Using key status indicators as decision-making tools
To quantify exposure to risk as part of the risk assessment process, Gartner mentions the use of key risk indicators (KRIs): metrics for the level of exposure to a current operational risk.
KRIs help monitor the overall risk exposure of a company and the specific risk of each operational unit. This enables decision makers to make decisions based on how much risk exposure they are willing to accept. However, from a security perspective, KRIs alone fail to give a complete picture of the efficacy of the security system itself and are therefore an incomplete solution.
To overcome the problem of overdependence on KRIs, Gartner recommends the use of key control indicators (KCIs), which show how well each given control (mitigation measure) is meeting its intended objectives, in order to present a measurable assessment of the control systems, including any control failures.
Since KRIs constantly change, there is a corresponding need to constantly monitor and update network security. Applying KCI metrics adds a focused approach to the risk assessment process and allows for pinpointing specific weak spots and failures. More importantly, KCIs act as an early detection system for possible security threats, as changes will become apparent sooner than with the use of KRIs alone.
The combination of KRIs and KCIs (for risks and controls, respectively) allows the development of key performance indicators (KPIs) that measure performance or the achievement of targets, as an overall measure of how well the security system does its job.
In practice, each key risk indicator is assigned a data source and key control indicators, resulting in a comprehensive map of the OT network’s threats (using data pulled from threat intelligence and other sources) and vulnerabilities. The ability to automate the threat database update process is key to ensuring the system’s ability to “intercept” and account for upcoming threats, thus ensuring the continued operation of critical, high-stakes industrial operations.