IT Security

27 KPIs

% of downtime due to security incidents
[total downtime due to security incidents] percentage of [total downtime]
% of email spam messages stopped/detected
[number of spam emails stopped/detected] percentage of [number of spam emails]
% of email spam messages unstopped/undetected
[number of spam emails unstopped] percentage of [number of spam emails]
% of hours devoted to training technical staff in IT security, compared with total hours
% of patches applied outside of maintenance window
% of spam false positives
% of systems covered by antivirus/antispyware software
[Systems covered by antivirus/antispyware software] percentage of [total systems]
% of systems not to policy patch level
% of systems with latest antivirus/antispyware signatures
[Systems with latest signatures] percentage of [total systems]
% of virus incidents requiring manual cleanup
% of viruses & spyware detected in email
Cost of cleanup of virus/spyware incidents
Cost of patches
Distribution cycle of patches
average of ([time of being aware of patches] to [time of implementation of patches])
Frequency of IT security audits
Latency of unapplied patches
average of ([age of missing patches])
Number of detected network attacks
Number of hours spent in IT Security training
Number of occurrences of loss of strategic data
Number of outgoing viruses/spyware caught
Percent of incidents classified as security related
Risk Level Matrix
[Risk Level = value X probability]
Security Implementation Duration
Security Incident Resolution Time by Severity
Security vulnerability density per 1,000 lines of code
Spam detection failure %
Weighted security vulnerability density per unit of code
sum of ( [number of security vulnerabilities by seriousness] * seriousness weight)