KPI Vs KRI

KPIs measure performance against goals and thresholds to determine if requirements are being met. KRIs monitor risks and provide early warnings by identifying predictive indicators of risk events. Both lagging and leading indicators are important, with lagging indicators reporting past data and leading indicators predicting future risks. KRIs should link to specific risks and involve stakeholders to identify root causes.

Uploaded by

boxinik
KPI vs KRI

KPI

requires attention when outside a threshold

realistic, attainable, and based on important goals

shows an indication of a performance change (e.g. error level exceeds 8%)

Disaster recovery readiness KPI – results of tests and drills

Used to determine control effectiveness to determine if business requirements are being met

Used to ensure desired metrics are achieved

Choice to stop using vendor based on vendor not meeting KPI

Ex. Average network uptime

KRI

Primary reason for periodic monitoring: the risk profile may have changed

Lagging (backwards looking) are used to gather and report data to management (event has occurred)

Leading (forward looking) are used to predict risk events

Best to have both lag and lead indicators

Provide capabilities to identify whether controls in place remain effective

IT-related KRIs (for a BU app) should be reported to IT management

Most important that they link to a specific risk

Most useful for communicating enterprise risk to management


Most essential attribute is predictive of a risk event

Greatest benefit is early warning signal

Reliability means the KRI flags exceptions every time

Designed most effectively by documenting the operational flow (end-to-end)

Should be identified with involvement from all stakeholders

Should drill down to the root cause of the event

Reason for not notifying: the sensitivity threshold was not met

Security Awareness KRI – unauthorized software installs

Most important to have a representative sample for meaningful reports

Effectiveness is based on repeatability

Best to use policies and regulations when developing

Ex. Average number of missed patches, data entry errors, virus and phishing attacks

Ex2. Security incidents caused by unpatched systems; devices on the network that are not hardened

Roles and responsibilities

Users of IT Systems (the business)

• Accountable for business risk related to IT (CIO; CFO; Chief Architect)

Business Owner

• reported to when the KRI for IT change management reaches its threshold (CISO; help desk; CSIRP Team)

Board of Directors

• Ultimately accountable for risk (chief risk officer; compliance officer; CFO)

• Accountable for overall enterprise strategy for risk governance (Senior Management, BU Managers, Chief Risk Officer)

Senior Management/ BU Managers

• Accountable for risk to an IT system that supports a critical business process (IT management; risk management department; system users)

• approving the organization's risk appetite and risk tolerance related to information security (Business unit manager, Information security officer, risk manager)

System Auditor

• evaluating the effectiveness of existing internal information security controls within an enterprise (Data Owner; Senior Management; End User)

The IT Department

• responsible for risk posed by third-party applications if implemented globally (marketing department; data privacy officer; chief risk officer)

IT Management

• included in reporting IT KRIs related to a critical BU app (key stakeholders; IT admins; finance department)

Chief Privacy Officer

• included in the reporting of risk (Third-party vendor; Business Continuity manager; Audit Manager)

IT Steering committee

• represented by key members from each department (executive board; high-level IT managers; IT managers from outside the organization)

The Risk Owner

• aggregate results of continuous monitoring should be reported to (technical staff; audit department; information security manager)
