Information Security KRI & KPI - Relevant To CISO, CIO And Board Part I
The Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues, has noted that many CISOs report the wrong key performance indicators (KPIs) and key risk indicators (KRIs). A second question is which IT KRIs and KPIs are relevant to the CIO, CEO, and Board of Directors. In today's blog, we discuss KRIs and KPIs to give IT managers a better understanding of both.
What are KRIs and KPIs, and how are they different?
A KRI is a metric that measures the likelihood that the combined probability of an event and its impact will exceed the organization's risk appetite. KRIs act as an early warning system that alerts management when risk exposure exceeds tolerable limits. A KPI is a key measurable value that indicates progress toward an intended result. A KRI's measured value should reflect the negative impact the underlying risk would have on the organization's KPIs.
What makes a KRI effective?
To be measurable and comparable, KRIs should be specific, predictive, and easy to quantify through hard numbers, percentages, or ratios. Effective KRIs should be:
- Measurable - KRIs are represented in quantifiable numbers, counts, percentages, etc.
- Predictive - Provide alerts or warnings that something may fail.
- Comparable - Measurable KRIs can be compared over a period.
- Informational - Able to provide information about risks, direction of risk, and control effectiveness.
What do well-defined KRIs enable firms to do?
The KRIs defined using the above principles enable firms to:
- Know risk exposure and direction of risk.
- Provide information about control effectiveness and changes to be made.
- Help in risk reporting, communication to management, and prioritization.
- Help understand operations and manage operational risks.
What are examples of cybersecurity KRIs and KPIs?
Examples of cybersecurity KRIs and KPIs drawn from regular cybersecurity monitoring:
KRIs
- The volume of social engineering attempts reported within the organization in the last X months.
- The percentage of staff trained in IT security policies and procedures.
KPIs
- Fully patched devices.
- Mean Time to Resolve (MTTR) threats.
- Days to patch the systems.
Why should KRIs be linked to KPIs?
Identifying key risk indicators requires an understanding of the organization's goals or, in cybersecurity, key information security priorities. Linking KRIs to KPIs enables managers to manage performance and know in advance the direction of risk. This linking enables managers to understand risk behavior and its impact on business performance.
What are some example mappings from impact to KPI to KRI?
Below are a few examples:
| Impact | KPI | KRI |
| --- | --- | --- |
| Lack of a succession plan for key management positions may interrupt business continuity, delay project delivery, and miss SLAs. | Project delivery deadlines | Succession planning for key IT management positions |
| Inadequate security of third-party systems may impact the company and expose company data. | Third-party compliance requirement adherence | Number of incidents due to third-party system vulnerabilities |
| Exposure to cyber-attacks due to untimely application of patches | Systems downtime | Systems without up-to-date patches |
| Failure to meet compliance obligations | Timely implementation of compliance requirements | Loss of customer PII or PHI data |
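To make the "early warning" idea concrete, here is an added example (not from the original post) that computes two of the KRIs and one of the KPIs listed above from constructed sample data and checks each KRI against an assumed risk-appetite threshold, reporting whether it is breached and which direction it is moving compared with the previous period. The device inventory, incident dates, staff counts, thresholds and 30-day patch SLA are all constructed assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not from the article).
PATCH_SLA_DAYS = 30            # assumed patch SLA
AS_OF = date(2024, 6, 30)      # end of the reporting period

DEVICES = [  # (hostname, date of last successful patch)
    ("web-01", date(2024, 6, 20)),
    ("web-02", date(2024, 5, 1)),
    ("db-01", date(2024, 6, 28)),
    ("fs-01", date(2024, 4, 15)),
]
INCIDENTS = [  # (opened, resolved) for threats handled this period
    (date(2024, 6, 1), date(2024, 6, 3)),
    (date(2024, 6, 10), date(2024, 6, 16)),
]
STAFF_TOTAL, STAFF_TRAINED = 200, 150

def pct_unpatched(devices, as_of=AS_OF, sla=PATCH_SLA_DAYS):
    """KRI: percentage of systems without up-to-date patches (older than the SLA)."""
    stale = [host for host, last in devices if (as_of - last).days > sla]
    return 100.0 * len(stale) / len(devices)

def pct_trained(trained, total):
    """KRI: percentage of staff trained in IT security policies and procedures."""
    return 100.0 * trained / total

def mttr_days(incidents):
    """KPI: mean time to resolve threats, in days."""
    return mean((resolved - opened).days for opened, resolved in incidents)

def evaluate(current, previous, threshold, higher_is_worse=True):
    """Compare a KRI with its risk-appetite threshold and report its direction."""
    breached = current > threshold if higher_is_worse else current < threshold
    if current == previous:
        direction = "flat"
    elif (current > previous) == higher_is_worse:
        direction = "worsening"
    else:
        direction = "improving"
    return {"value": round(current, 1), "breached": breached, "direction": direction}

if __name__ == "__main__":
    # Previous-period values and thresholds are assumed for illustration.
    print("Unpatched systems:", evaluate(pct_unpatched(DEVICES), 40.0, 25.0))
    print("Staff trained:", evaluate(pct_trained(STAFF_TRAINED, STAFF_TOTAL), 80.0, 90.0, False))
    print("MTTR (days):", mttr_days(INCIDENTS))
```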
What diagram illustrates the link between objectives, strategies, risks, and KRIs?
The diagram below from the COSO research paper Developing Key Risk Indicators to Strengthen Enterprise Risk Management helps depict the link from objectives to strategies to risks to KRIs. We will discuss more in the next blog, Part II.
