I’m continuing my long series of posts that describe how to implement an information security program. Currently, we’re in the section I call “How to Measure Cyber Risks.”
Last week, I described how to figure out where you will measure your information risks. Now, let’s see how you can create a simple yet effective way to turn expert opinions into numbers that we can use to determine the top risks.
In order to collect reliable data from experts, you’ll need a consistent approach that guides them to translate their observations into a numeric score. We’ll base our approach on the zero-through-ten scoring system we previously learned about, and we’ll create a score key for the experts to use. We’ll also create a questionnaire for each expert in advance of the data collection to make sure we only ask for the scores that apply to them.
Here’s how you create a score key:
For each numeric score, zero-through-ten, prepare a statement or two that describes how well any given control is actually performed. The number we get from the expert is called the Actual Score, and we record each one in our spreadsheet as we collect them.
An expert determines each Actual Score based on how well the organization has performed the control over the past six to twelve months and how well it is expected to keep performing it over the next six to twelve months. Here’s what my score key looks like at the four major scoring points, plus two more choices I’ll describe below:
Remember that I’m using the NIST cybersecurity framework, so my lowest level controls are called “Outcomes” (also called “subcategories”). If the expert agrees with this statement: “Our organization rarely or never does this” then the score is zero.
If the expert agrees with this statement: “Our organization does this consistently with some minor flaws from time to time,” then the score is five.
An eight means the expert believes: “Our organization does this consistently with great effectiveness and high quality.”
And, a ten means: “Our organization does this at excessive financial cost. People can’t easily get their work done.”
Of course, experts are welcome to choose a score between these numbers. Note that there are two other possible responses: Unknown and Not Applicable. Because of how carefully we prepare for the interview, though, these responses should be rare.
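As an added example (not code from the original post or its author), here is one way to model the score key and the Actual Score collection in Python: each expert answer is validated as either an integer from zero through ten, Unknown, or Not Applicable; numeric scores are mapped back to the nearest anchor statement; and the recorded scores are aggregated per control outcome so the lowest-scoring outcomes surface as candidate top risks. It goes slightly beyond the post by combining answers from more than one expert per outcome and by listing outcomes that received only Unknown or Not Applicable answers as follow-up gaps. The outcome identifiers are NIST CSF subcategory IDs used only as sample labels; all scores and expert names are constructed, and the accepted spellings of Unknown and Not Applicable are an assumption.

```python
"""Score key and Actual Score collection for control outcomes (added example)."""
from dataclasses import dataclass
from statistics import mean

# Anchor statements at the four major scoring points described in the post.
# Intermediate values (1-4, 6-7, 9) are allowed but have no anchor statement.
SCORE_KEY = {
    0: "Our organization rarely or never does this.",
    5: "Our organization does this consistently with some minor flaws from time to time.",
    8: "Our organization does this consistently with great effectiveness and high quality.",
    10: "Our organization does this at excessive financial cost. People can't easily get their work done.",
}
UNKNOWN = "Unknown"
NOT_APPLICABLE = "Not Applicable"

# Accepted spellings for the two non-numeric responses (assumption, not from the post).
_UNKNOWN_ALIASES = {"unknown", "don't know", "?"}
_NA_ALIASES = {"n/a", "na", "not applicable"}


class InvalidResponse(ValueError):
    """Raised when an answer is neither an integer 0-10 nor Unknown / Not Applicable."""


def parse_response(raw):
    """Validate one expert answer; return an int 0-10, UNKNOWN, or NOT_APPLICABLE."""
    text = str(raw).strip()
    lowered = text.lower()
    if lowered in _UNKNOWN_ALIASES:
        return UNKNOWN
    if lowered in _NA_ALIASES:
        return NOT_APPLICABLE
    try:
        score = int(text)
    except ValueError:
        raise InvalidResponse(f"not a score or Unknown/Not Applicable: {raw!r}") from None
    if not 0 <= score <= 10:
        raise InvalidResponse(f"score out of range 0-10: {score}")
    return score


def is_valid_response(raw):
    """True if parse_response would accept the answer (handy for form validation)."""
    try:
        parse_response(raw)
        return True
    except InvalidResponse:
        return False


def closest_anchor(score):
    """Return the anchored score-key value nearest to a numeric score (ties go lower)."""
    return min(SCORE_KEY, key=lambda k: (abs(k - score), k))


@dataclass
class ActualScore:
    expert: str
    outcome: str   # lowest-level control, e.g. a NIST CSF subcategory ID
    value: object  # int 0-10, UNKNOWN, or NOT_APPLICABLE


def collect(rows):
    """rows: iterable of (expert, outcome, raw_answer). Returns a list of ActualScore."""
    return [ActualScore(expert, outcome, parse_response(raw)) for expert, outcome, raw in rows]


def summarize(scores):
    """Per outcome: mean numeric Actual Score, answer counts, and non-numeric responses."""
    by_outcome = {}
    for s in scores:
        by_outcome.setdefault(s.outcome, []).append(s.value)
    summary = {}
    for outcome, values in by_outcome.items():
        numeric = [v for v in values if isinstance(v, int)]
        summary[outcome] = {
            "mean": round(mean(numeric), 2) if numeric else None,
            "answers": len(numeric),
            "unknown": values.count(UNKNOWN),
            "not_applicable": values.count(NOT_APPLICABLE),
            "excessive_cost": numeric.count(10),  # a 10 means over-investment, not strength
        }
    return summary


def top_risks(summary, limit=3):
    """Lowest-scoring outcomes first; outcomes with no numeric answer are returned as gaps."""
    scored = [(o, d["mean"]) for o, d in summary.items() if d["mean"] is not None]
    scored.sort(key=lambda t: (t[1], t[0]))
    gaps = sorted(o for o, d in summary.items() if d["mean"] is None)
    return scored[:limit], gaps


# Constructed sample answers from two experts (outcome IDs are NIST CSF subcategories).
SAMPLE_RESPONSES = [
    ("expert_a", "PR.AC-1", "8"),
    ("expert_b", "PR.AC-1", "7"),
    ("expert_a", "PR.DS-1", "2"),
    ("expert_b", "PR.DS-1", "Unknown"),
    ("expert_a", "DE.CM-1", "5"),
    ("expert_b", "DE.CM-1", "4"),
    ("expert_a", "RS.RP-1", "N/A"),
    ("expert_b", "RS.RP-1", "unknown"),
]

if __name__ == "__main__":
    summary = summarize(collect(SAMPLE_RESPONSES))
    risks, gaps = top_risks(summary)
    for outcome, score in risks:
        print(f"{outcome}: mean {score} -> anchor {closest_anchor(round(score))}: "
              f"{SCORE_KEY[closest_anchor(round(score))]}")
    print("needs follow-up (no numeric score):", gaps)
```

Outcomes whose only answers were Unknown or Not Applicable are kept out of the ranking rather than silently scored as zero, so they show up as preparation gaps to revisit with the expert instead of inflating the top-risk list.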
Once your score key is ready, prepare one questionnaire for each expert. We’ll look at how to do this in next week’s post.
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.