KuppingerCole Report
Advisory Note
By Mike Small

KRIs and KPI for Cyber Security

This report provides selected Key Risk Indicators (KRI) for the area of Cyber security. These indicators are easy to measure and provide organizations with a quick overview of the relevant risks and how these are changing. The indicators can be combined into a risk scorecard which then can be used in IT management and corporate management.

1 Executive Summary

The report provides selected Key Risk Indicators (KRI) for the area of Cyber security. These indicators are easy to measure and provide organizations ...


2 Highlights

  • The report provides selected Key Risk Indicators (KRI) for the area of cyber security. These indicators are easy to measure and provide organization ...

3 Why work with KRIs and KPIs?

To manage IT services effectively requires a set of measures against which performance can be judged. KRIs and KPIs provide such measures of risk and ...


3.1 The value of KRIs and KPIs

There are several obvious ways in which the use of KRIs/KPIs offers value. From KuppingerCole’s perspective, the four most important ones are:

  • Reduced impact from risks: risks can be measured in two dimensions, likelihood and impact. It is often very difficult to be sure of the likelihood, but you can usually measure the impact. Controlling or mitigating impact is a key approach to risk management.
  • Management by risk: Consequently, management can focus on identified risks. It is much more efficient to focus on the things with the worst impact than to try to cover every aspect without knowing whether it is relevant or not. Management by risk is a form of “management by exception”, i.e. focusing on the situations where the risk metrics indicate that action should be taken.
  • Control actions for risks: Risk management involves the definition of control actions to be implemented where risk is unacceptable. These controls enable organizations to respond to risks in a defined and structured way. KPIs allow the effectiveness of these controls to be measured.
  • Proven success in operations and projects: A benefit of both KRIs and simple KPIs is that success can be proven. When the current value of a metric is compared with a baseline, you can see how things have improved or worsened. A continuous approach using metrics allows this kind of comparison.

In short, the benefits of using KPIs for managing by risk are reduced impact, clearly defined control measures and proven success.

4 The Top KRIs/KPIs for Cyber Security

To enable organizations to quickly start using a risk-based approach to cyber security this report identifies the top KRIs/KPIs for the areas identifi ...


4.1 Hybrid Cyber Security Architecture

Organizations typically exploit multiple ways in which to deliver their IT services including the use of services from different cloud vendors. At th ...

The complexities introduced by the hybrid delivery model are illustrated in Figure 1. There are multiple technology layers and the responsibility for ...


4.2 Identify (ID)

You can’t protect what you don’t know you have. The first step towards cyber security is to classify the assets and data held by the organization ...


4.2.1 Asset Management (ID.AM)

NIST Category: “The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and ...


4.2.2 Classification of Assets (ID.AM-5)

We strongly recommend creating a risk classification of these assets. The risk classification might be derived from the following properties of applic ...


4.2.3 Governance of Cyber Security (ID.GV)

NIST Category: “The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and oper ...


4.2.4 Cyber Security Management Framework (ID.GV)

Organizations should adopt a cyber security framework. This is essential to ensure that cyber security standards and best practices are consistently ...


4.2.5 Cyber Security Architecture (ID.GV)

A complete and comprehensive cyber security architecture based on recognized standards (e.g. NIST 800-37) is necessary to ensure that security process ...


4.2.6 Risk Assessment (ID.RA)

NIST Category: “The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputatio ...


4.2.7 Vulnerability Management (ID.RA-1)

Cyber threats exploit vulnerabilities and overcome weak controls to cause cyber incidents where systems or data are damaged, or data is stolen. The m ...


4.2.8 Supply Chain Risk Management (ID.SC)

NIST Category: “The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions a ...


4.2.9 Service Certification (ID.SC-4)

It is usually impractical for cloud service providers to allow each customer to perform their own audit of their service. The use of standards and re ...


4.3 Protect (PR)

“An ounce of prevention is worth a pound of cure.”


4.3.1 Identity Management, Authentication and Access Control (PR.AC)

NIST Category: “Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is mana ...


4.3.2 Identity Lifecycle Management (PR.AC-1)

This covers KPIs for all the processes concerned with managing the complete lifecycle of the electronic identities of individuals with access to systems, ...


4.3.3 Employee Screening (PR.AC-1)

It is essential that employees and other entities that have access to organizational systems, applications and data are checked out. Potential employ ...


4.3.4 Entitlement Management (PR.AC-4)

Access to information, applications, and systems should be controlled based on business requirements. Access rights should be assigned in a timely ma ...


4.3.5 Privileged Account Management (PR.AC-4)

Managing privileged user access is a vital element of cyber security. The assignment of access privileges should be strictly controlled, and the use ...


4.3.6 Orphan accounts (PR.AC-1)

These are user accounts in systems which are not associated with a specific known person or entity. They represent an important risk because they cou ...


