So when looking to make single / annual loss expectancy (SLE / ALE) as subjective as possible it helps to have some metrics (i.e., KPIs / KRIs).
While vulnerability scanning / DAST / SAST / pen test findings can help, the best examples are from either honeypots or via red team exercises, to include: social engineering, phishing, whaling, and / or compromised digital assets.
Such metrics will help with the providing the (estimated) annual rate of occurrence (ARO) needed to determine the SLE * ARO = ALE.
Finally, while subjective, annual net sales / days of expected outage always helps w/ determining the SLE for ERP / EMR / EHR / ICS / CRM / SFA systems.
No comments:
Post a Comment