Risk assessment helps organizations identify, reduce and manage risks to prevent their recurrence. To do this, they need to spend a large share of their IT budget on technologies and processes to find and assess those risks, determine their impact and then spend considerable effort to fix them.
Additionally, the increased reliance on third-party vendors to provide risk ratings, vulnerability scans and internet surface scans produces a significant amount of fear, uncertainty and doubt about the organization’s security posture. Trying to assess actual risks against all of that noise requires a new way of thinking about risk, how to address those risks and how to engage in proactive risk management going forward.
What is a risk assessment?
C-suite executives need to answer a set of questions about how much to spend on removing, preventing and reducing risks and how to do this intelligently. Note that risk is usually defined as a function of the probability of a (negative) event times the magnitude (cost) of its occurrence. Ask:
- How can risk appetite be adjusted, given the increasing number of threats?
- How should we allocate our energies and resources to address these threats?
- What should we spend our limited IT risk or cybersecurity budget on?
- What are the cost/benefit trade-offs of our security spending?
- Where will we get the biggest risk reduction value for the dollars spent?
Quantitative risk assessment opens doors for security
Cyber risk quantification provides a data-based foundation for better decision-making. Risk quantification, a proven approach used in managing credit risk, market risk and operational risk, is now being applied to IT and cybersecurity risk. It gives decision-makers the ability to understand the likelihood of an event occurring (as well as its potential frequency), the value of the assets at risk and the cost of the potential impact. Additionally, risk quantification lets decision-makers compare the value and impact of various mitigation strategies by setting their costs against the expected risk reduction each one delivers.
Different approaches to risk management
Let’s look at several typical approaches to IT risk management.
A popular approach for conducting a risk assessment is to determine whether the organization has the proper controls in place to manage risk. This requires conducting an assessment against industry standards such as the International Organization for Standardization’s ISO/IEC 27002:2013, the National Institute of Standards and Technology’s Cybersecurity Framework, the Unified Compliance Framework or the Cloud Security Alliance’s Security Guidance.
In many cases, the prompt for this type of assessment is a regulatory requirement, internal audit or compliance program. Performing a control assessment is often part of a strong security and compliance governance program. However, determining whether the right controls are in place addresses only one dimension of the problem. It doesn't necessarily identify the top risks or the material impact of those risks. It is critical that organizations, particularly those in regulated industries, identify whether they have control gaps, and identifying those gaps is key to understanding whether the controls are effective. Are they actually preventing or mitigating risks? Do they identify how much risk there is or how to reduce that risk?
Is a maturity assessment right for you?
Another popular risk assessment approach is to examine the overall maturity of a cybersecurity or IT risk program. Maturity assessments are popular because they are an effective way to benchmark an organization against industry peers and the desired state of operations. The Capability Maturity Model Integration methodology has been adopted by many companies across multiple industries. Organizations are realizing that while they may have controls in place, they have questions about their effectiveness, whether their team has the needed skills and knowledge and whether they are leveraging technology and automation in an optimal way. Do they have institutional practices and the ability to leverage data to make fact-based decisions? Are the processes running in an efficient and standardized manner?
Maturity assessments can address these questions. However, they are limited because they produce a qualitative and subjective analysis. While they are a good step forward and allow organizations to reflect on areas for improvement, they do not enable prioritization of improvements based on fact-based decision criteria. These types of assessments do not provide decision-makers with an appreciation of how much risk exposure they currently have. Additionally, they fall short in answering whether organizations have the right level and appropriate allocation of spending. Organizations still need to address the question of whether their cybersecurity spending is actually reducing risk exposures and expected loss.
Quantitative approach to risk management
To address that question, move to a more quantitative approach to identifying and reducing risks. These approaches use advanced threat intelligence technologies, collaborative services and vulnerability analysis to identify top risks. To better understand risk exposure and expected loss, companies need to understand their threats. From there, the security team understands threat actors better, and organizations can better assess those actors' capabilities, the assets they target and the potential impacts.
Once organizations align on their top risk exposures, they are able to address the second challenge associated with risks. What is the material impact if the risk should be realized? Note the definition of risk discussed before. Risk management is about reducing uncertainty surrounding the loss or negative impact of an event. To manage risks, business leaders need to understand how much risk they have, the likelihood of the event and the impact if the risk were to arise.
To better reduce uncertainty, adopt a quantitative approach to risk management. One such approach is based on the Factor Analysis of Information Risk (FAIR) model. This approach addresses the two key components of risk: the probable frequency of loss events and the probable magnitude of each loss. By quantifying the risk, you can make fact-based decisions using cost/benefit analysis about which investments provide the best security return on investment (reduction of risk). In a time of increasing threats, increasing noise about threats and reduced budgets, adopting a risk quantification assessment approach is quickly becoming the preferred way to manage risk.
Source: The FAIR Institute
By adopting a quantitative risk-based approach, organizations are better equipped to focus their investments, address critical skill gaps, assess the effectiveness of their control frameworks and provide a business justification for their security spending. This method results in actual risk reduction and focuses investments on the top problems. By quantifying the risks, teams can understand the actual costs of exposures and the expected loss if those risks come to pass. More fundamentally, chief information security officers and chief information officers can use these data points to give their board members and executive risk committee members the following data-based answers:
- We know our top risks and have quantified them.
- We understand the degree of uncertainty with respect to a threat coming to pass.
- We have a basic idea of the material impact if the risk event occurs.
- We know the expected loss, given the current residual risk.
- We can predict the likelihood of an event occurring.
- We can provide a data-based business justification for managing those risks.
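To make the FAIR approach described above concrete, and to show where the board-level answers in the list just given come from, here is an added example that is not from the original article or from the FAIR Institute. It is a small, standard-library-only Python Monte Carlo that turns three-point estimates (minimum, most likely, maximum) of loss event frequency and loss magnitude into an annualized loss expectancy (ALE), a tail figure and a likelihood of any loss in a year, then compares candidate controls by expected risk reduction against their annual cost. The ransomware scenario numbers, the beta-PERT distribution used for the three-point estimates, the Poisson model for the yearly event count and the `Control` reduction factors are all assumptions made for illustration, not measured values.

```python
"""FAIR-style Monte Carlo risk quantification.

Added example (not from the article or the FAIR Institute). Standard library only.
All scenario numbers, the beta-PERT and Poisson choices and the Control factors
are assumptions made for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Three-point estimates (min, most likely, max) for the two FAIR inputs."""
    name: str
    lef: tuple        # loss event frequency, events per year
    magnitude: tuple  # loss magnitude per event, in currency units


@dataclass(frozen=True)
class Control:
    """A candidate mitigation: its yearly cost and how it scales the two inputs."""
    name: str
    annual_cost: float
    lef_factor: float = 1.0        # 1.0 = no change; 0.5 = halves event frequency
    magnitude_factor: float = 1.0  # 1.0 = no change; 0.5 = halves loss per event


def pert_mean(low, likely, high, lam=4.0):
    """Analytic mean of a beta-PERT distribution (useful as a sanity check)."""
    return (low + lam * likely + high) / (lam + 2)


def sample_pert(rng, low, likely, high, lam=4.0):
    """Draw one value from a beta-PERT distribution built from a three-point estimate."""
    if high == low:
        return low
    alpha = 1 + lam * (likely - low) / (high - low)
    beta = 1 + lam * (high - likely) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def sample_poisson(rng, rate):
    """Number of loss events in one year for a sampled frequency (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def apply_control(scenario, control):
    """Scale the scenario's estimates by the control's reduction factors."""
    def scale(triple, factor):
        return tuple(v * factor for v in triple)
    return Scenario(f"{scenario.name} + {control.name}",
                    scale(scenario.lef, control.lef_factor),
                    scale(scenario.magnitude, control.magnitude_factor))


def simulate(scenario, years=20_000, seed=7):
    """Simulate many independent years; summarize the annual loss distribution."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        freq = sample_pert(rng, *scenario.lef)
        events = sample_poisson(rng, freq)
        annual.append(sum(sample_pert(rng, *scenario.magnitude) for _ in range(events)))
    annual.sort()
    return {
        "ale": statistics.fmean(annual),                          # annualized loss expectancy
        "p90": annual[int(0.9 * years)],                          # loss exceeded 1 year in 10
        "p_loss_year": sum(1 for x in annual if x > 0) / years,   # likelihood of any loss
    }


def compare_control(scenario, control, years=20_000, seed=7):
    """Expected risk reduction bought by a control versus what it costs per year."""
    before = simulate(scenario, years, seed)["ale"]
    after = simulate(apply_control(scenario, control), years, seed)["ale"]
    reduction = before - after
    net = reduction - control.annual_cost
    return {"control": control.name, "ale_before": before, "ale_after": after,
            "risk_reduction": reduction, "net_benefit": net,
            "rosi": net / control.annual_cost}  # return on security investment


# Constructed scenario: ransomware on a line-of-business system (illustrative numbers).
RANSOMWARE = Scenario("ransomware on LOB system",
                      lef=(0.1, 0.5, 2.0),
                      magnitude=(50_000, 250_000, 2_000_000))

# Constructed candidate controls; the factors are assumptions, not measurements.
CANDIDATES = [
    Control("phishing-resistant MFA", annual_cost=60_000, lef_factor=0.5),
    Control("immutable backups", annual_cost=80_000, magnitude_factor=0.4),
    Control("network re-architecture", annual_cost=1_500_000, lef_factor=0.3),
]


if __name__ == "__main__":
    base = simulate(RANSOMWARE)
    print(f"{RANSOMWARE.name}: ALE {base['ale']:,.0f}, p90 {base['p90']:,.0f}, "
          f"P(loss in a year) {base['p_loss_year']:.2f}")
    for r in sorted((compare_control(RANSOMWARE, c) for c in CANDIDATES),
                    key=lambda r: r["net_benefit"], reverse=True):
        print(f"  {r['control']:<24} reduction {r['risk_reduction']:>10,.0f} "
              f"net {r['net_benefit']:>10,.0f} ROSI {r['rosi']:+.2f}")
```

The ALE answers "what is our expected loss given current residual risk", `p_loss_year` answers "how likely is the event", and `p90` gives a sense of the material impact in a bad year; the `compare_control` output is the cost/benefit comparison that lets an expensive control with a large reduction lose to a cheap one with a modest reduction. Because each estimate is a distribution rather than a point value, the width of the inputs (the gap between minimum and maximum) is where the uncertainty the article talks about shows up, and narrowing it is what better threat intelligence and asset data buy you.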
Security: A business problem and a technical problem
Cybersecurity is no longer simply a technical issue; it is a business issue. The more organizations can address security risks and challenges in a quantitative manner, the more they will be able to incorporate a broader set of key stakeholders in reducing risks. Organizations can now align their risk thresholds with an understanding of their actual risks and the impact of those risks. After all, the goal of risk management is to make better decisions under conditions of uncertainty to reduce risks.
Vice President, IBM Security, Europe
Global Leader - Security Strategy Risk & Compliance, IBM