The Cybersecurity Metric for Business Leaders
- Bill Frank
- Feb 21
- 2 min read

Traditional control metrics do not resonate with business leaders because they are not tied to cyber-related business risks.
Contribution to Risk Reduction (CoRR) is a new metric generated by a risk-informed, control analytics model.
CoRR shows how each currently deployed and proposed control contributes to overall cyber defense against the cyber-related loss events of concern to business leaders.
In addition, CoRR helps security teams prioritize control investments.
The problem with traditional cybersecurity control metrics
Business leaders recognize that cyber risks are business risks. However, they are not keen on learning about the traditional technical metrics we use because they are not effective indicators of risk reduction.
However, business leaders set cybersecurity budgets. Therefore, we must find ways to collaborate with them on the value of control investments—people, processes, and technologies—from the standpoint of risk reduction.
Cybersecurity is a team game, and controls are the players. We all agree that attackers must execute a series of steps to achieve their goals. Therefore, defenders have multiple opportunities, via multiple controls working collectively across thousands of overlapping attack paths, to detect and block threats before they escalate into severe loss events.
The problem with traditional technical control metrics is that they are calculated for each control independently. They do not take loss events or their related attack paths (kill chains) into account.
A control metric to collaborate with business leaders
To address this issue, we at Monaco Risk invented and developed a risk-informed, control analytics model that credibly calculates each control’s Contribution to Risk Reduction (CoRR). This is the control metric that is meaningful to business leaders.
Monaco Risk’s control analytics model software, the Cyber Defense Graph™, calculates the collective effectiveness of the set of controls related to the loss events of concern to business leaders and each control’s Contribution to Risk Reduction.
This does NOT mean that technical metrics are unimportant. They certainly are important. In fact, we use them as one of the inputs for calculating CoRRs.
Prioritizing control investments
A second related use case for the Contribution to Risk Reduction metric is helping security teams prioritize control investments. Given budget constraints, trade-offs must be made. The complexity of cybersecurity and the variety of potential controls make prioritizing control investments challenging.
We face hundreds of threat types (defined by MITRE ATT&CK®), dozens of threat actors, thousands of vulnerabilities, tens of thousands of overlapping and interleaved kill chains, role proliferation, and under-configured and misconfigured controls.
How do we choose between network vs. host, identity/access vs. threat prevention, across attack stages, and among people, processes, and technologies?
Contribution to Risk Reduction provides the metric necessary to compare the value of all the controls we have deployed and those we are considering for the future. CoRR meets this requirement by normalizing the individual performance metrics of disparate control types.
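As an added illustration of the two points above (why a per-control metric misses what attack paths reveal, and how a path-aware metric lets deployed and proposed controls be compared on one scale), the toy model below scores each control by the expected loss that would return if it were removed, and scores a proposed control by the loss it would remove. This is example code written for this page, not Monaco Risk's Cyber Defense Graph or its method, which the post does not describe; every path, control, probability and loss figure is constructed for the example.

```python
# Constructed toy data for illustration; not Monaco Risk's model or data.
# Each attack path: its ordered stages and the expected loss if it completes.
PATHS = {
    "ransomware_via_phishing": (["phish", "exec", "lateral", "encrypt"], 1_000_000),
    "data_theft_via_exposed_service": (["exploit_public", "c2", "exfil"], 500_000),
    "ransomware_via_rdp": (["bruteforce_rdp", "lateral", "encrypt"], 800_000),
}

# Each control: the stages it covers and its per-stage probability of
# detecting or blocking there (the "traditional" standalone metric).
CONTROLS = {
    "email_filter": {"phish": 0.9},
    "awareness_training": {"phish": 0.4},
    "edr": {"exec": 0.8, "lateral": 0.5, "encrypt": 0.6},
    "mfa": {"bruteforce_rdp": 0.95},
    "egress_filter": {"c2": 0.7, "exfil": 0.5},
}

def path_success_probability(stages, controls):
    """Probability an attacker traverses every stage without being stopped.
    Controls on the same stage are treated as independent chances to block."""
    p = 1.0
    for stage in stages:
        for cover in controls.values():
            p *= 1.0 - cover.get(stage, 0.0)
    return p

def residual_risk(controls, paths=PATHS):
    """Expected loss summed over all paths for a given control set."""
    return sum(loss * path_success_probability(stages, controls)
               for stages, loss in paths.values())

def contribution(name, controls=CONTROLS, paths=PATHS):
    """Marginal risk reduction attributable to one deployed control:
    how much expected loss rises if it is removed and the rest stay."""
    without = {k: v for k, v in controls.items() if k != name}
    return residual_risk(without, paths) - residual_risk(controls, paths)

def contribution_if_added(name, coverage, controls=CONTROLS, paths=PATHS):
    """The same question for a proposed control not yet deployed."""
    with_new = dict(controls, **{name: coverage})
    return residual_risk(controls, paths) - residual_risk(with_new, paths)

if __name__ == "__main__":
    for name, cover in CONTROLS.items():
        print(f"{name:20s} standalone efficacy {max(cover.values()):.2f}"
              f"  contribution ${contribution(name):,.0f}")
    # Hypothetical proposed control covering the one uncovered stage.
    print(f"proposed waf: ${contribution_if_added('waf', {'exploit_public': 0.6}):,.0f}")
```

In this data the egress filter has the lowest standalone efficacy yet the largest contribution, because it is the only control on one path; the path view, not the per-control number, is what exposes that.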
In summary, Monaco Risk’s control analytics model generates a Contribution to Risk Reduction metric for every deployed or proposed control, helping prioritize control investments and communicate their value to business leaders.
Originally published on LinkedIn on February 20, 2025