Hello. Welcome to the cybersecurity leadership and management course. Today we'll be discussing cybersecurity management, key risk indicators (KRIs), and key performance indicators (KPIs) within the FAIR framework. My name is Cicero Chimbanda, and I am your instructor for this course. Cybersecurity management: key risk indicators and key performance indicators within Factor Analysis of Information Risk, which is also known as FAIR. In this course, we'll be discussing the following topics. We will look at an overview of measuring cybersecurity risk. We will then talk about the risk framework within FAIR, the Factor Analysis of Information Risk framework. We will then talk about metrics, first the key risk indicators and then the key performance indicators. Let's get started. Measuring cybersecurity risk. Measuring cybersecurity risk really depends on the company's or the organization's risk tolerance. I'm in an industry where we do financial risk and investment services. The question for the organization or the client is always: are you a risk taker? The answer always lies in weighing risk versus reward. This is a simple scale that shows low risk on one side and high risk on the other. In between, you have individuals or organizations with different risk tolerances. You might have an organization that's more conservative and therefore has a very low appetite for risk. Then obviously, you can have moderately conservative or moderately aggressive, or it can go into aggressive or very aggressive. Depending on the organization, this will also dictate the type of risk measurement that will be taken and the kind of metrics that will be reported. We have talked before about the cybersecurity information program, or cybersecurity information governance: really, it's all about the deliverables. The security deliverable is to be aligned with the organization's strategy.
This means that the organization wants to make sure that its security risk tolerance is aligned with the organization's strategy. The second is really building trust. An organization, in order to fulfill its obligations, needs to know where it's regulated. What are the boundaries, what are the laws? What is the lane that it must operate in? That will also dictate the type of risk tolerance the organization will have to take. Obviously, the regulatory systems bound around that organization will dictate the risk tolerance, but ultimately the organization wants to deliver trust. Then finally, stability. It's not only familiar by now; this is really the theme of this particular course: delivering security, trust and stability. Operational excellence is what the organization wants to deliver. In order to keep the lights on, to satisfy the clients' demands, and to meet the employees' demands, the company or the organization needs to be operationally excellent. It needs to be stable, and therefore this too will dictate how risk is measured. Let's look at a couple of components of risk measurement. A cybersecurity and information security program really has risk measurements in two categories. The first one is the likelihood. What is the likelihood or the probability of something happening, of an event? There's usually a worst-case scenario, the maximum loss, and a best-case scenario, which is the absorbed cost, or what is most likely going to happen. Then the second is the impact. The impact is where you have the level of cost. This can be measured in two ways. Quantitative risk: for example, figuring out the annual loss expectancy, or the single loss expectancy and the annualized rate of occurrence, and the formula, which we'll look at more, along with other factors in how to measure quantitative risk. But you also have qualitative risk, and this is where you have measurements such as surveys or the quality of service.
Once you have found your measurement of risk, you want to set countermeasures. You want to have countermeasures to meet those risks, and this is where you're going to be reporting out of the administrative controls, which are policies and procedures. You want to have metrics around your administrative controls. You have physical controls to meet your risks. These are visual or touchable components that can help you control your risks, and you want to have measurements around those. Lastly, you have technical controls. These are systems such as firewalls, and these are countermeasures that you want to have in place to make sure you're mitigating your risk or handling your risk in a proper way. The benefit of having metrics around these is that you will be able to understand the BIA, the business impact analysis, and the risk factor. These are the cyber risks, and the metrics make it possible for you to see the risk in terms of the potential business impact to the customer base. You will see the price, you will see the measurement, and the business value. In addition, you will be able to prioritize. You'll be able to prioritize your risks and controls. You'll be able to see the likelihood of occurrence and also the greatest impact of that occurrence. Lastly, accuracy. You'll be able to have a performance-based, cost-based evaluation in treating your risks. This is the calculation using technology, using the business, changes in the organization, and creating risk profiles. Again, these are some of the benefits of having countermeasures, and of having metrics around your countermeasures, that allow you to have the proper measurement of your risk within your organization. Let's continue. Cybersecurity risk framework: Factor Analysis for Information Risk. We have talked extensively in previous courses about how we don't have to reinvent the wheel. There are frameworks and best practices out there to help your organization.
You have a roadmap to fulfill your best practices in the measurement of risk. In this case, we're looking at Factor Analysis for Information Risk. This really is all about risk taxonomy: having a clear classification for information risk. We all know that in our industry, the definitions of nomenclature vary depending on the industry, the company, the country, the language. The definition of certain components might not have a standard. What Factor Analysis for Information Risk does is create the measurement of risk in basic terms, for example, risk and threat. They define the terminology. Looking at Factor Analysis for Information Risk, FAIR is an open international standard that's developed specifically to communicate the loss of an event, the frequency of that event, and the vulnerability. So as we look at these components, you have a loss event frequency, which is really the likelihood, as some would call it, and you have a threat event frequency and a vulnerability. These are what make up the loss event frequency. Let's dig in a little bit more to understand. What is threat event frequency? Well, threat event frequency is based on your threat actors. For example, you look at: what is the likelihood of organized crime conducting a threat against my organization, based on what we do? What about an APT, an advanced persistent threat, or a nation-state? What about insider threats? What about hacktivists? What about script kiddies? You look at all these components and you weight the priority of your threat events: how frequently will these threats potentially try to penetrate my organization? What is the vulnerability? Well, you have assets in an organization. Assets are data or information. They could be your corporate or organizational people, intellectual property, systems, physical and virtual, and obviously monetary or non-monetary assets. These are your assets, and you need to weigh your vulnerability assessment.
What is the probability of this particular asset being breached during an event? Once you weigh that, then you have to look at the loss magnitude, which is really the impact. So we have the likelihood and we've got the impact, and the way Factor Analysis for Information Risk weighs the impact is by saying you have primary loss and you have secondary loss. You apply the model, and basically you measure cyber risk accurately and effectively create a quantification of the risk by looking at: are the risk factors clearly and completely defined, making sure there's no confusion; taking that and making sure there's accurate scoping and measurement; providing a framework for critical thinking; enabling robust quantitative analysis using the established methods; and also having a long-term risk plan. This is the cybersecurity risk framework known as FAIR, the Factor Analysis for Information Risk. Let's continue. When we look at cyber risk measurement, there are two types of indicators. The first one that we're looking at is key risk indicators. Key risk indicators, for a cybersecurity leader, are driven to increase the interest of reporting to the shareholders, to the regulatory and obligatory stakeholders, to your employees, and to the board level. Basically, it's about choosing the right KRIs, and even the KPIs, the metrics that depend on your organization. In doing so, we will look at, for example, security. The goal of being secure is to make sure that your data or information remains confidential. There are no breaches of your data. This provides security, which in turn aligns with your organization's strategy. What are some administrative controls that can help you with key risk indicators? As we look at administrative controls for security, we have the following. We create a cybersecurity program; a key risk indicator here is basically looking at the overall security posture.
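To make the FAIR terms above concrete, here is an added example (not part of the course material) that carries the loss event frequency (threat event frequency times vulnerability) and the loss magnitude (primary plus secondary loss) through to an annualized loss expectancy, the ALE = SLE x ARO calculation mentioned earlier, for two constructed threat scenarios. The scenario names, the three-point figures and the risk-appetite threshold are all assumed for illustration.

```python
# FAIR-style risk quantification: loss event frequency from threat event
# frequency and vulnerability, loss magnitude from primary and secondary loss.
# All figures are constructed for illustration, not data from any organization.
from dataclasses import dataclass

Estimate = tuple[float, float, float]  # (best case, most likely, worst case)

def mul(a: Estimate, b: Estimate) -> Estimate:
    return (a[0] * b[0], a[1] * b[1], a[2] * b[2])

def add(a: Estimate, b: Estimate) -> Estimate:
    return (a[0] + b[0], a[1] + b[1], a[2] + b[2])

@dataclass
class Scenario:
    name: str
    tef: Estimate        # threat event frequency: attempts per year
    vuln: Estimate       # probability an attempt becomes a loss event, 0..1
    primary: Estimate    # primary loss per event, e.g. response, replacement
    secondary: Estimate  # secondary loss per event, e.g. fines, churn

    def lef(self) -> Estimate:
        # loss event frequency, the likelihood; the ARO in ALE = SLE x ARO
        return mul(self.tef, self.vuln)

    def sle(self) -> Estimate:
        # single loss expectancy: loss magnitude, primary plus secondary
        return add(self.primary, self.secondary)

    def ale(self) -> Estimate:
        # annualized loss expectancy for best, most likely and worst case
        return mul(self.lef(), self.sle())

def rank_by_ale(scenarios: list) -> list:
    # highest most-likely ALE first: the prioritisation the lecture describes
    return [s.name for s in sorted(scenarios, key=lambda s: s.ale()[1], reverse=True)]

def over_appetite(scenarios: list, appetite: float) -> list:
    # scenarios whose most-likely ALE exceeds what the organization will absorb
    return [s.name for s in scenarios if s.ale()[1] > appetite]

SCENARIOS = [  # constructed sample threat scenarios
    Scenario("organized crime ransomware", (2, 6, 12), (0.05, 0.10, 0.25),
             (20_000, 50_000, 150_000), (0, 30_000, 200_000)),
    Scenario("insider data leak", (1, 2, 4), (0.20, 0.40, 0.60),
             (10_000, 25_000, 60_000), (0, 5_000, 40_000)),
]
print(rank_by_ale(SCENARIOS), over_appetite(SCENARIOS, 30_000))
```

With these constructed inputs the ransomware scenario has a most-likely ALE of 48,000 per year (worst case 1,050,000), which is why it ranks first and is the only one over a 30,000 appetite.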
Having things like red, amber, green indicators, which are qualitative, will help you weight your cybersecurity program. We talked about the Cybersecurity Task Force, where you can have a KRI, or key risk indicator, that shows the number of quarterly risks opened by your Cybersecurity Task Force and also which ones were closed during that period. You have annual risk assessments, and you can quantify the number of annual high risks discovered. You have penetration tests. You can quantify the number of vulnerabilities exploited during a pen test. Vulnerability scanning: that's when you go on your network and find out the number. You can have the quantity of critical assets with known vulnerabilities. You have a user awareness program or training, and you can quantify the number of failed training courses. You can have an incident response program, and you can have key risk indicators that show the impact of the incident and the actual costs versus the annual loss expectancy, which we'll also look at in more detail in the calculations. But again, these are some key risk indicators that can be shown within security for administrative controls. What about physical controls? Well, within cybersecurity, you can have a SOC, which is a Security Operations Center. You can have a key risk indicator that will show the overall operational effectiveness: red, amber, green. This is a qualitative KRI. You have security teams, the personnel, security guards. You can have customer interaction and complaints. You can have key risk indicators of how many complaints you are receiving. Your entry badges or biometrics: obviously, you can weigh what's called the False Acceptance Rate, the FAR, or the False Rejection Rate, again a quantitative way of having a key risk indicator. Building security cameras: you can look at the quality of the video captured in assisting with resolving an incident. You can have physical alarms and alerts.
You can look at MTTR, the Mean Time to Respond, or look at false positives or false negatives. Again, we will define a lot of these terms, but these are some sample key risk indicators that you can use while measuring physical controls. Lastly, encrypted disk drives. You can look at the encryption strength for mission-critical and highly sensitive data, again a qualitative measure. Then lastly, technical controls. Primarily, next-gen firewalls. These again are security appliances. You can look at the number of high-value risk attempts that were blocked. You can look at your secure access service edge, where you can look at the root cause: was it the internal service provider, or was it the product or vendor? You can have qualitative data that can show if there's an issue in those different components. Multi-factor authentication: again, looking at the gaps in training, the onboarding, the result, or misconfiguration, or misuse of the verification method, again a qualitative way of measuring your MFA. Intrusion detection systems, the IDS. You can look at the false negative ratio, actual attacks that are not detected, within a wireless IDS or even a wired IDS, looking at the number of total transactions. Lastly, endpoint protection that has antivirus and anti-malware. You can quantify the number of viruses or malware detected on the endpoint. Again, these are some key risk indicators that you can measure and show to your specific stakeholders, your constituents, your leaders, your regulators, in order to show that you are measuring risk. Looking now at the key performance index. Key performance indexes are indicators that show, from a business or organization standpoint, measurements that allow decision-makers to make decisions. For example, looking at the same indications: confidentiality, security, organization strategy. Let's look at the key KPIs within administrative controls.
Within a cybersecurity program, you might want to look at the total cost of ownership versus the breach cost. Cyber task force: the number of quarterly risks closed. The annual risk assessment: the number of annual high risks resolved. Penetration tests: the number of breach attempts blocked. Vulnerability scanning: past vulnerabilities versus current vulnerabilities. User awareness training: the number of passed training courses. And incident response: looking at the mean time to detect and the mean time to resolve. Again, these are some key performance indicator measurements that you can have for administrative controls. For physical controls, in the same way, you can have KPIs: looking at the SOC, the total cost of ownership of operations versus the plan, looking at a budget, which is quantitative. You can have security teams and security guards, looking at the number of incidents discovered and resolved. Entry badges: the durability of the badges. Building security cameras: the warranty costs versus the annual loss expectancy costs. Physical alarms: you can look at the physical measurements, entry cards, parking security, lighting requirements. Then lastly, encrypted disk drives: you can look at the speed to access the data. Is it slow compared with the non-encrypted drives? Again, a quantitative KPI. In technical controls, you can look at the perimeter, again, as we did with KRIs. But with KPIs, the key performance indexes, you look at the number of connections, the number of hosts, the kilobytes transferred, the packets transferred. These are all quantitative measurements that you can have associated with your firewall. For secure access service edge, SASE, you can look at BGP reachability, web server availability, response time, throughput, page loading time. Again, these are different measurements that you can have in order to make the proper decisions. Multi-factor authentication: support tickets, logs to track, failed login attempts.
Then intrusion detection systems: you're looking at the traffic measurement, the arrival of packets, encryption. You can look at the throughput, decryption, diffusion, and the CPU processor performance indicators. Then again for your antivirus and anti-malware, looking at the impact on the hosts. Is there a negative performance impact? These are some measurements that you can have for the key performance index. In conclusion, it is absolutely important to have measurements. It's absolutely important to have indicators that will report back to your stakeholders, your senior managers, your regulatory bodies, your employees, and also your clients. This is the course on key performance indexes and metrics. We will see you in the next course.
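The incident-response KRIs and KPIs listed in this course (risks opened and closed per quarter, mean time to detect, mean time to resolve, and actual incident cost versus annual loss expectancy) computed over an incident log and rolled up into red/amber/green status, as an added example rather than course material. The incident records, the ALE figure and the amber/red thresholds are constructed for illustration; the thresholds stand in for an organization's own risk tolerance.

```python
# Incident-response KRIs/KPIs from an incident log: risks opened and closed per
# quarter, mean time to detect (MTTD), mean time to resolve (MTTR), and actual
# cost versus ALE, each given a red/amber/green status. All data is constructed.
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%dT%H:%M"
# constructed records: (id, occurred, detected, resolved or None, actual cost)
INCIDENTS = [
    ("INC-1", "2024-01-10T08:00", "2024-01-10T10:00", "2024-01-12T10:00", 12_000),
    ("INC-2", "2024-02-03T22:00", "2024-02-05T22:00", "2024-02-09T22:00", 40_000),
    ("INC-3", "2024-03-15T09:00", "2024-03-15T09:30", "2024-03-15T17:30", 3_000),
    ("INC-4", "2024-04-02T12:00", "2024-04-03T12:00", None, 9_000),  # still open
]

def hours(start: str, end: str) -> float:
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 3600

def quarter(ts: str) -> str:
    d = datetime.strptime(ts, FMT)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def opened_closed_by_quarter(incidents) -> dict:
    # KRI: risks opened in each quarter alongside risks closed in that quarter
    opened, closed = {}, {}
    for _, occurred, _, resolved, _ in incidents:
        opened[quarter(occurred)] = opened.get(quarter(occurred), 0) + 1
        if resolved:
            closed[quarter(resolved)] = closed.get(quarter(resolved), 0) + 1
    return {q: (opened.get(q, 0), closed.get(q, 0)) for q in set(opened) | set(closed)}

def rag(value: float, amber: float, red: float) -> str:
    # red/amber/green status against constructed tolerance thresholds
    return "red" if value > red else "amber" if value > amber else "green"

def dashboard(incidents, ale: float) -> dict:
    mttd = mean(hours(occ, det) for _, occ, det, _, _ in incidents)
    mttr = mean(hours(det, res) for _, _, det, res, _ in incidents if res)
    cost_vs_ale = sum(inc[4] for inc in incidents) / ale  # KRI: actual cost vs ALE
    return {
        "opened_closed": opened_closed_by_quarter(incidents),
        "mttd_hours": mttd, "mttd_status": rag(mttd, amber=8, red=24),
        "mttr_hours": mttr, "mttr_status": rag(mttr, amber=24, red=72),
        "cost_vs_ale": cost_vs_ale, "cost_status": rag(cost_vs_ale, amber=0.8, red=1.2),
    }

print(dashboard(INCIDENTS, ale=50_000))
```

On the constructed log, MTTD (18.6 h) and MTTR (50.7 h) both land in amber while actual cost at 1.28 times the ALE is red, which is the kind of roll-up a board-level report would show.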