Blog | Cyber Security News & Training | Einnosec

Examples Of Effective KRIs Part III

The Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues, has noted that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs).

In Part I of the series, we covered the basics of KPIs and KRIs to help new leaders understand why they matter. In Part II, we focused on how to write effective KRIs. In Part III, we list examples of effective KRIs.

The measured value of a KRI should reflect the negative impact the underlying risk would have on the organization's KPIs. KRIs act as an early warning system that alerts management when risk exposure exceeds tolerable limits. KPIs, by contrast, are performance indicators that help identify the performing and underperforming parts of the enterprise and guide the allocation of resources to the areas that merit more attention. Below are examples of effective KRIs, grouped by the domain they measure and the risk they signal.

Privacy KRIs

KRI: Percentage of third parties with access control issues identified as a critical risk.
Domain: Vendor Risk Management
Risk: Unauthorized access by third parties resulting from misuse of granted access.

KRI: Percentage increase in policy exceptions compared with the previous year.
Domain: Privacy Policies
Risk: Policies, standards, or procedures not being followed, resulting in exception approvals.

KRI: Percentage of high-risk issues newly identified during privacy impact assessments.
Domain: Privacy by Design
Risk: Lack of control over personal data will lead to loss of confidential information, legal issues, and failure to comply with privacy regulations such as CCPA and GDPR.

Current Indicators or Operational KRIs

KRI: Percentage of actual system availability against scheduled availability over a given period; mean time (in days) between system failures.
Domain: Systems Management
Risk: Lack of system availability will leave the organization unable to meet business needs and will result in service failures.

KRI: Average time required for the support team to diagnose, resolve, and close an IT support request.
Domain: Systems Management
Risk: Delays in resolving issues may damage business reputation and lead to loss of business and legal issues.

KRI: Percentage of critical systems without up-to-date patches.
Domain: Systems Management
Risk: Missing patches leave known vulnerabilities exploitable, increasing the organization's exposure, and may also degrade performance.

Lagging Indicators:

KRI: Trend analysis of failed login attempts; increase in password reset requests.
Domain: Access Control
Risk: Failure of access controls may lead to data breaches and loss of information and confidentiality.

KRI: Anomalies in privileged user account activity.
Domain: Access Control
Risk: Failure of controls over privileged access may lead to data breaches and exposure of sensitive data, causing reputational damage.

Other examples include an unusually large number of requests for a particular data file or server, suspicious registry changes, and suspicious modifications to files.
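The lagging indicators above only become an early warning once they are measured against a baseline and a tolerance limit. The following is an added example, not code from the original post or from Einnosec, showing how the two access-control KRIs in the table (failed login and password reset trend, privileged account anomalies) can be computed from authentication log lines. The log format, the field names, the privileged account list, the baseline figures and the 50% tolerance are all assumptions made for the illustration; the log lines are constructed, not real data.

```python
"""Compute lagging access-control KRIs from authentication log lines and
compare them against a tolerance limit, so a breach acts as an early warning.

Example code added for illustration. The log format, field names, baseline
values and thresholds are assumptions, not taken from any specific product.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> <EVENT> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-04T08:01:10 LOGIN_OK user=alice src=10.0.0.5
2024-03-04T08:02:44 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-04T08:03:01 LOGIN_OK user=alice src=10.0.0.5
2024-03-04T09:15:22 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-04T09:15:30 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-04T09:15:41 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-04T09:16:02 PASSWORD_RESET user=bob src=10.0.0.9
2024-03-04T11:40:00 LOGIN_FAIL user=admin src=198.51.100.23
2024-03-04T11:40:07 LOGIN_FAIL user=admin src=198.51.100.23
2024-03-04T11:40:15 LOGIN_OK user=admin src=198.51.100.23
2024-03-04T23:55:12 LOGIN_OK user=root src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")

# Assumed privileged accounts, their known admin source, and business hours.
PRIVILEGED = {"admin", "root"}
KNOWN_ADMIN_SRC = {"10.0.0.7"}
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59


def parse(log_text):
    """Yield (timestamp, event, user, src) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, event, user, src = m.groups()
            yield datetime.fromisoformat(ts), event, user, src


def percent_change(current, baseline):
    """Relative change against the baseline; a zero baseline with any activity
    is reported as a 100% increase rather than raising a division error."""
    if baseline == 0:
        return 100.0 if current else 0.0
    return (current - baseline) / baseline * 100.0


def privileged_anomalies(records):
    """Successful privileged logins from an unknown source or outside business hours."""
    anomalies = []
    for ts, event, user, src in records:
        if user not in PRIVILEGED or event != "LOGIN_OK":
            continue
        if src not in KNOWN_ADMIN_SRC:
            anomalies.append((user, src, "unknown source"))
        elif ts.hour not in BUSINESS_HOURS:
            anomalies.append((user, src, "outside business hours"))
    return anomalies


def evaluate_kris(log_text, baseline, tolerance_pct=50.0):
    """Return each KRI's current value, change against baseline, and breach flag."""
    records = list(parse(log_text))
    counts = Counter(event for _, event, _, _ in records)
    report = {}
    for kri, event in (("failed_logins", "LOGIN_FAIL"),
                       ("password_resets", "PASSWORD_RESET")):
        value = counts[event]
        change = percent_change(value, baseline[kri])
        report[kri] = {"value": value, "change_pct": round(change, 1),
                       "breached": change > tolerance_pct}
    anomalies = privileged_anomalies(records)
    # Any privileged anomaly breaches: there is no tolerable baseline for these.
    report["privileged_anomalies"] = {"value": len(anomalies), "details": anomalies,
                                      "breached": bool(anomalies)}
    return report


if __name__ == "__main__":
    # Assumed prior-period averages for the same window length.
    baseline = {"failed_logins": 3, "password_resets": 1}
    for name, result in evaluate_kris(SAMPLE_LOG, baseline).items():
        print(f"{name}: {result}")
```

With the constructed lines, failed logins double against the assumed baseline (a 100% increase, over the 50% tolerance) while password resets stay flat, and two privileged logins are flagged: `admin` from a source not on the known list and `root` at 23:55. Reporting the change against a baseline, rather than the raw count alone, is what turns the measurement into an indicator management can set a tolerance on.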

Leading Indicators:

KRI: Increase in social engineering and phishing attacks.
Domain: Information Security
Risk: Without security awareness training, attackers will gain access to confidential information, resulting in financial losses and legal and regulatory compliance issues.

KRI: Percentage of satisfied customers relative to total customers.
Domain: Service Management
Risk: Poor customer satisfaction will lead to the loss of customers and business failure.