KPI (risk-based / "non-technical") - Cyber Management


This topic contains 3 replies, has 3 voices, and was last updated by MD Khurshid Alam 4 years, 2 months ago.

    Are any of you aware of KPIs that make sense in terms of information security risks for an SME? Not really the technical stuff like viruses detected / phishing mails reported / firewall rules set etc., but rather KPIs for security risk management.
    I saw suggestions like manpower / certifications, but this makes no sense with just two people. Maybe risks detected? Time to mitigate risks? Risk treatment distribution? But still, it's just two people managing it, so we don't have (yet) a very clear track of how many risks we count and how fast they are mitigated. Numbers can always be manipulated (I could easily make two risks out of currently one if it helps my salary bonus).

    Thanks for some input; useful links are welcome too. Of course I know KPI propositions from the standards like ITIL, COBIT and the like, so just some practical advice would be nice (oh, that rhymes).



    Cybersecurity in an SME goes with complexity and risks. So, ask yourself what the major risks are that you are facing. Which risks would stress the resilience of your business too much? Draw them on a chart with likelihood of materialization and impact (in terms of damage).

    Now, once you know the risks, you can conjure up some indicators telling you whether you are in a comfort zone or should be increasingly alert because some risks may materialize. As you don't even say which sector your business is in, suggesting something is a bit hard. Sometimes, market risks or supplier risks outweigh any cyber risks; it depends on the business.

    The number of certified security professionals is meaningless in my opinion as this does not reflect anything about your operational business.
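As an added example that is not part of this thread (it is not any poster's code, and the register entries, the five-step scales, the zone cut-offs and the 60-day limit are all constructed assumptions), the following Python script turns the likelihood/impact chart from the reply above and the KPI candidates from the original question (time to mitigate, risk treatment distribution, risks by chart zone) into numbers a two-person team could compute from a plain risk register:

```python
"""Risk-register KPIs for a small security team.

Added example: constructed data and assumed scales, not from the thread.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Ordinal scales for the likelihood/impact chart (assumed, five steps each).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ALERT_SCORE = 15     # likelihood x impact at or above this: "alert" zone (assumed cut-off)
WATCH_SCORE = 8      # at or above this but below ALERT_SCORE: "watch" zone (assumed)
MAX_OPEN_DAYS = 60   # alert-zone risks open longer than this count as overdue (assumed)
REPORT_DATE = date(2023, 4, 1)  # constructed reporting date for the sample register


@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: str
    impact: str
    treatment: str            # mitigate / accept / transfer / avoid
    opened: date
    closed: Optional[date] = None

    @property
    def score(self) -> int:
        """Position on the chart as a single number: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def zone(score: int) -> str:
    """Map a score to the chart region: comfort, watch or alert."""
    if score >= ALERT_SCORE:
        return "alert"
    if score >= WATCH_SCORE:
        return "watch"
    return "comfort"


def mean_days_to_close(risks):
    """Average days from opening to closing; None when nothing has been closed yet."""
    durations = [(r.closed - r.opened).days for r in risks if r.closed]
    return sum(durations) / len(durations) if durations else None


def overdue_alert_risks(risks, today):
    """Alert-zone risks still open for more than MAX_OPEN_DAYS."""
    return [r for r in risks
            if r.closed is None
            and zone(r.score) == "alert"
            and (today - r.opened).days > MAX_OPEN_DAYS]


def kpi_summary(risks, today):
    """Indicators that are harder to game than a raw risk count:
    where the open risks sit on the chart, how they are treated,
    how long closure takes, and which serious ones have been left open."""
    open_risks = [r for r in risks if r.closed is None]
    return {
        "risks_by_zone": dict(Counter(zone(r.score) for r in risks)),
        "open_risks_by_zone": dict(Counter(zone(r.score) for r in open_risks)),
        "treatment_distribution": dict(Counter(r.treatment for r in risks)),
        "mean_days_to_close": mean_days_to_close(risks),
        "overdue_alert_risks": [r.risk_id for r in overdue_alert_risks(risks, today)],
    }


def sample_register():
    """Constructed sample register (hypothetical entries, not real data)."""
    return [
        Risk("R-01", "Phishing leads to credential theft", "likely", "major",
             "mitigate", date(2023, 1, 10), date(2023, 2, 14)),
        Risk("R-02", "Core banking vendor outage", "possible", "severe",
             "transfer", date(2023, 1, 20)),
        Risk("R-03", "Lost laptop without disk encryption", "possible", "moderate",
             "mitigate", date(2023, 2, 1), date(2023, 2, 21)),
        Risk("R-04", "Audit finding on access reviews", "likely", "moderate",
             "mitigate", date(2023, 3, 1)),
        Risk("R-05", "Outdated printer firmware", "unlikely", "minor",
             "accept", date(2023, 3, 5)),
    ]


if __name__ == "__main__":
    for name, value in kpi_summary(sample_register(), REPORT_DATE).items():
        print(f"{name}: {value}")
```

On the original poster's worry about inflating counts: splitting one risk into two changes "risks_by_zone" but not the age of the oldest open alert-zone item or the mean time to close, so the age- and ratio-based indicators in the summary are the ones to report to management; the raw count is useful only as context.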



    Hi j94305,

    Thanks for your thoughts, I absolutely agree. I'm in financial services, so of course regulatory compliance is one of the biggest risks. Since security is getting regulated as well, we might draw some KPIs from there.

    Any other input is appreciated.


    MD Khurshid Alam

    Knowing or getting the idea of what exactly the risk is? That is the only way to a 50% solution; then you will go for the solution, indicators and factors to use for the solution.
