionable,
- Reproducible,
- Comparable.
Examples of KPIs are network availability, customer satisfaction, number of complaints, number of employees that attended a security awareness session…
…
A Key Risk Indicator sets a threshold for an alert when the risk level approaches an unacceptable level.
This could be, e.g.:
- number of unauthorized devices detected in scans,
- number of instances of SLAs exceeding threshold,
- number of business critical systems unable to meet recovery requirements,
- number of systems missing critical patching,
- number of business critical systems which are non-compliant with enterprise security standards.
…
Key Control Indicators:
- number of phishing emails not blocked by filtering system,
- number of user accounts with non-compliant passwords,
- number of accounts with inappropriate level of access.
…
What's the difference between KRI and KCI?
A Key Risk Indicator is like an early-warning sign. It's about spotting possible danger ahead of time.
Key Control Indicators, on the other hand, are about checking whether the things we do to keep ourselves safe work properly. They measure something that has already been implemented to mitigate risk.
All in all, KPIs measure activity goals.
KRIs measure increased risk level.
KCIs measure performance of control actions.
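The following is an added illustration, not code from the original text: it computes one KRI from the list above (number of business-critical systems missing critical patching) and one KCI (number of phishing emails not blocked by the filtering system) from constructed sample data, and evaluates each against a "warning" threshold (risk approaching unacceptable) and an "alert" threshold (unacceptable). The inventory, mail verdicts, the 30-day patching SLA and the threshold values are all assumptions made up for the example.

```python
"""Evaluating a KRI and a KCI against thresholds (added example, constructed data)."""
from dataclasses import dataclass

# Constructed sample: business-critical systems and their outstanding critical patches.
# Each entry: (hostname, critical patches outstanding, age in days of the oldest one)
PATCH_INVENTORY = [
    ("app-01", 0, 0),
    ("app-02", 2, 35),
    ("db-01", 1, 12),
    ("db-02", 3, 60),
    ("web-01", 0, 0),
    ("web-02", 1, 45),
]

# Constructed sample: mail-filter verdicts for one reporting period.
# Each entry: (message id, was it phishing, did the filter block it)
MAIL_VERDICTS = [
    ("m1", True, True),
    ("m2", True, True),
    ("m3", False, False),
    ("m4", True, False),   # phishing that reached a mailbox
    ("m5", True, True),
    ("m6", False, False),
    ("m7", True, False),   # phishing that reached a mailbox
    ("m8", True, True),
]


@dataclass(frozen=True)
class Indicator:
    name: str        # Specific: what exactly is measured
    value: float     # Measurable: the number for this period
    warn_at: float   # risk approaching the unacceptable level
    alert_at: float  # the unacceptable level (the alert threshold)

    @property
    def status(self) -> str:
        """Map the measured value onto ok / warning / alert (Actionable)."""
        if self.value >= self.alert_at:
            return "alert"
        if self.value >= self.warn_at:
            return "warning"
        return "ok"


def kri_systems_missing_critical_patches(inventory, max_age_days=30, warn_at=2, alert_at=3):
    """KRI: systems with a critical patch outstanding longer than the patching SLA.

    Reproducible: the same inventory always yields the same count.
    """
    overdue = [host for host, outstanding, age in inventory
               if outstanding > 0 and age > max_age_days]
    return Indicator("business-critical systems missing critical patching",
                     len(overdue), warn_at, alert_at)


def kci_phishing_not_blocked(verdicts, warn_at=1, alert_at=3):
    """KCI: phishing emails the filtering control failed to block."""
    missed = [mid for mid, is_phish, blocked in verdicts if is_phish and not blocked]
    return Indicator("phishing emails not blocked by filtering system",
                     len(missed), warn_at, alert_at)


def phishing_block_rate(verdicts) -> float:
    """Block rate as a fraction, so periods with different mail volume stay Comparable."""
    phish = [blocked for _, is_phish, blocked in verdicts if is_phish]
    if not phish:
        return 1.0  # nothing to block means the control was not exercised
    return sum(1 for blocked in phish if blocked) / len(phish)


def report(indicators) -> str:
    """One line per indicator, ready for a dashboard or a ticket."""
    return "\n".join(
        f"[{ind.status.upper():7}] {ind.name}: {ind.value} "
        f"(warn >= {ind.warn_at}, alert >= {ind.alert_at})"
        for ind in indicators
    )


if __name__ == "__main__":
    kri = kri_systems_missing_critical_patches(PATCH_INVENTORY)
    kci = kci_phishing_not_blocked(MAIL_VERDICTS)
    print(report([kri, kci]))
    print(f"phishing block rate: {phishing_block_rate(MAIL_VERDICTS):.1%}")
```

With the constructed data, three systems are past the patching SLA, so the KRI fires an alert, while two of six phishing messages got through the filter, which lands the KCI in the warning band. Keeping the thresholds as parameters rather than hard-coding them is what makes the indicator Attainable and Relevant: the security team sets them from the organisation's own risk appetite, and the same code is then rerun each period so the values are Comparable over time.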