Industrial Internet Security Framework v1.0 | Page 34

Security Framework: 5 Managing Risk
5.5 METRICS AND KEY PERFORMANCE INDICATORS
Business decision makers should monitor reports on the security of their IIoT systems from the moment the systems are conceived, through their design and creation, and throughout their operation. This should be at the same depth as they monitor other characteristics such as performance, throughput, cost and efficiency. The correct measures and metrics inform decision makers, operators and other stakeholders. The interests and needs of key stakeholders, legal responsibilities from laws, regulations and contracts, as well as norms of behavior in the industrial sectors of the system, should all be taken into consideration in establishing appropriate metrics and baselines (metrics define quantitative results against a baseline; measurements describe an absolute observation). All of these considerations should be reviewed periodically for possible adjustment.
Some of the metrics and measures will be common across verticals; others will be unique. As an example of the former, most industries track security metrics such as the number of detected attack attempts and the breakdown of those attempts, as well as characterizing successful attacks, incidents, close calls, policy violations and anomalies that have merited investigation. As an example of the latter, in the utility and energy industry it is important to collect metrics on remote terminal unit (RTU) and sensor outages. The function of those metrics is to identify an outage in an RTU quickly, visualize it on a display and set up a process to investigate whether the outage was malicious or accidental.
Clear and accurate representations (dashboards and other visualizations) of security metrics, including data sources, communications and system capabilities, as well as key performance indicators, allow operational and business personnel to make better business decisions. Security then becomes a valuable part of the operational process, and its value can be quantified in terms of the costs saved by averting wrong decisions.
Security metrics can set up a continuous feedback loop to identify areas of risk, increase accountability, improve security effectiveness, demonstrate compliance with laws and regulations and provide quantifiable inputs for effective decision making. Such metrics help identify security problems early and assist in faster and more efficient management and governance. Key performance indicators selected for each application also improve the quality of service, since issues such as the number of times a capability is disrupted can be identified early and corrective or compensating measures taken. Dashboards and other visualizations displaying security metrics collected through continuous feedback loops are desirable, but not essential, for conducting periodic risk assessments.
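The distinction drawn above between measurements (absolute observations) and metrics (results against a baseline), together with the RTU outage workflow from the utility example, as an added illustration in Python. This is not code from the framework or the IIC; the asset names, event types, timestamps, heartbeat period, baseline values and the triage rule (an outage preceded by security events on the same asset is investigated first) are all constructed for the example.

```python
"""Security measurements vs. metrics, and RTU outage detection and triage.

Added illustration, not part of the IISF. All data below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.fromisoformat(s)


# Constructed security events for one 5-minute window: (timestamp, type, asset).
SECURITY_EVENTS = [
    ("2024-05-01T10:00:05", "attack_attempt", "rtu-07"),
    ("2024-05-01T10:00:09", "attack_attempt", "rtu-07"),
    ("2024-05-01T10:02:00", "policy_violation", "hmi-01"),
    ("2024-05-01T10:03:30", "attack_attempt", "rtu-12"),
    ("2024-05-01T10:05:00", "anomaly", "hist-01"),
]

# Constructed RTU heartbeats, nominal period 60 s: (timestamp, rtu_id).
# rtu-07 falls silent right after the attack attempts; rtu-19 falls silent with no events.
HEARTBEATS = [
    ("2024-05-01T10:00:00", "rtu-07"), ("2024-05-01T10:00:10", "rtu-07"),
    ("2024-05-01T10:00:00", "rtu-12"), ("2024-05-01T10:01:00", "rtu-12"),
    ("2024-05-01T10:02:00", "rtu-12"), ("2024-05-01T10:03:00", "rtu-12"),
    ("2024-05-01T10:04:00", "rtu-12"), ("2024-05-01T10:05:00", "rtu-12"),
    ("2024-05-01T10:01:00", "rtu-19"), ("2024-05-01T10:02:00", "rtu-19"),
]

# Constructed baseline: expected event counts per 5-minute window (e.g. last quarter's average).
BASELINE = {"attack_attempt": 1.5, "policy_violation": 1.0, "anomaly": 1.0, "close_call": 0.5}

NOW = parse_ts("2024-05-01T10:05:30")
MAX_SILENCE = timedelta(seconds=90)  # 1.5 heartbeat periods: one missed beat is tolerated


def measurements(events):
    """Measurements: absolute observations, i.e. how many events of each type were seen."""
    return Counter(kind for _, kind, _ in events)


def metrics(events, baseline):
    """Metrics: each observed count expressed against its baseline (ratio of 1.0 == as expected)."""
    observed = measurements(events)
    out = {}
    for kind, base in baseline.items():
        n = observed.get(kind, 0)
        out[kind] = {"observed": n, "baseline": base, "ratio": round(n / base, 2) if base else None}
    return out


def detect_rtu_outages(heartbeats, now, max_silence):
    """RTUs whose most recent heartbeat is older than max_silence at time `now`."""
    last_seen = {}
    for ts, rtu in heartbeats:
        t = parse_ts(ts)
        if rtu not in last_seen or t > last_seen[rtu]:
            last_seen[rtu] = t
    outages = []
    for rtu, t in sorted(last_seen.items()):
        silence = now - t
        if silence > max_silence:
            outages.append((rtu, t.isoformat(), int(silence.total_seconds())))
    return outages


def rtu_availability(heartbeats, now, max_silence):
    """A fleet-level metric: (RTUs currently reporting, RTUs known)."""
    total = len({rtu for _, rtu in heartbeats})
    down = len(detect_rtu_outages(heartbeats, now, max_silence))
    return (total - down, total)


def triage_outages(outages, events, now, lookback):
    """Open an investigation item per outage. The code cannot decide malicious vs. accidental;
    it only orders the queue: outages preceded by security events on the same asset go first."""
    items = []
    for rtu, last_iso, silence in outages:
        last = parse_ts(last_iso)
        related = [kind for ts, kind, asset in events
                   if asset == rtu and last - lookback <= parse_ts(ts) <= now]
        items.append({"rtu": rtu, "last_seen": last_iso, "silence_s": silence,
                      "related_events": related, "priority": "high" if related else "normal"})
    return items


if __name__ == "__main__":
    for kind, m in metrics(SECURITY_EVENTS, BASELINE).items():
        print(f"{kind:17s} observed={m['observed']} baseline={m['baseline']} ratio={m['ratio']}")
    print("RTU availability (up, total):", rtu_availability(HEARTBEATS, NOW, MAX_SILENCE))
    outages = detect_rtu_outages(HEARTBEATS, NOW, MAX_SILENCE)
    for item in triage_outages(outages, SECURITY_EVENTS, NOW, timedelta(minutes=5)):
        print(item)
```

The ratio column is the metric the text describes (a quantity relative to a baseline), while the raw counter is the measurement; the same counts read very differently depending on which baseline the stakeholders agreed on, which is why the text asks that baselines be reviewed periodically. The triage step deliberately stops at prioritisation: deciding whether an outage was malicious or accidental is the investigative process the text calls for, not something the metric pipeline can conclude.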
5.6 MANAGEMENT CONSIDERATIONS
Managing risk balances the threats against the IIoT system with the security responses that counteract those threats and the risk they represent. Risk management involves ongoing action to make appropriate decisions, based on the security evidence from metrics and key performance indicators (KPIs) as well as monitoring data, in order to prioritize security tasks. Building out a feedback loop that identifies security issues and attests that those issues have been correctly addressed is highly recommended.
IIC:PUB:G4:V1.0:PB:20160926 - 34 -