Key Risk Indicators (KRIs) are the answer, but only when they’re chosen deliberately, defined precisely, and weighted in context. This reference library is built for practitioners who already have security controls and want to extract meaningful risk signal from them. Every domain maps explicitly to one or more CIS Controls v8.1, giving you a clear line from KRI to framework coverage.
A KPI tells you if your security program is functioning. A KRI tells you if your organization is exposed. Both matter. Only one belongs in front of a board or a cyber insurer.
How to use this library
Each KRI entry answers three questions:
- What you’re measuring, the specific metric and its unit
- Why it creates or reduces risk exposure, the business consequence
- Threshold signals, the values that indicate green, amber, or red posture
Each domain header identifies which CIS Controls v8.1 it satisfies. A full mapping table appears in the appendix at the end of this document.
Weighting guidance is relative and contextual. A fintech’s MFA adoption rate carries more weight than a traditional manufacturer’s. A manufacturer’s OT patch latency may be existential in ways that don’t appear in a SaaS company’s risk model. Use the base weights as a starting point, then apply your own context multipliers.
- Asset & Software Inventory
- Data Protection
- Secure Configuration Management
- Identity & Access Management
- Continuous Vulnerability Management
- Audit Log Management
- Email & Web Browser Protections
- Malware Defenses & Endpoint Security
- Data Recovery
- Network Infrastructure & Monitoring
- Human Risk & Security Awareness
- Third-Party & Supply Chain Risk
- Application Software Security
- Incident Response Management
- Penetration Testing
- How to weight and combine KRIs
- Appendix: CIS Controls v8.1 coverage map
1. Asset & Software Inventory
Base weight · Critical · CIS 1, 2
Do you know what you own, hardware and software, and is all of it authorized?
You cannot protect assets you don’t know exist. Asset and software inventory sits at the foundation of every other control in this library. Gaps here compound across every other domain: you can’t patch what you can’t see, you can’t monitor what isn’t inventoried, and you can’t respond to incidents on systems that aren’t tracked.
Hardware asset inventory completeness
Measure: Percentage of known active assets confirmed in the authorized enterprise asset inventory, reconciled against network discovery scans.
Why: Asset inventory is the prerequisite for patching, monitoring, access control, and incident response. Unknown assets are unprotected assets. Discovery scans routinely surface 10–20% more devices than organizations believe they have.
End-of-life asset rate
Measure: Percentage of assets running hardware or operating systems past vendor end-of-life (EOL) with no active support contract.
Why: EOL assets receive no security patches. A single unpatched EOL system in a critical segment is a permanent, unfixable exposure that grows worse every day.
Software inventory coverage
Measure: Percentage of installed software across the environment documented in the authorized software inventory.
Why: Unauthorized software is a primary malware delivery vector. Software you don’t know about can’t be patched, monitored for vulnerabilities, or removed when compromised. Shadow IT at the software layer is as dangerous as at the hardware layer.
End-of-life software rate
Measure: Percentage of software instances running versions past vendor end-of-support.
Why: Unsupported software accumulates unpatched CVEs permanently. Even software that appears to function normally is a ticking vulnerability clock once it crosses the EOL threshold.
2. Data Protection
Base weight · High (Critical for regulated industries) · CIS 3
Where is sensitive data, and is it actually protected?
Data protection KRIs are particularly relevant for regulatory exposure. Breaches are measured in records, regulators fine based on data classification, and insurers underwrite based on what you hold and how you protect it.
Data classification inventory coverage
Measure: Percentage of data stores with a documented sensitivity classification (public, internal, confidential, restricted).
Why: You cannot apply the right protection controls to data you haven’t classified. Classification is the prerequisite for encryption, access control, DLP, and breach notification decisions. Unclassified data is implicitly treated as low risk even when it isn’t.
Sensitive data encryption coverage
Measure: Percentage of data stores containing confidential or restricted data encrypted at rest.
Why: Unencrypted sensitive data converts any unauthorized access event into a reportable breach. Encryption at rest is the last line that converts a loss event into a non-event from a regulatory perspective. It is also one of the first things a cyber insurer verifies at renewal.
Data in transit encryption rate
Measure: Percentage of sensitive data transfers using current encryption standards (TLS 1.2 minimum; TLS 1.3 preferred).
Why: Plaintext transmission of sensitive data over any network, internal or external, is an interception risk. Deprecated protocols (SSL, TLS 1.0/1.1) provide false assurance.
Cloud storage misconfiguration rate
Measure: Number of cloud storage resources (S3 buckets, Azure blobs, GCS buckets) publicly accessible without authentication.
Why: Publicly accessible cloud storage remains one of the most common causes of data exposure, and among the most embarrassing to explain to regulators or customers. Many exposures persist for months before discovery because no one is monitoring for them.
DLP policy bypass rate
Measure: Ratio of sensitive data transfer attempts bypassing DLP controls versus total detected attempts.
Why: High block rates with low bypass rates signal effective enforcement. High bypass rates, even with active DLP tooling, indicate data leaving through channels your tools cannot inspect. Track trends, not point-in-time values.
3. Secure Configuration Management
Base weight · High · CIS 4
Are your systems hardened, or are they running out of the box?
Default configurations are designed for compatibility and ease of use, not security. Every asset deployed without a hardened baseline carries unnecessary attack surface: default credentials, unnecessary services, permissive network rules, and unreviewed settings that attackers have already catalogued. These KRIs measure whether your configuration controls are real or theoretical.
CIS Benchmark compliance score
Measure: Percentage of assets passing automated CIS Benchmark configuration checks for their asset class (servers, workstations, network devices, cloud accounts).
Why: CIS Benchmarks are the most widely used hardening standard. Low compliance scores indicate assets deployed with default or overly permissive configurations, the attack surface attackers exploit before they need to exploit vulnerabilities.
Configuration drift rate
Measure: Percentage of assets that have deviated from their approved configuration baseline since the last verified check.
Why: Configuration drift is insidious: it happens gradually through routine changes, software installs, and administrative shortcuts. Drift accumulates silently until it becomes a security incident. Assets that drift from baseline are running configurations no one has reviewed for security implications.
Default credential elimination rate
Measure: Percentage of deployed assets (network devices, servers, applications, IoT) confirmed to have default credentials changed.
Why: Default credentials are published by manufacturers and indexed by search engines. Shodan and similar tools allow anyone to find internet-accessible devices with default credentials in minutes. This is not a sophisticated attack; it is the equivalent of a locked door with the key taped to it.
Unnecessary service exposure rate
Measure: Percentage of assets running services, ports, or protocols not required for their documented business function.
Why: Every unnecessary service running on an asset is attack surface that doesn’t need to exist. Unnecessary services accumulate through convenience installations, legacy software, and missed decommissioning steps.
4. Identity & Access Management
Base weight · Critical · CIS 5, 6
Who can get in, and how well is that controlled?
Identity is the primary attack vector in the majority of breaches. Attackers don’t break in; they log in. These KRIs surface credential and access exposure before it becomes an incident.
MFA enrollment rate
Measure: Percentage of users and accounts with active multi-factor authentication enrolled.
Why: Each un-enrolled account is a credential-stuffing target. One compromised account in a privileged role is not a security event; it is a breach.
Privileged account sprawl
Measure: Count of admin and root accounts versus a defined and approved baseline.
Why: Over-provisioned admin accounts expand blast radius. Each unneeded privilege is a weapon waiting to be found. The admin account count tends to grow silently during rapid hiring and migration projects.
Dormant account rate
Measure: Percentage of accounts with active credentials and no activity in more than 90 days.
Why: Dormant accounts are typically former employees, contractors, and service accounts that were never properly offboarded. They are a classic attacker persistence vector: dormant accounts get reactivated because no one is watching them.
Least privilege compliance rate
Measure: Percentage of user accounts confirmed to have only the permissions required for their documented role, verified through access reviews.
Why: Permission creep is universal. Users accumulate access over time, through role changes, project assignments, and convenience grants, and those permissions are almost never revoked. The result is a user population with far broader access than anyone intended or reviewed.
Service account audit coverage
Measure: Percentage of service accounts with a documented owner and a recorded last-review date.
Why: Unmanaged service accounts are the accounts attackers pivot through. No one notices unusual activity because no one is watching, and no one owns remediation when something goes wrong.
5. Continuous Vulnerability Management
Base weight · Critical · CIS 7
How long does exploitable exposure persist?
Time is the fundamental variable in vulnerability risk. The question isn’t whether you have vulnerabilities; you do. The question is how long they remain exploitable.
Mean time to remediate (MTTR), critical CVEs
Measure: Average number of days from discovery to confirmed remediation for critical-severity vulnerabilities.
Why: Attackers weaponize critical CVEs within hours of public disclosure in many cases. Every day above your SLA is measurable, quantifiable exposure. MTTR is the single most underreported metric in vulnerability programs.
Unpatched critical vulnerabilities >30 days
Measure: Percentage of assets carrying unpatched critical vulnerabilities beyond the 30-day remediation window.
Why: A direct measure of SLA compliance and remediation capacity. High rates indicate resource gaps or an organization silently accepting unacknowledged risk. This is what your cyber insurer is looking at.
Internet-facing asset patch rate
Measure: Percentage of internet-exposed assets fully patched at the current remediation cycle.
Why: External attack surface is higher priority than internal. An unpatched internet-facing server isn’t a risk; it’s an invitation. Perimeter assets should be tracked separately from internal ones.
Known Exploited CVE exposure
Measure: Number of assets running software with CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Why: CISA’s KEV catalog tracks vulnerabilities with confirmed exploitation in the wild. These aren’t theoretical risk; they’re being actively used by threat actors. Any exposure here is direct operational risk, not backlog.
Vulnerability scan coverage rate
Measure: Percentage of in-scope assets scanned for vulnerabilities within the defined scan frequency window.
Why: A vulnerability you haven’t scanned for is a vulnerability you don’t know you have. Coverage gaps in scanning, often caused by network segmentation, agent deployment failures, or undiscovered assets, create blind spots that persist until something goes wrong.
6. Audit Log Management
Base weight · High · CIS 8
Can you reconstruct what happened before, during, and after an incident?
Audit logs are the foundation of detection, investigation, and forensics. Without comprehensive, tamper-resistant, centrally retained logs, you are flying blind, both during an incident and during the inevitable post-incident review. Regulators, insurers, and auditors all require documented evidence of logging capability. These KRIs tell you if your logging infrastructure is actually working.
Critical asset log coverage rate
Measure: Percentage of critical assets (servers, network devices, authentication systems, cloud control planes) with active, centralized log forwarding confirmed.
Why: A log that exists only on the device it came from is useless in a breach; attackers routinely clear local logs during intrusions. Centralized logging is the baseline. Coverage gaps mean incidents in those systems will be uninvestigable.
SIEM ingestion completeness
Measure: Percentage of expected log sources actively confirmed as ingesting into the SIEM within the last 24 hours.
Why: Log sources fail silently. A SIEM that appears healthy may have stopped receiving logs from critical systems days or weeks ago, and no alert fires because the absence of data isn’t an event. This metric requires active monitoring of the expected-source inventory versus confirmed-receiving sources.
Log retention compliance rate
Measure: Percentage of log categories retained for the full period required by policy, regulatory requirement, or contractual obligation.
Why: Regulatory investigations and forensic analysis routinely require log data going back 12–24 months. Retention gaps discovered during an investigation cannot be retroactively filled. Common causes: storage cost pressure, misconfigured rotation policies, and system migrations with no log transfer.
Audit log integrity rate
Measure: Percentage of critical log streams with tamper detection or integrity verification controls enabled (immutable storage, cryptographic hashing, write-once destinations).
Why: Logs that can be modified are not evidence. Sophisticated attackers target logging infrastructure specifically to cover their tracks. Log integrity controls ensure that if logs exist, they can be trusted.
7. Email & Web Browser Protections
Base weight · High · CIS 9
Are your highest-volume attack vectors actually defended?
Email and web browsing are responsible for the overwhelming majority of initial access events: phishing, malicious downloads, drive-by compromise, and business email compromise. Technical controls in this domain reduce the blast radius of human behavior: even a user who clicks a malicious link may be protected by web filtering, and a phishing email blocked at the gateway never reaches anyone to click.
Email authentication protocol enforcement
Measure: Percentage of owned email-sending domains with SPF, DKIM, and DMARC configured, and DMARC enforced at p=reject or p=quarantine.
Why: SPF, DKIM, and DMARC prevent domain spoofing, the technical mechanism behind most business email compromise (BEC) attacks. Without DMARC at an enforcement policy, anyone can send email that appears to come from your domain. BEC losses now exceed ransomware losses annually.
Email security gateway effectiveness
Measure: Rate of malicious emails (phishing, malware, BEC) reaching end-user inboxes past email security gateway controls.
Why: Your email gateway is the first line of defense for the highest-volume attack vector. Gateway bypass rates, measured through threat intelligence feeds or post-incident analysis, tell you how much you’re relying on your users as a backup control.
Web content filtering coverage
Measure: Percentage of users with active DNS or proxy-based web content filtering applied to all browsing sessions, including remote and mobile.
Why: Web filtering blocks malicious download sites, command-and-control infrastructure, and phishing pages before they load. Coverage that only applies in-office is increasingly irrelevant; remote and mobile users need the same protection.
Browser / email client patching rate
Measure: Percentage of endpoints running current or N-1 supported versions of email clients and web browsers.
Why: Browsers and email clients are the most actively exploited client-side applications. They receive frequent security updates because vulnerabilities are found and weaponized continuously. Running outdated versions is a persistent, measurable risk.
8. Malware Defenses & Endpoint Security
Base weight · High · CIS 10, 1 (partial)
Are your endpoints a controlled boundary or an open field?
Endpoints are the most common initial access point. These KRIs measure the actual enforcement of your endpoint policy: not whether a tool is purchased, but whether it is deployed, active, and working.
EDR agent coverage
Measure: Percentage of endpoints with an active, reporting endpoint detection and response agent.
Why: “We have CrowdStrike” is not a risk control. 85% coverage means 15% of endpoints are invisible to your detection capability. Gaps tend to cluster on older hardware and remote offices, the same assets most likely to be targeted in attacks designed to avoid detection.
Anti-malware solution effectiveness
Measure: Detection and prevention rate for known malware categories, measured through threat intelligence correlation or red team testing.
Why: Anti-malware coverage is meaningless without effectiveness data. An agent deployed but running in audit-only mode, or with outdated signatures, or misconfigured to exclude critical directories, provides false assurance without real protection.
Full-disk encryption rate
Measure: Percentage of endpoints with full-disk encryption enabled and verified through MDM or endpoint management.
Why: Every unencrypted device that leaves a building, whether lost, stolen, or abandoned, is a potential reportable breach event. Pure downside risk with a simple technical control.
Host-based firewall compliance rate
Measure: Percentage of endpoints with a host-based firewall enabled and configured per approved policy.
Why: Host-based firewalls provide a last line of network defense directly on the endpoint, particularly important for remote workers and laptops that operate outside the corporate perimeter. A disabled or misconfigured host firewall is an undetected gap.
Unmanaged device rate
Measure: Percentage of devices detected on the network that are not registered in MDM or the asset inventory.
Why: Shadow IT is invisible risk. Personal devices, lab hardware, and unregistered IoT all represent uncontrolled attack surface. You cannot patch, monitor, or respond to devices you don’t know exist.
9. Data Recovery
Base weight · High · CIS 11
When ransomware hits, what actually survives?
Data recovery capability is the ultimate test of resilience. Ransomware groups have made backup destruction their primary tactic; they know that organizations without recoverable backups have no negotiating position. These KRIs measure whether your recovery capability is real or theoretical.
Backup coverage rate
Measure: Percentage of critical systems and data stores with automated backups running on the defined schedule.
Why: Backup coverage gaps are invisible until you need them. Systems added without going through a formal provisioning process frequently get missed in backup schedules, often the same systems that would be most painful to lose.
Backup integrity verification rate
Measure: Percentage of critical data backups successfully tested for restoration within the last 90 days.
Why: Unverified backups fail when you need them most. Ransomware groups specifically target backup infrastructure. An untested backup is an assumption, not a recovery option, and discovering it’s broken during an incident is the worst time to find out.
Recovery Time Objective (RTO) validation
Measure: Percentage of critical systems with documented RTOs validated through a tested recovery exercise within the last 12 months.
Why: An RTO of “4 hours” that has never been tested is not a recovery commitment; it’s a guess. Untested RTOs almost universally prove optimistic when actually needed.
10. Network Infrastructure & Monitoring
Base weight · High (Critical for manufacturing, OT, infrastructure) · CIS 12, 13
Is your network infrastructure controlled, and are threats being detected on it?
Unexplained external exposure
Measure: Delta between open internet-facing ports and services versus the approved and documented baseline.
Why: Every service exposed to the internet that isn’t in your approved inventory is a potential beachhead. Shadow services accumulate after migrations, developer environments, and vendor integrations. The delta is your unknown external attack surface.
Firewall rule hygiene score
Measure: Percentage of firewall rules flagged as any/any, missing logging, or missing a documented owner.
Why: Permissive firewall rules accumulate over years. Each undocumented “any/any” rule is an unintentional permission no one remembers authorizing and no one wants to remove for fear of breaking something. A leading indicator of control decay.
Remote access authentication strength
Measure: Percentage of VPN and remote access sessions authenticated with MFA.
Why: Remote access without strong authentication is the primary ransomware delivery mechanism. A single unprotected VPN credential is a company-wide risk. This metric should be 100%.
Network monitoring coverage rate
Measure: Percentage of network segments with active intrusion detection, traffic analysis, or network detection and response (NDR) coverage.
Why: Perimeter firewalls prevent some attacks; network monitoring detects the ones that get through. Most organizations have perimeter coverage but significant blind spots inside the network, particularly in OT segments, cloud VPCs, and legacy network zones.
DNS filtering coverage
Measure: Percentage of endpoints and users with DNS-level filtering applied, blocking known malicious domains.
Why: DNS filtering blocks malware command-and-control, phishing domains, and malicious downloads at the resolution layer, before any content reaches the endpoint. One of the highest-value, lowest-friction controls available.
11. Human Risk & Security Awareness
Base weight · Medium · CIS 14
Are your people a vulnerability or a control?
Human risk KRIs carry medium baseline weight because technology controls should bound the blast radius of human error. In organizations with immature tooling, they move up significantly. Track human risk metrics, but don’t let them substitute for fixing the technical controls that make human error consequential.
Phishing simulation click-through rate
Measure: Percentage of targeted users who click a link in a simulated phishing exercise.
Why: A leading indicator of security awareness maturity and training effectiveness over time. Track the trend across quarters, not the point-in-time number.
High-risk user training completion
Measure: Percentage of repeat clickers and privileged users current on targeted security awareness training.
Why: Aggregate completion rates mask the users who matter most. Repeat clickers and users with privileged access are your highest-consequence human risk population. Track them separately and assign targeted training.
Security incident report rate
Measure: Rate at which employees report suspicious emails, events, or anomalies to the security team.
Why: Low reporting rates indicate low awareness or a culture where people don’t feel safe reporting mistakes. Both suppress your ability to detect social engineering early, before it becomes an incident.
12. Third-Party & Supply Chain Risk
Base weight · High · CIS 15
How exposed are you through vendors you trust?
Your security posture is bounded by the weakest link among your vendors. Supply chain attacks have become the preferred vector for targeting organizations that are otherwise well-defended. Most TPRM programs generate questionnaire responses, not risk signals.
Critical vendor assessment currency
Measure: Percentage of Tier 1 (critical-dependency) vendors with a completed security assessment within the last 12 months.
Why: An assessment from three years ago is not a risk control. Vendor posture changes, leadership turns over, security programs atrophy, cloud architectures shift. Currency of assessment is as important as the assessment result.
Vendor data access + MFA enforcement
Measure: Percentage of vendors with access to sensitive customer or operational data that can confirm MFA enforcement for their own personnel.
Why: A vendor with access to your customer data who doesn’t enforce MFA internally is your problem. Their breach becomes your breach, and your regulatory notification obligation.
Vendor contract security clause coverage
Measure: Percentage of vendor contracts with material access to sensitive data or critical systems that include defined security requirements, breach notification obligations, and audit rights.
Why: Contractual security clauses are the mechanism for enforcing vendor accountability. Without them, you have no recourse when a vendor’s breach exposes your data and no notification timeline to plan around.
Vendor concentration risk
Measure: Percentage of critical business functions dependent on a single vendor with no documented fallback.
Why: The CrowdStrike incident showed how a single vendor update can halt global operations. Concentration in critical infrastructure is systemic risk, not individual vendor risk.
13. Application Software Security
Base weight · High (Critical for software product companies, SaaS, fintech) · CIS 16
Are you building security in, or bolting it on?
Application vulnerabilities are the entry point for a significant proportion of web-based breaches. Organizations that develop software (customer-facing applications, internal tools, or APIs) carry application security risk that doesn’t appear in infrastructure-focused security programs. These KRIs measure whether your software development process is producing secure code or quietly accumulating technical security debt.
SAST / DAST pipeline coverage
Measure: Percentage of active applications with automated static (SAST) and dynamic (DAST) security testing integrated into the CI/CD pipeline.
Why: Security testing that runs in the CI/CD pipeline catches vulnerabilities before they reach production. Manual security reviews at release gates are too slow, too inconsistent, and too easy to skip under delivery pressure.
Third-party component vulnerability rate
Measure: Percentage of applications with known high or critical CVEs in direct or transitive open-source dependencies, as identified by software composition analysis (SCA).
Why: Modern applications are 80–90% open-source code by volume. Log4Shell, Struts, and Spring4Shell were all vulnerabilities in dependencies, not in code organizations wrote. Unmanaged open-source risk is one of the least-visible sources of exploitable vulnerability.
Secure SDLC adoption rate
Measure: Percentage of development teams following a documented secure software development lifecycle (SDLC) with defined security gates (threat modeling, security review, penetration testing at release).
Why: A secure SDLC is the organizational practice that makes application security systematic rather than ad hoc. Teams without a defined secure SDLC make security decisions inconsistently, or skip them entirely under release pressure.
Web Application Firewall (WAF) coverage
Measure: Percentage of internet-facing web applications protected by a WAF in blocking mode.
Why: WAFs provide a compensating control layer for known web application attack classes (OWASP Top 10) while underlying vulnerabilities are being remediated. A WAF in detection mode provides visibility but not protection.
14. Incident Response Management
Base weight · High (Weighted heavily by cyber insurers) · CIS 17
How fast can you detect, contain, and recover?
Prevention fails. The question is not if you’ll have an incident but how quickly you’ll know, and how much damage accumulates before you contain it. IR readiness KRIs are the ones cyber insurers weight most heavily, and the ones that most directly predict financial loss magnitude.
Mean time to detect (MTTD)
Measure: Average hours from a security event occurring to the security team becoming aware of it.
Why: Industry median dwell time is still measured in weeks. Every hour an attacker operates undetected is lateral movement, data exfiltration, and persistence establishment.
Mean time to contain (MTTC)
Measure: Average hours from initial detection to confirmed containment of a security incident.
Why: Detection is meaningless without timely response. A fast MTTD paired with a slow MTTC still produces large breach scope. Containment speed is the primary driver of breach cost.
Tabletop exercise recency
Measure: Days since the last formal incident response tabletop exercise with documented outcomes and action items.
Why: Incident response is a muscle. An IR plan that hasn’t been rehearsed is a plan that won’t function under pressure. Regulators under SEC Cyber Rules, DORA, and NIS2 increasingly require documented exercise cadence.
IR plan currency
Measure: Days since the incident response plan was last reviewed, updated, and approved by relevant stakeholders.
Why: An IR plan written before your current cloud architecture, vendor relationships, or regulatory obligations was written for a different organization. Outdated IR plans fail in ways their authors didn’t anticipate.
15. Penetration Testing
Base weight · Medium (Increases post-architecture-change or at IG2/IG3) · CIS 18
Have you verified your defenses by trying to break them?
Penetration testing validates that your security controls work as intended, not just that they exist. Internal assessments and automated scanning miss entire categories of attack: chained vulnerabilities, misconfiguration combinations, social engineering paths, and logic flaws that no scanner identifies. Pen testing is the reality check for your security program.
External penetration test recency
Measure: Days since the last external network penetration test conducted by a qualified third party.
Why: External pen tests simulate the most common attacker perspective, an adversary on the internet attempting to gain a foothold. Annual testing is the minimum; organizations with frequent architecture changes or high-value targets need a more frequent cadence. This is one of the most commonly asked questions at cyber insurance renewal.
Web application penetration test recency
Measure: Days since the last web application penetration test for customer-facing or critical internal applications.
Why: Web application pen tests go beyond what automated scanners find; they identify business logic flaws, authentication bypasses, authorization failures, and chained vulnerabilities that SAST and DAST miss. Application architecture changes make previous test results stale faster than infrastructure changes do.
Critical finding remediation rate
Measure: Percentage of critical and high-severity penetration test findings from the most recent test that have been confirmed remediated.
Why: A penetration test that produces a report that sits unactioned is not a security control; it’s an expensive document. Finding remediation rate measures whether the program produces outcomes, not just reports.
Mean time to remediate pen test findings
Measure: Average days from pen test finding identification to confirmed remediation, tracked by severity.
Why: Finding remediation speed tells you whether your security team treats pen test output as priority work or advisory backlog. Organizations that treat pen testing seriously close critical findings in days, not months.
How to weight and combine KRIs
Individual KRIs are signals. Risk posture is the composite. Combining them well requires a weighting methodology, not a single formula, but a structured way to account for context.
Three weighting factors
Apply all three to each KRI domain. Final weight = base weight × context multiplier × velocity factor.
Base weight
The inherent importance of this domain across most organizations. Asset inventory and identity management are universally critical. Penetration testing carries medium base weight because it validates other controls rather than being a control itself.
Context multiplier
Industry, regulatory regime, and business model. Healthcare weights data protection near-absolutely. Fintech weights IAM similarly. A software company weights application security in ways that don’t appear in a manufacturer’s risk model. A manufacturer adds weight to network segmentation and OT monitoring.
Velocity factor
Rate of change amplifies effective weight. A KRI trending sharply in the wrong direction deserves more attention than a stable amber metric. Movement is more informative than point-in-time state: deterioration over 30 days is a different conversation from the same level held for a quarter.
Domain weight defaults by vertical
Starting weights on a 1–5 scale. Calibrate against your threat model, regulatory exposure, and what controls you actually have producing signal.
| Domain | CIS Controls | SaaS / Fintech | Healthcare | Manufacturing |
|---|---|---|---|---|
| Asset & Software Inventory | CIS 1, 2 | 4 | 4 | 5 |
| Data Protection | CIS 3 | 5 | 5 | 3 |
| Secure Configuration | CIS 4 | 4 | 4 | 5 |
| Identity & Access Management | CIS 5, 6 | 5 | 5 | 4 |
| Vulnerability Management | CIS 7 | 4 | 5 | 5 |
| Audit Log Management | CIS 8 | 4 | 5 | 3 |
| Email & Web Protections | CIS 9 | 4 | 4 | 3 |
| Malware Defenses & Endpoint | CIS 10 | 3 | 4 | 4 |
| Data Recovery | CIS 11 | 4 | 5 | 4 |
| Network & Monitoring | CIS 12, 13 | 3 | 3 | 5 |
| Human Risk & Awareness | CIS 14 | 2 | 3 | 3 |
| Third-Party & Supply Chain | CIS 15 | 4 | 4 | 4 |
| Application Software Security | CIS 16 | 5 | 4 | 2 |
| Incident Response | CIS 17 | 4 | 5 | 4 |
| Penetration Testing | CIS 18 | 3 | 3 | 3 |
| Cloud Security Posture | CIS 4, 6 | 5 | 4 | 2 |
From KRIs to a risk posture score
Once you have KRI values and weights, the aggregation model is straightforward: score each KRI green/amber/red (1/2/3), multiply by domain weight, sum the results, and normalize to a 0–100 scale. Set thresholds at the organizational level that reflect your risk appetite, not industry benchmarks, which reflect averages across organizations with very different profiles.
The score itself matters less than the direction. A risk posture improving from 62 to 71 over a quarter is the signal your board needs. A posture holding at 85 with three critical KRIs spiking red is more urgent than the aggregate suggests, which is why domain-level visibility matters as much as the composite.
Don’t average your way out of a red KRI. A single critical-weight domain in red posture (unpatched KEV vulnerabilities, zero backup verification, no MFA on remote access) is a material risk regardless of what the aggregate number says. Composite scores should surface critical outliers, not hide them.
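A worked version of this aggregation, added here as an illustration rather than code from the library: it takes SaaS / Fintech base weights from the table above, applies Final weight = base weight × context multiplier × velocity factor, normalizes the weighted green/amber/red sum to 0–100 (assuming 100 = all green, since the page treats a rising score as improvement), and lists red critical-weight domains separately so they are not averaged away. The statuses, context multipliers and velocity factors are constructed values.

```python
from dataclasses import dataclass

# RAG scores as the page defines them: green = 1, amber = 2, red = 3.
RAG = {"green": 1, "amber": 2, "red": 3}


@dataclass
class DomainKri:
    domain: str
    base_weight: int        # 1-5, from the "Domain weight defaults by vertical" table
    status: str             # worst KRI status in the domain: "green" | "amber" | "red"
    context: float = 1.0    # context multiplier (industry / regulatory); assumed values
    velocity: float = 1.0   # velocity factor, > 1.0 when trending the wrong way; assumed values

    @property
    def effective_weight(self) -> float:
        # Final weight = base weight x context multiplier x velocity factor
        return self.base_weight * self.context * self.velocity


def posture_score(kris: list[DomainKri]) -> float:
    """Weighted RAG sum normalised to 0-100.

    The page fixes the 0-100 range but not its direction; because it treats
    62 -> 71 as an improvement, this assumes 100 = all green and 0 = all red.
    """
    total_w = sum(k.effective_weight for k in kris)
    weighted = sum(RAG[k.status] * k.effective_weight for k in kris)
    worst, best = 3 * total_w, 1 * total_w
    return round(100 * (worst - weighted) / (worst - best), 1)


def critical_outliers(kris: list[DomainKri], critical_weight: int = 5) -> list[str]:
    """Red domains with critical base weight: report these beside the composite,
    never let the composite hide them."""
    return [k.domain for k in kris if k.status == "red" and k.base_weight >= critical_weight]


# Constructed sample: SaaS / Fintech base weights from the table, statuses invented.
SAMPLE = [
    DomainKri("Asset & Software Inventory", 4, "green"),
    DomainKri("Data Protection", 5, "amber"),
    DomainKri("Identity & Access Management", 5, "red", velocity=1.5),  # deteriorating fast
    DomainKri("Vulnerability Management", 4, "amber", velocity=1.2),
    DomainKri("Application Software Security", 5, "green"),
    DomainKri("Penetration Testing", 3, "amber"),
]

if __name__ == "__main__":
    print("posture score:", posture_score(SAMPLE))          # 52.6
    print("critical outliers:", critical_outliers(SAMPLE))  # ['Identity & Access Management']
```

With the velocity factors reset to 1.0 the same sample scores 57.7, which is the velocity factor doing its job: the deteriorating IAM domain pulls the composite down harder than its base weight alone would.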
Appendix: CIS Controls v8.1 coverage map
Every KRI domain in this library maps to one or more CIS Controls v8.1. Use this table to verify framework coverage at a glance or to trace a specific control back to the domain where it’s measured.
| CIS Control | Description | KRI Domain |
|---|---|---|
| CIS 1 | Inventory and Control of Enterprise Assets | Asset & Software Inventory; Malware Defenses & Endpoint |
| CIS 2 | Inventory and Control of Software Assets | Asset & Software Inventory |
| CIS 3 | Data Protection | Data Protection |
| CIS 4 | Secure Configuration of Enterprise Assets and Software | Secure Configuration Management; Cloud Security Posture |
| CIS 5 | Account Management | Identity & Access Management |
| CIS 6 | Access Control Management | Identity & Access Management; Cloud Security Posture |
| CIS 7 | Continuous Vulnerability Management | Vulnerability Management |
| CIS 8 | Audit Log Management | Audit Log Management |
| CIS 9 | Email and Web Browser Protections | Email & Web Protections; Network & Monitoring (DNS) |
| CIS 10 | Malware Defenses | Malware Defenses & Endpoint |
| CIS 11 | Data Recovery | Data Recovery |
| CIS 12 | Network Infrastructure Management | Network Infrastructure & Monitoring |
| CIS 13 | Network Monitoring and Defense | Network Infrastructure & Monitoring |
| CIS 14 | Security Awareness and Skills Training | Human Risk & Security Awareness |
| CIS 15 | Service Provider Management | Third-Party & Supply Chain Risk |
| CIS 16 | Application Software Security | Application Software Security |
| CIS 17 | Incident Response Management | Incident Response Management |
| CIS 18 | Penetration Testing | Penetration Testing |
Stop measuring by hand.
Draxis reads your existing security controls, extracts KRI values programmatically, and surfaces them as financial and operational risk signals, so you can show your board what your security stack is actually telling you about exposure, not just that it’s running.