Blog | July 23, 2020

Information Security KRIs and Cybersecurity Metrics


Avoid Analysis Overload Across Cybersecurity Metrics with Focused Risk and Performance Indicators

In today’s data-driven business operations, delivering meaningful cybersecurity metrics is essential to measure the value of your business resources and progress made toward your business goals.


The sheer number of security tools in play at a given organization can make general data governance, and aggregating insights across systems, a challenge to model. Often there are so many data points to connect that identifying where to start can be overwhelming. A GRC solution can help organize and structure data for direct reporting, or harmonize data across security, regulatory, and internal compliance objectives.


Beyond the internal challenges around structuring data, an added layer of complexity involves understanding what metrics your market is benchmarking. Having tailored cybersecurity metrics is a strategic initiative to follow your organization’s performance in line with your core business drivers.


What are some of the Key Risk Indicators (KRIs) and cybersecurity metrics leading organizations track regularly? 

Having focused perspectives and evidence for KRIs can help your organization evaluate its overall risk posture. Understanding the magnitude and extent of your risk exposure requires a detailed mapping of operations across your business network, IT and security asset infrastructure, and control practices.


We’ll outline some of the insights that can be drawn from these cybersecurity metrics and propose questions to consider in analyzing your business operations.


Balancing and Prioritizing Mitigation Efforts

  1. Number of critical assets with known vulnerabilities

One of the first variables to consider here is, what are my critical assets? Secondly, how many known system vulnerabilities do I have? By layering these two data points, we can quickly prioritize efforts to ensure our core operations’ ongoing continuity.


  2. Internal vulnerabilities vs. external vulnerabilities

Depending on your network, this cybersecurity metric could focus solely on external vulnerabilities across different divisions of your supply chain. Vulnerabilities outside of your control can cost your business much more than initially evaluated on a vendor contract, in performance, schedule, and quality of service. If your vulnerabilities are disproportionately distributed across third-party relationships, business data could be at a higher risk.


  3. Frequency of review of third parties

When you consider the ongoing nature of how you evaluate your own internal operations, it is equally important to review and assess your third-party network on a regular basis. There are a number of factors that can cause security best practices to lapse within an organization. Change management, shift in priorities, or


Enhancing Confidence in System Access with Cybersecurity Metrics

  1. Number of users with “superuser” access

Viewing this metric alongside an understanding of who your key GRC managers and admins are helps build confidence in your overall access controls. Often, specific tasks are accomplished by delegation, which can require a higher level of access than you would normally grant. Leaving extended “superuser” access in place exposes you to a handful of risks. First, individuals could unknowingly change system settings, affecting the execution of certain functionality and the quality of data over time. Second, extended access could expose sensitive or privileged information to users who have no role in the processing activities for that data.


Having complete and flexible role-based access helps organizations limit “super users” to a small number of individuals, who can then adjust settings as needed for other team members.


  2. Number of days to deactivate former employee credentials

Regardless of any malicious intent on the part of former employees, there is no longer an appropriate use case for them to access company systems beyond their own personal employee data. It is crucial to deactivate access promptly to reduce the probability that company data is misused or inappropriately accessed. This KRI can be an indicator of potential vulnerability to various threats. Alternatively, this cybersecurity metric can also serve as a KPI for employee offboarding in general. The time it takes to deactivate employee credentials is also a prime candidate for automation: access control and permission updates can be triggered from an HR database of employment status and role.


  3. Frequency of access to critical enterprise systems by third parties

How often are third parties accessing your critical assets or proprietary information? Understanding access trends and frequency can help monitoring systems identify changes or abnormalities that could indicate threat agents exploiting access points or system vulnerabilities.
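As an added example (not code from this post or from OneTrust), one way to compute the "days to deactivate former employee credentials" KRI above by joining an HR termination feed with an identity-provider account export; the field names, the one-day SLA and the sample records are assumptions made for illustration:

```python
"""Added example, not part of the original post: computing the
"days to deactivate former employee credentials" KRI by joining an HR
termination feed with an identity-provider account export.  The field
names, the SLA and the sample records are constructed for illustration."""
from datetime import date
from statistics import mean, median

# Constructed HR feed: one row per terminated employee.
HR_TERMINATIONS = [
    {"user": "alice", "terminated": date(2020, 7, 1)},
    {"user": "bob",   "terminated": date(2020, 7, 3)},
    {"user": "carol", "terminated": date(2020, 7, 6)},
    {"user": "dave",  "terminated": date(2020, 7, 10)},
]

# Constructed identity-provider export; disabled=None means still enabled.
IAM_ACCOUNTS = {
    "alice": {"disabled": date(2020, 7, 1)},
    "bob":   {"disabled": date(2020, 7, 8)},
    "carol": {"disabled": None},
    "dave":  {"disabled": None},
}

AS_OF = date(2020, 7, 12)  # constructed reporting date

def days_to_deactivate(hr_rows, accounts, as_of):
    """Return {user: days} from termination to disable; for accounts that
    are still enabled the clock is still running, so count up to as_of."""
    result = {}
    for row in hr_rows:
        acct = accounts.get(row["user"])
        if acct is None:  # terminated in HR but no account found: nothing to close
            continue
        end = acct["disabled"] or as_of
        result[row["user"]] = (end - row["terminated"]).days
    return result

def overdue_accounts(hr_rows, accounts, as_of, sla_days):
    """Users whose account is still enabled more than sla_days after termination."""
    overdue = []
    for row in hr_rows:
        acct = accounts.get(row["user"])
        if acct and acct["disabled"] is None and (as_of - row["terminated"]).days > sla_days:
            overdue.append(row["user"])
    return sorted(overdue)

def kri_summary(hr_rows, accounts, as_of, sla_days=1):
    """Mean and median days to deactivate, plus the accounts breaching the SLA."""
    days = days_to_deactivate(hr_rows, accounts, as_of)
    return {"mean_days": mean(days.values()),
            "median_days": median(days.values()),
            "overdue": overdue_accounts(hr_rows, accounts, as_of, sla_days)}
```

The `overdue` list is the actionable output: each entry is an enabled account the HR feed says should already be closed.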


Evaluate Your Monitoring and Response Initiative


  1. Mean time to detect

How long are incidents flying under the radar or outside of your purview? A low mean time to detect is an excellent indicator that your monitoring activity and reporting channels are well functioning and adequately utilized. Conversely, if incidents go unreported for an extended period, this could indicate gaps in your security tools or cultural challenges in understanding security initiatives.


  2. Mean time to resolve

Measuring how long it takes to resolve an incident is a good indicator of overall business continuity and risk management preparedness. Looking at the average, and normalizing it against outliers, tells you whether your incident response is appropriately empowered.

  3. Outage as a result of an attack

Time is money: what is the value lost when a company suffers an incident? Calculating downtime due to an incident or Denial of Service attack can help you quantify loss across your business. Once you have quantified downtime, you can analyze the extent of the impact on your organization’s ability to operate across business functions. This cybersecurity metric is a KPI that explains and supports your overall risk management program.
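An added example, not from the original post, that computes the three monitoring metrics above (mean time to detect, mean time to resolve, and attack-related outage) from a constructed incident log, reporting the median and a trimmed mean alongside the plain mean to normalize against outliers; the record layout, timestamps and cause labels are assumptions:

```python
"""Added example, not part of the original post: computing mean time to
detect (MTTD), mean time to resolve (MTTR) and attack-related outage from a
constructed incident log, with a trimmed mean to normalize against outliers.
The record layout, timestamps and cause labels are assumptions."""
from datetime import datetime
from statistics import mean, median

ATTACK_CAUSES = {"dos", "malware", "phishing"}  # assumed cause taxonomy

# Constructed incidents: when the incident began (earliest evidence),
# when it was detected, when it was resolved, and minutes of outage.
INCIDENTS = [
    {"id": "INC-1", "began": datetime(2020, 6, 1, 8, 0), "detected": datetime(2020, 6, 1, 9, 0),
     "resolved": datetime(2020, 6, 1, 12, 0), "outage_min": 60, "cause": "dos"},
    {"id": "INC-2", "began": datetime(2020, 6, 3, 10, 0), "detected": datetime(2020, 6, 3, 12, 0),
     "resolved": datetime(2020, 6, 3, 16, 0), "outage_min": 0, "cause": "phishing"},
    {"id": "INC-3", "began": datetime(2020, 6, 5, 0, 0), "detected": datetime(2020, 6, 7, 0, 0),
     "resolved": datetime(2020, 6, 7, 10, 0), "outage_min": 0, "cause": "malware"},
    {"id": "INC-4", "began": datetime(2020, 6, 10, 14, 0), "detected": datetime(2020, 6, 10, 14, 30),
     "resolved": datetime(2020, 6, 10, 15, 30), "outage_min": 0, "cause": "misconfig"},
    {"id": "INC-5", "began": datetime(2020, 6, 12, 9, 0), "detected": datetime(2020, 6, 12, 12, 0),
     "resolved": datetime(2020, 6, 12, 14, 0), "outage_min": 120, "cause": "dos"},
]

def hours_between(start, end):
    return (end - start).total_seconds() / 3600

def time_to_detect(incidents):
    return [hours_between(i["began"], i["detected"]) for i in incidents]

def time_to_resolve(incidents):
    # The resolution clock starts at detection, so MTTR is not inflated by dwell time.
    return [hours_between(i["detected"], i["resolved"]) for i in incidents]

def trimmed_mean(values, trim=1):
    """Mean after dropping the `trim` smallest and largest values, so one
    runaway incident (INC-3's 48 h dwell) does not dominate the average."""
    ordered = sorted(values)
    core = ordered[trim:len(ordered) - trim] if len(ordered) > 2 * trim else ordered
    return mean(core)

def metrics(incidents):
    ttd, ttr = time_to_detect(incidents), time_to_resolve(incidents)
    return {
        "mttd_hours": mean(ttd), "median_ttd_hours": median(ttd), "trimmed_mttd_hours": trimmed_mean(ttd),
        "mttr_hours": mean(ttr), "median_ttr_hours": median(ttr), "trimmed_mttr_hours": trimmed_mean(ttr),
        "attack_outage_minutes": sum(i["outage_min"] for i in incidents if i["cause"] in ATTACK_CAUSES),
    }
```

On this sample the plain MTTD is 10.9 hours while the median and trimmed mean are both 2.0 hours; reporting only the mean would hide that four of five incidents were caught within three hours.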



Reinforcing Security Best Practices

  1. Number of completed training courses

This metric adds context when evaluating the efficiency of your controls: if they are underperforming, the cause may be an education gap, and therefore an opportunity. Identify the percentage of stakeholders who have completed training courses for policies related to security practices. Overall, these policy metrics can help you identify courses in your training library that have yet to be promoted or distributed and that could help correct behavior.


  2. Number of passed attestation quizzes

Beyond completed training courses, which show how widely best practices and policy guidelines have been distributed, we can dive deeper by evaluating the number of passed attestation quizzes. Does this metric correlate with our evaluation of how stakeholders execute and perform this control in practice?


Having KRIs that can fuel KPI discussions across your business will help enable your overall enterprise risk management program. A dynamic and rich data structure lets you organize and correlate data across risk elements: assets, processes, threats, vulnerabilities, custom risk attributes, and qualitative metrics. This flexible structure provides the additional context needed to translate risk into business impact across your organization.


Request a demo from our team of GRC professionals to see how OneTrust’s flexible structure and dynamic reporting engine can model these cybersecurity metrics or KPIs unique to your business.