Aligning password policies with cybersecurity KPIs 

As an IT pro, you’re tasked with measuring (and ultimately proving) the value of your cybersecurity investments. But how do you show that your security efforts and expenditures have the desired effect? One way is by aligning your cybersecurity efforts, including password policies, with your organization’s key performance indicators or KPIs. 

In this post, we’ll look at some of the most common cybersecurity tactics, from employee training to account privilege management, and explore the associated KPIs associated with each. We’ll close with a discussion on how password auditing software can help identify additional vulnerabilities in your organization.  

Tactic: Ongoing cybersecurity training 

Hackers and bad actors are always coming up with new strategies to get unauthorized access to sensitive information. Even with the best security tools in place, organizations need to keep their employees on high-alert. This can be achieved with ongoing and personalized cybersecurity training that enables practical experience in successfully identifying the most common and targeted attacks.  

Ensuring your employees are adequately trained can reduce the risk of security breaches due to ignorance or human error. 

  • Pre- and post-training assessments: Shows if participants are learning something from your organization’s cybersecurity training program. Higher scores on post-training assessments indicate that your training activities are effective. 
  • Phishing click rates: Indicates the percentage of staff who clicked on the links from simulated phishing emails during training. The lower the click rate, the better equipped your staff is to recognize (and avoid) phishing attempts effectively. 
  • Social engineering awareness: Targeted assessments to measure your employees’ ability to recognize and avoid social engineering attacks effectively.  

Tactic: Monitoring multi-factor authentication (MFA) 

As an IT professional, you know how crucial multi-factor authentication is to thwarting cyberattacks. But simply deploying it across your organization isn’t good enough, you must also monitor it to ensure that employees use it. If you have emergency admin accounts or other accounts exempt from your MFA requirements, keep a close eye on them to ensure that they’re only being used for their intended purpose. 

By tracking and monitoring MFA use, you’ll reduce your risk of unauthorized access, identify any security gaps that need to be addressed, and meet regulatory compliance requirements. 

  • MFA adoption rate: Shows the percentage of users regularly using MFA. The higher the rate, the more users actively use multi-factor authentication, strengthening your overall security. 
  • MFA success/failure authentication rates: Shows the percentage of MFA authentication attempts that succeed and the number that fail. A high success rate shows that the MFA process works as it should and does not cause users issues or unnecessary friction. A high failure rate indicates that users are running into trouble, and you may need to enhance your training, tweak your MFA policies, or address other technical problems. 
  • MFA bypass rate: Shows the percentage of users exempt from MFA. A high bypass rate should raise eyebrows, potentially indicating policy violations or security weaknesses.  

Tactic: Effective password management 

Multi-factor authentication is an excellent tool in your security toolbox, but it doesn’t work without effective password management. As an IT professional, you know the importance of strong passwords to thwarting cybercriminals and maintaining security.  

Adopting effective password management practices will increase overall security, boost operational efficiency, and ensure your organization complies with industry standards, including GDPR and HIPAA. 

  • Password policy compliance: How compliant are your password policy requirements against various compliance standards, such the NIST password standards.  
  • Breached password check: The number of user accounts using a known or compromised password. This will help you gauge your organization’s resiliency against credential-base attacks. 
  • Password reset requests: The frequency of user-driven password reset requests. The higher the number, the greater the number of forgotten passwords, and opportunity for user frustration. You may need to revisit your password complexity requirements, or explore the use of passphrases which are both stronger, and easier to remember.   

Tactic: Managing account privileges 

Password management is great, but your IT team must also manage account privileges to control which users can access specific data and systems. Your team must ensure that users only have access to the folders, files, and databases needed to do their job and regularly review account privilege settings for highly sensitive files and systems. 

Effectively managing account privileges across your organization will enhance your security, simplify auditing, and reduce the threat of internal data breaches. 

  • Privilege escalation incidents: Shows the number of times users or accounts have successfully gained unauthorized elevated privileges. The higher the number, the higher the vulnerabilities in your privilege management policies and processes. 
  • Privilege review cycle time: Indicates the average time it takes for IT to review and update user roles/privileges. The faster the review cycle time, the more effective your IT department is at adjusting privileges when user roles or responsibilities change. 
  • Privilege revocation time: Highlights the average time it takes for IT to revoke a user’s privileges or access when necessary — for example, if a user is fired or moved to a different role. The faster the revocation time, the lower the chance a user can misuse their privileges.

Measuring the effectiveness of password policies and security programs

Password security is vital to any organization’s cyber defence efforts. And the right password auditing software can help your IT team measure the effectiveness of existing security programs. Specops Password Auditor is a FREE read-only program that scans your Active Directory and identifies password-related vulnerabilities. The tool can be used to generate interactive reports that contain user and password policy information, as well as executive summary reports that can be shared with relevant stakeholders in your organization. The executive report can be generated at any time and provides helpful metrics to evaluate the effectiveness of your password policies.  

Specops Password Auditor’s Executive Summary Report 
Specops Password Auditor’s Executive Summary Report 

Specops Password Auditor can also help you: 

Learn more about Specops Password Auditor, or contact us to speak with an expert.  

Back to Blog

Related Articles

  • Active Directory security best practices

    Our Active Directory best practices address security vulnerabilities in your organization, and serve as barriers for attackers.

    Read More
  • Password reuse: A hidden danger you can’t ignore

    Reusing passwords is common, despite years of warnings to end users. It’s a problem that’s difficult for IT teams to get a handle on, especially if people are reusing work passwords at home. This means a breach elsewhere can bring cybersecurity problems to an organization’s doorstep, even if their own Active Directory password policy is…

    Read More
  • Active Directory password hardening: How it’s done   

    Weak passwords are a problem waiting to happen – Verizon estimates that 80% of hacking-related breaches come from weak or stolen passwords. They’re the most common way for people to access their accounts and applications, making them an obvious attack route for bad actors. This risk prompts organizations to go through a ‘password hardening’ process…

    Read More