Risk and Performance Measurement
Level of Risk
The level of acceptable risk needs to be determined, which in turn determines the level of service required and the KPIs that measure it. An incident will have an impact on the business process supporting a business product or service. The level of risk should be based on the cost to the business of each event or incident and on the frequency with which these events occur on a business process. The cost of the risk is an accumulation of:
- the real cost of the event and of the activities needed to repair it, including time and materials
- the potential loss to the business, that is the business risk, in terms of the loss to its future share price, the share price being a reflection of the worth of the business
- the loss of service, or the impact on the users of the service being supplied, in terms of the costs passed on to the business
The level of acceptable risk is a measure of these costs and of the frequency of the risk event.
Figure 12: Acceptable Level of Risk
Measurements
Security Services operate in real-time and the loss of even part of the service could result in a major exposure to a business. The effectiveness of the services needs to be measured on an hourly/daily basis using Key Performance Indicators (KPIs) which are brought to a centralised dashboard view of an organisation. The diagram below shows the feeding of the KPIs to a dashboard.

Figure 13: Security Measurement System
The KPIs are designed to show the health of the security service so that the risk to a business can be measured. If a KPI is not satisfied, then the risk to the business needs to be assessed and actions taken to manage that risk.
An example of a KPI could be that the virus signatures within the anti-virus gateway must be updated within 48 hours of being released. For high-risk updates, the KPI may be set at a 2 hour update time. If this were not done, the business would be at risk of infection by a new virus that impacts the operation of the business systems. Not performing the update may also indicate a failure of the update software that needs to be attended to.
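The signature-update KPI above, evaluated the way a dashboard feed would do it, as an added example that is not part of the original document: the 48 hour and 2 hour windows come from the text, while the record layout, the status names and the sample release data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# KPI windows from the text: 48 hours for a normal signature release,
# 2 hours for a high-risk one.
KPI_WINDOWS = {"normal": timedelta(hours=48), "high": timedelta(hours=2)}

@dataclass
class SignatureRecord:
    name: str                    # release identifier (constructed)
    risk: str                    # "normal" or "high"
    released: datetime           # when the vendor released the signature
    applied: Optional[datetime]  # when the gateway applied it; None if not yet

def evaluate_kpi(rec: SignatureRecord, now: datetime) -> dict:
    """KPI status for one release: met, missed, overdue or pending."""
    deadline = rec.released + KPI_WINDOWS[rec.risk]
    if rec.applied is None:
        # Not applied yet: a failure only once the window has elapsed.
        status = "overdue" if now > deadline else "pending"
        lag = now - rec.released
    else:
        lag = rec.applied - rec.released
        status = "met" if rec.applied <= deadline else "missed"
    return {"name": rec.name, "risk": rec.risk, "status": status,
            "lag_hours": round(lag.total_seconds() / 3600, 1)}

def dashboard_summary(records, now: datetime) -> dict:
    """Roll the per-release results up into one dashboard health state."""
    results = [evaluate_kpi(r, now) for r in records]
    failing = [r for r in results if r["status"] in ("missed", "overdue")]
    # A high-risk miss, or an update that never arrived (possible failure of
    # the update software itself), needs action now rather than at review.
    urgent = [r for r in failing if r["risk"] == "high" or r["status"] == "overdue"]
    health = "red" if urgent else ("amber" if failing else "green")
    return {"health": health, "results": results, "failing": failing}

# Constructed sample feed, evaluated at a fixed point in time.
NOW = datetime(2024, 3, 1, 12, 0)
SAMPLE = [
    SignatureRecord("sig-A", "normal", datetime(2024, 2, 28, 8, 0), datetime(2024, 2, 29, 10, 0)),
    SignatureRecord("sig-B", "high", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 11, 30)),
    SignatureRecord("sig-C", "normal", datetime(2024, 2, 27, 6, 0), None),
    SignatureRecord("sig-D", "high", datetime(2024, 3, 1, 11, 0), None),
]

if __name__ == "__main__":
    summary = dashboard_summary(SAMPLE, NOW)
    print(summary["health"], [r["name"] for r in summary["failing"]])
```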
Acceptable Risk
Security services must control the business risk, and appropriate measures need to be in place to determine how well these services are mitigating the risks to the required levels. This enables the business to determine the effectiveness of its security investments as well as to respond to risks. For each information security business risk that has been identified there needs to be an acceptable level of risk. This acceptable level needs to be linked to the Key Performance Indicators to determine how well the security service is mitigating the risk and when emergency or mitigation activities are needed.
Compliance
The KPIs should be backed up by traditional compliance auditing of the security management processes. Compliance is checked against the defined levels and the assigned responsibilities.