Early in my security career, while I was studying for my CISSP certification, the author of the book I was reading presented a concept of how to treat risk once it is known. Management has the choice of treating, accepting, deferring, or denying the risks that are found or identified.
While almost all security frameworks require a risk assessment, few actually call out a risk treatment program. Once a risk assessment is completed, you are left with a list of risks that your organization must now attend to. These risks are generally ranked by severity from high to low.
Ok, so now what… How does one know which risks or threats need to be addressed? Do you address all highs? What if your finances or resources do not permit treatment of all high, or even medium, risks? The answer is based on your organization’s risk appetite.
Assessing Your Risk Appetite
Part of any risk assessment program is for the leadership team to identify your organization’s thresholds for risk (i.e., its risk appetite). These thresholds can be based on money, resources, company brand, or employees. Really, a risk is anything that can disrupt your organization or its ability to serve customers.
Each organization has a threshold for the level of impact it can absorb without affecting its core business objectives. Anything outside of this threshold should be placed into one of four risk categories:
- Risk Treatment. Risk treatment is the process where the organization changes its people, processes, or technologies to reduce the level of risk against a specific business attribute to a level that is no longer a concern. An example of this would be anti-malware. An organization installs a prophylactic control on its systems or border firewalls to stop the spread of malware. This risk treatment prevents infection from known viruses. While organizations are not 100% immune from infection, they have reduced the risk to an acceptable level at which they can still operate. This risk treatment methodology needs to be measured and weighed against company resources to make sure that there is a return on investment.
- Risk Acceptance. Risk acceptance is where the organization understands that there may be a risk; however, there may be sufficient resources in place to sustain the realization of that risk without an undue burden on the ability to deliver services or products to your customer base. For example, many organizations are subject to reduced staffing because of weather. While service levels to the client base may not be at 100%, a 50% loss of staff may be acceptable, and no actions would need to take place. If their risk appetite instead denotes that they maintain a 25% SLA, they would need to address the staffing levels during this time. Otherwise, they have accepted the risk of a 50% loss of staff.
- Risk Deferral. Risk deferral is the process of making someone else responsible. In many cases, this is where cyber insurance comes into play. Insurance organizations are not going to completely indemnify you from a breach; however, they can help soften the financial impact to the organization. These policies generally require that you have a security program operational and that you implement standards of due care around that program before they will pay out a claim. The cost of the policy is generally variable based on the amount of coverage and a chosen deductible. Risk deferral becomes applicable to an organization once it has conducted a formal risk assessment and applied its risk treatment program, but there is still a significant residual impact to the core business directives defined by leadership. These policies are meant to allow the business to remain operational and cover the unforeseen costs that may occur due to a realized breach.
- Risk Denial. In many situations, it’s better to have not performed a risk assessment than to have performed one and then ignored the high-risk items. Since a risk assessment is a leadership activity, its results must provide a comprehensive evaluation of risk. The worst thing that can be done is for the identified risk to be denied or ignored. This is where we find the organizations that make headline news. Risk denial is the method of, well, basically ignoring your risk. Identified risks are not unlike your teeth; if you ignore them, they do not go away.
While many security frameworks require that a risk assessment be done, few actually require that you address the risks it identifies. Should an event occur, your leadership will likely be called to answer for their actions, or lack thereof. Once a risk assessment is completed, a documented management response should always include any risk that cannot be addressed, for whatever reason.
Understand that not treating the risks that exceed the company’s appetite for risk becomes an additional liability that needs to be managed as well. If a risk is denied, it needs to be for legitimate business constraints and to stand up to legal scrutiny should leadership be called to answer for their lack of action. Don’t be THAT company!
As part of your risk management program, understand each of the four categories discussed above and how your company is managing the possible impact to its business objectives. In addition, the ability to service customers needs to be understood and managed in the event of a breach. It all starts with a clear understanding of your ability to define the company’s risk appetite.
Need to conduct a risk assessment and not sure where to start? ControlScan Security Consulting can help! Just give us a call at 800-825-3301, ext. 2 to learn more.