The Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues, has noted that many CISOs report the wrong key performance indicators (KPIs) and key risk indicators (KRIs).
In Part I of this series, we covered the basics of KPIs and KRIs to help new leaders understand why they matter. In Part II, we focused on how to write effective KRIs. In Part III, we list examples of effective KRIs.
The measured value of a KRI should reflect the negative impact that the risk, if realized, would have on the organization's KPIs. KRIs act as an early warning system that alerts management when risk exposure exceeds tolerable limits. KPIs, by contrast, are performance indicators that identify the performing and underperforming parts of the enterprise and guide the allocation of resources to the areas that need the most attention. Below are examples of effective KRIs, grouped by type:
Privacy KRIs
| KRI | Domain | Risk |
|---|---|---|
| Percentage of third parties with access control issues identified as a critical risk. | Vendor Risk Management | Unauthorized access by third parties resulting from access misuse. |
| Percentage increase in policy exceptions compared with the previous year. | Privacy Policies | Policies, standards, or procedures are not being followed, resulting in a growing number of approved exceptions. |
| Percentage of high-risk issues newly identified during privacy impact assessments. | Privacy by Design | Lack of control over personal data leads to loss of confidential information, legal issues, and failure to comply with privacy regulations such as CCPA and GDPR. |
Current (Operational) Indicators:
| KRI | Domain | Risk |
|---|---|---|
| Percentage of actual system availability relative to scheduled availability over a reporting period. | Systems Management | Lack of system availability leaves the organization unable to meet business needs and results in service failures. |
| Mean time between failures (MTBF): the average number of days elapsed between system failures. | Systems Management | Lack of system availability leaves the organization unable to meet business needs and results in service failures. |
| Mean time for the support team to diagnose, resolve, and close an IT support request. | Systems Management | Delays in resolving issues may damage business reputation and lead to loss of business and legal issues. |
| Percentage of critical systems without up-to-date patches. | Systems Management | Missing patches may degrade performance and increase exposure to vulnerabilities that impact the business. |
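The operational KRIs above are only useful once they are computed consistently and compared against a tolerance limit, which is what turns a metric into an early warning. The Python below, added here as an illustration and not taken from the article or the ISF, computes availability against scheduled availability, MTBF, mean resolution time and the share of unpatched critical systems from constructed sample records, then lists the KRIs that breach an assumed risk appetite. The outage, ticket and patch data, the 30-day patch SLA and the tolerance values are all assumptions.

```python
"""Operational KRIs computed from constructed sample data and checked against
tolerance limits (added example; all data and thresholds are assumptions)."""
from datetime import datetime
from statistics import mean

# Constructed inputs for one reporting month. None of this is real telemetry.
SCHEDULED_HOURS = 30 * 24  # assumption: system scheduled 24x7 for a 30-day month
OUTAGES = [  # (start, end) of unplanned downtime
    (datetime(2024, 3, 3, 2, 0), datetime(2024, 3, 3, 5, 30)),
    (datetime(2024, 3, 14, 22, 0), datetime(2024, 3, 15, 1, 0)),
    (datetime(2024, 3, 27, 9, 15), datetime(2024, 3, 27, 10, 0)),
]
TICKETS = [  # (opened, closed) timestamps of IT support requests
    (datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 11, 0)),
    (datetime(2024, 3, 5, 14, 0), datetime(2024, 3, 6, 14, 0)),
    (datetime(2024, 3, 20, 8, 0), datetime(2024, 3, 20, 8, 30)),
]
SYSTEMS = [  # (hostname, is_critical, days_since_last_patch)
    ("db-01", True, 12),
    ("dc-01", True, 45),
    ("web-01", True, 3),
    ("app-02", True, 61),
    ("build-07", False, 90),
]
# Assumed risk appetite per KRI: (direction that is acceptable, limit).
TOLERANCES = {
    "availability_pct": (">=", 99.5),
    "mtbf_days": (">=", 10.0),
    "mean_resolution_hours": ("<=", 12.0),
    "unpatched_critical_pct": ("<=", 10.0),
}


def availability_pct(scheduled_hours, outages):
    """Actual availability as a percentage of scheduled availability."""
    down_hours = sum((end - start).total_seconds() / 3600 for start, end in outages)
    return 100.0 * (scheduled_hours - down_hours) / scheduled_hours


def mtbf_days(outages):
    """Mean time between failures: average gap from the end of one outage
    to the start of the next, in days."""
    ordered = sorted(outages)
    gaps = [
        (ordered[i + 1][0] - ordered[i][1]).total_seconds() / 86400
        for i in range(len(ordered) - 1)
    ]
    return mean(gaps) if gaps else float("inf")


def mean_resolution_hours(tickets):
    """Average time for support to diagnose, resolve and close a request."""
    return mean([(closed - opened).total_seconds() / 3600 for opened, closed in tickets])


def unpatched_critical_pct(systems, max_age_days=30):
    """Share of critical systems whose last patch is older than max_age_days (assumed SLA)."""
    critical = [s for s in systems if s[1]]
    stale = [s for s in critical if s[2] > max_age_days]
    return 100.0 * len(stale) / len(critical) if critical else 0.0


def compute_kris():
    """Roll the sample data up into the four reported KRI values."""
    return {
        "availability_pct": availability_pct(SCHEDULED_HOURS, OUTAGES),
        "mtbf_days": mtbf_days(OUTAGES),
        "mean_resolution_hours": mean_resolution_hours(TICKETS),
        "unpatched_critical_pct": unpatched_critical_pct(SYSTEMS),
    }


def evaluate(values, tolerances):
    """Return the KRIs outside tolerance: the early-warning list for management."""
    breaches = {}
    for name, (direction, limit) in tolerances.items():
        value = values[name]
        within = value >= limit if direction == ">=" else value <= limit
        if not within:
            breaches[name] = (round(value, 2), limit)
    return breaches


if __name__ == "__main__":
    kris = compute_kris()
    for name, value in kris.items():
        print(f"{name:24s} {value:8.2f}")
    for name, (value, limit) in evaluate(kris, TOLERANCES).items():
        print(f"BREACH {name}: {value} vs tolerance {limit}")
```

With the sample data, availability (about 98.99%) and the unpatched-critical share (50%) are outside tolerance while MTBF and resolution time are inside it, so only the first two would be escalated. The point of `evaluate` is that each KRI carries its own direction and limit; reporting the raw numbers without the tolerance is what produces the "wrong KPI" problem the article opens with.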
Lagging Indicators:
| KRI | Domain | Risk |
|---|---|---|
| Trend in failed login attempts (failed-login data analysis). | Access Control | Failure of access controls may lead to data breaches and loss of information and confidentiality. |
| Increase in password reset requests. | Access Control | Failure of access controls may lead to data breaches and loss of information and confidentiality. |
| Anomalies in privileged user account activity. | Access Control | Failure of controls over privileged access may lead to data breaches and access to sensitive data, causing reputational damage. |
Other examples include a large number of requests for a particular data file or for access to a particular server, suspicious registry changes, suspicious changes to files, and similar signals.
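The lagging indicators above are derived from logs that already exist in most environments. As an added example that is not part of the article, the Python below parses a small constructed authentication log and produces the failed-login, password-reset and privileged-account KRIs from it: failure counts per user, a burst check for password guessing, reset-request volume, period-over-period change, and privileged sessions that fall outside business hours or come from an address not in the admin baseline. The log format, the set of privileged accounts, the business-hours window, the baseline addresses and the previous-period figures are all assumptions.

```python
"""Lagging-indicator KRIs from an authentication log (added example; the log
lines, account names, hours and baseline addresses are all constructed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in a simple syslog-like format, not from any real system.
LOG = """\
2024-03-01T09:02:11 auth sshd: Failed password for alice from 10.0.1.5
2024-03-01T09:02:15 auth sshd: Failed password for alice from 10.0.1.5
2024-03-01T09:02:20 auth sshd: Accepted password for alice from 10.0.1.5
2024-03-01T10:15:02 auth helpdesk: Password reset request for bob
2024-03-02T03:12:44 auth sshd: Accepted publickey for root from 203.0.113.9
2024-03-02T03:13:01 auth sudo: admin ran /bin/bash from 203.0.113.9
2024-03-02T11:40:00 auth sshd: Failed password for carol from 10.0.2.7
2024-03-02T11:41:30 auth helpdesk: Password reset request for carol
2024-03-02T11:45:12 auth sshd: Failed password for admin from 198.51.100.4
2024-03-02T11:45:13 auth sshd: Failed password for admin from 198.51.100.4
2024-03-02T11:45:14 auth sshd: Failed password for admin from 198.51.100.4
2024-03-02T11:45:15 auth sshd: Failed password for admin from 198.51.100.4
2024-03-02T14:00:00 auth helpdesk: Password reset request for dave
"""

LINE = re.compile(r"^(?P<ts>\S+) auth (?P<src>\w+): (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
RESET = re.compile(r"Password reset request for (?P<user>\S+)")
SUDO = re.compile(r"(?P<user>\S+) ran (?P<cmd>\S+) from (?P<ip>\S+)")

PRIVILEGED = {"root", "admin"}              # assumption: privileged accounts
BUSINESS_HOURS = range(8, 19)               # assumption: 08:00-18:59 local time
KNOWN_ADMIN_IPS = {"10.0.1.5", "10.0.2.7"}  # assumption: baseline admin sources


def parse(log):
    """Turn raw lines into (timestamp, source, message) tuples, skipping junk."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["msg"]))
    return events


def failed_logins_per_user(events):
    per_user = Counter()
    for _, _, msg in events:
        f = FAILED.search(msg)
        if f:
            per_user[f["user"]] += 1
    return per_user


def guessing_bursts(events, window=60, threshold=3):
    """(user, ip) pairs with at least `threshold` failures inside `window` seconds."""
    stamps = defaultdict(list)
    for ts, _, msg in events:
        f = FAILED.search(msg)
        if f:
            stamps[(f["user"], f["ip"])].append(ts)
    bursts = set()
    for key, times in stamps.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                bursts.add(key)
                break
    return bursts


def reset_request_count(events):
    return sum(1 for _, _, msg in events if RESET.search(msg))


def privileged_anomalies(events):
    """Privileged logins or sudo use outside business hours or from a non-baseline address."""
    findings = []
    for ts, _, msg in events:
        m = ACCEPTED.search(msg) or SUDO.search(msg)
        if not m or m["user"] not in PRIVILEGED:
            continue
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if m["ip"] not in KNOWN_ADMIN_IPS:
            reasons.append("unknown source")
        if reasons:
            findings.append((ts.isoformat(), m["user"], m["ip"], reasons))
    return findings


def pct_change(current, previous):
    """Period-over-period change, the form in which these KRIs are usually reported."""
    if previous == 0:
        return float("inf") if current else 0.0
    return 100.0 * (current - previous) / previous


def lagging_kris(log, prev_failed=4, prev_resets=2):
    """Roll the parsed log up into reported KRI values (previous-period counts are assumed)."""
    ev = parse(log)
    failed = sum(failed_logins_per_user(ev).values())
    resets = reset_request_count(ev)
    return {
        "failed_logins": failed,
        "failed_login_change_pct": pct_change(failed, prev_failed),
        "guessing_bursts": sorted(guessing_bursts(ev)),
        "password_resets": resets,
        "reset_change_pct": pct_change(resets, prev_resets),
        "privileged_anomalies": privileged_anomalies(ev),
    }


if __name__ == "__main__":
    for name, value in lagging_kris(LOG).items():
        print(f"{name}: {value}")
```

On the sample log this reports seven failed logins (a 75% rise over the assumed previous period), one guessing burst against `admin` from 198.51.100.4, three reset requests (up 50%), and two privileged-account anomalies: the `root` login and the `admin` sudo session at 03:12 from an address outside the baseline. Raw counts feed the trend KRIs; the burst and anomaly lists are what an analyst actually triages.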
Leading Indicators:
| KRI | Domain | Risk |
|---|---|---|
| An increase in social engineering and phishing attempts. | Information Security | Lack of security awareness training enables attackers to gain access to confidential information, resulting in financial losses and legal and regulatory compliance issues. |
| Percentage of satisfied customers relative to total customers. | Service Management | Low customer satisfaction leads to loss of customers and business failure. |