In this video, Kip Boyle discusses how to analyze an organization's current information security risk. Learn how to measure the cyber resilience of an organization.
- We start answering the question, how resilient are you now, by first focusing on your target scores. For me, that means going to the second level of the NIST Cybersecurity Framework. Items at that level are called activities and you can see all 22 of them here, clustered into these five functions. Now just as I have 22 activities for reporting purposes, if you can, group your controls for reporting purposes then calculate the simple, or the mean average score, for each reporting group.
For me that means I'll have 22 activity scores representing all 98 lower-level controls. I can also average the activity scores to generate a mean score for each of the five higher-level functions. Now subtract your mean scores from your target scores to measure your gap. This gap represents your risk of the control failing to do its job. Next, we're going to visualize the gaps. Using Excel or another data visualization tool, create a radar, or spider chart.
We'll use the chart to answer some preliminary questions like where do I have a large activity gap, and where do I have small activity gaps, and how clustered are the gaps? Here you see I've mapped my target scores in orange and connected these scores to make the outer ring, then I mapped my actual scores in blue to make the inner ring. By inspecting the radar chart, I can learn a few things about how resilient my organization is now. In Excel, this chart is called Radar with Markers.
I made mine by selecting the three columns shown here and then I used the Insert Chart commands. Depending on your original scope of measurement you could generate more radar charts using a different data series to make other comparisons, for example, how wide are the gaps between offices and what are the different lines of business, or, how wide are the gaps at the highest risk reporting level? Think about other ways you would like to visualize data that could be helpful here and then play around with charting for a while.
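The scoring procedure the video walks through (group lower-level controls under their activity, take the mean per activity, average activities up to the five functions, and subtract actual from target to get the gap) can be worked through in a few lines of code. The following is an added example, not code from the video or from Kip Boyle; it uses a small constructed subset of NIST CSF 1.1 category identifiers (ID.AM, PR.AC, DE.CM and so on) with made-up control scores on an assumed 0 to 5 scale, rather than the 22 activities and 98 controls the video refers to. The function names and the CSV layout are this example's own choices; the CSV is shaped as the three columns (activity, target, actual) a spreadsheet radar chart would plot.

```python
"""Roll up control scores into NIST CSF activity and function scores,
then compute target-minus-actual gaps. Added example with constructed data."""
import csv
import io
from statistics import mean

# Constructed sample: (control id, assessed score on an assumed 0-5 scale).
# Control ids follow the CSF 1.1 "FN.CAT-n" pattern; the activity is "FN.CAT".
CONTROLS = [
    ("ID.AM-1", 3.0), ("ID.AM-2", 2.0), ("ID.AM-3", 4.0),
    ("ID.RA-1", 2.0), ("ID.RA-2", 3.0),
    ("PR.AC-1", 4.0), ("PR.AC-2", 4.0), ("PR.AC-3", 3.0), ("PR.AC-4", 1.0),
    ("PR.DS-1", 2.0), ("PR.DS-2", 2.0),
    ("DE.CM-1", 1.0), ("DE.CM-2", 2.0), ("DE.CM-3", 3.0),
    ("RS.RP-1", 3.0),
    ("RC.RP-1", 1.0),
]

# Constructed target score per activity (what "good enough" looks like for us).
TARGETS = {
    "ID.AM": 4.0, "ID.RA": 4.0, "PR.AC": 4.0, "PR.DS": 3.5,
    "DE.CM": 4.0, "RS.RP": 3.0, "RC.RP": 3.0,
}

# The five CSF functions, keyed by the two-letter prefix of an activity id.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


def activity_of(control_id):
    """'PR.AC-3' -> 'PR.AC' (the reporting group / CSF category)."""
    return control_id.split("-", 1)[0]


def activity_scores(controls):
    """Mean score of every control under each activity (the simple average)."""
    groups = {}
    for control_id, score in controls:
        if score is None:          # unassessed control: leave it out of the mean
            continue
        groups.setdefault(activity_of(control_id), []).append(score)
    return {activity: mean(scores) for activity, scores in groups.items()}


def function_scores(scores_by_activity):
    """Mean of the activity scores under each of the five functions."""
    groups = {}
    for activity, score in scores_by_activity.items():
        groups.setdefault(FUNCTIONS[activity[:2]], []).append(score)
    return {function: mean(scores) for function, scores in groups.items()}


def gaps(targets, actual):
    """target - actual per key; a positive gap is risk of the control not doing its job."""
    missing = set(targets) - set(actual)
    if missing:
        raise ValueError(f"no assessed controls for: {sorted(missing)}")
    return {key: targets[key] - actual[key] for key in targets}


def largest_gaps(gap_by_key, n):
    """The n widest gaps, widest first (ties broken by name)."""
    return sorted(gap_by_key.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def radar_csv(targets, actual):
    """Three columns (activity, target, actual) for a 'Radar with Markers' chart."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["activity", "target", "actual"])
    for key in targets:
        writer.writerow([key, targets[key], actual[key]])
    return buf.getvalue()


if __name__ == "__main__":
    actual = activity_scores(CONTROLS)
    print("activity gaps:", gaps(TARGETS, actual))
    print("function gaps:", gaps(function_scores(TARGETS), function_scores(actual)))
    print("widest:", largest_gaps(gaps(TARGETS, actual), 3))
    print(radar_csv(TARGETS, actual))
```

Paste the CSV text into a spreadsheet and select the three columns to build the outer (target) and inner (actual) rings; the function-level rollup reuses the same `gaps` function on the averaged scores, which is the second chart the video describes.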
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance