See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/368247512

A report on the efficiency of business KPIs for understanding cyber risks

Article · February 2023

CITATIONS READS

0 33

1 author:

Luis Soares
Glyndwr University
3 PUBLICATIONS   0 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Artificial Intelligence and The Singularity View project

Cyber Risk Management View project

All content following this page was uploaded by Luis Soares on 04 February 2023.

The user has requested enhancement of the downloaded file.

 A report on the efficiency of business KPIs for
understanding cyber risks
Luis Henrique Soares
North Whales Management School
Wrexham Glyndwr University
Wrexham, United Kingdom
luishsr@outlook.com
Abstract—The objective of this paper is to critically evaluate
and report, through its findings, if current business key
performance indicators (KPIs)are efficient for understanding
cyber risks. Security technologies are considered, along with the
problems and issues with information security, their risks, and
the current strategies for management to mitigate them. The
Enterprise Risk Management (ERM) framework is one of the
most prevalent risk management frameworks adopted by
companies and supported by regulators. It proposes an
organisation-wide strategy towards identifying, assessing,
planning responses, implementing mitigation approaches, and
monitoring performance using KPIs. Cyber risks mainly target
the three pillars of confidentiality, integrity, and availability.
Security tools at disposal to prevent attacks and threats include
user access control and encryption for protecting
confidentiality, hashing algorithms for addressing integrity, and
fault tolerance and redundancy for ensuring availability.
Despite the benefits of KPIs for measuring performance, setting
clear expectations, and helping with decision-making, their
effectiveness in managing cyber risks faces significant
challenges in the context of the information security domain.
The critical evaluation and the findings presented in this study
suggest that the business KPIs typically adopted for managing
business risks only partially allow for understanding cyber
threats and the challenges that stem from information security
risks.
Keywords— enterprise risk management, cyber risks, business
KPIs
I. INTRODUCTION
The pace of technology evolution and the extent to which it
permeates almost every business domain in the modern world
has taken security concerns to a higher level. High reliance
on software, the internet, communication infrastructure, and
cloud computing increases risk exposure to cyber threats and
information security vulnerabilities. In a 2022 IBM Security
research report [1] titled "Cost of a Data Breach Report
2022", the technology company reports that data breach costs
have reached $4.24 million by that year. With such losses,
information security risk management has become a critical
component of enterprise risk management. This paper
critically evaluates some of the common risk management
approaches in business and to which extent they may be able
to understand information security risks.
II. BUSINESS RISK MANAGEMENT AND METRICS
The Enterprise Risk Management (ERM) approach [2] is
one of the most common risk management frameworks
adopted by businesses and supported by regulators. ERM
proposes an organisation-wide strategy towards identifying,
assessing, planning responses, implementing mitigation
strategies, and monitoring performance. Key Performance
Indicators (KPIs) are essential to ERM and traditional risk
management frameworks. KPIs within ERM's context are
intended to measure and demonstrate an organisation's
compliance with risk management objectives and gauge and
improve its effectiveness. Examples of KPIs [3] for managing
risks include the number of hazards identified, the level of
severity, incurred costs with incidents, time to response, and
the percentage of risks mitigated.
III. RISKS IN INFORMATION SECURITY
The domain of risks in Information Security revolves around
safeguarding three critical pillars: confidentiality, integrity,
and availability [4]. Confidentiality relates to the capacity of
an organisation to keep its data accessible only to allowed
users. Integrity means securing that data is not manipulated
or compromised by any means. Finally, availability concerns
keeping data continuously available to its authorised users.
Any failure or successful attacks against these three pillars
results in business losses; therefore, organisations must adopt
security tools, processes, and response plans to prevent such
attempts. Examples of security technologies commonly
adopted for that matter include user access control and
encryption [5] for protecting confidentiality, hashing
algorithms [6] for addressing integrity, and fault tolerance [7]
and [8] redundancy for ensuring availability.
IV. CHALLENGES IN APPLYING BUSINESS RISK KPIS FOR
UNDERSTANDING CYBER RISKS
Despite the benefits of KPIs for measuring performance,
setting clear expectations, and helping with decision-making,
their effectiveness in managing cyber risks needs to be
addressed in the context of the information security domain.
Three of these challenges are briefly examined in this paper.
The first challenge is that although EMR takes a holistic
approach to manage risks and encompasses technology-
