What Are Protection-Level Agreements in Cybersecurity and How to Use Them

In cybersecurity, bridging the gap between technical performance and business priorities is critical. Protection-Level Agreements (PLAs) offer a structured approach to define and communicate security expectations, translating technical safeguards into clear operational commitments that support consistent execution (Source).

This blog post is inspired by Gartner's research on Protection-Level Agreements (PLAs), which emphasize aligning cybersecurity performance with business outcomes through measurable, outcome-driven metrics.

What Are Protection-Level Agreements?

A Protection-Level Agreement (PLA) is a shared commitment between executives and security teams that defines the target level of cybersecurity protection—along with the cost and effort required to achieve it.

PLAs are built on outcome-driven metrics that measure results, not just technical activity. For example, a PLA might aim to reduce phishing simulation click rates to 5% within three months, supported by a specific training plan and budget.

Based on Gartner’s research, PLAs help organizations treat cybersecurity as a business decision. They connect security goals to business outcomes, making it easier to gain leadership support, track performance, and manage risk effectively.

In essence, PLAs:

• Set clear, measurable protection goals
• Use outcome-driven metrics to define success
• Align cybersecurity efforts with business priorities

This creates transparency, accountability, and stronger alignment between technical teams and leadership.

Why Are PLAs Important?

Protection-Level Agreements (PLAs) help align cybersecurity efforts with business goals by turning protection targets into measurable and accountable outcomes. Instead of relying on vague expectations, PLAs provide a structured way to define what success looks like and how it will be achieved.

Key benefits of PLAs include:

• Clear Risk Boundaries: PLAs make it easier for executives and cybersecurity leaders to agree on acceptable levels of risk. This shared understanding supports faster, better-informed decisions when facing security challenges.
• Tangible Business Value: PLAs connect cybersecurity spending to expected results. By focusing on specific outcomes—rather than just activity—they help ensure that budgets are used where they deliver the most value.
• Defined Roles and Accountability: PLAs assign responsibility for achieving outcomes across teams. Everyone involved understands their role, the targets, and how their work contributes to the organization’s overall security posture.

For example, if a program exceeds its budget, a PLA helps guide adjustments by providing predefined targets and options. This enables informed decisions rather than reactive responses.

By encouraging outcome-focused planning, PLAs improve communication between business and security leaders, support better resource management, and strengthen long-term cybersecurity performance.

Key Components of a PLA

A Protection-Level Agreement (PLA) works best when it is tailored to your organization's needs and focuses on meaningful, trackable outcomes. Below are the core components that make a PLA actionable and effective:

• Clear Outcome Goals: Define what success looks like in simple, measurable terms. This could involve reducing security incidents, improving staff response rates, or achieving specific training participation milestones.
• Starting Point Benchmarks: Establish your current level of performance before setting targets. Understanding where you are helps clarify where you need to go and how progress will be measured.
• Realistic Improvement Targets: Set goals that are challenging but achievable. For instance, aiming to increase threat reporting by a specific percentage gives teams direction without overpromising results.
• Link to Organizational Priorities: Each PLA should reflect how security improvements support wider business needs—such as maintaining service reliability, building customer trust, or managing compliance obligations.
• Built-in Checkpoints: Set regular times to revisit the agreement. These reviews help ensure goals stay aligned with changing risks, technologies, or business conditions, and allow for course corrections as needed.

Implementing PLAs: A Comprehensive Roadmap

Establishing a Protection-Level Agreement (PLA) isn’t just about setting goals - it’s about building a shared understanding between leadership and security teams around what protection means, how much it should cost, and how success will be measured. This approach reflects practical experience combined with strategic insights from industry research, including work published by Gartner.

The following roadmap outlines a flexible and actionable process for implementing PLAs in a way that supports both security outcomes and broader business objectives:

1. Align Early with Key Decision-Makers

Begin by engaging executives, department heads, and other stakeholders to uncover their concerns, expectations, and strategic priorities. Early alignment ensures the PLA reflects actual business needs and secures buy-in before goals are formalized.

2. Map Your Starting Point

Evaluate existing performance indicators such as simulation outcomes, response times, or training participation. Establishing a clear baseline provides the context needed to define realistic improvement targets and track measurable progress.

3. Define Outcomes That Matter

Set clear protection goals that focus on behavior and results. Examples include reducing the rate of phishing simulation clicks, increasing employee reporting of suspicious emails, or improving incident response efficiency across departments.

4. Explain the Value Internally

Ensure all participating teams understand not just the technical tasks, but the broader purpose behind the PLA. Communicate how these goals contribute to risk reduction, operational stability, and compliance, using simple, relatable language supported by real examples when possible.

5. Review Regularly and Evolve

Business environments, technologies, and threats all change—your PLA should, too. Schedule routine reviews (e.g., quarterly or biannually) to assess performance, revisit assumptions, and adjust targets as needed to keep the agreement relevant and effective.

