The CARE Standard for Cybersecurity

As mentioned in Gartner’s overview of CARE (Consistent, Adequate, Reasonable and Effective),

Traditionally, cybersecurity priorities and investments have been largely based on achieving a capability, such as the implementation of tools, to avoid an outcome, like security incidents. Moving forward, cybersecurity priorities and investment need to be based on achieving a set of outcomes that are consistent, adequate, reasonable and effective (CARE).

The CARE standard was developed to provide a framework for assessing the credibility and defensibility of an organization’s cybersecurity program. It builds on the concept of reasonable steps, which is often used by regulators and in legal proceedings to determine whether the standard of due care has been met. The table below lists example metrics that show how to assess your information security program against each of the four CARE criteria:

| Criterion | Description | Example Metric |
|---|---|---|
| Consistent | Do your controls work the same way over time across the organization? | Percentage of systems scanned for vulnerabilities; percentage of employees enrolled in a phishing simulation program. |
| Adequate | Do you have satisfactory controls in line with business need? | Percentage of endpoints with current anti-malware definitions. |
| Reasonable | Do you have appropriate, fair and moderate controls? | Average delay when reviewing third- or fourth-party vendors. |
| Effective | Are your controls successful in producing the desired or intended outcomes? | Average or maximum number of hours taken to detect security incidents. |