Skip to content

Explain the difference between security KPIs and KRIs, with examples.

Short answer

A KPI (Key Performance Indicator) measures how well a security activity is performing against its objective — for example mean time to detect, patch SLA compliance, or percentage of systems with MFA. A KRI (Key Risk Indicator) is a forward-looking signal that risk exposure is increasing toward an unacceptable level, with a threshold that should trigger action — for example the number of overdue critical patches, count of unmanaged devices, or failed access reviews trending up. KPIs tell you how you're doing; KRIs warn you about where you're heading.

Metrics are how security communicates with the rest of the business. Interviewers ask this because confusing KPIs and KRIs is common, and the difference shapes whether a dashboard drives action or just decorates a slide.

KPIs: how well are we performing?

A Key Performance Indicator measures performance against an objective. It is largely backward- or present-looking and tells you whether a control or process is doing its job. Examples:

  • Mean time to detect / respond (MTTD / MTTR).
  • Patch SLA compliance — percentage of criticals patched within target.
  • MFA coverage — percentage of accounts with MFA enabled.
  • Phishing simulation report rate.

KPIs answer: are we good at this?

KRIs: where are we heading?

A Key Risk Indicator is a forward-looking, leading signal that risk exposure is rising toward an unacceptable level. The defining feature is a threshold and tolerance tied to risk appetite, so crossing it triggers action. Examples:

  • Number of overdue critical patches trending upward.
  • Count of unmanaged or unknown devices on the network.
  • Failed or skipped access reviews increasing.
  • Volume of exceptions/risk acceptances granted.

KRIs answer: is this becoming dangerous?

The overlap

The same raw data can feed both: patch compliance as a KPI (performance) and overdue critical patches past a threshold as a KRI (warning). What makes it a KRI is the link to a risk threshold and an escalation trigger.

Why this matters

Strong candidates explain that KPIs measure performance while KRIs are leading signals tied to risk appetite with action thresholds. Showing how one metric can serve both roles — and tailoring the presentation for a board versus engineers — demonstrates real reporting maturity.

Likely follow-ups

  • How do you set a meaningful threshold and tolerance for a KRI?
  • Can the same underlying metric serve as both a KPI and a KRI? Give an example.
  • How would you present these to a board versus to an engineering team?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.