What KPIs and KRIs should you use to measure the effectiveness of your cybersecurity program?

I would be interested to know what KPIs and KRIs you use for your organisation and board.

There are many frameworks which provide a measure for success; however, the Essential 8 framework is very good and has some KPIs to enable a company to go from basic to expert.

One of the measures we use is with our staff education program. We use the Mimecast education program, and it gives us completion rates and the success rates for the questions at the end. We have run a baseline email attack from this system to see how many staff clicked through, and we will run another one at a later date. It is just one of a few measures we look at.


The letter K is the “key” in this 😀 You have to measure the operational stuff, but you should only report the most important indicators to the board, until you get their attention and they ask for more detail.

It’s enabling visibility of the program’s primary objectives or measures, and those are probably listed in the program’s original business case - assuming you’re asking about a program of work funded in that way. Typically that would be improving maturity across areas of an agreed framework. If you’re talking about general cybersecurity, then good indicators are those around risk (eg currency of the enterprise risk assessment and mitigating actions, ratings and trajectory of high-level risks), performance among peer organisations (if you can find out, eg budget/staffing/maturity), and anything where you want to build support for doing something different. For example, you could report improvements in event detection and response time if you were driving SecOps expansion/improvements. Security Metrics by Jaquith was a good book I used as a basis for mine a few years ago.

In my case the board and the organisation are two different audiences with different reporting needs so I don’t use the same for both. The organisation gets more info that matters to individuals in their business areas and roles, usually published through a coordinating function along with indicators from other teams.


Ok, so I’ll start out with some definitions to provide an explanation of my thinking and then segue to some recommendations.

A KRI in our context quantifies risk in a particular domain of cybersecurity, for instance, network security.

Risk is, strictly speaking, defined as being the product of loss event frequency and loss event impact (annually). Loss event frequency can be decomposed into threat event frequency and vulnerability. Loss event frequency can be decreased by the application of security controls to assets to decrease vulnerability (assuming the level of threat you are subject to stays constant).

If your organisation doesn’t have a good grasp of the loss event frequency of impactful events it is subject to (I don’t think many companies do), then you can use a framework of security controls that at least describes vulnerability, where mature application of controls signifies less vulnerability and immature application, more. You’ll need to make, and have your board understand that you are making, the simplifying assumption that your level of threat stays constant.

The best set of controls for this purpose I’ve found is the CIS Controls. Version 8 is the latest version and has over 150 controls. I believe the CIS no longer provide metrics for v8; so, you’ll need to derive metrics from their description of each control. v7 had a robust set of metrics, and it’s a shame they got rid of these. You can use v7 metrics as a guide to create v8 metrics.

Once you have your metrics defined and empirical data collected for each metric, you can create summary metrics for domains like network security, endpoint security, application security, supplier management, and so forth, where these summary metrics are calculated as the arithmetic means of the metrics that fall into each domain. These summary metrics will be your KRIs.

A KPI in our context quantifies the performance in the management of risk in the domain of cybersecurity.

Therefore, for KPIs, I’d follow the guidance of the FAIR institute in chapter 13 of their book “Measuring and Managing Information Risk”. Their take on KPIs is that these should measure the performance of risk management processes, for instance:

— the visibility one has of the security controls landscape
— whether visibility into key landscape areas has increased or decreased
— the effectiveness of risk management decision making
— the variance in the application of specific controls across the landscape
— whether this variance has increased in frequency, severity, or duration
— the causes of this variance — lack of awareness, incorrect prioritisation, or a lack of skills
— on-time closure rates of findings
— high-risk or unauthorised risk acceptances

Unfortunately, they don’t provide a robust set of canned metrics beyond these suggestions. I believe any risk management framework that covers the bullet points above could be used to derive such metrics. It’s an area of “active research” for me.

—— ENDS ——

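The post above describes three calculations in words: the FAIR decomposition (loss event frequency = threat event frequency × vulnerability; risk = loss event frequency × loss magnitude), domain-level KRIs as the arithmetic mean of per-control metrics, and an on-time closure rate as one of the suggested KPIs. The Python below is an added worked example and is not the poster's code or anything published by CIS or the FAIR Institute. The control labels, domain names, coverage figures, finding dates and the threat/impact numbers are all constructed for illustration and do not correspond to real CIS Control numbering or real measurements.

```python
"""Worked example: domain KRIs as arithmetic means of per-control metrics,
plus the FAIR-style loss event frequency decomposition and one KPI
(on-time closure rate). All sample data below is constructed."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class ControlMetric:
    control: str     # label for the control measured (hypothetical, not CIS numbering)
    domain: str      # summary domain the control rolls up into
    coverage: float  # fraction of in-scope assets where the control is applied, 0.0..1.0


def validate(metrics: list[ControlMetric]) -> None:
    """Reject readings outside 0..1 so one bad data point cannot skew a domain mean."""
    for m in metrics:
        if not 0.0 <= m.coverage <= 1.0:
            raise ValueError(f"{m.control}: coverage {m.coverage} is not in [0, 1]")


def domain_kris(metrics: list[ControlMetric]) -> dict[str, float]:
    """Summary KRI per domain = arithmetic mean of that domain's control metrics.
    Higher means more mature control application, i.e. lower vulnerability,
    under the simplifying assumption that threat event frequency is constant."""
    validate(metrics)
    by_domain: dict[str, list[float]] = {}
    for m in metrics:
        by_domain.setdefault(m.domain, []).append(m.coverage)
    return {d: round(mean(vals), 3) for d, vals in by_domain.items()}


def kri_trajectory(previous: dict[str, float],
                   current: dict[str, float]) -> dict[str, Optional[float]]:
    """Period-over-period change per domain; None when a domain has no prior reading."""
    return {d: (round(v - previous[d], 3) if d in previous else None)
            for d, v in current.items()}


def loss_event_frequency(threat_event_frequency: float, vulnerability: float) -> float:
    """LEF = TEF x vulnerability, where vulnerability is the probability (0..1)
    that a threat event becomes a loss event."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability in [0, 1]")
    return threat_event_frequency * vulnerability


def annualised_risk(lef: float, loss_magnitude: float) -> float:
    """Risk = annual loss event frequency x loss magnitude per event."""
    return lef * loss_magnitude


def on_time_closure_rate(findings: list[tuple[date, Optional[date]]]) -> Optional[float]:
    """KPI: share of closed findings closed on or before their due date.
    Open findings are excluded; returns None when nothing has closed yet."""
    closed = [(due, done) for due, done in findings if done is not None]
    if not closed:
        return None
    on_time = sum(1 for due, done in closed if done <= due)
    return round(on_time / len(closed), 3)


# Constructed sample readings for two reporting periods (illustrative only).
PREVIOUS_PERIOD = [
    ControlMetric("firewall rule review", "network security", 0.6),
    ControlMetric("network segmentation", "network security", 0.8),
    ControlMetric("EDR deployed", "endpoint security", 0.75),
]
CURRENT_PERIOD = [
    ControlMetric("firewall rule review", "network security", 0.9),
    ControlMetric("network segmentation", "network security", 0.7),
    ControlMetric("encrypted management traffic", "network security", 0.8),
    ControlMetric("EDR deployed", "endpoint security", 0.6),
    ControlMetric("disk encryption", "endpoint security", 0.9),
    ControlMetric("SAST in CI", "application security", 0.5),
]
FINDINGS = [
    (date(2024, 3, 1), date(2024, 2, 20)),  # closed early
    (date(2024, 3, 1), date(2024, 3, 5)),   # closed late
    (date(2024, 4, 1), None),               # still open, excluded from the rate
]

if __name__ == "__main__":
    now = domain_kris(CURRENT_PERIOD)
    print("KRIs:", now)
    print("Trajectory:", kri_trajectory(domain_kris(PREVIOUS_PERIOD), now))
    lef = loss_event_frequency(threat_event_frequency=12, vulnerability=0.25)
    print("LEF/year:", lef, "Annualised risk:", annualised_risk(lef, 50_000))
    print("On-time closure rate:", on_time_closure_rate(FINDINGS))
```

Two points worth noting when using a scheme like this for board reporting: a domain that appears for the first time (application security above) has no trajectory, so report it as new rather than as unchanged, and the closure-rate KPI deliberately ignores still-open findings so that a backlog cannot be hidden by a high on-time percentage; pair it with a count of overdue open items.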