There is no single rule for choosing how to track or measure cybersecurity. Every company quantifies and assesses risk in its own way based on situational variables, such as:
The risk-based approach to cybersecurity is customizable and enables you to tailor cybersecurity programs to specific requirements and operational vulnerabilities that are unique to your needs.
Examples of useful metrics to track include:
From a business perspective, also consider communicating:
Another related benefit of the risk-based approach is that it measures separately both the risk reduction effort you have made and the actual reduction in risk. Traditional practices measure collective effectiveness based on program completion. That is a single metric, and measuring this way doesn't tell the entire story of your effort – or your risk.
Too often, we make decisions based on conflicting metrics. By clearly linking efforts or action taken to actual risk reduction, we can make business decisions that weigh impact more effectively. This provides the flexibility to adjust for risk reduction at any level, wherever risk exists.
Regardless of the metric, it has to be meaningful to the person or group to whom it is being presented. Additionally, you may need different tiers of metrics depending on the audience: more technical, detailed metrics may be needed for some audiences, while in other cases higher-level summary metrics are appropriate.
Decisions about how best to reduce cyber risk can be controversial and often vary based on your unique needs and priorities. In some cases, you can use a formal methodology that provides an in-depth and customizable process for assessing risk for a particular business situation. Such methodologies measure and manage cyber risks using best practices that focus on innovation and education.
One such example is Factor Analysis of Information Risk ([FAIR™](https://www.fairinstitute.org/)), an open standard quantitative risk analysis model that describes what risk is, how it works and how to quantify it. The methodology provides the means to determine how much risk you have; how much risk specific factors represent; how much more or less risk you will have as specific factors change; and what the most cost-effective options are for managing it.
FAIR can be used anywhere you need to know how much risk exists: for example, for audit findings, policy exception requests, comparing risk issues (i.e., does option A or option B represent more risk to our organization?), augmenting cyber insurance coverage, building business cases for new security measures, or defending security expenditures.
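The following is an added example, not code from the FAIR Institute or from this article, showing the kind of calculation the two paragraphs above (and the earlier point about measuring effort separately from actual risk reduction) describe. It decomposes one loss scenario into the FAIR factors Threat Event Frequency, Vulnerability and Loss Magnitude, computes an annualized loss exposure (ALE) as a point estimate and as a Monte Carlo distribution, and then compares two candidate controls by both the risk reduction they buy and the reduction per unit of spend. Everything numeric is constructed and hypothetical; the triangular distributions and the independence assumption between factors are modelling choices made here, not something the standard prescribes, and it goes slightly beyond the text by producing percentiles rather than a single number.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated min / most-likely / max estimate for one FAIR factor."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution (used for the point estimate)
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario decomposed into TEF, Vulnerability and Loss Magnitude."""
    name: str
    tef: Estimate             # threat event frequency: threat events per year
    vulnerability: Estimate   # probability a threat event becomes a loss event
    loss_magnitude: Estimate  # loss per loss event, in currency units

    def expected_ale(self) -> float:
        # Annualized loss exposure: LEF x LM, with LEF = TEF x Vulnerability.
        # Factors are assumed independent, so the product of means is the mean of the product.
        return self.tef.mean() * self.vulnerability.mean() * self.loss_magnitude.mean()

    def simulate(self, trials: int = 20_000, seed: int = 7) -> list[float]:
        # Monte Carlo: draw every factor per trial to get a distribution of annual loss
        rng = random.Random(seed)
        annual_losses = []
        for _ in range(trials):
            lef = self.tef.sample(rng) * self.vulnerability.sample(rng)
            annual_losses.append(lef * self.loss_magnitude.sample(rng))
        return annual_losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean and percentiles of simulated annual loss: the 'how much risk do we have' answer."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": sum(ordered) / len(ordered), "p50": pct(0.50), "p90": pct(0.90)}


def compare(baseline: Scenario, option: Scenario, annual_cost: float) -> dict[str, float]:
    """Risk reduction an option buys, and reduction per unit of spend (effort vs. actual reduction)."""
    before = baseline.expected_ale()
    after = option.expected_ale()
    reduction = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "reduction": reduction,
        "reduction_per_currency_unit": reduction / annual_cost,
    }


# Constructed, hypothetical estimates for a credential-phishing scenario (not real data)
BASELINE = Scenario(
    "phishing, current controls",
    tef=Estimate(30, 60, 90),
    vulnerability=Estimate(0.06, 0.09, 0.15),
    loss_magnitude=Estimate(20_000, 50_000, 80_000),
)
# Option A: phishing-resistant MFA lowers the chance a phished credential becomes a loss event
OPTION_A = Scenario(
    "phishing + phishing-resistant MFA",
    tef=BASELINE.tef,
    vulnerability=Estimate(0.01, 0.02, 0.03),
    loss_magnitude=BASELINE.loss_magnitude,
)
# Option B: faster detection and response shrinks the loss per event but not its likelihood
OPTION_B = Scenario(
    "phishing + improved detection/response",
    tef=BASELINE.tef,
    vulnerability=BASELINE.vulnerability,
    loss_magnitude=Estimate(8_000, 20_000, 32_000),
)
OPTION_COSTS = {"A": 50_000, "B": 20_000}  # assumed annual cost of each option, constructed


if __name__ == "__main__":
    print("baseline ALE (point estimate):", round(BASELINE.expected_ale()))
    print("baseline simulated:", {k: round(v) for k, v in summarize(BASELINE.simulate()).items()})
    for label, option in (("A", OPTION_A), ("B", OPTION_B)):
        result = compare(BASELINE, option, OPTION_COSTS[label])
        print(label, {k: round(v, 2) for k, v in result.items()})
```

With these inputs, option A removes more risk in absolute terms (240,000 of a 300,000 baseline ALE) while option B returns more risk reduction per unit spent (9.0 versus 4.8); that is exactly the distinction between "how much more or less risk" and "the most cost-effective option" that the paragraphs above draw, and it is only visible because effort (the control's cost) and outcome (the change in ALE) are tracked as separate quantities.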
Other structured methodologies are often used independently of or in conjunction with methods like FAIR to complement or supplement a risk management approach.
For example, compliance-first and checklist approaches systematically address cybersecurity against a list of known security requirements. These approaches lend themselves well to benchmarking, particularly for goal setting and evaluation: they identify gaps in controls, compare your posture against other organizations, and assess the quality of processes, goals, and progress. However, keep in mind that not all methodologies are useful for understanding the tangible impact of risk or the various nuances associated with it.