When determining key risk indicators (KRIs) for use in an information security program, it is most important to select KRIs that align with business processes. This alignment ensures that the KRIs are relevant to the organization's strategic objectives and operational realities, thereby making them more effective in identifying and managing risks that could impact the business.