KRI 101: Information Security

Updated: Jul 29

Vector image of a man pulling the needle of a giant speedometer representing KRI towards low
KRI 101: Information Security

Implementing and managing key risk indicators in the field of information security comes with its own subset of risks and challenges. To ensure that you have an iron-clad security management system in place, you will need to be equipped with all the necessary information to come up with KRIs for your business.

What Is A Key Risk Indicator?

The key risk indicator is one of the most critical metrics that well-governed organizations track. These indicators measure how risky or threatening activity is for the business goal set by the organization. These risks are pit against the organization's objectives and then deduced to check the level of threat they pose.

The purpose of key risk indicators is to provide early warning signals or signs when the risks are actively moving in a direction that may affect the organization's overall performance.

How Do Key Risk Indicators Work?

KRIs aid in managing and monitoring risks. They correspond to several operational risk management procedures and activities, including risk identification, and risk control evaluations. The application of frameworks for risk appetite, risk management, and governance also comes under Key Risk Indicators.

A risk indicator is essentially any variable that is used to track changes in risk exposure over time. When they track a crucial risk or do so successfully due to their predictive value, they become KRIs.

Here is a detailed structure of how key risk indicators monitor risks.

Start With Defining Objectives

Key risk indicators begin by identifying the objectives which will minimize the possibility of a data breach in the context of infosec. Defining these objectives will ensure that you have a steadfast system in place to achieve business goals.

Identify The Posed Risks

Post defining objectives, your organization will have to play a hands-on approach to identifying the risks associated with the mentioned objectives. In this instance, the risks can be identified as a breach of customer information or unauthorized access to data storage folders.

Develop The Correct Indicators

To get early warnings regarding the identified risks, you must have the correct key indicators. If the customer data breach is a risk, then the key risk indicator here would be many simultaneous system logins using the same ID.

Monitor And Issue Warnings

Key risk indicators are not defense mechanisms. They can only indicate that the identified risk exceeds the tolerance threshold, upon which your organization must take corrective action. Here, the warning would be issued if more than one login uses the same ID.

Assign Workflow

The threat does not extinguish once the warning has been issued. For effective control and security, your organization should establish a team wherein alerts are sent and tasks assigned to follow up with the notifications.

Mitigation Of Risks

This entire structure terminates when the warnings from crucial risk indicators are acted upon. Taking necessary steps would result in no breach of customer data, which will consequently mean that the risk has been mitigated.

These key risk indicators are, therefore, advance notifiers of threats, but only if structured and implemented in the correct way.

What Are the Types Of KRIs?

Broadly, key risk indicators are divided into three categories depending on their nature. These three categories help us understand the risk's state alongside other detrimental factors.

  1. Leading Indicators

These indicators are signifiers of emerging risk trends related to events that may occur in the future. Planning for the future should consider a variety of leading indicators since different leading indicators have varying degrees of accuracy, precision, and leading linkages.

An example of a leading indicator could be the number of employees who click on phishing emails.

  1. Current Indicators

As the term suggests, current indicators are signifiers of the risk that the organization is currently exposed to.

An example of a current indicator will be the number of staff who have not completed the mandatory security training.

  1. Lagging Indicators

These indicators are historical notes one must keep in mind, so they don't occur again. They are risks that turned into threats in the past and could potentially repeat themselves.

The time taken between the termination of an employee to the deletion of their account can be considered an example of a lagging indicator.

Key risk indicators also differ based on operational risks. According to the nature of the organization, there are two ways you can select key risk indicators, and they are;

  1. Top-down key risk indicators

Select metrics are made by senior management and/or directors to track goals across the organization. For KRIs at the strategic level, this is often the best strategy. In the context of top-level strategy and company objectives, top-down KRIs can assist aggregation and management comprehension.

  1. Bottom-up key risk indicators

The business entity or process manager chooses and keeps track of the indicators they believe are important for their operational processes using this method. A bottom-up strategy ensures that managers of business entities use metrics most pertinent to the actual operational goals of their commodities and processes.

How To Differentiate Between Good And Bad Key Risk Indicators?

Having too many risk indicators can be as threatening as having fewer risk indicators. While the latter does not provide enough information to gain an insight into the organization, the former runs the risk of offering too much information. There is no right or an incorrect number of risk indicators to have; however, the Institute of Operational Risk advises taking into account the following:

  • Number of key risks identified

  • If the data needed to monitor key risk indicators are easily accessible

  • The cost of extracting information

  • Intended audience and scope

However, it is vital to remember that simply addressing these factors will not provide you with a good-to-go key risk indicator checklist. To differentiate between good KRIs from bad KRIs, you'll have to keep a few things in mind, and they are as follows.

  1. Relevancy: The indicator/data assists in identifying, quantifying, tracking, or managing risk and/or risk-related repercussions that are directly related to important business goals or Key Performance Indicators.

  1. Measurable or Quantifiable: If the metric or data can be quantified (as a number, percentage, etc.), is comparatively accurate, comparable over time, and has value even without further analysis.

  1. Predictability: The indicator is good if it can predict future risks or issues that management can proactively act on in the present.

  1. Monitoring with ease: The indicator should include information that is easy to gather, analyze, and report on, as well as affordable for the organization.

  1. Auditable: The data you gathered, compiled, and reported on for the specific indicator should all be verifiable and accounted for.

  1. Comparability: It's critical to be able to benchmark your indication and data—both internally and against industry standards so that you can confirm the indicator thresholds,

Examples Of KRIs In Information Security

You now know the purpose of KRIs, the qualities of a strong KRI, and how KRIs work. Finding the KRIs that might be useful for your group or organization is the next step. However, picking from a predetermined list of indications isn't always as simple as it is when it comes to IT governance.

Which KRIs should be monitored depends on a variety of characteristics that are unique to each organization, including objectives, culture, products, processes, and other activities. Your lists of KRIs for IT governance may differ depending on the items you sell, who regulates you, where you operate, and the specific goals and priorities of your firm.

To simplify the learning process, we have picked three common key risk indicators across infosec systems and described their associated risks along with their nature.

Key Risk Indicators

Business Interruption

Reputational Damage

Customer Information Breach

Associated risk

Loss of Data

Terminated employees having access to systems


Measurable risk indicator

Number of system backup failures

Average amount of time between terminating an employee and ending account access or system access.

The number of employees who click on phishing emails.





Reason for tracking this metric

Backup failures may come from system failures brought on by highly customized software or from new or updated software.

Serious data breaches may occur if fired personnel were given continued access to networks and data.

You can determine whether employees need more security training by putting up phishing simulations and testing them on your staff.

Closing Thoughts

Most Key Risk Indicators have specific, measurable thresholds, owing to which they can be dynamically updated through continuous monitoring and analysis. You can use KRIs to automate workflows whenever thresholds are exceeded and ensure you're on top of tracking follow-up and rectifying mistakes. With information about KRIs in hand, you can easily link it with KPIs and monitor how it affects your business health and growth.