The Risk-Based Approach to Cybersecurity
One way to think about KRIs and KPIs is with regard to the relationship between altitude and trajectory. A KRI gives the current risk level of the enterprise (the “risk altitude”) while the KPI indicates the direction toward or away from the enterprise-risk-appetite level (“risk trajectory”). An enterprise may not yet have arrived at the leadership
Jim Boehm • The Risk-Based Approach to Cybersecurity
Only by understanding its specific threat landscape can an organization reduce risk. Controls are implemented according to the most significant threats. Threat analysis begins with the question: which threat actors are trying to harm the organization, and what are they capable of? In response, organizations can visualize the vulnerabilities commonly
The risk-based approach to cybersecurity is thus ultimately interactive—a dynamic tool to support strategic decision making. Focused on business value, utilizing a common language among the interested parties, and directly linking enterprise risks to controls, the approach helps translate executive decisions about risk reduction into control implem
Executives are often forced to make sense of a long list of sometimes conflicting metrics. By linking KRIs and KPIs, the cybersecurity team gives executives the ability to engage in meaningful problem-solving discussions on which risks are within tolerances, which are not, and why (see the sidebar, “Linking a KRI to a KPI”).
Having completed actions one through five, the organization is now in a position to build the risk-based cybersecurity model. The analysis proceeds by matching controls to the vulnerabilities they close, the threats they defeat, and the value-creating processes they protect. The run and change programs can now be optimized according to the current
Companies have used the risk-based approach to effectively reduce risk and reach their target risk appetite at significantly less cost. For example, by simply reordering the security initiatives in its backlog according to the risk-based approach, one company increased its projected risk reduction 7.5 times above the original program at no added co