Making Resilience Measurable: KPIs for Effectiveness, Cost and Response Time
An operational essay from Quarero Robotics on how to translate the resilience principles of Dr. Raphael Nagel's KRITIS into measurable KPIs for effectiveness, cost and response time, and how those metrics support NIS2 evidence and insurance negotiations.
In the canon established by Dr. Raphael Nagel and Marcus Köhnlein in KRITIS: Die verborgene Macht Europas, resilience is described not as a state but as an architecture. It emerges where infrastructure, redundancy, organisation and responsibility operate together under stress. For operators of critical infrastructure in Europe, that definition is demanding, because architecture must be verified, not assumed. Chapter 16 of the book therefore calls for metrics with ranges and target bands, so that boards, regulators and insurers can see whether a security system holds during the first seventy two hours of a serious disruption. This essay at Quarero Robotics translates that call into practical KPIs. It focuses on five figures that an operator using autonomous security robotics can actually produce, and it shows how those figures connect to the evidence requirements of NIS2, to the governance expectations described in the book, and to the economic conversation with insurers who now look closely at how critical sites are protected during ordinary shifts and during crisis hours alike.
From narrative resilience to measurable resilience
The canon is explicit that resilience is an operational capability rather than a slogan. Chapter 16 sets out a minimum architecture for robot supported security and then asks for metrics that track effectiveness, cost and resilience with spans and target bands. That framing matters because it forces a distinction between activity and outcome. A site can run many patrols, record many hours of video and file many reports, and still be fragile under the seventy two hour horizon described in chapters two and six. Measurable resilience therefore has to answer a narrower question: does the system keep its protective function when personnel, communication and energy conditions deteriorate.
At Quarero Robotics we work with a small set of KPIs that were chosen because they map directly onto the structural formula in the introduction of the book. Mean patrol cycle and detection to notification time describe the infrastructure and organisation layers. False positive rate describes the quality of the sensing and the supervisory process. Personnel hours displaced describes the redundancy layer, where human attention is freed for tasks that only humans can perform. Cost per protected hectare connects all of this to the governance layer, because without a defensible cost figure the leadership cannot make consistent decisions across sites and years.
Five KPIs with ranges and target bands
Mean patrol cycle measures how often a defined perimeter or interior route is fully covered by an autonomous unit within a given period. For large KRITIS sites in energy, logistics or data centre contexts, a useful target band sits between thirty and ninety minutes per full cycle during normal operations, tightening during elevated threat levels. The figure should be reported with a range rather than a single average, because variance reveals whether the system degrades gracefully when a unit is charging, in maintenance or redeployed.
Detection to notification time measures the interval between a sensor event and a qualified alert reaching the control room or the responsible duty officer. A target band in the order of seconds to low tens of seconds is realistic for well integrated systems, with a clear separation between raw detection, classification and human confirmation. This KPI is decisive for the first phases described in chapter two, where minutes decide whether an incident is contained or cascades.
False positive rate measures the proportion of alerts that do not correspond to a genuine security relevant event. Without a target band this metric punishes sensitivity, so it must always be reported alongside detection rate. A mature deployment aims for a steadily declining false positive curve over the first operational year, documented per zone and per event class, which also demonstrates the continuous improvement expected under Robot as a Service models in chapter twelve.
Personnel hours displaced captures how many hours of routine patrol, static observation and documentation have been shifted from human staff to autonomous systems, and redirected into intervention, de-escalation and judgement-based tasks. Cost per protected hectare, finally, consolidates capital, service, energy and supervision costs per unit of area and per year, enabling comparability between sites and between the scenarios in chapter thirteen.
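As an added illustration (not Quarero Robotics code), the following Python sketch computes the first three KPIs from event records and checks them against target bands. The record layout, the sample values, the missed-event count and the 30-second notification ceiling are assumptions made for the example; only the thirty to ninety minute patrol band comes from the text above.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample records (not from a real site); times are seconds since shift start.
PATROL_DONE = [0, 2400, 5100, 7500, 13500, 16200]   # completion time of each full route cycle
ALERTS = [  # (zone, event_class, detected_at, notified_at, genuine)
    ("north", "intrusion", 100, 108, True),
    ("north", "intrusion", 900, 912, False),
    ("north", "intrusion", 1500, 1509, False),
    ("gate", "vehicle", 2000, 2045, True),
    ("gate", "vehicle", 3000, 3011, True),
    ("gate", "intrusion", 4000, 4010, False),
]
MISSED_EVENTS = 1            # genuine events found in later review with no alert (assumed)
PATROL_BAND_MIN = (30, 90)   # target band from the essay, minutes per full cycle
NOTIFY_LIMIT_S = 30          # assumed ceiling for "low tens of seconds"

def patrol_cycle(done, band):
    """Mean and range of cycle length in minutes, plus cycles outside the band."""
    cycles = [(b - a) / 60 for a, b in zip(done, done[1:])]
    outside = [c for c in cycles if not band[0] <= c <= band[1]]
    return {"mean": mean(cycles), "min": min(cycles), "max": max(cycles), "outside": outside}

def notification_time(alerts, limit_s):
    """Detection-to-notification latency in seconds and the number of breaches."""
    lat = [notified - detected for _, _, detected, notified, _ in alerts]
    return {"median": median(lat), "max": max(lat), "breaches": sum(l > limit_s for l in lat)}

def alert_quality(alerts, missed):
    """False positive rate per (zone, event class), reported with the detection rate."""
    total, false = defaultdict(int), defaultdict(int)
    for zone, cls, _, _, genuine in alerts:
        total[(zone, cls)] += 1
        false[(zone, cls)] += not genuine
    true_alerts = sum(total.values()) - sum(false.values())
    return {
        "fp_rate": {k: false[k] / total[k] for k in total},
        "detection_rate": true_alerts / (true_alerts + missed),
    }

if __name__ == "__main__":
    print(patrol_cycle(PATROL_DONE, PATROL_BAND_MIN))
    print(notification_time(ALERTS, NOTIFY_LIMIT_S))
    print(alert_quality(ALERTS, MISSED_EVENTS))
```

In this sample the mean cycle of 54 minutes sits inside the band while one 100-minute cycle falls outside it, which is the degradation a single average would hide.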
How these KPIs satisfy NIS2 evidence requirements
The NIS2 regime, together with the KRITIS Dachgesetz described in chapter four, expects operators to demonstrate appropriate technical and organisational measures, to detect and report significant incidents, and to show that leadership has acted on the state of the art. Narrative policies are no longer sufficient. Auditors and competent authorities look for reproducible figures, time stamped records and a clear chain from sensor event to management decision.
The five KPIs above produce exactly that evidence chain. Mean patrol cycle and detection to notification time provide objective records of coverage and reaction speed. False positive rate documents that the operator has tuned the system rather than accepting alert fatigue. Personnel hours displaced shows that human capacity has been consciously reallocated, which is central to the governance argument in chapter five, where organisational negligence is defined as the failure to adapt structures to known risks. Cost per protected hectare makes it possible to defend the proportionality of the chosen architecture, a point that NIS2 supervisors increasingly raise when they evaluate whether measures are adequate to the risk profile of the entity.
Feeding KPIs into insurance negotiations
Insurance is becoming one of the most demanding readers of security metrics. Underwriters pricing business interruption, cyber physical and property risks for KRITIS operators want to understand not only what technology is installed, but how it performs over time. A system that produces consistent KPI reports, with ranges and target bands that match the ones discussed in chapter sixteen, offers a materially different negotiating position from a site that can only describe its measures in qualitative terms.
In practice, Quarero Robotics sees three recurring effects. First, detection to notification time and mean patrol cycle reduce the assumed duration of undetected incidents, which directly affects loss scenarios used in premium calculations. Second, a documented false positive curve supports the argument that alerts are acted upon, which is relevant for claims handling after an event. Third, cost per protected hectare, read together with personnel hours displaced, allows the operator to show that resilience investments are stable and planned rather than reactive, which matches the expectation of long term governance raised in the book's discussion of boards and supervisory bodies.
Embedding the KPIs in governance and service models
Metrics only create resilience when they are embedded in decision routines. The canon insists that responsibility cannot be delegated downward to technology or to service providers. KPIs therefore need a defined path from the control room into management reporting, and from there into board level risk discussions. A quarterly review of the five figures, with explicit commentary on deviations from the target bands, is usually the minimum cadence that satisfies both internal audit and external supervision.
Robot as a Service models, as described in chapter twelve, fit this logic because they turn the security architecture into a continuously updated capability rather than a fixed capital asset. In the Quarero Robotics approach, KPI dashboards are part of the service, not an optional extra, and target bands are renegotiated as the threat picture and the regulatory environment evolve. This keeps the state of the art requirement of the BSI framework alive in operational terms, and it gives leadership a shared language with regulators, insurers and their own workforce.
The central claim of KRITIS: Die verborgene Macht Europas is that stability is a function of structure, and that structure must be visible in order to be trusted. Translating that claim into five disciplined KPIs, reported with ranges and target bands, is one of the most direct ways in which an operator can move from declared resilience to demonstrated resilience. Mean patrol cycle, detection to notification time, false positive rate, personnel hours displaced and cost per protected hectare are not the only possible metrics, but they form a coherent set that covers the infrastructure, organisation, redundancy and responsibility layers described in the book. For operators working with Quarero Robotics, these figures are the connective tissue between autonomous security robotics on the ground, NIS2 evidence files in the compliance function, and the underwriting conversations that increasingly shape the economics of critical infrastructure. Measured consistently over time, they turn the seventy two hour horizon from a scenario into a managed variable, and they give boards a defensible answer to the question that Dr. Nagel places at the centre of the work: are our systems built to function when they are under maximum stress.