The Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues, has noted that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs). The other thing we need to know is which IT KRIs and KPIs are relevant to the CIO, the CEO, and the Board of Directors. In today’s blog, we discuss KRIs and KPIs to give IT managers a better understanding of both.
A KRI is a metric for measuring the likelihood that the combined probability of an event and its impact will exceed the organization’s risk appetite. KRIs act as an early warning system that alerts management when risk exposure exceeds tolerable limits. A KPI is a key measurable value that indicates progress toward an intended result. The measured value of a KRI should reflect the negative impact the risk would have on the organization’s KPIs.
To be measurable and comparable, KRIs should be specific, predictive, and easy to quantify through hard numbers, percentages or ratios. Effective KRIs should be:
- Measurable – The KRI is expressed as a quantifiable number, count, percentage, etc.
- Predictable – It provides an alert or warning that something may fail
- Comparable – A measurable KRI can be compared over a period of time
- Informational – It provides information about risks, the direction of risk, and control effectiveness
KRIs defined using the above principles enable firms to:
- Know the risk exposure and the direction of risk
- Obtain information about control effectiveness and the changes to be made
- Support risk reporting, communication to management, prioritization, etc.
- Understand operations and manage operational risks
Examples of cyber security KRIs and KPIs:
- The volume of social engineering attempts reported within the organization in the last X months.
- The percentage of staff trained in IT security policies and procedures.
- Fully patched devices
- Mean Time to Resolve (MTTR) threats
- Days to patch the systems
Identifying key risk indicators requires an understanding of the organization’s goals, or, in the case of cybersecurity, its key information security priorities. Linking KRIs to KPIs enables managers to manage performance and know in advance about the direction of risk. The linking also tells managers more about risk behavior and its impact on business performance.
Below are a few examples (risk, the KPI it affects, and a KRI that gives early warning of it):
| Risk | KPI | KRI |
|---|---|---|
| Lack of a succession plan for key management positions may interrupt business continuity, cause failure to deliver projects on time, and prevent SLAs from being met. | Project delivery deadlines | Succession planning for key IT management positions |
| Inadequate security in third-party systems may impact the company and lead to the exposure of company data. | Third-party compliance requirement adherence | Number of incidents due to third-party system vulnerabilities |
| Exposure to cyber-attacks due to the untimely application of patches | Systems downtime | Systems without up-to-date patches |
| Failure to meet compliance obligations | Timely implementation of compliance requirements | Loss of customer PII or PHI data |
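As an added example (not from the original post), the Python below computes several of the KRIs listed above from constructed device-patch and incident records, checks each against an assumed risk appetite, and reports the direction of risk between two reporting periods; the threshold values and sample data are assumptions.

```python
from datetime import date
from statistics import mean

# Risk appetite: the tolerable limit for each KRI (assumed values, not from the post).
RISK_APPETITE = {"unpatched_pct": 10.0, "days_to_patch": 14.0, "mttr_days": 3.0, "third_party_incidents": 1}

def compute_kris(devices, incidents):
    """Compute the post's example KRIs from raw records.

    devices:   list of (name, patch_released, patch_applied_or_None)
    incidents: list of (opened, resolved, caused_by_third_party)
    """
    unpatched = [d for d in devices if d[2] is None]
    patch_days = [(applied - released).days for _, released, applied in devices if applied]
    return {
        "unpatched_pct": 100.0 * len(unpatched) / len(devices),                 # systems without up-to-date patches
        "days_to_patch": mean(patch_days) if patch_days else 0.0,               # days to patch the systems
        "mttr_days": mean((res - opened).days for opened, res, _ in incidents),  # mean time to resolve
        "third_party_incidents": sum(1 for *_, tp in incidents if tp),          # incidents via third-party systems
    }

def evaluate(current, previous):
    """Early-warning view: flag KRIs over appetite and report the direction of risk."""
    report = {}
    for name, limit in RISK_APPETITE.items():
        now, before = current[name], previous[name]
        direction = "worsening" if now > before else "improving" if now < before else "flat"
        report[name] = {"value": now, "breach": now > limit, "direction": direction}
    return report

def sample_report():
    """Constructed two-period sample data so the functions can be exercised offline."""
    prev_devices = [("web-1", date(2024, 3, 1), date(2024, 3, 5)),
                    ("web-2", date(2024, 3, 1), date(2024, 3, 11)),
                    ("db-1", date(2024, 3, 1), date(2024, 3, 5)),
                    ("vpn-1", date(2024, 3, 1), None)]
    prev_incidents = [(date(2024, 3, 2), date(2024, 3, 4), False),
                      (date(2024, 3, 10), date(2024, 3, 12), True)]
    cur_devices = [("web-1", date(2024, 4, 1), date(2024, 4, 21)),
                   ("web-2", date(2024, 4, 1), date(2024, 4, 17)),
                   ("db-1", date(2024, 4, 1), date(2024, 4, 25)),
                   ("vpn-1", date(2024, 4, 1), None),
                   ("vpn-2", date(2024, 4, 1), None)]
    cur_incidents = [(date(2024, 4, 3), date(2024, 4, 7), False),
                     (date(2024, 4, 12), date(2024, 4, 14), False)]
    return evaluate(compute_kris(cur_devices, cur_incidents),
                    compute_kris(prev_devices, prev_incidents))
```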
The diagram below, from the COSO research paper “Developing Key Risk Indicators to Strengthen Enterprise Risk Management”, depicts the chain from objectives to strategies to risks to KRIs. We will discuss this further in part II of this blog.