Key Performance, Key Risk and Key Control Indicators

The most important thing to remember is that Key Performance Indicators should be based on the SMART concept:

  • Specific,
  • Measurable,
  • Attainable,
  • Relevant,
  • Timely.

It's also crucial to remember that metrics need to be MARC:

  • Measurable,
  • Actionable,
  • Reproducible,
  • Comparable.

Examples of KPIs would be network availability, customer satisfaction, number of complaints, number of employees that attended a security awareness session, and so on.

A Key Risk Indicator sets a threshold for an alert when the risk level approaches an unacceptable level.

Examples include:

  • number of unauthorized equipment detected in scans,
  • number of instances of SLAs exceeding threshold,
  • number of business critical systems unable to meet recovery requirements,
  • number of systems missing critical patching,
  • number of business critical systems which are non-compliant with enterprise security standards.

Examples of Key Control Indicators:

  • number of phishing emails not blocked by filtering system,
  • number of user accounts with non-compliant passwords,
  • number of accounts with inappropriate level of access.
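The KRI and KCI lists above are easiest to reason about as counts computed from inventory data and checked against two thresholds: a warning level (the risk is approaching unacceptable) and a critical level (it has reached it). The following Python is an added illustration, not code from the original post; the asset inventory, access-review extract, mail-filter statistics, indicator names and threshold values are all constructed for the example.

```python
"""Computing KRIs and KCIs from sample data and checking them against
alert thresholds. Added illustration; all data and thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed asset inventory snapshot (hypothetical hosts).
ASSETS = [
    {"host": "app01", "critical": True,  "missing_critical_patch": True,  "meets_recovery_target": True,  "std_compliant": True},
    {"host": "app02", "critical": True,  "missing_critical_patch": False, "meets_recovery_target": False, "std_compliant": False},
    {"host": "db01",  "critical": True,  "missing_critical_patch": True,  "meets_recovery_target": True,  "std_compliant": True},
    {"host": "wks01", "critical": False, "missing_critical_patch": True,  "meets_recovery_target": True,  "std_compliant": True},
    {"host": "wks02", "critical": False, "missing_critical_patch": False, "meets_recovery_target": True,  "std_compliant": False},
]

# Constructed access-review extract: password-policy result and granted vs. approved role.
ACCOUNTS = [
    {"user": "alice", "password_compliant": True,  "granted": "user",  "approved": "user"},
    {"user": "bob",   "password_compliant": False, "granted": "admin", "approved": "user"},
    {"user": "carol", "password_compliant": True,  "granted": "admin", "approved": "admin"},
    {"user": "dave",  "password_compliant": False, "granted": "user",  "approved": "user"},
]

# Constructed mail-filter statistics for the reporting period.
PHISHING_STATS = {"reported_phishing": 200, "blocked_by_filter": 188}


@dataclass
class Indicator:
    name: str
    value: float
    warn: float       # "approaching unacceptable": amber alert
    critical: float   # unacceptable level: red alert
    previous: Optional[float] = None  # last period's value, for comparability (MARC)

    def status(self) -> str:
        if self.value >= self.critical:
            return "RED"
        if self.value >= self.warn:
            return "AMBER"
        return "GREEN"

    def trend(self) -> str:
        if self.previous is None or self.value == self.previous:
            return "flat"
        return "worse" if self.value > self.previous else "better"


def compute_kris(assets: List[dict]) -> List[Indicator]:
    """Key Risk Indicators: early-warning counts derived from the asset inventory."""
    critical_systems = [a for a in assets if a["critical"]]
    return [
        Indicator("systems_missing_critical_patches",
                  sum(1 for a in assets if a["missing_critical_patch"]),
                  warn=2, critical=3, previous=1),
        Indicator("critical_systems_failing_recovery_requirements",
                  sum(1 for a in critical_systems if not a["meets_recovery_target"]),
                  warn=1, critical=3, previous=1),
        Indicator("critical_systems_noncompliant_with_standards",
                  sum(1 for a in critical_systems if not a["std_compliant"]),
                  warn=2, critical=3, previous=2),
    ]


def compute_kcis(accounts: List[dict], phishing: dict) -> List[Indicator]:
    """Key Control Indicators: do the controls already in place actually work?"""
    unblocked = phishing["reported_phishing"] - phishing["blocked_by_filter"]
    unblocked_pct = 100.0 * unblocked / phishing["reported_phishing"]
    return [
        Indicator("phishing_emails_not_blocked_pct", round(unblocked_pct, 1),
                  warn=5.0, critical=10.0, previous=4.0),
        Indicator("accounts_with_noncompliant_passwords",
                  sum(1 for a in accounts if not a["password_compliant"]),
                  warn=1, critical=3),
        Indicator("accounts_with_inappropriate_access",
                  sum(1 for a in accounts if a["granted"] != a["approved"]),
                  warn=1, critical=2),
    ]


def evaluate(indicators: List[Indicator]) -> Dict[str, str]:
    """Map each indicator name to its alert status (GREEN / AMBER / RED)."""
    return {i.name: i.status() for i in indicators}


def report() -> Dict[str, str]:
    """Print one line per indicator and return the status map."""
    all_indicators = compute_kris(ASSETS) + compute_kcis(ACCOUNTS, PHISHING_STATS)
    for i in all_indicators:
        print(f"{i.name:<48} {i.value:>6} {i.status():<5} ({i.trend()})")
    return evaluate(all_indicators)


if __name__ == "__main__":
    report()
```

The two-level threshold is what makes these risk indicators rather than plain counts: amber fires while the value is still approaching the unacceptable level, so there is time to act before the red threshold is crossed. Carrying the previous period's value alongside each indicator keeps the metric comparable over time, which is the "C" in MARC.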

What's the difference between a KRI and a KCI?

A Key Risk Indicator is like an early-warning sign. It's about spotting possible danger ahead of time.

Key Control Indicators, on the other hand, are about checking whether the things we do to keep ourselves safe actually work. They measure something that has already been implemented to mitigate risk.

All in all, KPIs measure activity goals.
KRIs measure increased risk level.
KCIs measure performance of control actions.