The Importance of Risk Assessments and Risk-Informed Decision Making

Sourya Biswas
Author: Sourya Biswas, CISSP, CISA, CISM, CCSP, CRISC, CGEIT, Technical Director, NCC Group
Date Published: 3 June 2021

Recently, I wrote about the concept of “just enough security” and mentioned how “striking the balance between too much, not enough, and just enough security is no cakewalk.” In this blog post, I’m going to discuss further what organizations should initially focus on in order to achieve security that is “just enough.”

What is security’s role in business?
For starters, it’s important to understand that the role of security is to “meet the needs of the business.” This is a statement that is not commonly understood, especially if the organization’s culture does not support cybersecurity as a business driver. Without a culture to support cybersecurity efforts, the security team is constantly obligated to operate in a preventative mode, which affects its ability to meet business goals, and security is perceived as a sunk cost. Blanket proclamations like “no data breaches” are commonly thrown out, but recent history has shown us that it’s impossible given the resources and motivation on the part of the attackers. Even if the CISO were to try and reduce the probability to an extremely low number, the same business stakeholders will balk at the cost. So instead, cybersecurity must be a strategic component of an organization’s business model/values. It has the critical role of protecting the organization’s assets, intellectual property, sensitive data, marketplace presence, and brand reputation. Whether just starting a new business or focusing on global expansion, the development of cybersecurity programs to further business objectives as a force multiplier are critical.

Developing a risk-aware culture
The first step in establishing a culture that treats cybersecurity as a business goal is to speak a common language. The best method for achieving that is through the establishment of a formal risk management program. The purpose of a risk management program is to identify true risks to the organization and reduce risk to an acceptable level. Business stakeholders, such as risk management, strategy and operational teams, typically have a greater understanding of what “acceptable risk” is and are accustomed to decision making based on risk. Overlaying risk information with cost to attenuate the risk provides all the data required to determine “just enough security” for the organization.

The process of determining inherent risks in an organization is via a risk assessment. While there are multiple best practices and frameworks (ISO 27005, NIST SP 800-30, FAIR) around conducting a risk assessment, the basics can be captured in the following steps:

Figure 1

  1. Identify assets.
  2. Determine the critical level of assets.
  3. Identify the threats to each critical asset.
  4. Identify the existing countermeasures / controls.
  5. Determine the vulnerability level of each critical asset.
  6. Determine the risk level of each critical asset.
  7. Recommend security upgrades to reduce high levels of risk.
  8. Perform a cost-benefit analysis in support of upgrade recommendation if possible.

Source: http://facilitiesmanagementadvisor.blr.com/security/8-step-risk-assessment-facilitys-security/

Risk assessment in action
The following five examples from my own consulting experience can help illustrate risk assessment in practice:

  • Client A is a bank that stores, processes, and handles large amounts of financial data (critical assets). While it desires its systems to be up and running continuously, it’s more concerned that financial data doesn’t leak out. From the CIA (Confidentiality, Integrity, Availability) perspective of security, Client A has a much lower acceptance threshold for anything that threatens the Confidentiality of its critical assets. Therefore, when conducting a risk assessment, Client A prioritizes such risks and decides on implementing additional controls at additional cost.
  • Client B is a Content Delivery Network (CDN) provider that serves publicly available websites to its customers’ end users through its servers across the globe. While it wants to ensure the Confidentiality and Integrity of such website data, Client B is more concerned about ensuring 100% uptime, or Availability. This is reflected in how such risks, once identified during a risk assessment, are treated.
  • Client C works at the cutting edge of science in quantum computing. They undergo a risk assessment and find that hostile state actors would be very interested in their intellectual property (IP), and the likelihood of such a threat attacking them is high. Via a controls assessment, they also determine that their existing preventive controls are insufficient to protect against such a threat and decide to make additional investments in this area.
  • Client D is a payments processor that finds itself at a high risk of a ransomware attack due to the large amount of Personally Identifiable Information (PII) and Payment Card Industry (PCI) data that it stores, processes, and handles. Determining its existing recovery controls to be lacking, it decides to implement weekly full backups and daily incremental backups.
  • Client E is a software developer operating in a highly-competitive space. A risk assessment identifies insider threats as a top concern because of the ability to steal its IP and a controls assessment finds existing access controls and monitoring controls to be inadequate to address this threat. Corrective action plans are put in place to address these gaps on a priority basis.

As is evident from the above, different organizations with different business needs will make different decisions based on their risk assessments.

Risk-informed decision making
Risk mitigation takes effort and costs money. Moreover, organizational culture plays a big role in the success or failure of a cybersecurity program. Discussions around risk can help to bridge the gap and position cybersecurity as a business driver. While sometimes it makes sense to address the risks that have the greatest impact on operational viability, at other times incremental steps to get to the low-hanging fruit first may work better. However, without a risk assessment in place, an organization will be operating blind and making uninformed decisions on security. The net result can be wasting money on unnecessary security controls until a high risk is realized and a security incident renders the organization operationally unviable.

Contrary to the old proverb, “What you don’t know CAN hurt you.”