You may have already heard the term “Key Risk Indicators” (KRIs), and if not, it is fairly self-explanatory. The real question is whether you are actually using them to drive your business goals for the year. The three questions to ask when first establishing KRIs are:
- What do KRIs really mean from a security standpoint?
- Why are KRIs important for my business?
- What are the characteristics of a good KRI?
We will address these questions in Part One of our blog post on KRIs today.
What are KRIs?
KRIs are an “important tool within [security] risk management and are used to enhance the monitoring and mitigation of risks and facilitate risk reporting.” – Workiva. A KRI is essentially a risk metric that has “graduated” to key status. It differs from a Key Performance Indicator (KPI) in that a KPI is a lagging measure of how well something was done in the past, while a KRI is a leading indicator of the likelihood of a future adverse impact. The word “key” implies that there should not be many of them; if you have 100+ KRIs, most of them are really just risk metrics.

KRIs measure the chance that a threat materializes with some probability and produces a negative outcome. Risk does not always have to be a threat, however; sometimes it is an opportunity. For example, discovering a small breach of one employee’s personal account can give you the warning you need to prevent a larger, organization-wide breach later. In that example, managing risk means detecting or predicting the threat, estimating the probability that it will occur, and controlling its impact.

In security risk management (SRM), KRIs are a way to prioritize the allocation of time and resources, so they also show how efficiently an organization accomplishes its mission. In cyber security, that mission is risk mitigation, so the level of performance is measured by how well you manage your backlog of open security cases, your time to resolution, and similar measures.
Why are KRIs important in SRM?
First, KRIs provide focus for the security team. If you are measuring everything, you are really measuring nothing. So having focus points for what to measure is extremely important.
KRIs can also provide a wealth of meaningful information that tells you where to pay close attention. When you start thinking about what could be a potential vulnerability in your organization, it opens you up to problems which perhaps have never been addressed or even noticed in the past. Through developing KRIs, companies can better anticipate risks and take advantage of opportunities.
Additionally, KRIs can help with planning for budget allocation ahead of time and can aid in measuring how an organization’s security priorities change over time by comparing performance year-over-year.
Lastly, KRIs can be used as a means to communicate the importance of certain risks and increase security awareness levels within the organization. More than half of 5,000 security professionals surveyed by the Ponemon Institute across 15 countries including the US, believe that their organization’s security controls do not provide adequate protection against advanced cyber attacks. The same portion of security professionals also said that executives fail to appreciate the value of putting effective security controls in place, and do not equate a data breach with financial loss. This should serve as a wake up call. Recent enterprise breaches at Equifax, the SEC, and Deloitte are proof that more attention needs to be allocated towards security risk management, especially at an enterprise level since the potential impacts on customers’ privacy can be astronomical.
Qualities of good KRIs
Some qualities of a good key risk indicator include:
- The ability to measure the right thing (it supports the decisions that need to be made).
- The ability to be quantifiable (damages can be calculated in dollar amounts).
- Capability to be measured precisely and accurately. Buy-in and ownership from the team members responsible for the indicator are beneficial as well.
It is also essential for these KRIs to be constantly monitored and re-evaluated in order to highlight potential risk in “real time”. An example of a Key Risk Indicator developed by Nehemiah Security is Exploitability (the intersection of a vulnerability and a threat). It is measurable, it is composite (it combines two other factors), it is actionable, and it is based on observable outcomes. This makes Exploitability a great candidate for a KRI. For more information about this KRI, read our blog post.
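To make the difference between a leading KRI and a lagging KPI concrete, here is an added Python example. It is an illustration written for this post, not Nehemiah Security’s Exploitability calculation or platform code. It models an exploitability-style indicator as the intersection of an open vulnerability and an observed threat, aggregates it over a constructed finding inventory, checks it against a threshold so it can be monitored on a schedule, and computes mean time to resolve as the contrasting KPI. The `Finding` fields, the `exploit_observed` threat flag, the 25% threshold and all sample findings are assumptions made for the example.

```python
"""Added illustration of a leading KRI beside a lagging KPI.

Not Nehemiah Security's code. The data model, the `exploit_observed`
threat flag and the threshold are assumptions for the example, and the
findings in SAMPLE_FINDINGS are constructed sample data, not real assets.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                    # placeholder identifier, not a real CVE
    internet_facing: bool
    exploit_observed: bool          # assumed threat-intel flag: exploitation seen in the wild
    opened: date
    closed: Optional[date] = None   # None while the finding is still open


def is_exploitable(f: Finding) -> bool:
    """A finding counts toward the KRI only when a vulnerability meets a threat."""
    return f.closed is None and f.exploit_observed


def exploitable_exposure_ratio(findings: List[Finding]) -> float:
    """KRI (leading): share of open findings that are currently exploitable."""
    open_findings = [f for f in findings if f.closed is None]
    if not open_findings:
        return 0.0
    return sum(is_exploitable(f) for f in open_findings) / len(open_findings)


def mean_days_to_resolve(findings: List[Finding]) -> float:
    """KPI (lagging): average days from open to close over resolved findings."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return mean(durations) if durations else 0.0


def evaluate_kri(findings: List[Finding], threshold: float = 0.25) -> Dict[str, object]:
    """Compare the KRI to its threshold and name the assets driving it.

    This is what a recurring monitoring job would emit: `breached` is the
    signal that should trigger prioritisation, and the asset lists are what
    make the indicator actionable rather than just a number.
    """
    value = exploitable_exposure_ratio(findings)
    return {
        "kri": round(value, 3),
        "threshold": threshold,
        "breached": value > threshold,
        "exploitable_assets": sorted(f.asset for f in findings if is_exploitable(f)),
        "internet_facing_exploitable": sorted(
            f.asset for f in findings if is_exploitable(f) and f.internet_facing
        ),
        "kpi_mean_days_to_resolve": mean_days_to_resolve(findings),
    }


# Constructed sample inventory for the example (not real assets or vulnerabilities).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-01",  "V-001", True,  True,  date(2017, 9, 1)),
    Finding("web-02",  "V-002", True,  False, date(2017, 9, 5)),
    Finding("db-01",   "V-003", False, True,  date(2017, 9, 3)),
    Finding("hr-01",   "V-004", False, False, date(2017, 9, 10)),
    Finding("mail-01", "V-005", True,  True,  date(2017, 8, 1), date(2017, 8, 11)),
    Finding("vpn-01",  "V-006", True,  True,  date(2017, 7, 1), date(2017, 7, 21)),
]


if __name__ == "__main__":
    for key, val in evaluate_kri(SAMPLE_FINDINGS).items():
        print(f"{key}: {val}")
```

On the sample data the KRI is 0.5 (two of four open findings are exploitable), which breaches the assumed 0.25 threshold and names the assets to work first, while the KPI (15 days mean time to resolve) only describes findings that are already closed. That split is the point: the KPI tells you how the team performed, the KRI tells you where the next incident is most likely to come from.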
Here at Nehemiah Security, our mission is to deliver visibility into your operations with our security risk management platform and identify actionable insights into how to best manage your overall security risk which can set you up for success in developing your organization’s KRIs. Contact us to learn more.
In Key Risk Indicators, Explained: Part Two, we will discuss:
- The process of how to develop KRIs for your business.
- How to report on and adjust your KRIs.
Stay tuned! For more information about Security Risk Management, visit our blog post about where to start with SRM.