sunhux

asked on

Key Risk Indicators for cybersecurity

Q1:
Our Enterprise Risk Mgmt wants to establish cyber security KRIs (Key Risk Indicators).
I think this is something that must be manageable (i.e. can be remediated) & measurable,
so I suggested:
a) # of virus/malware outbreaks
b) Sev 1 & Sev 2 incidents for the month
c) patching metrics (how many servers & PCs & other devices: % patched)
d) any other?

Q2:
What about phishing? I think this is something we can't control, as the spammers'
or phishers' activities can fluctuate wildly. It's left to the email security tools &
user awareness. Besides, I felt that each time a phishing test is conducted, the
results tend to vary widely. In fact, in 2017 the local monetary association organized
a sector-wide phishing test for 11 banks: you'll find the click rate can be anywhere from
3 to 27%, so I beg to differ with the industry click-rate that Proofpoint provided
(I'll extract that article later), which shows the Transport sector's click-rate as 3-4%
lower than Defense/Government. The figures can't represent anything, as it
depends on how good the phishing campaign is. Anyone care to comment?
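An added worked example (not part of the question or of the accepted answer) of how the KRIs proposed in Q1 could be computed from monthly data, with the phishing click rate from Q2 reported per campaign alongside its spread across campaigns rather than as a single number. The incident records, asset inventory, campaign results and RAG thresholds below are all constructed for illustration; the thresholds in particular are hypothetical and would be set by the organisation's own risk appetite.

```python
"""Worked KRI calculation over constructed monthly data.

Implements the indicators proposed in the question: malware outbreaks,
Sev 1 / Sev 2 incidents, patch coverage per device class, plus the
phishing click rate per campaign with the spread across campaigns.
Every data set below is constructed for illustration only.
"""
from collections import Counter
from typing import Dict, Tuple

# Constructed incident records for one month: (severity, category)
INCIDENTS = [
    (1, "malware"), (2, "phishing"), (3, "policy"), (2, "malware"),
    (1, "outage"), (3, "malware"), (2, "access"),
]

# Constructed asset inventory: (device_class, patched_within_sla)
ASSETS = [
    ("server", True), ("server", True), ("server", False), ("server", True),
    ("pc", True), ("pc", False), ("pc", True), ("pc", True), ("pc", False),
    ("network", True), ("network", True),
]

# Constructed phishing simulation results: campaign -> (recipients, clicks)
PHISHING = {
    "2017-Q1": (200, 6),
    "2017-Q2": (180, 49),
    "2017-Q3": (220, 31),
}

# Hypothetical RAG thresholds: (green boundary, red boundary).
# For counts, lower is better; for patch coverage, higher is better.
THRESHOLDS = {
    "malware_outbreaks": (1, 3),          # green <= 1, red >= 3
    "sev1_sev2_incidents": (3, 6),        # green <= 3, red >= 6
    "patch_coverage_pct": (95.0, 85.0),   # green >= 95, red < 85
}


def count_incidents(incidents, severity_limit=2) -> int:
    """Sev 1 and Sev 2 incidents for the month (severity <= limit)."""
    return sum(1 for sev, _ in incidents if sev <= severity_limit)


def count_malware_outbreaks(incidents) -> int:
    """Incidents categorised as malware, regardless of severity."""
    return sum(1 for _, cat in incidents if cat == "malware")


def patch_coverage(assets) -> Dict[str, float]:
    """Percent of assets patched within SLA, per device class and overall."""
    totals, patched = Counter(), Counter()
    for cls, ok in assets:
        totals[cls] += 1
        if ok:
            patched[cls] += 1
    result = {cls: round(100.0 * patched[cls] / totals[cls], 1) for cls in totals}
    result["all"] = round(100.0 * sum(patched.values()) / sum(totals.values()), 1)
    return result


def phishing_click_rates(campaigns) -> Dict[str, float]:
    """Click rate (percent) for each simulated campaign."""
    return {name: round(100.0 * clicks / sent, 1)
            for name, (sent, clicks) in campaigns.items()}


def click_rate_spread(rates) -> Tuple[float, float]:
    """Min and max click rate across campaigns: the range a single
    benchmark figure would hide."""
    return (min(rates.values()), max(rates.values()))


def rag(value, thresholds, higher_is_better=False) -> str:
    """Map a KRI value to a red/amber/green status."""
    green, red = thresholds
    if higher_is_better:
        if value >= green:
            return "green"
        return "red" if value < red else "amber"
    if value <= green:
        return "green"
    return "red" if value >= red else "amber"


def kri_report(incidents, assets, campaigns) -> Dict[str, tuple]:
    """Assemble the monthly KRI dashboard: indicator -> (value, RAG status)."""
    outbreaks = count_malware_outbreaks(incidents)
    sev12 = count_incidents(incidents)
    coverage = patch_coverage(assets)["all"]
    rates = phishing_click_rates(campaigns)
    return {
        "malware_outbreaks": (outbreaks, rag(outbreaks, THRESHOLDS["malware_outbreaks"])),
        "sev1_sev2_incidents": (sev12, rag(sev12, THRESHOLDS["sev1_sev2_incidents"])),
        "patch_coverage_pct": (coverage, rag(coverage, THRESHOLDS["patch_coverage_pct"], True)),
        # No RAG for phishing: the spread is reported instead of a single rating.
        "phishing_click_rate_spread_pct": click_rate_spread(rates),
    }


if __name__ == "__main__":
    for name, value in kri_report(INCIDENTS, ASSETS, PHISHING).items():
        print(f"{name}: {value}")
```

The first three indicators are the asker's own list, each with a remediation owner implied (AV, incident handling, patch management) and a threshold so the board sees a status rather than a raw number. For phishing the report deliberately emits the per-campaign spread instead of a RAG rating, which is the point made in Q2: with constructed campaigns landing anywhere between 3% and 27%, one month's figure says little without the campaign behind it.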
ASKER CERTIFIED SOLUTION
btan