These indicators should be directly tied to your. Percentage of Downtime Due to Scheduled Activities All Systems The total amount of downtime, measured in minutes, that has been set aside and used by the IT function for planned system maintenance activities (as opposed to unplanned downtime) as a percentage of total downtime (planned and unplanned) during the measurement period. KRI examples can be used as a starting point to determine what gaps exist in current risk measurement activities of organizations. Cybercriminals often use threat intelligence tools and exploit the lag between patch releases and implementation. So, they must reduce the possibility of a cyberattack that could disrupt their business. However, we need to measure organizational cybersecurity performance, and applying some EVM concepts is a good place to start. Security ratings can feed into your cybersecurity risk assessment process and help inform which information security metrics need attention. Percentage of Critical Systems without Up-to-Date Patches The total number of critical systems (all deployed instances of the system or application running on each device/workstation) that do not currently have up-to-date patches installed and running as a percentage of total critical system end user devices/workstations. When implementing key risk indicators, businesses often do not have a frame of reference to begin picking the most important KRIs for their company use the list of KRI examples below to determine what areas of information technology pose a risk to your business operations today. Percentage of Firewall Rules Added or Changed Within Last 90 Days That Were Formally Documented The number of changes to firewall rules that were applied to the companys firewall (across all firewall applications/systems in use) that were formally documented according to the companys policies/procedures as a percentage of total firewall rule changes applied within the last 90 calendar days. If your business isn't concerned about cybersecurity, it's only a matter of time before you're an attack victim. //-->