
How to Set Target Scores

For each cyber risk you want to measure, you’ll need to set a target score.

This score represents how well the organization must perform the cybersecurity control in order to meet its information security program goals.

The target score will be used later to calculate gaps based on the measurements you collect.

Aim for The Green Zone

You want the target scores to be somewhere in the “green zone.”

Let’s review the choices:

  • 5 is the minimum target, where the control can be expected to work reliably, with minor flaws or occasional re-work
  • 6 and 7 are mid-points at which the control is easier to operate and more reliable
  • 8 is optimal (world-class): the control is barely noticed by users and can be expected to stay reliable and effective over long periods, unless the threats you face become more severe

Make Every Target an Eight?

As you can see, the higher the target, the more reliable you expect the control to be.

But higher numbers also mean greater time and money will be needed to achieve the score and then maintain it.

Also, because your organization changes, both internally and externally, your actual score may drop over time. Hitting a target once does not mean you will stay there forever.

Once an Eight, Always an Eight?

Sadly, no.

For example, dealing with malicious code has been getting tougher over time. A few years ago, if all your computers ran highly-rated anti-virus software that was always up-to-date, you probably would score a 7 or an 8.

But as time went on and the need to regularly apply security patches became just as important as conducting anti-virus scans, your score would eventually drop below a 5 unless you started doing patching, too.

Target Score Options

Based on how you scoped your measurements, you can set your target scores:

  • At the individual control level
  • By grouping controls into categories or functions
  • By line of business
  • By geographical location of your offices
  • As a single target score across the board
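The scoping choices above interact: a target set for one control should override a target set for its category, which in turn should override a function-level or across-the-board target, and the gaps you calculate later need to roll back up to the function level where the strategy is decided. The following is an added example, not code from the original page or from Cyber Risk Opportunities. It uses real NIST CSF 1.1 subcategory identifiers (ID.AM-1, PR.AC-1 and so on), but the target values, the "Strong Castle" style target set and every measured score are constructed for illustration, and the names of the functions and classes are the example's own.

```python
"""Resolve target scores set at different scopes and compute gaps.

Added example: the scale (5 = minimum target, 8 = optimal) follows the
article; the identifiers are real NIST CSF 1.1 subcategory IDs; all scores
below are made up for illustration.
"""
from dataclasses import dataclass

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


def category_of(control_id: str) -> str:
    """'PR.AC-1' -> 'PR.AC' (the second-level Category)."""
    return control_id.split("-")[0]


def function_of(control_id: str) -> str:
    """'PR.AC-1' -> 'PR' (the top-level Function)."""
    return control_id.split(".")[0]


def resolve_target(targets: dict, control_id: str) -> int:
    """Most specific scope wins: control > category > function > global ('*').

    `targets` maps a scope key (a control ID, a category ID, a function
    code, or '*' for across-the-board) to the target score for that scope.
    """
    for scope in (control_id, category_of(control_id),
                  function_of(control_id), "*"):
        if scope in targets:
            return targets[scope]
    raise KeyError(f"no target score covers {control_id}")


@dataclass
class Gap:
    control_id: str
    target: int
    measured: int

    @property
    def shortfall(self) -> int:
        """How far the measured score falls below target (0 if at or above)."""
        return max(0, self.target - self.measured)


def compute_gaps(targets: dict, measured: dict) -> list:
    """One Gap per measured control, using the resolved target for each."""
    return [Gap(cid, resolve_target(targets, cid), score)
            for cid, score in sorted(measured.items())]


def rollup_by_function(gaps: list) -> dict:
    """Per Function: (worst shortfall, number of controls missing target).

    The worst shortfall is used rather than an average so one badly missed
    control cannot be hidden behind several that are comfortably above target.
    """
    out = {}
    for g in gaps:
        fn = FUNCTIONS[function_of(g.control_id)]
        worst, misses = out.get(fn, (0, 0))
        out[fn] = (max(worst, g.shortfall), misses + (1 if g.shortfall > 0 else 0))
    return out


# Constructed "Strong Castle" style target set: Protect at 7, everything else
# at 5, plus a control-level override on identity/access control.
STRONG_CASTLE_TARGETS = {"*": 5, "PR": 7, "PR.AC-1": 8}

# Constructed measured scores (made up for this example).
MEASURED = {
    "ID.AM-1": 5, "ID.RA-1": 4,
    "PR.AC-1": 6, "PR.IP-1": 7, "PR.IP-12": 5,
    "DE.CM-1": 5, "RS.RP-1": 3, "RC.RP-1": 5,
}

if __name__ == "__main__":
    gaps = compute_gaps(STRONG_CASTLE_TARGETS, MEASURED)
    for g in gaps:
        print(f"{g.control_id:9} target {g.target} measured {g.measured} "
              f"shortfall {g.shortfall}")
    for fn, (worst, misses) in rollup_by_function(gaps).items():
        print(f"{fn:9} worst shortfall {worst}, controls below target {misses}")
```

Run as written, the block prints the per-control gaps and then a per-function roll-up; with the constructed data, Protect shows a worst shortfall of 2 across two controls even though its function-level target is the highest, which is exactly the kind of finding the roll-up is meant to surface.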

Some Examples

Let’s walk through some examples of setting target scores.

Here’s an excerpt from the NIST Cybersecurity Framework showing the five top-level Functions. As a reminder, beneath them sit roughly two dozen second-level Categories and about 100 third-level Subcategories (the individual outcomes).

In this example, you’ll notice each top-level function has a target score of 5. This is the minimum acceptable score in our range.

As a cyber risk program strategy, setting out to achieve the minimum score across the board may be reasonable, depending on your industry, your customers’ expectations, and your organization’s maturity.

What do I mean?

Industry

If you are a bank, then this strategy of meeting the absolute minimums would not be reasonable, particularly over several years.

Why?

Because your peers almost certainly set a higher bar, and regulators judge you against your peers. For a bank, that judgment comes from its banking regulators rather than the FTC; for most other companies, the Federal Trade Commission (FTC) has treated unreasonably weak data security as an unfair practice under Section 5 of the FTC Act, and has brought enforcement actions on that basis.

In contrast, if “5” is your first year’s target score and you are in an industry with low cyber risk, then you might well be considered reasonable.

Customer Expectations

No matter what your industry, if clients entrust you with their secrets, a prospective client may balk at handing sensitive data to a team that only aims for the bare minimum of cybersecurity. That said, you may not need to be an “8” across the board.

Organization Maturity

As we’ve discussed previously, a good cyber risk program can provide you with a competitive differentiator.

When the NotPetya disk wiper struck in 2017, spreading from Ukraine to multinational companies including FedEx’s TNT Express unit, FedEx suffered large losses of profit (about $300 million) and of customers.

DHL, which was only slightly affected by NotPetya, kept delivering on time and, with little additional effort, picked up thousands of defecting FedEx customers.

“Strong Castle” Strategy

For years, organizations have commonly set a target score of “6”, “7” or “8” for their Protect function while leaving the other four functions at a “5”.

Their target scores look something like this:

This is still the current practice of many organizations across many industries.

The idea is to know where your “crown jewels” are and put heavy protection around them. Done well, this strategy should reduce the need for optimal cybersecurity in the other functions, since it assumes only minor incidents will get through.

With little margin for error, though, effective scores in the other functions sometimes drop below a “5” as external events and competing internal priorities intervene.

“First Responder” Strategy

Organizations suffering more frequent incidents from ransomware and other highly sophisticated, often silent, attacks have shifted their strategy toward responding quickly to whatever cyber incidents occur.

Their target scores look something like this:

Having the Respond function at an “8” pays off because a fast, high-quality response offsets relatively lower target scores in the other four functions.

“Big City” Strategy

A very mature perspective on cybersecurity is to see your company’s data network more as a modern city than as a medieval fortress. A city needs police and fire departments that can deploy rapidly when trouble erupts, and supporting services that enable fast clean-up and repair.

Their target scores look something like this:

“World Class” Strategy

If you’re large enough to afford it,

Their target scores look something like this:

Being world class at cyber risk management is very expensive and difficult unless you are narrowly focused on a single, extremely high-value asset (the Coca-Cola secret formula) or a highly sensitive government operation that can spend whatever is needed to achieve this level of cybersecurity.

Don’t Be Too Ambitious At First

Whatever targets you choose, it’s unlikely you can become an 8 in all five functions right away, so some trade-off analysis is probably required as you build your organizational capabilities over time.


Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.

Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.
