
What Are Protection-Level Agreements in Cybersecurity and How to Use Them

A Protection Level Agreement (PLA) in security awareness training defines measurable standards to enhance employee accountability and cybersecurity performance.

What is the Protection Level Agreement in Security Awareness Training?

In cybersecurity, bridging the gap between technical performance and business priorities is critical. Protection-Level Agreements (PLAs) offer a structured approach to achieve this by aligning cybersecurity objectives with measurable outcomes that resonate with leadership and drive meaningful change.

What Are Protection-Level Agreements?

A Protection-Level Agreement (PLA) is a contract between executives and CIOs/CISOs that outlines a target protection level for a planned cybersecurity investment. It represents a concrete expression of an organization’s risk appetite and establishes defensible decisions for the business.

PLAs are built on outcome-driven metrics (ODMs), which define desired security outcomes and the associated costs to achieve them. For instance, a PLA might specify a 30-day patching cadence with a projected annual cost of $1 million. Executives agree to support this investment, understanding that incidents may still occur within the defined protection level.

PLAs are agreements that define clear, outcome-driven metrics, setting expectations between cybersecurity teams and executives. Unlike traditional performance metrics that often focus on technical outputs, PLAs aim to:

  • Translate technical achievements into business-relevant results.
  • Ensure accountability for achieving predefined security outcomes.
  • Build a shared understanding of cybersecurity’s role in organizational success.

By focusing on outcomes, PLAs help bridge the communication gap between technical teams and business leaders, fostering trust and alignment.

Why Are PLAs Important?

Protection-Level Agreements play a significant role in aligning cybersecurity efforts with business objectives. By clearly defining the scope and expectations, they enable organizations to make informed decisions and maintain transparency. PLAs address several key challenges in cybersecurity governance:

  1. Establishing Risk Appetite: PLAs provide a defensible framework to articulate and manage an organization’s tolerance for security risks.
  2. Balancing Cost and Value: They require CIOs and CISOs to allocate resources efficiently, aligning security initiatives with budgetary constraints while maximizing impact.
  3. Driving Governance and Accountability: PLAs ensure that all stakeholders—from business units to security teams—understand their roles and responsibilities in achieving the agreed-upon outcomes.

For example, a PLA might address cost overruns by presenting options, such as adjusting targets or reallocating budgets, fostering productive discussions that lead to actionable solutions.

In many organizations, cybersecurity metrics fail to capture executive attention because they often focus on technical details without showing their relevance to broader organizational goals. PLAs address this challenge by clearly connecting cybersecurity performance to tangible business outcomes, ensuring that leaders understand the value and necessity of these efforts:

  1. Providing Clarity: They clarify what success looks like in measurable terms, such as reducing phishing incidents by 30% or cutting remediation costs by 40%.
  2. Driving Accountability: Teams are held responsible for achieving specific outcomes, creating a culture of ownership.
  3. Securing Executive Buy-In: By tying cybersecurity performance to business benefits, PLAs help secure the necessary funding and support from leadership.

Key Components of a PLA

A well-designed Protection-Level Agreement incorporates several critical elements that ensure clarity, alignment, and measurable outcomes, addressing both technical and business perspectives. It should include:

  • Outcome-Driven Metrics: Success in cybersecurity requires measurable results. Reducing phishing simulation click rates reflects improved awareness and threat recognition. Increased reporting of suspicious emails shows readiness to address real threats. A decrease in repeat offenders highlights the effectiveness of training and secure behavior reinforcement.
  • Current Operational Delivery: Establishing baseline performance levels is crucial. These benchmarks provide a clear starting point, helping organizations track progress and identify areas needing improvement.
  • Agreed Protection Levels: Achievable targets are vital for maintaining focus and engagement. For example, a goal like improving phishing reporting rates by 20% ensures measurable progress while remaining practical and motivating.
  • Business and Cybersecurity Benefits: Implementing a PLA delivers tangible benefits. Proactive measures help reduce costs tied to incident response. Enhanced resilience strengthens an organization’s ability to recover from threats, while a solid reputation fosters trust with stakeholders.
  • Review and Adjustment Mechanisms: Regular reviews keep the PLA aligned with changing risks and priorities. Periodic evaluations ensure it stays effective and relevant to the organization’s evolving cybersecurity needs.

Implementing PLAs: A Comprehensive Roadmap

Achieving success with Protection Level Agreements requires a well-defined process that integrates technical expertise, executive alignment, and cost management. PLAs create a foundation for governance, ensuring that security priorities are both realistic and aligned with business needs. The step-by-step guide below covers implementation from engaging stakeholders to monitoring and refining metrics over time:

  1. Engage Stakeholders Early: Begin by collaborating with executives to understand their priorities and concerns. This ensures the PLA aligns with organizational goals and secures leadership buy-in for its implementation.
  2. Define Baseline Metrics: Analyze historical performance data to establish a starting point. Baselines help identify key areas for improvement and serve as benchmarks for tracking progress over time.
  3. Set Clear Objectives: Create measurable, realistic targets that align with business priorities. Objectives should focus on delivering tangible value, such as reducing risks or enhancing operational efficiency.
  4. Communicate the Value: Illustrate the benefits of achieving PLAs through compelling narratives and case studies. Keep stakeholders informed by providing regular updates on progress and demonstrating how these efforts impact the organization positively.
  5. Monitor and Refine: Continuously evaluate progress against the agreed-upon metrics. Adjust goals and strategies as necessary to ensure the PLA remains aligned with evolving business needs and cybersecurity challenges.

Example PLA Metrics

Protection Level Agreements are only as effective as the metrics they are built upon. By focusing on actionable, outcome-driven goals, organizations can ensure that their PLAs resonate with both technical teams and business executives.

This section outlines several key examples of metrics that can be incorporated into PLAs to drive meaningful change and demonstrate the value of cybersecurity initiatives:

Picture 1: An example Protection Level Agreement displaying phishing susceptibility, behavior change, click rates

  1. Phishing Susceptibility: Reducing the click-through rates in phishing simulations to below 5% is a critical component of improving cybersecurity awareness. This decrease minimizes the likelihood of data breaches caused by social engineering attacks, protecting sensitive organizational information and reducing overall risk exposure.
  2. Incident Remediation: Shortening the average time to remediate cybersecurity incidents by 30% can have a significant impact on operational efficiency. Faster response times lower the costs associated with downtime and recovery, ensuring business continuity and reducing the impact of potential threats.
  3. Behavioral Change: Increasing the reporting rate of suspicious emails by 40% fosters a culture of vigilance and proactive security. This behavioral shift enhances the organization’s ability to detect and address threats early, minimizing potential damage and strengthening overall resilience.

Other Protection-Level Agreement Examples

Below, we explore some other examples of PLA metrics and their cybersecurity benefits using data-driven insights:

1. Phishing Email Reporting Rates

Picture 2: Actual Phishing Email Reporting Rates

PLAs aim to increase the percentage of employees reporting real phishing emails. For example, the current average reporting rate may be 5%, while the PLA target could be set at 20%.

Cybersecurity Benefit:

Higher reporting rates reduce the likelihood of phishing attacks leading to data breaches by ensuring timely identification and mitigation.

2. Phishing Simulation Click Rates

Picture 3: Phishing Simulation Click Rate

Reducing the click rate on phishing simulations is another common PLA metric. The current click rate may stand at 25%, with a PLA goal of reducing it to 5%.

Cybersecurity Benefit:

Lower click rates demonstrate improved employee ability to recognize phishing attempts, minimizing risk exposure.

3. Phishing Simulation Repeat Clicker Rates

Picture 4: Average Phishing Simulation Repeat Clicker Rate

Tracking and reducing the percentage of repeat offenders who fail phishing simulations is crucial. A current average of 12% repeat clickers might be targeted for a reduction to 8% under a PLA.

Cybersecurity Benefit:

Identifying and training repeat offenders lowers the chance of external phishing attacks succeeding and allows preemptive action.

4. Phishing Simulation Reporting Rates

Picture 5: Phishing Simulation Reporting Rate

This protection level agreement often focuses on improving the percentage of employees reporting simulated phishing emails. For instance, the reporting rate may increase from 10% to a PLA goal of 40%.

Cybersecurity Benefit:

Higher reporting rates improve the organization’s ability to identify and address phishing threats before they escalate.

5. Discretionary Training Completion

Picture 6: Discretionary Training Completion

Increasing optional security training completion rates is a valuable metric. For example, the current participation might be 10%, with a PLA target of 40%.

Cybersecurity Benefit:

Boosting training completion rates strengthens security culture, leading to a 400% improvement in advanced security awareness knowledge.

6. Phishing Simulation Coverage

Picture 7: Phishing Simulation Coverage

This protection level agreement often aims to ensure that all employees participate in phishing simulations. For example, coverage could improve from 90% to full participation.

Cybersecurity Benefit:

Comprehensive simulation coverage provides a more accurate measure of organizational susceptibility to social engineering attacks.

7. Security Training Coverage

Picture 8: Security Training Coverage

Expanding the reach of mandatory security awareness training is critical. For instance, current training coverage of 50% might be increased to a PLA target of 90%.

Cybersecurity Benefit:

Improved training coverage leads to an 80% improvement in employees’ core security awareness knowledge, reducing human-driven cyber risks.

By implementing protection level agreements and monitoring their metrics, organizations can establish clear goals and track progress in strengthening their cybersecurity posture. These benchmarks ensure that employee behaviors evolve, reducing vulnerability to phishing and other cyber threats.
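The simulation metrics described in this section (click rate, reporting rate, repeat clicker rate and coverage) can be computed directly from per-employee simulation records and checked against the baseline/target pairs of a PLA. The following Python is an added example, not Keepnet's code; the simulation events are constructed, and the repeat-clicker definition (an employee who clicked in two or more campaigns, as a share of employees who received at least one simulation) is an assumption.

```python
from collections import defaultdict

# Constructed sample data: one row per simulated phishing email delivered.
# Fields: campaign id, employee id, clicked?, reported?
SIM_EVENTS = [
    ("c1", "alice", False, True),
    ("c1", "bob",   True,  False),
    ("c1", "carol", False, True),
    ("c1", "dave",  True,  False),
    ("c2", "alice", False, True),
    ("c2", "bob",   True,  False),   # bob clicks in both campaigns: a repeat clicker
    ("c2", "carol", False, True),
    ("c2", "dave",  False, False),
]
HEADCOUNT = 5  # a fifth employee never received a simulation, so coverage is < 100%

# PLA targets taken from the article's examples; "lower_is_better" gives the
# direction in which a metric must move for the target to count as met.
PLA_TARGETS = {
    "click_rate":          {"target": 0.05, "lower_is_better": True},
    "reporting_rate":      {"target": 0.40, "lower_is_better": False},
    "repeat_clicker_rate": {"target": 0.08, "lower_is_better": True},   # assumed definition
    "coverage":            {"target": 1.00, "lower_is_better": False},
}

def compute_metrics(events, headcount):
    """Derive the four PLA metrics from raw simulation events (empty input -> all zeros)."""
    delivered = len(events)
    clicks = sum(1 for _, _, clicked, _ in events if clicked)
    reports = sum(1 for _, _, _, reported in events if reported)
    clicks_per_employee = defaultdict(int)
    covered = set()
    for _, emp, clicked, _ in events:
        covered.add(emp)
        if clicked:
            clicks_per_employee[emp] += 1
    repeat = sum(1 for n in clicks_per_employee.values() if n >= 2)
    return {
        "click_rate": clicks / delivered if delivered else 0.0,
        "reporting_rate": reports / delivered if delivered else 0.0,
        "repeat_clicker_rate": repeat / len(covered) if covered else 0.0,
        "coverage": len(covered) / headcount if headcount else 0.0,
    }

def evaluate_pla(metrics, targets):
    """Return {metric: (value, target, met)} so each PLA line item can be reported."""
    result = {}
    for name, spec in targets.items():
        value = metrics[name]
        met = value <= spec["target"] if spec["lower_is_better"] else value >= spec["target"]
        result[name] = (round(value, 4), spec["target"], met)
    return result

if __name__ == "__main__":
    report = evaluate_pla(compute_metrics(SIM_EVENTS, HEADCOUNT), PLA_TARGETS)
    for name, (value, target, met) in report.items():
        print(f"{name:20s} {value:7.2%}  target {target:7.2%}  {'MET' if met else 'NOT MET'}")
```

With the constructed data only the reporting-rate target is met, which is the kind of per-metric status a PLA review would present to executives alongside the baseline.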

The Business Impact of PLAs

Protection-Level Agreements enable organizations to elevate their cybersecurity governance by aligning investments with risk management priorities. By abstracting the complexities of tools, processes, and personnel, PLAs focus on how well an organization is protected rather than the mechanisms behind that protection. This approach drives several business benefits:

  • Enhanced Decision-Making: PLAs create a direct line of sight between security outcomes and business priorities, enabling executives to make informed decisions.
  • Defensible Investment Strategies: By clearly linking costs to desired protection levels, PLAs provide a credible basis for budgetary discussions and resource allocation.
  • Improved Risk Governance: PLAs offer a structured approach to managing and communicating risk appetite, fostering trust between stakeholders.

For example, a PLA specifying a 30-day patching target at a defined cost ensures that all parties understand the investment required and the expected outcomes, creating accountability and reducing ambiguity.

When implemented effectively, Protection-Level Agreements (PLAs) serve as a powerful tool to translate complex cybersecurity efforts into tangible business value. By bridging the communication gap between technical teams and leadership, PLAs achieve the following outcomes:

  • Highlight the return on investment for security initiatives.
  • Build trust between cybersecurity teams and leadership.
  • Align cybersecurity objectives with broader organizational goals.

By focusing on results that matter, PLAs help organizations move beyond technical jargon and deliver outcomes that strengthen security and business resilience.

Implement Protection Level Agreement with Keepnet Human Risk Management

Looking to implement effective PLAs in your organization? Keepnet Human Risk Management provides tools and insights to craft outcome-driven metrics that bridge the gap between cybersecurity and business priorities. Empower your team to secure executive buy-in and deliver measurable results. Discover how Keepnet can help you achieve your security goals today!

Watch our YouTube video below to learn how you can leverage PLAs in executive reports.


Frequently Asked Questions

What is the primary goal of a Protection Level Agreement (PLA)?

The primary goal of a PLA is to define measurable objectives for a service, such as Security Awareness Training (SAT), ensuring that outcomes align with organizational cybersecurity goals. It establishes accountability between the organization and the service provider.

How do PLAs differ from traditional service-level agreements (SLAs)?

While SLAs focus on service availability and operational standards, PLAs specifically define protection-related metrics, such as reducing phishing susceptibility or improving employee reporting rates, to measure the success of cybersecurity initiatives.

Who should be involved in drafting a PLA for SAT?

Key stakeholders include Chief Information Security Officers (CISOs), IT teams, HR departments, and the training provider. Collaboration ensures that the PLA reflects organizational goals and employee needs.

Can PLAs be applied to compliance requirements like GDPR or HIPAA?

Yes, PLAs can incorporate compliance goals, such as ensuring 100% employee training completion or documenting improved phishing resilience to meet regulatory standards.

How often should organizations review their PLAs?

Organizations should review PLAs quarterly or biannually to ensure alignment with evolving cybersecurity threats and adjust metrics to reflect progress or changing priorities.

What industries benefit most from PLA-driven SAT programs?

Industries prone to social engineering attacks, such as financial services, healthcare, and retail, benefit significantly. PLAs help these sectors target high-risk areas and track improvements.

What happens if PLA targets are not met?

Failure to meet PLA targets should prompt a review of training content, delivery methods, and employee engagement strategies. The PLA may also include provisions for penalties or additional support from the provider.

How can organizations encourage employees to meet PLA objectives?

Organizations can boost engagement by gamifying training, offering incentives, and conducting regular phishing simulations to keep employees motivated and aware of their progress.

Can PLAs address specific cyber threats like ransomware or smishing?

Yes, PLAs can target specific threats by incorporating specialized training modules, such as ransomware prevention or smishing simulation tools, to address these risks.

What tools can help measure PLA success?

Platforms like the Keepnet Human Risk Management Platform and tools like the Phishing Simulator provide detailed metrics to track progress against PLA goals.