4.3.7 Deployment of strong authentication (PR.AC-7)

The explosion in the ways that people can connect to the systems using mobile devices and the internet has increased the risks of impersonation and ch ...


4.3.8 Network Access Control (PR.AC-4) / (PR.AC-5)

Organizational systems depend upon network communication both within the organization as well as with suppliers, partners and customers. These commun ...


4.3.9 Access to Cloud Services (PR.AC-4)

Users and lines of business often use personal or at least unsanctioned cloud services in order to “get the job done”. This has the potential to ...


4.3.10 Awareness and Training (PR.AT)

The users of systems are the first line of defense against cyber-attacks. It is essential that they are trained and supported.

NIST Category: “T ...


4.3.11 Data Security (PR.DS)

In the hybrid IT service delivery model, the organization using the service is always ultimately responsible for their data wherever it is held and ho ...


4.3.12 Use of Data Leak Prevention Technology (PR.DS-5)

Often organizations are not aware of the amount and location of sensitive data that they hold. Employees can create unstructured files such as Word d ...


4.3.13 Cloud Access Security Broker (PR.DS-5)

Cloud Access Security Brokers add another layer of protection to organizational data by identifying and controlling the cloud services used by employe ...


4.3.14 Encryption of Data at Rest (PR.DS-1)

Stored data is a target for cyber adversaries and encrypting data provides security against some of the risks. It is very helpful to protect data hel ...


4.3.15 Encryption of Data in Transit (PR.DS-2)

Data flowing through communications networks is susceptible to interception. Encrypting the data is the most effective way to protect data in transi ...


4.3.16 Information Protection Processes and Procedures (PR.IP)

NIST Category: “Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organization ...


4.3.17 Change Management (PR.IP)

Related ISO/IEC 27001 Controls:
A.12.1.2 Operations Change Management
A.12.5.2 Control of operational software
A.14.2.2 Systems Acquisition / Dev ...

4.3.18 Data Backup and Media Handling (PR.DS-3)

There are numerous examples of cyber-attacks leading to data breaches due to poor handling of exchangeable media containing sensitive data. It is imp ...


4.3.19 Anti-Malware Protection (PR.PT)

Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, an ...


4.4 Detect (DE)

Cyber security depends upon being able to detect anomalies and monitor performance against specified controls. This monitoring requires trustworthy l ...


4.4.1 Central Logging and Anomaly Detection (DE.AE)

NIST Category: “Anomalous activity is detected, and the potential impact of events is understood.”

Related ISO/IEC 27001 Control A.12.4 Log ...

4.4.2 Security Operations Centre (DE.CM) / (DE.DP)

Organizations need a central point for collecting, analysing and assessing security threats and events. This is commonly known as a Security Operatio ...


4.5 Response (RS)

It is not enough to know that your organization is under a cyber-attack; it is essential to be able to respond.

It is no longer a case of if an organ ...


4.5.1 Tested Incident Response Planning (RS.RP)

NIST Category: “Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.”

Relat ...

4.6 Recovery (RC)

It is essential that the organization has a prepared and tested recovery plan that covers all elements needed to deliver the business-critical service ...


4.6.1 Tested Incident Recovery Plan (RC.RP)

NIST Category: “Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity ...


4.6.2 Operational Resilience (RC.RP)

The organizational systems and applications should be designed, implemented, configured and deployed to achieve the required levels of availability in ...


4.7 ISO/IEC 27001 Controls Mapped to KPIs

ISO/IEC 27001 is a widely accepted standard for information security. The KPIs specified in this report help to demonstrate progress towards implemen ...


4.8 Hybrid IT Security Elements Mapped to NIST Subcategories and to KPIs

The NIST Cybersecurity Framework is being widely adopted and the KPIs described in this report help to demonstrate progress toward implementing this.

...

5 Recommendations

To realize the benefits described in the previous chapters it is recommended that IT organizations move to using KRIs and KPIs for cyber security. To ...


5.1 Organizational aspects

There are currently several standardized frameworks for cyber security available; these include ISO/IEC 27001 and the NIST Cybersecurity Framework. T ...


5.2 Risk based cyber security processes

The initial phase of implementing a risk-based approach to cyber security should adopt lean processes.

  • Collection: How can the information be coll ...

5.3 The choice of KRIs and KPIs

There are three golden rules for choosing the appropriate KRIs/KPIs:

  1. Choose valid indicators: Indicators should be capable of directly relating to ...

5.4 Base KPIs and KRIs on business goals

The KPIs and KRIs must be based on business goals.

For example, if a strategic goal of an organization is for digital transformation, then it needs ...

In terms of cyber security, considering the NIST Cybersecurity Framework particularly, this means that:

  • The organization must be able to identify ...

5.5 Scorecard Approach

KuppingerCole strongly recommends building a scorecard for the KRIs. That scorecard could be divided into the following segments:

The scorecard could then include four pieces of information per KRI:

  • Current value
  • Change (either absolute or relative)
  • Direction of change
  • I ...


©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.