I’m continuing my long series of posts that describe how to implement an information security program. Currently, we’re in the section called “How to Measure Cyber Risks.”
Last week, I described how you can create a simple yet effective way to turn expert opinions into numbers that we can use to determine the top risks.
Now, let’s prepare to collect scores from your experts. We’ll start by setting up a single place to record the scores you’ll gather. This is your working document, and not meant to be a questionnaire. In a future post, I’ll explain the workflow for collecting the data.
Start by associating each expert’s name with the controls they will score in your spreadsheet.
In the diagram below, you see I have the Recovery controls from the NIST cybersecurity framework listed by their unique codes in the first column called “ID.” Then in the second and third columns to the right, I’ve listed two experts by name along with their titles.
Notice Bob will not score three of the controls, so I’ve colored the intersecting cells black and will not include them in the calculation of the summary scores.
Because I’m using the NIST cybersecurity framework, the three columns to the right are labeled Outcome, Activity, and Function, which are the three levels of controls defined in that framework.
Since you already know who will be providing scores for each control, making your score sheet should take you about 2 hours unless you have dozens of experts to interview.
This is what your data might look like after you collect all the scores:
Notice the colors of the cells follows along with the score key. In Excel, you can use conditional formatting to make that happen automatically. Also, notice the scores in the three right-hand columns are calculated as simple averages, also called the arithmetic mean.
Let’s step through the rollup of the averages:
- The Outcome average is the mean of Alice and Bob’s scores for each Outcome.
- The Activity average is the mean of the Outcomes in each Activity.
- And the Function average is the mean of all the Activities.
Next week, we’ll continue with part 2.
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.