By following this roadmap, organizations can embed PLAs into their cybersecurity strategy in a way that is both practical and adaptable. Framed around shared goals, transparent metrics, and business relevance, PLAs help ensure that security efforts are not only measurable but meaningful—both to technical teams and executive leadership.

Example Metrics for Protection-Level Agreements

To be effective, a Protection-Level Agreement (PLA) must be grounded in metrics that clearly reflect behavior, progress, and performance. The examples below highlight how organizations can track meaningful outcomes using real-world data, helping teams stay focused on human risk while driving measurable improvements in security posture.

The following 8 categories represent common PLA metrics used to align training efforts with business-focused cybersecurity goals.

1. Phishing Susceptibility

This metric tracks how employee behavior changes over time in response to phishing simulations. Key indicators include:

• Decrease in click rates on simulated phishing emails
• Increase in reporting rates of suspicious messages
• Reduction in repeat clickers (individuals who consistently fall for simulations)

This type of trend analysis helps security teams evaluate the effectiveness of awareness initiatives and adapt security training based on behavioral data.

2. Real Phishing Email Reporting

This measures how often employees report real phishing threats they encounter in their inboxes. An increase in this reporting rate indicates higher employee vigilance and a stronger internal defense layer against socially engineered threats.

PLA targets might involve raising reporting rates from 5% to 20%, turning passive users into active participants in early threat detection.

3. Phishing Simulation Click Rate

A foundational metric in many PLAs, this tracks the percentage of users who click on links in simulated phishing emails. A declining trend here signals increased recognition of malicious cues and improved judgment in daily communication tasks.

An organization might set a goal to reduce average click rates from 25% to below 5% over a defined period.

4. Repeat Clicker Rate

This focuses on employees who repeatedly fall for phishing simulations, even after receiving security awareness training or alerts. Tracking this subgroup enables targeted coaching strategies to correct high-risk patterns at the individual level.

Reducing this rate helps lower the likelihood of real phishing breaches driven by predictable behavior.

5. Phishing Simulation Reporting Rate

Separate from real phishing reporting, this metric tracks how often employees report simulated phishing messages sent as part of training campaigns. Higher reporting rates here indicate awareness, confidence in using reporting tools, and engagement with training content.

A PLA goal might target increasing simulation reporting from 10% to 40% over a few quarters.

6. Simulation Coverage

Coverage refers to the percentage of employees who have participated in phishing simulations during a set period (e.g., past 12 months). Full participation ensures a consistent and accurate view of organizational risk and helps avoid blind spots in behavioral data.

Many organizations aim to raise simulation coverage from around 90% to full 100% engagement.

7. Security Training Coverage

This metric shows how many employees have completed required cybersecurity awareness training. It may also reflect how recently training was completed and whether refresher modules are assigned.

A typical PLA target might be to increase training coverage from 50% to 90% within a year, aiming for broad knowledge distribution and reduced human error.

Turning Metrics into Action

To make these metrics actionable:

• Tie each one to a specific performance target
• Align metrics with a clear business benefit (e.g., reduced incident costs, fewer data breaches)
• Schedule regular reviews to track progress and adjust expectations

When implemented thoughtfully, PLA metrics help teams shift from reactive awareness campaigns to proactive behavior change, while giving executives a clear picture of the value cybersecurity efforts deliver.

The Business Impact of PLAs

Protection-Level Agreements (PLAs) bring structure and clarity to how cybersecurity performance is planned, measured, and communicated. Instead of focusing on technical processes alone, PLAs define what level of protection is needed, how it will be achieved, and what the outcomes should deliver for the business.

When integrated into broader cybersecurity governance, PLAs offer several business advantages:

• Informed Decision-Making: Executives can evaluate security priorities based on agreed protection outcomes—such as reducing human error–driven risk—making decisions that are grounded in measurable goals rather than abstract risk models.
• Clear Investment Rationale: By tying protection targets to specific performance indicators, organizations can justify where budget is needed and explain the expected impact of those investments in operational terms.
• Shared Accountability: PLAs outline who owns which outcomes—from employee behavior change to training completion or threat reporting—creating a transparent framework for tracking progress and identifying roadblocks.
• Better Risk Communication: Because PLA outcomes are defined in business-relevant language (e.g., fewer incidents, faster reporting), they help bridge the gap between cybersecurity teams and leadership, ensuring everyone understands how security supports business continuity and resilience.

Ultimately, PLAs shift the focus from activity to effectiveness. They give security leaders the ability to communicate performance in terms that matter to stakeholders—while giving organizations the confidence that resources are being used to reduce real-world risk, especially at the human layer.

Implement Protection Level Agreement with Keepnet Human Risk Management

Looking to implement effective PLAs in your organization? Keepnet Human Risk Management provides tools and insights to craft outcome-driven metrics that bridge the gap between cybersecurity and business priorities. Empower your team to secure executive buy-in and deliver measurable results. Discover how Keepnet can help you achieve your security goals today!

Watch our Youtube below to learn how you can leverage PLA in executive reports.