Risk management frameworks can teach risk professionals valuable lessons about what a risk management program should look like. We are encouraged to begin by making a list of the threats to, and vulnerabilities of, our organizational assets, including the controls that are meant to protect them from harm. The next objective is to assess the risk this poses to our objectives and, ideally, quantify that impact using a model such as the Open Factor Analysis of Information Risk (FAIR) standard. Finally, we must choose a risk treatment option: avoid, mitigate, transfer or accept. These terms may vary by framework, or even include another option (e.g., sharing), but the sentiment is the same: We can choose to avoid a thing, thereby bypassing the risk altogether; we can implement some controls to mitigate that thing, thereby lessening the impact of the risk; we can employ risk transfer to help limit damages, perhaps by employing insurance to limit loss exposure; or we can do none of those things, forge ahead and accept the consequences.
This is usually where the lessons end, but upon review, there is more to these four options than can be taught in a Risk 101 class. This workflow of risk assessment and treatment works fine—so long as we do not consider a realistically complex risk scenario. This is because the unit of measure of the input (a single scenario) is not equivalent to the unit of measure of the output (a treatment decision, which is made at a different level of the organization). Consider the following example: If the risk scenario consists of cybercriminals exploiting application vulnerabilities to steal customer data, we can easily assess the threats to, and vulnerabilities of, our assets and even the risk this scenario poses to business objectives. Then it comes down to our choices about what to do in response. This is where the problem lies.
Implementing the risk responses described above requires the involvement of different layers of granularity in the organization. For example, mitigating this scenario may be as simple as ensuring there is a regular vulnerability management program in place to keep applications up to date. But sometimes managing the risk is more complicated. If the business requires a legacy version of an application, this can make patching difficult, if not impossible. In such cases, there are other technological controls that can help (e.g., segmenting and firewalling), but this typically requires the business teams to agree to the modifications.
Avoidance can be difficult for a technology team to implement, as it usually involves pulling out of a strategic endeavor altogether (e.g., ceasing to do business online or halting the collection of sensitive personal data through a mobile application). The impact of this extends beyond the particular risk scenario at hand, and as such, requires multiple levels of buy-in from business teams. Likewise, acceptance typically requires a sign-off at higher levels in the organization, as the technology team may not be authorized to accept risk on behalf of the business teams. Transference, however, is an option that requires an aggregate level of response. For example, one cannot purchase a cyberinsurance policy to cover just a single scenario. Instead, such policies necessitate an organizationwide perspective. While the risk of this particular scenario may be covered by such policies, there is still the need for continuous monitoring at the aggregate level to ensure that such minor and routine risk scenarios do not cause an unpredictably large or sudden shift in risk posture, such that any cyberinsurance policies are no longer protecting the organization sufficiently.
Because the granularity of the risk treatment options is not available at the same level as the scenario under analysis, we need to be careful about appearing unintentionally cavalier about the ability of the organization to fix something or find other options for dealing with a risk scenario. At the very least, we need to be certain we are involving the right members of the organization in the decision-making process to ensure the best outcome for cyber, technology and business leaders in terms of enterprise risk. Best practice involves regular risk monitoring to ensure that aggregate loss exposure does not overwhelm the organization's risk appetite.
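The aggregate monitoring described above can be made concrete with a small simulation. The following Python is an added example, not part of the article or of the Open FAIR standard itself; it uses a simplified FAIR-style decomposition (annual loss = the sum of loss magnitudes over the loss events that occur in a year, with the number of events drawn from a Poisson distribution whose rate is the scenario's loss event frequency). The scenario portfolio, the risk appetite figure and the insurance limit are all constructed for illustration. It shows how adding one "minor and routine" scenario, such as a legacy application that cannot be patched, shifts the aggregate loss curve and the probability of exceeding appetite or insurance cover, which a per-scenario view would never reveal.

```python
"""Aggregate cyber loss exposure versus risk appetite and insurance cover.

Added illustration (not from the article). Simplified FAIR-style model:
annual loss = sum of per-event loss magnitudes over a Poisson number of
loss events; all figures below are constructed sample values.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # loss event frequency per year: (min, most likely, max), triangular
    lm: tuple   # loss magnitude per event in USD: (min, most likely, max), triangular


def _tri_mean(t):
    return sum(t) / 3.0


def expected_annual_loss(s: Scenario) -> float:
    """Point estimate in the FAIR spirit: mean LEF x mean loss magnitude."""
    return _tri_mean(s.lef) * _tri_mean(s.lm)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(scenarios, years=10_000, seed=7):
    """Monte Carlo: one simulated year per entry, summed across all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            lo, likely, hi = s.lef
            n_events = _poisson(rng, rng.triangular(lo, hi, likely))
            lo, likely, hi = s.lm
            for _ in range(n_events):
                total += rng.triangular(lo, hi, likely)
        totals.append(total)
    return totals


def percentile(values, pct):
    ordered = sorted(values)
    idx = int(round(pct / 100.0 * (len(ordered) - 1)))
    return ordered[min(idx, len(ordered) - 1)]


def assess(totals, risk_appetite, insurance_limit):
    """Summarise a simulated loss distribution against two aggregate thresholds."""
    n = len(totals)
    return {
        "mean": sum(totals) / n,
        "p95": percentile(totals, 95),
        "p_over_appetite": sum(t > risk_appetite for t in totals) / n,
        "p_over_insurance": sum(t > insurance_limit for t in totals) / n,
    }


# Constructed portfolio of scenarios (hypothetical figures)
PORTFOLIO = [
    Scenario("Web app exploit -> customer data theft", (0.5, 2.0, 4.0), (50e3, 200e3, 1e6)),
    Scenario("Ransomware on file servers", (0.1, 0.3, 1.0), (200e3, 750e3, 3e6)),
    Scenario("Lost or stolen laptops", (2.0, 6.0, 12.0), (2e3, 10e3, 60e3)),
]
# The "minor and routine" scenario: a legacy application that cannot be patched
MINOR_SCENARIO = Scenario("Unpatchable legacy application", (1.0, 3.0, 6.0), (20e3, 80e3, 400e3))

RISK_APPETITE = 3_000_000.0    # constructed annual loss the business is willing to bear
INSURANCE_LIMIT = 5_000_000.0  # constructed cyberinsurance policy limit


def marginal_effect(base, extra, appetite=RISK_APPETITE, limit=INSURANCE_LIMIT):
    """Aggregate posture before and after adding one more scenario."""
    before = assess(simulate_annual_losses(base), appetite, limit)
    after = assess(simulate_annual_losses(base + [extra]), appetite, limit)
    return before, after


if __name__ == "__main__":
    for s in PORTFOLIO + [MINOR_SCENARIO]:
        print(f"{s.name:45s} expected annual loss ~ ${expected_annual_loss(s):,.0f}")
    before, after = marginal_effect(PORTFOLIO, MINOR_SCENARIO)
    for label, r in (("before", before), ("after ", after)):
        print(f"{label}: mean ${r['mean']:,.0f}  p95 ${r['p95']:,.0f}  "
              f"P(>appetite)={r['p_over_appetite']:.1%}  P(>insurance)={r['p_over_insurance']:.1%}")
```

The per-scenario point estimates look unremarkable on their own; the `marginal_effect` comparison is where the aggregate view earns its keep, because the probability of exceeding the risk appetite or the policy limit moves even though no single scenario comes close to either threshold. In practice the triangular inputs would be replaced by calibrated estimates, but the monitoring loop (re-run the aggregate whenever a scenario is added, accepted or re-rated, then compare against appetite and cover) is the same.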
Ultimately, it is important to remember the basics, but once they are put into practice, additional skill sets may be required to ensure success.
Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, is head of cyberrisk methodology for VisibleRisk, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.