What is an example of a key risk indicator (KRI)?

Prepare for the CISSP Domain 4 exam. Study with multiple-choice questions on risk and control monitoring and reporting. Get ready for your CISSP certification!

A key risk indicator (KRI) is a metric that gives early warning that risk exposure in some part of the organization is rising, so that action can be taken before a loss event. The frequency of security incidents is a good example of a KRI because it reflects the organization's security posture and how well its risk management is working. A rising incident rate may indicate weak or failing security controls, insufficient awareness training, or unremediated vulnerabilities in systems.

In addition to signaling potential risk, monitoring the frequency of security incidents allows organizations to analyze trends over time, identify areas requiring improvement, and implement proactive measures to mitigate those risks. This makes it a vital component of risk management and control monitoring efforts, ultimately aiding in informed decision-making.
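As an added illustration (not part of the original question or explanation), the following Python turns an incident register into a monthly KRI with green/amber/red status and a simple trend flag. The incident dates, the amber and red thresholds, and the trend factor are all constructed assumptions; real tolerance levels would be agreed with the risk owners.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample incident register (not real data): (date opened, severity).
INCIDENTS = [
    (date(2024, 1, 9), "low"), (date(2024, 1, 23), "medium"),
    (date(2024, 2, 2), "low"), (date(2024, 2, 14), "high"), (date(2024, 2, 27), "low"),
    (date(2024, 3, 5), "medium"), (date(2024, 3, 19), "low"),
    (date(2024, 4, 1), "high"), (date(2024, 4, 3), "low"), (date(2024, 4, 8), "medium"),
    (date(2024, 4, 12), "low"), (date(2024, 4, 16), "high"), (date(2024, 4, 22), "low"),
    (date(2024, 4, 29), "medium"),
]

# Hypothetical tolerance levels; the numbers are assumptions for this example.
AMBER_THRESHOLD = 4   # incidents per month that warrant management attention
RED_THRESHOLD = 6     # incidents per month that require escalation
TREND_FACTOR = 1.5    # flag "rising" when a month exceeds 1.5x the prior-window mean


def incidents_per_month(incidents):
    """Count incidents per calendar month, sorted chronologically.

    Months with zero incidents do not appear; a production version
    would fill those gaps so a quiet month still shows as green.
    """
    counts = Counter(opened.strftime("%Y-%m") for opened, _severity in incidents)
    return dict(sorted(counts.items()))


def rag_status(count, amber=AMBER_THRESHOLD, red=RED_THRESHOLD):
    """Map a monthly count onto the red/amber/green scale used in KRI reporting."""
    if count >= red:
        return "red"
    if count >= amber:
        return "amber"
    return "green"


def kri_report(incidents, window=3):
    """Build the monthly KRI: count, RAG status, rolling baseline and trend flag.

    The baseline is the mean of the previous `window` reported months;
    the first month has no baseline and is never flagged as rising.
    """
    monthly = incidents_per_month(incidents)
    months = list(monthly)
    report = []
    for i, month in enumerate(months):
        count = monthly[month]
        prior = [monthly[m] for m in months[max(0, i - window):i]]
        baseline = mean(prior) if prior else None
        rising = baseline is not None and count > TREND_FACTOR * baseline
        report.append({
            "month": month,
            "count": count,
            "status": rag_status(count),
            "baseline": baseline,
            "rising": rising,
        })
    return report


if __name__ == "__main__":
    for row in kri_report(INCIDENTS):
        print(row)
```

The status thresholds answer "is this month acceptable?" while the trend flag answers "is it getting worse?"; both are needed, because a month can sit inside tolerance and still be a sharp jump from the baseline.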

The other answer choices, while useful metrics, do not directly indicate risk levels. They measure things such as employee training completion or the number of organizational audits, which do not correlate consistently with the organization's current exposure. They help describe the overall security environment, but they are neither as direct nor as timely as the frequency of security incidents in revealing immediate risk.
