3 Threat Intelligence KPIs to Win Your ROI Business Case



What Are Threat Intelligence KPIs and Why Do You Need Them?

Metrics are a vital component of business communications today. Whether you’re in the private or public sector, you need intuitive ways to demonstrate and benchmark your team’s performance and general return on investment (ROI)—or how will key leaders and budget decision-makers know what you do or if it’s any good?



Use KPIs to Build the Business Case for You

The reason to spend time designing key performance indicators (KPIs) is quite simple: they quickly and intuitively demonstrate the business value of your threat intelligence program. For instance, Forrester recently applied its financial modeling instrument, the Total Economic Impact™, to existing Flashpoint customers and calculated that Flashpoint delivers 482% ROI to customers with less than a three-month payback period.

In order to arrive at this impressive ROI result, however, Forrester first had to assess a number of quantifiable performance metrics, such as time saved and mitigated risk exposure. The same applies to your threat intelligence program: Develop a concise but comprehensive list of metrics as the foundation of your threat intelligence ROI business case.

Threat Intelligence KPIs Fall into Common Value Pillars

For threat intelligence, KPIs will ultimately measure work in repeatable and quantifiable outputs, such as volume, duration, frequency, or efficiency (among many others). Most threat intelligence KPIs align to one of a few high-level value pillars consistent throughout related defense and protection domains (e.g., cybersecurity, physical security, or fraud), including:

1. Operational metrics track the speed and efficiency of the team’s day-to-day work. KPIs in this category are typically constructed as the amount of work or time required of the average full-time employee (FTE). When improvements are made, leaders can point to improvements as the total number of weekly FTE hours saved or recovered.
2. Tactical metrics monitor the efficacy at which work is performed and risk mitigated. KPIs in this category convey the quality of the resulting work. False-positive and false-negative rates are good examples of tactical KPIs. Just because your team works fast and detects high volumes of new threats, that activity offers little context about the quality and accuracy of the information generated.
3. Strategic metrics assess performance in relation to financial and business objectives. Strategic KPIs connect and translate threat intelligence outputs to align with your organization’s overarching business or mission. Often evaluated in the form of cyber risk exposure or value at risk (VaR), these KPIs demonstrate the ability of your program’s efforts to either reduce the likelihood of experiencing a damaging event or minimize the business impact should events take place.

---

Three KPIs for Any Threat Intelligence Initiative

There are many valuable threat intelligence metrics you could use to demonstrate business value. But instead of trying to boil the ocean, we recommend choosing a select few metrics that are tracked and reported on consistently and reliably. Three of the more valuable KPIs we tend to see are: 1) FTE analyst efficiency, 2) Mean-time-to-respond (MTTR), and 3) Business productivity. We will dig deeper into each of these three below.

KPI #1: FTE Analyst Efficiency

FTE analyst efficiency is a regularly-cited business benefit incorporated into most business cases for proposing new initiatives or technology implementations. Analysts cover a wide swath of roles, including security operations (SecOps), incident response (IR), third-party vendor risk management, and vulnerability management, among others. The primary benefits are associated with the speed of your threat intelligence operations, often tracked in terms of the number of events investigated or the overall coverage of investigations as a percentage of total threats detected.

Considerations for KPI #1 FTE Analyst Efficiency

To adopt this metric, assess the average FTE analyst salary and begin tracking current and expected future FTE time. As you begin to design this KPI, make sure to ask the following questions:

– What is our current, and desired future, SLA target for internally-derived intelligence requests? How efficient are your activities within each of the five phases of the threat intelligence lifecycle?

– What types of external threat intelligence sources, services, and technology would improve analyst productivity?

– Do we have other existing processes that we could accelerate by incorporating threat intelligence (e.g., Phishing domain monitoring and takedowns, vulnerability management, etc.)?

KPI #2 Mean-Time-to-Respond (MTTR)

The longer cyberthreats go undetected, the greater their potential impact. For this reason, MTTR metrics can be crucial threat intelligence KPIs. Curated threat monitoring based on your organization’s footprint and asset profile ensures you sift through the noise from the start. This results in faster detection, which leads to faster response; and faster responses result in minimized risk exposure. Even so, measuring MTTR is often easier said than done. Consistently measuring the time of threat origination to the time of incident closure may be more nuanced and less of an exact science, necessitating the inclusion of more qualitative context and regular open-lines of communication.

Considerations for KPI #2 MTTR

When you implement an MTTR threat intelligence KPI, be sure to consider:

– From the time threats are discovered, how long does it take for the organization to assess and execute the appropriate response? 

– Is the intelligence you surface consistently relevant, easy to digest, and actionable?

– Are the actions taken from the intelligence repeatable, well-documented, and easy to decision?

KPI #3 Business Productivity

Business productivity KPIs may require more work to pin down, but they also have an even bigger upside than the first two covered, considering the potential size of the saved or recovered business losses. For instance, you can associate threat intelligence performance to major business benefits, like reductions in organization downtime (due to fewer cyberattack-related outages) or improved employee productivity (due to proactive compromised credential monitoring (CCM) that results in fewer account takeovers and account resets).

In order to achieve and more importantly, to measure, the business productivity performance of your threat intelligence efforts, you must identify the specific ways in which the organization or specific employee segments will benefit.

Considerations for KPI #3 Business Productivity

When you’re designing your business productivity KPI, consider the following:

– Which threat intelligence initiatives that you oversee have a regular and meaningful impact on business operations, as a whole or as specific functional sub-segments? 

– How frequently are various business and organizational units reading and actioning on the threat intelligence provided to them? How did those decisions positively impact the business?

– How do you calculate the cost of security breaches or physical safety incidents? If your organization experienced attacks or other threat events in the past, how were the losses calculated for those at that time?

Reevaluate Your KPIs in Broader Context

It’s critical that you design your threat intelligence metrics thoughtfully and purposefully, given the limitations of your existing program and organization. Ask yourself: “How will my threat intelligence program fit within my organization and the existing programs I oversee?”  

If you focus too heavily on one element like output volume, your team may appear overly task-driven, offering only rudimentary, check-the-box type of support. Especially with threat intelligence, the resulting analysis and deliverables it produces are only as valuable as the decisions and actions that are taken from the intelligence. 

Keep Your Threat Intelligence Metrics and KPIs in Check

Metrics are by no means the be-all-end-all. Use them as directional guiding points, not as definitive decrees. Too much emphasis on metrics will distract and confuse even the best threat intelligence teams, taking precious time away from the original missions they set out to achieve. More importantly, make sure your threat intelligence is provided in a timely and actionable manner to the right variety of internal stakeholders and key decision-makers. 





Turn Insight into Action with Flashpoint

Sign up for your demo today! See firsthand how Flashpoint can provide you with the actionable threat intelligence you need to identify and respond to physical, fraud, and cyber threats targeting your organization.