KPI vs KRI
Key Performance Indicators vs Key Risk Indicators
#LEARNCISMWITHSANTOSH
| Key Performance Indicators | Key Risk Indicators |
|---|---|
| KPIs are metrics used to measure the performance and effectiveness of an organization's information security controls, policies, and practices. | KRIs are metrics used to assess and monitor the potential risks and vulnerabilities that could impact an organization's information security. |
| The measurement an organization leverages to understand how well individuals, business units, projects, and companies are performing against their strategic goals. | The measurement an organization leverages to determine how much risk it is exposed to, or how risky a particular venture or activity is. |
| These are backward-looking and reactive. | These are forward-looking and proactive. |
| Once an organization has identified its strategic goals, KPIs serve as monitoring and decision-making tools that help answer the organization's key performance questions. | By measuring risks and their potential impact on business performance beforehand, organizations can monitor, manage and mitigate key risks early. |
| Answers the question: How are we doing against our goals? | Answers the question: What prevents us from achieving our goals? |
| Example 1: Percentage of employees who follow security policies and procedures, ensuring compliance. | Example 1: Percentage of server/workstation backup failures in a given period. |
| Example 2: Percentage of employees who have completed infosec awareness training. | Example 2: Percentage of Servers using weak authentication protocols. |
| Expected Measurement: 100% | Expected Measurement: 0% |
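A small Python illustration, added here and not part of the original page, that computes the four example indicators from constructed inventory records and shows why the two kinds of metric are read in opposite directions (the KPIs aim for 100%, the KRIs for 0%). The record fields and the list of weak protocols are assumptions made for the example.

```python
# Added example: KPI vs KRI computed from constructed inventory data.
# Record fields and WEAK_AUTH are assumptions, not from any real system.
from dataclasses import dataclass


@dataclass
class Metric:
    name: str
    kind: str            # "KPI" (higher is better) or "KRI" (lower is better)
    value_pct: float     # measured value, 0-100
    expected_pct: float  # 100 for the table's KPIs, 0 for its KRIs


# Protocols treated as weak authentication for the KRI (assumed list).
WEAK_AUTH = {"NTLMv1", "telnet", "basic-http"}

# Constructed sample data: five employees and four servers.
EMPLOYEES = [
    {"id": "e1", "policy_compliant": True,  "training_done": True},
    {"id": "e2", "policy_compliant": True,  "training_done": True},
    {"id": "e3", "policy_compliant": True,  "training_done": True},
    {"id": "e4", "policy_compliant": True,  "training_done": False},
    {"id": "e5", "policy_compliant": False, "training_done": False},
]
SERVERS = [
    {"host": "srv1", "backup_failed": False, "auth": "kerberos"},
    {"host": "srv2", "backup_failed": False, "auth": "NTLMv1"},
    {"host": "srv3", "backup_failed": True,  "auth": "ssh-key"},
    {"host": "srv4", "backup_failed": False, "auth": "telnet"},
]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; an empty population scores 0."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def compute_metrics(employees, servers):
    """Build the four indicators from the table out of the inventory rows."""
    return [
        Metric("employees following security policy", "KPI",
               pct(sum(e["policy_compliant"] for e in employees), len(employees)), 100.0),
        Metric("employees with completed awareness training", "KPI",
               pct(sum(e["training_done"] for e in employees), len(employees)), 100.0),
        Metric("server backups failed in period", "KRI",
               pct(sum(s["backup_failed"] for s in servers), len(servers)), 0.0),
        Metric("servers using weak authentication protocols", "KRI",
               pct(sum(s["auth"] in WEAK_AUTH for s in servers), len(servers)), 0.0),
    ]


def gap(m):
    """Distance from the expected measurement in the direction that matters:
    a KPI shortfall is expected - value, a KRI excess is value - expected."""
    return m.expected_pct - m.value_pct if m.kind == "KPI" else m.value_pct - m.expected_pct
```

Running `compute_metrics(EMPLOYEES, SERVERS)` on the constructed data gives 80% and 60% for the two KPIs and 25% and 50% for the two KRIs, so `gap` reports a 20- and 40-point shortfall on the goals and a 25- and 50-point risk excess to act on.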