What should Susan track to predict high-risk areas in her organization?

Tracking key risk indicators (KRIs) is essential for predicting high-risk areas within an organization. KRIs are defined metrics that provide early warning signs of increasing risk exposure. These indicators are often derived from historical data and can help monitor trends over time, allowing Susan to understand where potential vulnerabilities may arise.

By focusing on KRIs, she can identify patterns or anomalies that signal a rise in risk levels. This proactive approach enables organizations to implement measures to mitigate potential threats before they manifest into tangible issues, thus enhancing their risk management capabilities. Key risk indicators may include metrics such as incident response times, employee training completion rates, and frequency of security policy violations, among others.

In contrast, while yearly risk assessments, penetration testing results, and SIEM event logs all offer valuable insights, they serve different purposes. Yearly risk assessments provide a snapshot of risk at a particular point in time, which may not capture ongoing trends. Penetration testing results evaluate the effectiveness of specific security controls but might not encompass broader risk areas. Similarly, SIEM event logs are crucial for real-time monitoring and incident response, but they primarily deal with immediate security events rather than proactively foreseeing vulnerabilities or risks. Hence, tracking KRIs is a more effective strategy for Susan to identify