As Gartner puts it in its overview of CARE (Consistent, Adequate, Reasonable and Effective):
"Traditionally, cybersecurity priorities and investments have been largely based on achieving a capability, such as the implementation of tools, to avoid an outcome, like security incidents. Moving forward, cybersecurity priorities and investment need to be based on achieving a set of outcomes that are consistent, adequate, reasonable and effective (CARE)."
The CARE standard was developed to provide a framework for assessing the credibility and defensibility of an organization's cybersecurity program. It builds on the concept of "reasonable steps", which regulators and courts often use to decide whether the standard of due care has been met. The point of the framework is to measure outcomes rather than the mere presence of a control: owning a vulnerability scanner is a capability, while the share of in-scope systems it actually scans every cycle is an outcome. The table below gives one example metric per criterion to show how an information security program can be assessed against this framework; the metrics are illustrative, and a real program would define several per criterion, each with a stated scope, measurement period and target.
Criterion | Description | Example metric
--- | --- | ---
Consistent | Do your controls work the same way over time and across the whole organization? | Percentage of in-scope systems scanned for vulnerabilities each cycle; percentage of employees enrolled in the phishing simulation program.
Adequate | Do you have satisfactory controls in line with business need? | Percentage of endpoints with current anti-malware definitions.
Reasonable | Are your controls appropriate, fair and proportionate? | Average delay (for example in days) when reviewing third- or fourth-party vendors.
Effective | Are your controls successful in producing the desired or intended outcomes? | Average or maximum number of hours taken to detect security incidents.