As an Information Security Manager, you're creating a report for your company's board of directors. You want the board to understand the organization's security stance compared to real-time threats. What should be your primary focus when selecting the metrics to present?