KRIs and KPI for Cyber Security
This report provides selected Key Risk Indicators (KRI) for the area of Cyber security. These indicators are easy to measure and provide organizations with a quick overview of the relevant risks and how these are changing. The indicators can be combined into a risk scorecard which then can be used in IT management and corporate management.
1 Executive Summary
The report provides selected Key Risk Indicators (KRI) for the area of Cyber security. These indicators are easy to measure and provide organizations with a quick overview of the relevant risks and how these are changing. The indicators can be combined into a risk scorecard which then can be used in both IT management and corporate management.
The concept of Key Performance Indicators is well established at the corporate level, using scorecards as a tool for providing a quick overview on the progress of organizations towards their goals. Key Risk Indicators add risk metrics to that view, showing how well these risks are being managed as well as highlighting changes in risk.
Cyber security concerns the processes and technologies involved in protecting against and responding to the threats of cyber-attacks as well as ensuring the confidentiality, integrity and availability of organizational data. Its objectives are to ensure legitimate access to data and resources while managing the risks of illegitimate activities by cyber adversaries both inside as well as outside of the organization. These risks include the theft of information, fraud through alteration of systems or data, and the subversion access of IT systems (through ransomware for example). The large number of recently reported cyber incidents shows the need to address these issues.
The adoption of a hybrid IT service delivery model and the race towards digital transformation have increased the challenges of managing cyber security. While the cyber security measures that large scale CSPs (Cloud Service Providers) implement often exceed those that a commercial organization has the skills or budget to afford, the overall responsibility for cyber security is shared and this can lead to errors due to misunderstandings. In any case the ultimate responsibility for managing access to organizational data usually lies with the user organization and many cyber incidents stem from service user failures.
There are several frameworks that can be used for cyber security these include ISO/IEC 27001 and more recently the NIST Cyber security Framework. This latter was developed in the USA based on a Presidential Executive Order (EO) 13636 – “to ensure the reliable function of their national critical infrastructure”. This Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure.
The NIST framework has gained popularity since it provides a core set of desired cyber security activities and outcomes using common language that is easy to understand. The Framework Core guides organizations in managing and reducing their cyber security risks in a way that complements an organization’s existing cyber security and risk management processes. It provides implementation Tiers that help to guide organizations to consider the appropriate level for their cyber security program.
The framework supports a risk-based approach to cyber security since not all organizations have the same threats and risk appetite. KuppingerCole also advises a risk-based approach to cyber security. In this approach it is helpful to have a set of Key Risk Indicators and Key Performance Indicators for cyber security that can be related both the organizational situation and the framework. These help to identify the current status and understand what needs to change. This report provides these for cyber security.
Kuppinger Cole strongly recommends using KRI concepts as management tool within today’s hybrid IT for cyber security. Many KRIs are easy to use and their adoption can provide rapid results. Using these indicators, risks can become a key control for IT and support for decisions around IT investments.