What should be the key cyber security risk indicator for any business?
Key risk indicators (KRIs) are measurements that help monitor an organisation’s risk and inform how it can be minimised to acceptable levels. As a reporting tool, KRIs enable the security team to capture the attention of executive management and other key stakeholders. If the indicator cannot be measured, then it cannot be used to track risk. If executive management is not concerned with the information that the indicator discloses, it is unlikely to be acted on.
Financial loss represents a common language used across and within organisations, as well as with external parties such as regulators and insurers. Executive management speaks finance and fears loss. Loss can be measured, tracked and adjusted. By modelling and simulating financial loss as part of a quantitative risk assessment, it becomes the key indicator for an organisation’s cyber risk.
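As an added illustration, not part of the original article: a small Monte Carlo model of annual financial loss of the kind a quantitative risk assessment produces, which turns a scenario into trackable numbers (expected annual loss, loss percentiles and the probability of exceeding a tolerance threshold). The Poisson/lognormal distributions are assumptions of this example, and every scenario value and threshold below is constructed, not real data.

```python
"""Monte Carlo model of annual cyber loss, producing figures usable as a KRI.
Added example, not from the original article; distributions and numbers are assumptions."""
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass
class LossScenario:
    events_per_year: float  # expected loss-event frequency (Poisson rate)
    median_loss: float      # median loss of a single event, in currency units
    sigma: float            # log-space spread of the single-event loss


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's sampler; adequate for the small event rates used in risk scenarios."""
    threshold, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenario: LossScenario, trials: int, seed: int = 1) -> List[float]:
    """One annual loss per trial: Poisson event count, lognormal loss per event, summed."""
    rng = random.Random(seed)
    mu = math.log(scenario.median_loss)
    annual = []
    for _ in range(trials):
        n_events = _poisson(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, scenario.sigma) for _ in range(n_events)))
    return annual


def expected_annual_loss(scenario: LossScenario) -> float:
    """Closed-form mean of the model, used to sanity-check the simulation."""
    return scenario.events_per_year * math.exp(math.log(scenario.median_loss) + scenario.sigma ** 2 / 2)


def percentile(losses: List[float], pct: float) -> float:
    """Nearest-rank percentile (0 < pct <= 100) of the simulated annual losses."""
    ordered = sorted(losses)
    return ordered[max(0, math.ceil(pct / 100 * len(ordered)) - 1)]


def exceedance_probability(losses: List[float], tolerance: float) -> float:
    """Share of simulated years whose loss exceeds the tolerance: the KRI to track."""
    return sum(1 for loss in losses if loss > tolerance) / len(losses)
```

Tracked over time, the exceedance probability against a board-approved tolerance (or the 90th/99th percentile loss) is the kind of measurable, finance-denominated indicator the text argues for.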