You can't improve what you don't measure. The "Security KPI and KRI" package defines the measurements that are essential to understanding your security posture. It includes business, ISMS, operations, cybersecurity, security risk and audit performance measures (including a security dashboard).
Security KPI and KRI
The ISMS (Information Security Management System) measures show how well the management system is run within your organization. Some of this is measured through the security awareness of staff, the number of exceptions granted to existing policies, the achievement of management system objectives, etc.
Cybersecurity measures cover incidents such as DDoS, unauthorized access, data loss, web defacement, etc. These are all part of the various cyber-attack scenarios that must be monitored. Cybersecurity measurements show how well an organization fares against those cyber threats, regardless of where the attack originates.
Audits provide an independent view of your management systems and other security aspects within an agreed scope. Trends in these measurements must be observed to understand improvements in these areas. When you measure the number of non-conformities, it is also important to understand the quality of each finding. Ultimately, it is not the number of audit findings but the quality of the findings that counts.
The business would like to understand the impact that information security investments have on its business objectives. It is important to measure the financial effectiveness of information security, especially the value under protection, the cost of protecting it, and the losses incurred through cyber-attacks and other means after protection measures have been implemented.
Most organizations measure their security operations in far greater detail than necessary. Every measurement must produce actionable intelligence that enables the organization to take the actions that continually improve its security posture.
Every security organization measures its security risk management practices to understand their effectiveness. These measures demonstrate an organization's risk appetite and risk tolerance levels; a measure such as 'number of high-rated risks accepted' is a good example. Risk management measurements are a strong reflection of an organization's future security posture.
Visualization is everything. With people increasingly accustomed to short videos and short texts, it is important to present results in a short, summarized pictorial view to capture their attention. A BRAG colour-coded dashboard is just the tool for this purpose.
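As an added example (not code from the package described above), the following Python sketch shows how a handful of the measures named on this page can be turned into a BRAG-rated dashboard with a trend indicator and an "actionable" short-list. The measure names, thresholds and values are constructed sample data; BRAG is taken to mean Blue/Red/Amber/Green with Blue marking an objective that is complete; and the threshold and trend logic are assumptions for illustration, not the package's own method.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Measure:
    """One KPI/KRI with a chronological series of observations."""
    name: str
    values: list             # oldest first; constructed sample data
    lower_is_better: bool    # e.g. 'high-rated risks accepted': fewer is better
    amber: float             # crossing this threshold turns the measure Amber
    red: float               # crossing this threshold turns the measure Red
    complete: bool = False   # Blue: objective achieved / measure retired


def rate(m: Measure) -> str:
    """Map the latest observation to a BRAG status (assumed threshold rule)."""
    if m.complete:
        return "BLUE"
    latest = m.values[-1]
    if m.lower_is_better:
        if latest >= m.red:
            return "RED"
        if latest >= m.amber:
            return "AMBER"
        return "GREEN"
    if latest <= m.red:
        return "RED"
    if latest <= m.amber:
        return "AMBER"
    return "GREEN"


def trend(m: Measure, window: int = 3) -> str:
    """Compare the latest value with the mean of the previous `window` values.

    Changes within 5% of the baseline are reported as FLAT so that noise
    does not show up as a trend (assumed tolerance).
    """
    if len(m.values) < 2:
        return "FLAT"
    prior = m.values[-window - 1:-1]
    baseline = mean(prior)
    latest = m.values[-1]
    tolerance = 0.05 * abs(baseline) if baseline else 0
    if abs(latest - baseline) <= tolerance:
        return "FLAT"
    better = latest < baseline if m.lower_is_better else latest > baseline
    return "IMPROVING" if better else "WORSENING"


# Constructed sample measures drawn from the categories on this page
SAMPLE_MEASURES = [
    Measure("High-rated risks accepted", [2, 3, 3, 5], True, amber=3, red=5),
    Measure("Open policy exceptions", [12, 10, 9, 7], True, amber=10, red=15),
    Measure("Awareness training completion %", [70, 80, 85, 86], False, amber=90, red=75),
    Measure("Major audit non-conformities", [1, 1, 0, 0], True, amber=1, red=3),
    Measure("Losses after controls (k$)", [30, 31, 30, 30], True, amber=50, red=100),
]


def build_dashboard(measures=SAMPLE_MEASURES) -> dict:
    """Return {name: (latest value, BRAG status, trend)} for every measure."""
    return {m.name: (m.values[-1], rate(m), trend(m)) for m in measures}


def needs_action(dashboard: dict) -> list:
    """Actionable short-list: anything Red, or anything getting worse."""
    return sorted(name for name, (_, status, direction) in dashboard.items()
                  if status == "RED" or direction == "WORSENING")


if __name__ == "__main__":
    board = build_dashboard()
    for name, (value, status, direction) in board.items():
        print(f"{name:34} {value:>6}  {status:6} {direction}")
    print("Needs action:", needs_action(board))
```

The point of the `needs_action` filter is the one the page makes about actionable intelligence: the dashboard can show every measure, but the list that management acts on should be the short one.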