related risks, organisations tend to focus more on after-the-
fact, historical information. That limits the outreach for
identifying future risks and properly mitigating them. In an
article [9] titled "Six ways companies Mismanage Risk", R.
M. Stulz highlights the issues with relying on historical data
to forecast risks, examining how such an approach from
financial institutions in the United States had a critical
influence on the 2008's global financial crisis. The second
obstacle comprises the dynamics of cyber security risks and
its key domains [10]; namely, the physical field represents
software, hardware, and network; the information domain
includes monitoring, storage, and visualisation; the cognitive
part relates to how information is interpreted and used to
support decision-making; finally, the social environment
comprises organisation preparedness to deal with cyber risks,
the social influences from governmental policies,
macroeconomics, cultural, and international relations areas.
That said, mitigating cyber risks requires, at the same time,
real-time monitoring of vulnerabilities and potential threats
while investing time into proactively fostering security
readiness practices. A final and even more critical challenge
in applying KPIs for understanding cyber risks relies on risk
identification.
V. THE SUBTLETIES IN IDENTIFYING INFORMATION SECURITY
RISKS
In the paper "Comparing risk identification techniques for
safety and security requirements", C. Raspotnig and A.
Opdahl [11] present relevant examples of risk identification
techniques in the field of information security, which helps to
illustrate the subtleties of identifying and monitoring such
risks in comparison to risk identification and mitigation in
business practices, and are summarised here. The Functional
Hazard Assessment (FHA), derived from the aerospace
industry, focuses on recognising the different systems
components, their usual failure model, rate, operational
model, causal factors, and effects. The Preliminary Hazard
Analysis (PHA) elicits and documents system development
hazards and lessons learned from failed attempts to identify
such risks in previous developments. The HAZard and
OPerability (HAZOP) model aims to identify operational
threats in a system. Other risk identification techniques [4] in
information systems focus on mapping vulnerabilities in the
domain of information technology infrastructure - the user,
workstation, internal and external networks (e.g., Local Area
Network, Wide Area Network), remote access, and system
application domains. Although the techniques mentioned
earlier list are not exhaustive, it brings to the surface the deep
and, at the same time, broad threats and vulnerabilities
elements that are specific to information security and how they
differ from typical business risks, forming a multi-layered
outlook encompassing systems, their internal mechanics, the
threats they might pose to users, and the interconnectivity
between them.
VI. CONCLUSION
The critical evaluation and the findings presented in this
study suggest that the business KPIs typically adopted for
View publication stats
managing business risks only partially allow for
understanding cyber risks and the challenges that stem from
information security risks. Correctly understanding and
mitigating cyber risks demand a multi-layered approach that
considers the intricate elements of software, technology
infrastructure, people, and their use of them.
REFERENCES
[1] “Cost of a data breach 2022,” *IBM*, Jul-2022. [Online]. Available:
https://www.ibm.com/uk-en/reports/data-breach. [Accessed: 02-Feb-
2023].
[2] P. Bromiley, M. McShane, A. Nair, and E. Rustambekov, ‘Enterprise
Risk Management: Review, Critique, and Research Directions’, *Long
Range Planning*, vol. 48, no. 4, pp. 265–276, 2015.
[3] Ekai, “Kpis for Risk Management,” *Risk Publishing*, 02-Jan-2023.
[Online]. Available: https://riskpublishing.com/kpis-for-risk-
management/. [Accessed: 02-Feb-2023].
[4] D. Gibson, *Managing risk in information systems*. Sudbury (Mass.):
Jones & Bartlett Learning, 2011.
[5] M. E. Smid and D. K. Branstad, ‘Data encryption standard: past and
future, *Proceedings of the IEEE*, vol. 76, no. 5, pp. 550–559, 1988
[6] S. Debnath, A. Chattopadhyay, and S. Dutta, ‘Brief review on a journey
of secured hash algorithms’, in *2017 4th International Conference on
Opto-Electronics and Applied Optics (Optronix)*, 2017, pp. 1–5.
[7] V. P. Nelson, ‘Fault-tolerant computing: Fundamental
concepts’, *Computer*, vol. 23, no. 7, pp. 19–25, 1990.
[8] [8] D. J. Taylor, D. E. Morgan, and J. P. Black, ‘Redundancy in data
structures: Improving software fault tolerance’, *IEEE Transactions on
Software Engineering*, no. 6, pp. 585–594, 1980.
[9] R. M. Stulz, “Six ways companies Mismanage Risk”, *Harvard
Business Review*, 01-Aug-2014. [Online]. Available:
https://hbr.org/2009/03/six-ways-companies-mismanage-risk.
[Accessed: 03-Feb-2023].
[10] Z. A. Collier, I. Linkov, and J. H. Lambert, ‘Four domains of
cybersecurity: a risk-based systems approach to cyber
decisions’, *Environment Systems and Decisions*, vol. 33. Springer,
pp. 469–470, 2013.
[11] C. Raspotnig and A. Opdahl, ‘Comparing risk identification techniques
for safety and security requirements’, *Journal of Systems and
Software*, vol. 86, no. 4, pp. 1124–1151, 2013.