What Most Organizations Are Assessing Is Not Risk

April 16, 2019  Nicola (Nick) Sanna

The importance of managing cybersecurity risk

Because organizations are so reliant on computing processes to run their business, the need to manage the associated risks has become critical. Several trends are driving the transition from technical, compliance-based approaches to cybersecurity to business-aligned, risk-based ones:

  • Continued Losses: Despite their security investments, organizations continue to suffer major service failures and liability-related losses due to a more organized and dynamic threat landscape.
  • Minimum Security: Current security processes and technologies mostly address compliance requirements, which are critical in defining minimum security standards but are not sufficient to protect organizations from ever-evolving cyber threats. Compliance-focused security also tends to be highly inefficient and can result in a waste of resources, limiting the organization's ability to focus on the most critical exposures.
  • Growing Interdependencies: Operational technology, IT, the Internet of Things, and physical security technologies all have growing interdependencies that require a risk-based approach to governance and management.

As a result, boards of directors and executive management teams must now understand the cyber risk posture of their businesses and the business underpinnings of risk mitigation initiatives.

When it comes to defining risk, confusion reigns supreme

Despite the importance of the task, many organizations are building cyber risk management programs on a very shaky foundation, as they do not have a clear understanding of what they are assessing and managing. Our customer engagements, even with some of the world's largest companies, reveal that most often there is no common method in place to define, analyze, and manage cybersecurity risk. Evidence of that presents itself in multiple forms:

  • Incongruous definitions: the definition of risk depends on the mental model of each risk analyst. Ask different analysts for a definition of risk and you get different responses.
  • Misclassification of top risks: only a few of the items listed as top or high risks are actual risks. The other items can be classified as assets, control deficiencies, threats, or vulnerabilities. These other items can be contributing factors of risk, but are not risks in themselves.
  • Misleading results: risk assessments are either understating or in most cases overstating the actual risk. In several cases, we have seen estimations of risk exceeding the value/liability of the assets, which led to the team presenting the results losing credibility with management.

The cybersecurity industry may be doing more harm than good. Many vendors spice up their marketing message and attempt to make themselves relevant at the business level by touting themselves as a risk management solution and implicitly or explicitly pushing for definitions of risk that help their cause.

However, there are great products out there that can help reduce risk through the increased visibility they provide. What's missing in these tools, though, is the risk context; i.e., any meaningful measurement of significance on a finding-by-finding basis. As a result, users and decision-makers are left to their own devices to interpret the information. Or, too often, these tools inaccurately represent their findings as risk.

What is risk

In order to bring some sanity to the discussion, let's start with a basic definition of risk. The following definition applies regardless of whether you're talking about investment risk, market risk, credit risk, information risk, or any of the other commonly referenced risk domains.

Risk = the probable frequency and probable magnitude of future loss.

In other words, how often something bad is likely to happen, and how much loss is likely to result. In the cybersecurity arena, these probabilities are derived from the combination of threat, vulnerability, and asset characteristics.

Having established this basic definition of risk, a few key questions have to be answered in order to consistently and effectively manage cybersecurity risk:

  • What are the factors that make up cybersecurity risk?
  • How do they relate to one another?
  • How do we measure risk?
  • How do we model and evaluate the complex risk scenarios we face?
  • How do we articulate risk to the decision-makers who need this information?

Assessing risk in financial terms

The emergence in the last few years of a risk standard such as Factor Analysis of Information Risk (FAIR), and of FAIR-based cyber risk quantification solutions such as RiskLens, has helped organizations answer these questions consistently as well as articulate cybersecurity risk in non-technical terms (i.e. dollars and cents), a language that all stakeholders understand.

FAIR provides:

  • a taxonomy of the factors that make up information risk. This taxonomy provides a foundational understanding of information risk, without which we couldn’t reasonably do the rest.
  • a method for measuring the factors that drive information risk, including threat event frequency, vulnerability, and loss.

RiskLens provides:

  • a computational engine that derives risk by mathematically simulating the relationships between the measured factors.
  • a simulation model that allows users to apply the taxonomy, measurement method, and computational engine to build and analyze risk scenarios of virtually any size or complexity.
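The following is an added illustration, not RiskLens or FAIR code, of the shape such a computational engine takes: the risk definition above (probable frequency and probable magnitude of loss) is simulated from separately estimated factors, so that a vulnerability or an asset on its own never appears as "the risk". The triangular distributions for each estimate, the Poisson draw for loss event counts, the cap at asset value (the credibility check the article raises), and the customer-database scenario with its numbers are all constructed assumptions for this example.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """Constructed FAIR-style inputs; each factor is a (min, most_likely, max) estimate."""
    tef: tuple            # Threat Event Frequency: threat actions per year against the asset
    vulnerability: tuple  # probability that a threat event becomes a loss event (0..1)
    loss_per_event: tuple # loss magnitude per loss event, in dollars
    asset_value: float    # value/liability at stake; an estimate above it is not credible

def _poisson(lam, rng):
    """Knuth's method: number of loss events in a year given expected count lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def _draw(estimate, rng):
    low, most_likely, high = estimate
    return rng.triangular(low, high, most_likely)

def simulate_year(s, rng):
    """One simulated year: derive loss event frequency, then sum the per-event losses."""
    # Risk is the combination of factors, not any single one: LEF = TEF x Vulnerability
    lef = _draw(s.tef, rng) * _draw(s.vulnerability, rng)
    total = sum(_draw(s.loss_per_event, rng) for _ in range(_poisson(lef, rng)))
    # Sanity check from the article: cap at the asset's value/liability and count cap hits
    return min(total, s.asset_value), total > s.asset_value

def quantify(s, years=20000, seed=7):
    """Monte Carlo over many simulated years; all results are in dollars per year."""
    rng = random.Random(seed)
    results = [simulate_year(s, rng) for _ in range(years)]
    losses = sorted(loss for loss, _ in results)
    pct = lambda q: losses[min(int(q * years), years - 1)]
    return {
        "annualized_loss_exposure": sum(losses) / years,  # mean = frequency x magnitude
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90), "max": losses[-1],
        "prob_of_any_loss": sum(1 for x in losses if x > 0) / years,
        "capped_fraction": sum(1 for _, capped in results if capped) / years,
    }

# Constructed scenario: an external actor attempting to breach a customer database
db_breach = Scenario(tef=(1, 4, 12), vulnerability=(0.02, 0.10, 0.30),
                     loss_per_event=(50_000, 400_000, 3_000_000), asset_value=10_000_000)
if __name__ == "__main__":
    for key, value in quantify(db_breach).items():
        print(f"{key:>25}: {value:,.2f}")
```

A high `capped_fraction` is the signal the article describes: the loss estimates are running past what the asset can actually lose and the inputs need revisiting before the results go to management.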