Business email compromise targeting executive accounts cost organizations $2.9 billion in 2023 alone, according to FBI IC3 data. The attack doesn't need to compromise a corporate system; it needs to impersonate a CFO convincingly enough to get a wire transfer approved. The credential exposed on the executive's personal email account becomes the pivot to their corporate email via password reuse. The spearphishing email crafted from harvested social media data gets the click that a generic phishing simulation never would.

The KRIs in this domain measure whether your executive protection program is producing measurable risk reduction, not just whether an executive protection policy exists.

If you are standing this up from scratch, start with how to build a KRI program and the consolidated KRI reference library, which maps every domain to one CIS-aligned catalog.

KRI inventory

1. Executive credential exposure rate

What to measure. Percentage of executive and VIP accounts (corporate email, personal email where identifiable, LinkedIn, and other professional platforms) with credentials appearing in dark web breach datasets, including email/password combinations, session tokens, and authentication artifacts.

Why it matters. Credential exposure is the most common initial access vector for executive account compromise. Executives frequently use corporate email addresses to register for third-party services that subsequently suffer breaches. That credential, if the executive reuses passwords or uses weak passwords across accounts, becomes the key to corporate access. Executive credential exposure is discovered almost universally through dark web monitoring, not through internal telemetry. By the time an executive's credential appears in a breach dataset, it has often already been weaponized in targeted attacks against your organization.

  • Dark web monitoring platforms (Recorded Future, Digital Shadows, SpyCloud, Flare, ZeroFox): breach dataset monitoring for executive email addresses and usernames
  • SpyCloud Employee ATO Prevention: specifically designed for corporate credential monitoring including personal email addresses used by employees
  • HaveIBeenPwned Enterprise API: batch query for executive email addresses against known breach datasets
  • Threat intelligence platforms (Mandiant Threat Intelligence, CrowdStrike Falcon Intelligence): targeted threat actor monitoring for executive-specific credential chatter on forums and markets
  • Identity threat detection (Microsoft Entra ID Protection, Okta ThreatInsight): anomalous login attempts targeting executive accounts, often a signal that credentials are being tested

How to calculate. (Executives with credentials found in breach datasets in the past 90 days) ÷ (total executives monitored) × 100
  • Track separately: corporate email credentials vs. personal email/third-party service credentials (both matter)
  • Track time-to-remediation: time from discovery to confirmed password reset and session invalidation

Status | Criteria
Green | Active monitoring for all C-suite and board members; <5% with active credential exposure; time-to-remediation <4 hours for corporate credentials, <24 hours for personal; executives notified and briefed within SLA
Amber | Monitoring active but not covering all board members or extended VIP list; 5–15% with active exposure; or remediation SLA >24 hours
Red | >15% with active exposure; or no dark web monitoring for executives; or exposure discovered reactively (via incident, not monitoring); or credentials in active exploit kits with no remediation
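The calculation and banding above, worked through in Python over a constructed set of monitoring findings (this is an added example, not code from the page or from any monitoring vendor; the executive labels, dates and the rule that any missed SLA breaks green are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Exposure:
    executive: str              # monitored identity (constructed labels, not real people)
    kind: str                   # "corporate" mailbox credential or "personal"/third-party credential
    source: str                 # "monitoring" (dark web feed) or "incident" (found reactively)
    discovered: datetime
    remediated: Optional[datetime]   # confirmed reset + session invalidation; None while still open

# Constructed sample data: 8 monitored executives, 4 findings, reference date 30 June 2024.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
MONITORED = ["ceo", "cfo", "cto", "coo", "gc", "board-1", "board-2", "board-3"]
FINDINGS = [
    Exposure("cfo", "corporate", "monitoring", NOW - timedelta(days=10),
             NOW - timedelta(days=10) + timedelta(hours=2)),          # 2h: within the 4h corporate SLA
    Exposure("cto", "personal", "monitoring", NOW - timedelta(days=40),
             NOW - timedelta(days=38)),                               # 48h: misses the 24h personal SLA
    Exposure("cto", "corporate", "monitoring", NOW - timedelta(days=200),
             NOW - timedelta(days=199)),                              # outside the 90-day window
    Exposure("board-2", "personal", "incident", NOW - timedelta(days=3), None),  # open, found reactively
]
SLA_HOURS = {"corporate": 4, "personal": 24}

def in_window(findings, now=NOW, window_days=90):
    cutoff = now - timedelta(days=window_days)
    return [f for f in findings if f.discovered >= cutoff]

def exposure_rate(findings, monitored, now=NOW):
    """(executives with credentials found in the past 90 days) / (total monitored) * 100."""
    exposed = {f.executive for f in in_window(findings, now)}
    return 100.0 * len(exposed) / len(monitored)

def sla_breaches(findings, now=NOW):
    """Findings in the window whose time-to-remediation exceeds the SLA for their kind.
    Open findings count elapsed time so far, so an unremediated credential keeps breaching."""
    out = []
    for f in in_window(findings, now):
        hours = ((f.remediated or now) - f.discovered).total_seconds() / 3600
        if hours > SLA_HOURS[f.kind]:
            out.append((f.executive, f.kind, round(hours, 1)))
    return out

def status(findings, monitored, now=NOW):
    """Band per the KRI table. Assumption: any missed SLA (not only >24h) breaks green."""
    rate = exposure_rate(findings, monitored, now)
    reactive = any(f.source == "incident" for f in in_window(findings, now))
    if rate > 15 or reactive:
        return "red"
    if rate >= 5 or sla_breaches(findings, now):
        return "amber"
    return "green"
```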

2. Executive impersonation and brand threat rate

What to measure. Rate of detected impersonation attempts targeting executives, including lookalike email domains, fake social media profiles, fraudulent executive personas on professional networks, and AI-generated voice/video impersonation attempts (deepfake detection).

Why it matters. Impersonation is the operating model of business email compromise. An attacker doesn't need to compromise an executive's actual email account; they need to create an impersonation convincing enough to get a CFO to approve a transfer or a finance team member to change a vendor bank account. Executive impersonation exists on a spectrum: low-sophistication display name spoofing ("CEO Name" from a Gmail account) to high-sophistication lookalike domain registration to increasingly prevalent voice and video deepfakes used in financial fraud. Attackers routinely register lookalike domains (yourcompany-ceo.com, yourcompanyceo.com) within days of a company announcement specifically for impersonation campaigns. Real-time detection of these registrations enables defensive action before the impersonation is deployed.

  • Domain monitoring (DomainTools, CSC Digital Brand Services, MarkMonitor): lookalike domain registrations for your company name + executive surnames, variations, and common BEC patterns (yourco-legal.com, yourco-payments.com)
  • Social media monitoring (ZeroFox, BrandShield, Recorded Future): fake profiles on LinkedIn, Twitter/X, Facebook claiming to be your executives; executive impersonation accounts
  • Email gateway telemetry: display name impersonation attempts blocked by email security, how many emails per period attempted to impersonate executive names from external domains
  • DMARC reporting: p=reject enforcement rate and volume of spoofed emails blocked by DMARC enforcement across your domain portfolio
  • AI-generated content detection: emerging tooling for voice clone and deepfake detection, particularly relevant for wire transfer authorization workflows

How to calculate. Impersonation incidents detected per quarter; track absolute count and trend by type
  • Track separately: domain registrations, social media impersonations, email impersonation attempts, deepfake/voice clone incidents
  • For DMARC: track enforcement coverage (% of domains at p=reject) and monthly volume of spoofed emails rejected

Status | Criteria
Green | Lookalike domain monitoring active and alerting within 24 hours of registration; social media impersonation monitoring active; DMARC at p=reject for all domains; executive display name protection configured in email gateway; <5 impersonation incidents per quarter requiring escalation
Amber | Domain monitoring active but >48 hours to alert; or social media monitoring not active; or DMARC not at enforcement on all domains; or 5–15 escalated impersonation incidents per quarter
Red | >15 escalated impersonation incidents per quarter; or no domain monitoring; or DMARC not deployed; or an impersonation resulted in a successful fraud event; or deepfake/voice clone techniques used against your executives without detection capability
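The two DMARC figures the KRI asks for, enforcement coverage and rejected spoof volume, derived from the data you actually hold: the published _dmarc TXT records and the aggregate (rua) reports receivers send you. This is an added example, not code from the page; the portfolio records and the report below are constructed samples in the RFC 7489 formats.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed _dmarc TXT records for a domain portfolio (what a DNS lookup of _dmarc.<domain> returns).
PORTFOLIO_TXT = {
    "yourcompany.com": "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; pct=100",
    "yourcompany.co.uk": "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com",
    "yourcompany-events.com": "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com",
    "yourcompany.net": None,   # no record published at all
}

def parse_dmarc_txt(txt):
    """Split a 'v=DMARC1; tag=value; ...' record into a tag dict; missing or non-DMARC -> {}."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def enforcement_coverage(portfolio):
    """% of domains at p=reject applied to 100% of mail (pct defaults to 100), plus the laggards."""
    enforcing, lagging = 0, []
    for domain, txt in portfolio.items():
        tags = parse_dmarc_txt(txt)
        if tags.get("p") == "reject" and tags.get("pct", "100") == "100":
            enforcing += 1
        else:
            lagging.append((domain, tags.get("p", "missing")))
    return 100.0 * enforcing / len(portfolio), lagging

# Constructed aggregate (rua) report in the RFC 7489 Appendix C schema: one spoofing source, one legitimate.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourcompany.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>4300</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
  </record>
</feedback>"""

def spoof_volume(rua_xml):
    """Message counts per disposition in one report; reject+quarantine is the spoofed volume the KRI tracks."""
    root = ET.fromstring(rua_xml)
    counts = Counter()
    for rec in root.iter("record"):
        counts[rec.findtext("row/policy_evaluated/disposition")] += int(rec.findtext("row/count"))
    return root.findtext("policy_published/domain"), dict(counts)
```

Sum spoof_volume over a month of reports per domain to get the monthly rejected volume; a domain at p=none shows the same traffic with disposition "none", which is what makes it worth moving to enforcement.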

3. Executive digital footprint risk score

What to measure. Scope and risk exposure of publicly available information about executives, including personal contact information, home address availability, family member information, travel and location disclosure, financial data, and other OSINT that enables targeted social engineering.

Why it matters. Threat actors perform extensive open-source intelligence (OSINT) reconnaissance before targeting executives. The information they harvest determines the quality of the spearphishing email, the social engineering script, and the impersonation attempt. Executives often have significant personal information in public data broker databases (Spokeo, Whitepages, BeenVerified), property records (available in most counties), court records, political donation filings (public), SEC filings listing address of record, and across social media. This information doesn't just enable digital attacks; it creates physical security risk for executives and their families. The digital footprint risk score is an assessment of how much OSINT-harvestable information is publicly available and what attack vectors it enables.

  • Data broker removal services (DeleteMe, Kanary, Optery, Privacy Bee): monitoring and removal of executive personal information from people-search and data broker sites
  • OSINT assessment (manual or tooled): periodic assessment of what information is publicly available about executives, using tools like Maltego, SpiderFoot, or manual searches across property records, court records, donation filings, LinkedIn, social media
  • Google Alert monitoring: automated monitoring for executive name mentions in news, forums, and public postings
  • LinkedIn privacy audit: what information is visible to non-connections vs. connections; whether work history details enable targeted attacks
  • Executive social media audit: what location information is shared in posts, whether travel patterns are disclosed, whether family members are tagged in ways that expose personal information
  • Data broker opt-out completion rate: for executives enrolled in removal services, what percentage of identified data broker listings have been successfully removed

Scoring approach (risk score per executive, 1–10).

  • High-risk factors (2 points each): home address publicly available, family member information exposed, real-time location sharing via social media, personal phone number in data broker databases
  • Medium-risk factors (1 point each): prior home addresses available, employer history enables spearphishing, financial disclosure available (public company officers), frequent travel patterns disclosed, political affiliations/donation history public
  • Low-risk (0 points): information is professional/generic and does not meaningfully enable targeted attack

Status | Criteria
Green | All C-suite executives scored <4; data broker removal service active with quarterly removal verification; executive social media guidelines established and followed; periodic OSINT assessment conducted; executives briefed on personal digital hygiene
Amber | One or more executives scored 5–7; or data broker removal not active; or executive social media audit not conducted in 12+ months; or no formal executive digital hygiene guidance
Red | Any executive scored >7; or executive home address/family information actively exploited in targeting; or no personal information monitoring program; or an executive has suffered a physical security incident enabled by digital OSINT

4. Executive account security posture score

What to measure. Technical security posture of executive accounts, including phishing-resistant MFA enforcement, privileged access configuration, email security controls specific to executive mailboxes, executive device security baseline compliance, and executive account monitoring coverage.

Why it matters. Executives are simultaneously the highest-value targets and the most common exception to security controls. An MFA rollout that reaches 95% adoption often stalls on the remaining 5% because senior executives pushed back on friction. Executives frequently carry unmanaged personal devices with corporate email access. Their assistants may have delegated access to executive mailboxes, creating a lateral path. Their home networks are out of scope for corporate security. Measuring executive account security posture separately from the general population matters because the threat model is different: executive accounts warrant stronger controls, not weaker ones.

  • Identity platform (Entra ID, Okta, Ping): MFA method per executive account. Is it a hardware token (YubiKey) or a phishing-resistant passkey, or is it SMS or an authenticator app that can be SIM-swapped or adversary-in-the-middle'd?
  • Conditional access policies: are executives subject to tighter or looser conditions than general population? Are executive accounts excluded from any security policies (check for exclusion groups)?
  • Exchange Online / Google Workspace: delegate access on executive mailboxes. Who has send-as or read access to executive email? Is that access appropriate and reviewed?
  • MDM/EDM: device enrollment status for all devices with access to executive email; are personal devices accessing corporate resources through managed containers or raw access?
  • Microsoft Defender for Office 365 / Google Workspace Security: impersonation protection configuration specifically for executive accounts; Safe Attachments and Safe Links policies applying to executive mailboxes
  • UEBA/XDR alerts: is there dedicated monitoring for anomalous activity on executive accounts, or are they treated the same as general user accounts?
  • Sign-in risk scoring: high-risk sign-in events for executive accounts and response SLA

Composite scoring: check each element.

  1. Phishing-resistant MFA (hardware token or passkey) on primary corporate account
  2. No policy exclusions for executive accounts that weaken security controls
  3. Mailbox delegate access reviewed in past 90 days and documented
  4. All devices with email access are MDM-enrolled (including personal devices)
  5. Enhanced anti-impersonation protection configured for executive personas in email gateway
  6. Dedicated account monitoring with escalation path for executive-account anomalies
  7. Executive accounts not enrolled in self-service password reset (SSPR), since SSPR bypasses some controls

Status | Criteria
Green | All 7 elements passing for all C-suite and board accounts; executive-specific security briefing conducted annually; executive sign-in risk alerts reviewed within 1 hour
Amber | 5–6 elements passing; or one or more executives on SMS MFA only; or personal device access not managed; or policy exclusions for any executive account
Red | <5 elements passing; or any executive on no MFA; or executive account policy exclusions that remove controls; or an executive account has been compromised
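The composite score with element 1 derived from the account's registered authentication methods, as Microsoft Graph returns them from GET /users/{id}/authentication/methods, and the override rules from the table (no MFA is red, SMS-only is amber). This is an added example, not code from the page; the three posture records are constructed, and which method types count as phishing-resistant follows the page's own list.

```python
from dataclasses import dataclass

# Graph '@odata.type' values for registered methods, grouped by strength.
PHISHING_RESISTANT = {"#microsoft.graph.fido2AuthenticationMethod",                  # hardware key / passkey
                      "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"}
SMS = "#microsoft.graph.phoneAuthenticationMethod"                                   # SMS or voice call
PHISHABLE = {SMS, "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",     # real MFA, but relayable
             "#microsoft.graph.softwareOathAuthenticationMethod"}
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"

def mfa_class(methods):
    """Strongest second factor registered: phishing_resistant, phishable, or none (password only)."""
    types = {m.get("@odata.type") for m in methods}
    if types & PHISHING_RESISTANT:
        return "phishing_resistant"
    if types & PHISHABLE:
        return "phishable"
    return "none"

def sms_only(methods):
    """True when the phone method is the only second factor on the account."""
    return ({m.get("@odata.type") for m in methods} & (PHISHING_RESISTANT | PHISHABLE)) == {SMS}

@dataclass
class ExecPosture:
    upn: str
    methods: list                   # the 'value' array from Graph (constructed below)
    no_policy_exclusions: bool      # element 2
    delegates_reviewed: bool        # element 3: reviewed and documented in past 90 days
    devices_enrolled: bool          # element 4: every device with mail access is MDM-enrolled
    impersonation_protection: bool  # element 5
    dedicated_monitoring: bool      # element 6
    sspr_disabled: bool             # element 7
    compromised: bool = False

def elements_passing(p):
    """Element 1 comes from the registered methods; the rest are recorded by the control owners."""
    checks = [mfa_class(p.methods) == "phishing_resistant", p.no_policy_exclusions, p.delegates_reviewed,
              p.devices_enrolled, p.impersonation_protection, p.dedicated_monitoring, p.sspr_disabled]
    return sum(checks)

def band(p):
    """Green: all 7 pass. Amber: 5-6 pass or SMS-only MFA. Red: <5, no MFA at all, or a known compromise."""
    n = elements_passing(p)
    if p.compromised or mfa_class(p.methods) == "none" or n < 5:
        return "red"
    if n < 7 or sms_only(p.methods):
        return "amber"
    return "green"

def _m(*types):                      # build a Graph-shaped methods list from type names
    return [{"@odata.type": t} for t in types]

# Constructed posture records: every non-MFA element passes, so the band is driven by the MFA method.
CEO = ExecPosture("ceo@company.com", _m(PASSWORD, "#microsoft.graph.fido2AuthenticationMethod"), *[True] * 6)
CFO = ExecPosture("cfo@company.com", _m(PASSWORD, SMS), *[True] * 6)
CTO = ExecPosture("cto@company.com", _m(PASSWORD), *[True] * 6)
```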

5. Executive-targeted threat intelligence coverage

What to measure. Degree to which your threat intelligence program is actively monitoring for executive-specific targeting, including named executive mentions on threat actor forums, executive-targeted spearphishing campaign indicators, threat actor personas assigned to your executive team, and sector-specific executive targeting trends.

Why it matters. Most threat intelligence programs are configured for organizational-level monitoring: your IP ranges, domain names, brand keywords. Executive-specific monitoring requires a different targeting model: named individual monitoring on dark web forums, monitoring for executive-specific phishing lure documents (those using executive names or headshots as lures to get internal employees to click), and tracking threat actor activity against your industry peer group's executives as an early warning signal. When a threat actor posts "I have creds for [CEO name] at [company]" on a cybercriminal forum, you need to know within hours, not weeks.

  • Threat intelligence platforms (Recorded Future, Flashpoint, Mandiant, Intel 471): named executive monitoring in dark web forums, paste sites, and threat actor communication channels
  • Digital risk protection platforms (ZeroFox, Constella Intelligence): executive-specific monitoring with alerting on named mentions, credential postings, and targeting discussions
  • Sector-specific ISAC threat briefings: executive targeting trends in your industry, are peers experiencing coordinated executive-targeting campaigns?
  • Spearphishing lure analysis: security operations analysis of incoming spearphishing attempts that use executive names, headshots, or personas as lures targeting internal employees
  • Business email compromise alerts: inbound BEC attempts targeting finance or HR that impersonate executives; track volume, sophistication, and response time

How to calculate.
  • Coverage assessment: (executives with named monitoring active) ÷ (total executives in monitoring scope) × 100
  • Alert quality: what percentage of executive-related intelligence alerts are actionable (result in a protective action) vs. noise
  • Response time: time from alert to protective action (credential reset, impersonation takedown, employee warning)

Status | Criteria
Green | Named monitoring active for 100% of C-suite and board; threat intelligence alerts reviewed within 4 hours; integration between TI alerts and executive security team; documented response playbook for executive targeting alerts; sector-specific executive threat briefings consumed quarterly
Amber | Monitoring active but not for all board members or extended VIP list; or alert review SLA >24 hours; or no documented response playbook for executive targeting events
Red | No executive-specific threat intelligence monitoring; or monitoring active but alerts not actioned; or executive has been targeted in a threat actor campaign that was not detected by monitoring

Deriving these KRIs by source type

Dark Web Monitoring

# SpyCloud: breach records for a single executive address
curl -H "X-Api-Key: $SPYCLOUD_KEY" \
  "https://api.spycloud.io/enterprise-v2/breach/data/emails/executive@yourcompany.com"

# SpyCloud: bulk lookup for the whole executive watchlist
curl -H "X-Api-Key: $SPYCLOUD_KEY" -H "Content-Type: application/json" \
  -X POST "https://api.spycloud.io/enterprise-v2/breach/data/bulk" \
  -d '{"emails": ["ceo@company.com", "cfo@company.com", "cto@company.com"]}'

# Have I Been Pwned Enterprise: every breached account on a domain you have verified ownership of
curl -H "hibp-api-key: $HIBP_KEY" \
  "https://haveibeenpwned.com/api/v3/breacheddomain/yourcompany.com"

# Have I Been Pwned: full breach detail for one address (truncateResponse=false returns the breach records, not just names)
curl -H "hibp-api-key: $HIBP_KEY" \
  "https://haveibeenpwned.com/api/v3/breachedaccount/executive@yourcompany.com?truncateResponse=false"

Domain Monitoring

# DomainTools Brand Monitor: new registrations in the last 7 days containing your company name
curl -u "username:api_key" \
  "https://api.domaintools.com/v1/mark-alert/?query=yourcompany&days_back=7"

# DomainTools reputation score for a suspected lookalike
curl -u "username:api_key" \
  "https://api.domaintools.com/v1/yourcompany-ceo.com/reputation"

# Python: hand-built list of common BEC lookalike patterns to query against registrar or NRD feeds
company = "yourcompany"
permutations = [
    f"{company}-ceo.com", f"{company}ceo.com",
    f"ceo-{company}.com", f"{company}-legal.com",
    f"{company}-payments.com", f"{company}-invoices.com",
    f"{company}-finance.com", f"noreply{company}.com"
]
for candidate in permutations:
    print(candidate)   # feed each candidate into the lookups above
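The permutation list above generalised into a watchlist that covers all three pattern families the KRI names (BEC suffixes, executive surnames, typosquats of the company label) and is matched against a newly-registered-domain feed. This is an added example, not code from the page or from any registrar or monitoring vendor; the company label, surnames, owned domains and feed entries are constructed.

```python
# Constructed inputs: company label, executive surnames, owned domains and a sample NRD feed (not real registrations).
COMPANY = "yourcompany"
OWNED = {"yourcompany.com", "yourcompany.net"}              # legitimately registered, never alert on these
EXEC_SURNAMES = ["smith", "garcia"]
BEC_SUFFIXES = ["ceo", "cfo", "legal", "payments", "invoices", "finance", "hr"]
TLDS = ["com", "net", "co", "org"]
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "m": "rn"}

def label_variants(label):
    """Typosquat variants of one label: homoglyph substitution, single omission, adjacent transposition."""
    out = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        out.add(label[:i] + label[i + 1:])
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    out.discard(label)
    return out

def build_watchlist(company=COMPANY, surnames=EXEC_SURNAMES):
    """Map candidate domain -> reason, so an alert already says which pattern family matched."""
    labels = {company: "tld-variant"}                       # the real label under a TLD you do not own
    for s in BEC_SUFFIXES:
        for l in (f"{company}-{s}", f"{company}{s}", f"{s}-{company}"):
            labels[l] = "bec-pattern"
    for n in surnames:
        for l in (f"{company}-{n}", f"{n}-{company}", f"{n}{company}"):
            labels[l] = "executive-surname"
    for l in label_variants(company):
        labels.setdefault(l, "typosquat")
    return {f"{l}.{t}": reason for l, reason in labels.items() for t in TLDS}

def match_feed(feed, watch, owned=OWNED):
    """Return (domain, reason) for every newly registered domain on the watchlist that you do not own."""
    hits = []
    for d in feed:
        d = d.lower().rstrip(".")                           # normalise case and trailing dot from zone files
        if d in watch and d not in owned:
            hits.append((d, watch[d]))
    return hits

# Constructed feed as a registrar or zone-file diff might deliver it.
NRD_FEED = ["yourcompany-payments.com", "y0urcompany.com", "smith-yourcompany.net",
            "example.org", "yourcompany.net", "YourCompany-CEO.co."]
```

Run match_feed over each day's feed to get the "alerting within 24 hours of registration" signal the green band requires; hits tagged executive-surname or bec-pattern are the ones to prioritise for takedown and for warning finance.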

Executive Account Security, Identity Platform

# Microsoft Graph PowerShell: registered authentication methods per executive; the method type lives in AdditionalProperties['@odata.type']
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

$phishingResistant = @('#microsoft.graph.fido2AuthenticationMethod',
                       '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
$executives = @("ceo@company.com", "cfo@company.com", "cto@company.com")
foreach ($exec in $executives) {
    $methods = Get-MgUserAuthenticationMethod -UserId $exec
    $types = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    [PSCustomObject]@{
        User                 = $exec
        MFAMethods           = $types -join ", "
        HasPhishingResistant = ($types | Where-Object { $_ -in $phishingResistant } | Measure-Object).Count -gt 0
    }
}
# Azure CLI: app registrations owned by the signed-in account (run az login first)
az ad app list --show-mine

# Conditional Access policies with their excluded users and groups (object IDs, not UPNs);
# an executive listed directly, or via an exclusion group, fails element 2
curl -H "Authorization: Bearer $TOKEN" \
  "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" | \
  jq '.value[] | {name: .displayName, excluded_users: .conditions.users.excludeUsers, excluded_groups: .conditions.users.excludeGroups}'

# Exchange Online: explicit (non-inherited) mailbox permissions such as FullAccess on each executive mailbox.
# Send-As is a separate permission (Get-RecipientPermission); review both.
Connect-ExchangeOnline
$executives = @("ceo@company.com", "cfo@company.com")
foreach ($exec in $executives) {
    Get-MailboxPermission -Identity $exec |
    Where-Object { $_.IsInherited -eq $false -and $_.User -ne "NT AUTHORITY\SELF" } |
    Select-Object Identity, User, AccessRights
}

Digital Footprint Assessment

# DeleteMe: enroll an executive, then pull the data broker records found and removed for them
curl -X POST "https://api.joindeleteme.com/v1/subscribers" \
  -H "Key: $DELETEME_API_KEY" -H "Content-Type: application/json" \
  -d '{"email": "executive@company.com", "first_name": "Name", "last_name": "Last"}'

curl "https://api.joindeleteme.com/v1/records?subscriber_id=$ID" \
  -H "Key: $DELETEME_API_KEY"

# theHarvester: names, addresses and hosts exposed for the corporate domain, i.e. the OSINT view an attacker starts from
theHarvester -d yourcompany.com -b linkedin,google,bing -l 200

# Shodan: internet-exposed assets attributed to the organization
shodan search "org:yourcompany" --fields ip_str,port,hostnames

Draxis turns these KRIs into a live signal

Draxis connects to the tools you already run (dark web monitoring, brand protection, and identity security tooling) and computes these executive protection KRIs automatically, with the green/amber/red bands, trend lines, and drift alerts described above. No spreadsheets, no manual stitching.

See how Draxis reads your stack →