For a long time, humans have used various organisms to help them detect dangerous environmental conditions. Animals used for this purpose are called ‘Sentinel Species’ by scientists -- the best example is the use of caged canaries to detect dangerous levels of carbon monoxide in coal mines.
Because canaries need such large quantities of oxygen to fly and to do so at altitudes that would make people ill, they developed air sacs that allowed them to hold extra oxygen in their bodies. These sacs make them highly susceptible to carbon monoxide poisoning. Eventually (and relatively recently) the use of canaries has been phased out in favor of electronic devices that detect noxious gases (called electronic noses).
In reflecting on the use of sentinel species it's clear that they play an important role in managing risk as a leading key risk indicator or KRI (if the bird dies, you better leave the mine or put your respirator on).
Are KRIs Indicators or Measurements?
I’ve long taken a literal interpretation of KRIs; namely, that they are indicators of risk. Note that in the canary use case, neither the miners nor the mine operator have experienced a risk event (dead miners) when the canary dies. They may suffer an availability or productivity loss (the mine becomes inoperable until it can be appropriately vented), but not a loss as serious as the death of an employee.
This distinction may seem self-evident, but I think it’s an important conversation for us in cyber security. When you reflect on your own KRIs for cybersecurity, are you using them as a measure of risk or an indicator of risk?
Many risk practitioners use KRIs as substitutes for quantitative risk assessments, not as supplements to them. This use goes against the literal interpretation of KRIs given above (an indicator of risk, not risk itself).
To go back to our sentinel species example, the death of the canary would be considered the loss event, not any subsequent loss of human life. It’s like being upset when you drop your cellphone and the protective case breaks but the phone is unharmed. The purpose of the case was to absorb the damage for the benefit of the cellphone; that control worked exactly as designed.
The Right Way to Use KRIs
Proper use of KRIs would be to choose metrics that correspond to variables in the risk calculation. Often in quantitative assessments we translate quantitative risk values back into verbal risk labels (high, medium, low), which results in range compression. What you would like to avoid is a scenario where you report medium risk quarter after quarter and then suddenly jump to high in the latest quarter, to the dismay of executives.
KRIs can help avoid this communications gap by relaying subtle changes in the risk environment that have not yet caused risk values to exceed a threshold. Good candidates for KRIs include metrics associated with threat community changes (such as the threat’s frequency and appetite for risk), loss potential (changes in legal and regulatory actions, rising rates on key response and investigation contracts, and the like), and changes in controls (often called Key Control Indicators, or KCIs).
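The following is an added illustration, not code from the original post. It assumes a deliberately simple risk calculation (annualized loss expectancy = loss event frequency multiplied by loss magnitude), illustrative label thresholds, and constructed quarterly figures; the two inputs are tracked as KRIs so that their trend is visible while the compressed label still reads "medium".

```python
"""Range compression of quantitative risk into verbal labels, with the
calculation's input variables tracked as KRIs.

Added example; the model, thresholds and data below are assumptions
chosen to illustrate the point, not the author's figures.
"""
from dataclasses import dataclass

# Illustrative upper bounds (currency units per year) for each label;
# anything at or above the last bound is reported as "high".
LABEL_THRESHOLDS = [(250_000, "low"), (1_000_000, "medium")]


@dataclass(frozen=True)
class Quarter:
    name: str
    loss_event_frequency: float  # expected loss events per year (threat KRI)
    loss_magnitude: float        # expected loss per event (loss-potential KRI)

    def ale(self) -> float:
        """Annualized loss expectancy under the assumed (simplified) model."""
        return self.loss_event_frequency * self.loss_magnitude


def risk_label(ale: float) -> str:
    """Compress a quantitative risk value into the verbal label executives see."""
    for upper, label in LABEL_THRESHOLDS:
        if ale < upper:
            return label
    return "high"


def label_report(quarters):
    """What a label-only report shows: (quarter, ALE, label) per period."""
    return [(q.name, q.ale(), risk_label(q.ale())) for q in quarters]


def kri_trend(quarters, attr, warn_pct=0.25):
    """Summarise one KRI across the series: overall relative change, whether it
    rose every period, and whether the change crosses the warning percentage."""
    values = [getattr(q, attr) for q in quarters]
    change = (values[-1] - values[0]) / values[0]
    rising = all(b >= a for a, b in zip(values, values[1:]))
    return {"kri": attr, "change_pct": round(change, 3),
            "monotonic_rise": rising, "warn": change >= warn_pct}


def first_warning_quarter(quarters, attr, warn_pct=0.25):
    """Name of the first quarter in which the KRI has drifted by warn_pct or more
    from its baseline, or None if it never does. This is the early signal the
    compressed label cannot give."""
    baseline = getattr(quarters[0], attr)
    for q in quarters:
        if (getattr(q, attr) - baseline) / baseline >= warn_pct:
            return q.name
    return None


# Constructed sample data: both KRIs drift upward over four quarters.
QUARTERS = [
    Quarter("Q1", 0.5, 800_000),
    Quarter("Q2", 0.6, 900_000),
    Quarter("Q3", 0.8, 1_000_000),
    Quarter("Q4", 1.0, 1_100_000),
]

if __name__ == "__main__":
    for name, ale, label in label_report(QUARTERS):
        print(f"{name}: ALE={ale:,.0f} label={label}")
    for attr in ("loss_event_frequency", "loss_magnitude"):
        print(kri_trend(QUARTERS, attr), "first warning:",
              first_warning_quarter(QUARTERS, attr))
```

Run as written, the label column reads medium, medium, medium, high even though the ALE nearly triples across the year; the KRI trend for both inputs crosses the 25% warning line in Q3, one quarter before the label jumps, which is exactly the early signal the paragraph above describes.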
KRIs are at their best when they appear regularly in front of risk governance committees and the Board of Directors. Whatever reporting cadence your organization uses (monthly, quarterly, etc.), showing these KRIs and their trends will give executives a sense of how the risk landscape for their organization has changed over time and prompt questions about the need for proactive action.
It’s important to have a very clear understanding of the risk ecosystem when communicating with executives. Conflating the use of risk ratings and risk indicators can cause confusion amongst those we are ethically bound to assist in making well-informed decisions. It’s important that our executives don’t mistake the canary for the coal miner.