
Security Think Tank: Map your own important risk metrics

What should be the key cyber security risk indicator for any business?

Cyber security has become a board-level topic as enterprises begin to focus on cyber security like never before. This focus means a true need to consider how cyber security is tracked, measured and communicated throughout the organisation.

The simple route to achieve this is the judicious use of key metrics (or cyber security key risk indicators). To avoid getting embroiled in the semantics, I will simply refer to them as metrics.

A simple search online shows several potential metrics; however, being able to identify the right metric or the right set of metrics is the proverbial million-dollar question. Further, it’s important that organisations recognise the need for a risk-based approach to both measurement and management of cyber risk, with tools like the capability maturity model from the CMMI Institute.

Enterprises globally are struggling to find the right answer for this, and in order to do that we must go back to the basics. In cyber security, as with many other areas, good metrics have the following characteristics:

  • They are simple to articulate and understand.
  • They are closely coupled to the underlying process, aspect or behaviour that is being measured. This means that a movement in the metric is an indicator that the underlying process, aspect or behaviour is also moving.
  • They enable decision-making based on the metrics.
  • They enable the identification of trends, allowing the monitoring of status over time.

A good system will also have a mixture of lead and lag indicators. Briefly, leading indicators are those that can point to future events and occurrences. Lagging indicators are ones that show the impact, or evidence, of past events and activities. This mix is important because metrics need to serve as early-warning indicators, rather than just as an indicator or count of something that has occurred.

Prevention is always better than cure and any metric that can help enterprises on this front can be valuable.

A mix of technical and non-technical metrics is also necessary. We need to consider the diverse audience that our metrics are intended to inform and educate. Any metrics chosen must make sense in a business language – when these metrics are taken to the board, the board needs to be able to understand them in a relatable business context, not (potentially difficult to understand) technical terms.

This last bit may be a challenge – those on the cyber security team responsible for metric-setting and measurement must make them actionable, not just understandable, for the board. Metrics are most powerful when used to set benchmarks within the organisation and to drive improvement based on them. For example, a target may be set that 90% of all organisational systems must be compliant with internal policies at all times. The measurement may reveal a current status of 75%. This enables practitioners to identify and implement the necessary actions to meet the set metric.

Finally, for metrics to be used effectively, two Cs need to be kept in mind: “context” and “cohort”. Metrics need to be taken in context. A single one may not be able to provide the full picture of a situation; equally, a static indication of the metric at a point in time may not always be useful. Therefore, it’s vital to present the key metric with contextual information like any movement or trends, how related metrics are performing, and whether there are any related organisational or security system changes.

In a world of increasing oversimplification, it is imperative that practitioners understand the importance of cohorts of metrics. This is a recognition that a single measure may provide only a partial indication of what is going on, and so it may be beneficial to look at families of metrics that might help explain behaviour and, when taken together, provide insight into what is going on. 

Metrics and key risk indicators in cyber security are ultimately a function of the probability of an event and its consequence. For each individual business, the consequences of the same event will be different, so there can be no “holy grail” metric or measure for every organisation.

Using the guidelines above, however, you will be able to map your own important risk metrics, and create an awareness and understanding of the key steps needed to manage the risk from junior level right to board chair.
