KPI vs. KRI — The Fundamental Difference
Many organizations mistakenly equate performance indicators (KPIs) with risk indicators (KRIs). A KPI measures what has already happened: the number of incidents in the past quarter, the average response time to a ticket. A KRI, on the other hand, measures warning signals — data that indicates a growing probability of an incident in the future. It is the difference between a thermometer and a barometer.
Characteristics of an Effective KRI
A good IT risk indicator should meet several criteria. First, it must be quantitatively measurable and collectible in an automated manner — indicators requiring manual reporting quickly become fiction. Second, it should precede incidents by sufficient time to enable a response. Third, it must be understandable to the audience — the board needs a simplified view, the technical team needs details.
KRI Examples in IT Security Areas
- Vulnerability management — the percentage of systems with unpatched critical vulnerabilities older than 30 days; the week-over-week trend in newly discovered vulnerabilities.
- Access management — the number of accounts with passwords unchanged for over 90 days; the number of privileged accounts without active owners.
- Backups — the percentage of critical systems with untested recoverability; the time since the last recovery test for each system.
- Employee awareness — the click rate on simulated phishing in test campaigns; the percentage of employees with uncompleted training.
- Security configuration — the percentage of devices non-compliant with the baseline configuration; the number of security policy exceptions.
Alarm Thresholds and Escalation
Simply collecting indicators is not enough — defining thresholds that trigger actions is key. The three-color model (green-yellow-red) is clear but insufficient for dynamic systems. A better approach is trend-based thresholds: an indicator increase of more than 20% within a week should trigger a review, regardless of the absolute value.
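As an added illustration (not code from the original article or from ESKOM.AI), the following Python computes the vulnerability-management KRI listed above from a constructed scan sample, then evaluates it with both models described here: the static three-colour bands and the 20%-per-week trend rule. Host names, dates, band thresholds and the weekly history are all made-up sample values; the choice to treat any rise from a zero baseline as a trend alert is an assumption.

```python
from datetime import date

# Constructed sample data (not from any real scanner): for each host, the discovery
# date of its oldest still-open critical vulnerability, or None if it has none.
TODAY = date(2024, 6, 30)
SAMPLE_HOSTS = {
    "web-01": date(2024, 5, 1),  "web-02": date(2024, 6, 20), "db-01": None,
    "db-02": date(2024, 5, 25),  "app-01": date(2024, 6, 1),  "app-02": None,
    "vpn-01": None,              "mail-01": date(2024, 6, 10), "ad-01": None,
    "file-01": date(2024, 5, 31),
}
# Constructed history of the same KRI for the previous four weeks (percent).
WEEKLY_HISTORY = [12.0, 14.0, 15.5, 16.0]

def pct_unpatched_over_30_days(hosts, today, max_age_days=30):
    """KRI: percentage of systems whose oldest open critical vulnerability is
    strictly older than max_age_days (exactly 30 days old does not count)."""
    if not hosts:
        return 0.0
    stale = sum(1 for d in hosts.values() if d and (today - d).days > max_age_days)
    return round(100.0 * stale / len(hosts), 1)

def colour_band(value, yellow, red):
    """Three-colour model: static absolute thresholds on the current value."""
    return "red" if value >= red else "yellow" if value >= yellow else "green"

def trend_trigger(history, pct_increase=20.0):
    """Trend rule: latest weekly value more than pct_increase percent above the previous one."""
    if len(history) < 2:
        return False
    prev, cur = history[-2], history[-1]
    if prev == 0:               # no baseline: any rise from zero is a trend (assumption)
        return cur > 0
    return 100.0 * (cur - prev) / prev > pct_increase

def evaluate_kri(history, yellow, red, pct_increase=20.0):
    """Combine both models: a red band or a sharp weekly rise requires a review."""
    band = colour_band(history[-1], yellow, red)
    rising = trend_trigger(history, pct_increase)
    return {"value": history[-1], "band": band, "trend_alert": rising,
            "review_required": rising or band == "red"}

def weekly_review():
    """Compute this week's value from the scan sample, append it and evaluate."""
    current = pct_unpatched_over_30_days(SAMPLE_HOSTS, TODAY)
    return evaluate_kri(WEEKLY_HISTORY + [current], yellow=25.0, red=40.0)

if __name__ == "__main__":
    print(weekly_review())
```

With this sample the current value (20%) is still green on the absolute scale, yet the 25% rise over the previous week triggers a review, which is exactly the case the trend-based threshold is meant to catch.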
Automating KRI Collection and Visualization
Manual data collection into spreadsheets is the most common reason KRI programs fail. ESKOM.AI multi-agent systems can automatically pull data from various sources — vulnerability management systems, access logs, configuration scan results — and aggregate them into a unified risk dashboard. The generated report reaches the right recipients in cycles matching their needs: daily to the CISO, weekly to the board.
KRIs and Regulatory Requirements
NIS2 and DORA require organizations to have a documented approach to IT risk management. A well-defined KRI program provides not only operational data but also compliance evidence for audits. Documenting indicator changes over time shows regulators that the organization identifies threats and responds to them systematically.