SIEM Systems: Cybersecurity Command Center Formulas (New Zealand) | ORBITECH

ORBITECH AI Academy

Risk Assessment and Impact Analysis

Quantify cybersecurity risks and financial impacts for New Zealand organizations using standard risk formulas

Risk Score Formula approximation

R = T \times V \times I

Symbole	Signification	Unité
`R`	Risk score Normalized between 0 and 100	(dimensionless)
`T`	Threat level Normalized between 0 and 1, e.g., 0.8 for high threat	(dimensionless)
`V`	Vulnerability level Normalized between 0 and 1, e.g., 0.7 for medium vulnerability	(dimensionless)
`I`	Impact score Normalized between 0 and 1, e.g., 0.9 for critical impact	(dimensionless)

Exemple : For a Wellington hospital system with T=0.85, V=0.75, I=0.92, the risk score R = 0.85 × 0.75 × 0.92 = 0.5865

Annualized Loss Expectancy (ALE) law

ALE = SLE \times ARO

Symbole	Signification	Unité
`ALE`	Annualized Loss Expectancy Expected yearly financial loss from cyber incidents	NZD/year
`SLE`	Single Loss Expectancy Financial loss from a single incident	NZD
`ARO`	Annualized Rate of Occurrence Expected number of incidents per year	(occurrences/year)

Dimensions : $[N Z D]$

Exemple : A Christchurch retail chain has SLE = 250 000 NZD for ransomware and ARO = 0.15. ALE = 250 000 × 0.15 = 37 500 NZD/year

Single Loss Expectancy (SLE) definition

SLE = AV \times EF

Symbole	Signification	Unité
`SLE`	Single Loss Expectancy Financial impact of a single security incident	NZD
`AV`	Asset Value Value of the asset in New Zealand Dollars	NZD
`EF`	Exposure Factor Fraction of asset value lost (0 to 1), e.g., 0.4 for 40% loss	(dimensionless)

Dimensions : $[N Z D]$

Exemple : A Hamilton logistics company's delivery tracking system is valued at AV = 1 200 000 NZD. If EF = 0.25 during a cyber incident, SLE = 1 200 000 × 0.25 = 300 000 NZD

Security Incident Metrics

Key performance indicators for measuring SIEM effectiveness in detecting and responding to incidents

Mean Time Between Incidents (MTBI) definition

MTBI = \frac{T_{total}}{N}

Symbole	Signification	Unité
`MTBI`	Mean Time Between Incidents Average time between security incidents	hours
`T_total`	Total operating time Total monitoring period in hours	hours
`N`	Number of incidents Total incidents during monitoring period	(dimensionless)

Dimensions : $[T]$

Exemple : A Wellington university's SIEM monitored for $T_{t} o t a l$ = 8 760 h (1 year) and recorded N = 24 incidents. MTBI = 8 760 / 24 = 365 h ≈ 15.2 days

Mean Time To Detect (MTTD) definition

MTTD = \frac{\sum_{i = 1}^{N} t_{d, i}}{N}

Symbole	Signification	Unité
`MTTD`	Mean Time To Detect Average time to detect a security incident	minutes
`t_d,i`	Detection time for incident i Time from incident occurrence to detection	minutes
`N`	Number of incidents Total incidents with detection times recorded	(dimensionless)

Dimensions : $[T]$

Exemple : An Auckland bank's SIEM recorded detection times of [12, 45, 22, 33, 18] minutes for 5 incidents. MTTD = (12+45+22+33+18)/5 = 26 minutes

Mean Time To Respond (MTTR) definition

MTTR = \frac{\sum_{i = 1}^{N} t_{r, i}}{N}

Symbole	Signification	Unité
`MTTR`	Mean Time To Respond Average time from detection to containment	minutes
`t_r,i`	Response time for incident i Time from detection to incident containment	minutes
`N`	Number of incidents Total incidents with response times recorded	(dimensionless)

Dimensions : $[T]$

Exemple : A Christchurch government agency's SOC recorded response times of [30, 45, 25, 60, 35] minutes for 5 incidents. MTTR = (30+45+25+60+35)/5 = 39 minutes

Security Incident Rate definition

R = \frac{N}{T} \times 100

Symbole	Signification	Unité
`R`	Incident rate per 100 days Standardized incident frequency metric	(incidents/100 days)
`N`	Number of incidents Total incidents during monitoring period	(dimensionless)
`T`	Monitoring time in days Total monitoring duration in days	days

Dimensions : $[T^{- 1}]$

Exemple : A Dunedin tech company recorded 24 incidents over T = 180 days. Incident rate R = (24/180) × 100 = 13.3 incidents per 100 days

Log Management and Data Volume

Calculate storage requirements and data volumes for SIEM log collection in New Zealand environments

Daily Log Volume Calculation approximation

V_{daily} = E \times 86400 \times S

Symbole	Signification	Unité
`V_daily`	Daily log volume Total log data generated per day	bytes
`E`	Events per second Average event rate across all monitored systems	events/s
`S`	Average log size Average size of each log entry in bytes	bytes

Dimensions : $[L^{3}]$

Exemple : A Tauranga cloud hosting provider generates E = 5 000 events/s with S = 256 B per log. $V_{d} a i l y$ = 5 000 × 86 400 × 256 = 110 592 000 000 B ≈ 110.6 GB/day

Log Retention Requirement definition

V_{total} = V_{daily} \times D

Symbole	Signification	Unité
`V_total`	Total storage required Total storage needed for log retention period	bytes
`V_daily`	Daily log volume Log volume generated each day	bytes/day
`D`	Retention period in days Required retention period per compliance framework	days

Dimensions : $[L^{3}]$

Exemple : PCI DSS requires D = 365 days retention. With $V_{d} a i l y$ = 110.6 GB, $V_{t} o t a l$ = 110.6 × 365 ≈ 40 369 GB ≈ 40.4 TB

Log Compression Ratio definition

C = \frac{V_{uncompressed} - V_{compressed}}{V_{uncompressed}} \times 100

Symbole	Signification	Unité
`C`	Compression ratio Percentage reduction in log storage size	percentage
`V_uncompressed`	Uncompressed volume Original log file size before compression	bytes
`V_compressed`	Compressed volume Log file size after compression	bytes

Dimensions : $[1]$

Exemple : A Wellington ISP's logs compress from 500 GB to 125 GB. C = ((500 000 - 125 000)/500 000) × 100 = 75% compression ratio

Compliance and Audit Scoring

Score cybersecurity compliance against standards like NIST CSF and PCI DSS for New Zealand organizations

Compliance Score definition

C = \frac{P}{T} \times 100

Symbole	Signification	Unité
`C`	Compliance score Percentage of controls satisfied	percentage
`P`	Controls passed Number of controls meeting requirements	(dimensionless)
`T`	Total controls Total number of controls in framework	(dimensionless)

Dimensions : $[1]$

Exemple : A Hamilton manufacturer assessed 92 out of 100 NIST CSF controls. Compliance score C = (92/100) × 100 = 92%

Audit Finding Severity Score definition

S = \sum_{i = 1}^{N} w_{i} \times s_{i}

Symbole	Signification	Unité
`S`	Severity score Weighted severity of audit findings	(dimensionless)
`w_i`	Weight factor for finding i Importance weight (e.g., 3 for critical, 2 for high, 1 for medium)	(dimensionless)
`s_i`	Severity level for finding i Severity score (e.g., 5 for critical, 3 for high)	(dimensionless)
`N`	Number of findings Total audit findings	(dimensionless)

Dimensions : $[1]$

Exemple : A Christchurch hospital audit found 2 critical (w=3, s=5) and 4 high (w=2, s=3) findings. S = (3×5 + 3×5) + (2×3 + 2×3 + 2×3 + 2×3) = 30 + 24 = 54

PCI DSS Compliance Coverage definition

P_{PCI} = \frac{R}{12} \times 100

Symbole	Signification	Unité
`P_PCI`	PCI DSS compliance percentage Percentage of PCI DSS requirements met	percentage
`R`	Requirements satisfied Number of PCI DSS requirements satisfied (out of 12 families)	(dimensionless)

Dimensions : $[1]$

Exemple : A Queenstown payment processor satisfied 10 out of 12 PCI DSS requirement families. $P_{P} C I$ = (10/12) × 100 = 83.3% compliance

Incident Response Timelines

Measure and optimize response times for security incidents in New Zealand SOC environments

Incident Response Time SLA definition

T_{response} = t_{detect} + t_{contain} + t_{eradicate}

Symbole	Signification	Unité
`T_response`	Total response time Total time from incident detection to eradication	minutes
`t_detect`	Detection time Time from incident occurrence to detection	minutes
`t_contain`	Containment time Time to contain the incident and prevent spread	minutes
`t_eradicate`	Eradication time Time to remove the threat and restore systems	minutes

Dimensions : $[T]$

Exemple : A Napier winery's ransomware incident had $t_{d} e t e c t$ =15, $t_{c} o n t a i n$ =45, $t_{e} r a d i c a t e$ =240 minutes. $T_{r} e s p o n s e$ = 15 + 45 + 240 = 300 minutes (5 hours)

Mean Time to Recovery (MTTR) definition

MTTR = t_{recover} - t_{detect}

Symbole	Signification	Unité
`MTTR`	Mean Time to Recovery Time from detection to full system recovery	minutes
`t_recover`	Recovery time Time when systems are fully restored	minutes
`t_detect`	Detection time Time when incident was detected	minutes

Dimensions : $[T]$

Exemple : A Wellington university detected a phishing incident at $t_{d} e t e c t$ =09:30 and recovered at $t_{r} e c o v e r$ =14:15. MTTR = (14×60+15) - (9×60+30) = 855 - 570 = 285 minutes

Incident Escalation Time definition

T_{escalate} = t_{assign} - t_{detect}

Symbole	Signification	Unité
`T_escalate`	Escalation time Time from detection to incident assignment	minutes
`t_assign`	Assignment time Time when incident is assigned to response team	minutes
`t_detect`	Detection time Time when incident was detected	minutes

Dimensions : $[T]$

Exemple : An Auckland bank detected a DDoS attack at 10:00 and assigned it at 10:22. $T_{e} s c a l a t e$ = 22 minutes

Risk Assessment and Impact Analysis

Security Incident Metrics

Log Management and Data Volume

Compliance and Audit Scoring

Incident Response Timelines

Sources