At RiskLens, we’re all about defining and refining “risk” to laser focus on what can be measured (in meaningful ways), prioritized and ultimately managed. When we hear loose use of terminology in the risk field, our antennae go up.
We frequently hear two terms used interchangeably in security: “cyber risk” and “technology risk” (or “IT risk”). They sound like they should mean the same thing but they don’t.
We offer these handy definitions:
What Is Cyber Risk?
We’re talking threat actors maliciously causing harmful events in cyberspace: ransomware, stolen data, and the rest of the uglies. Or non-maliciously, as in fat-fingered employees accidentally emailing out sensitive information.
Strictly speaking, in the terms of the FAIR™ standard that powers RiskLens, cyber risk is the probable frequency and probable magnitude (in financial terms) of future losses associated with these events. If there’s a measurable loss event, there’s a risk.
Cyber risk is a subset of technology risk.
What Is Technology Risk (or IT Risk)?
Technology risk includes all of the above, plus software defects and bugs, tripping over power cords, the flood at the data center, or any other risk to the security of information technology, data or applications that negatively impacts business operations.
Technology risk is a subset of operational risk.
A Note on Information Security Standards Compliance and Risk Management
Failures to comply with rules or regulations around digital operations, for instance the HIPAA rules in healthcare or the PCI-DSS rules for companies accepting credit cards, might sound like candidates for technology risk, but managing compliance only tangentially affects risk and should probably be treated as a distinct risk domain within organizations.
However, FAIR analysis is recommended to meet risk management requirements in these rules.
What Is Operational Risk?
Any event that affects an organization’s ability to operate.
Note that FAIR is equally applicable to analyze cyber risk, technology risk and operational risk, as long as there’s an analyzable risk scenario:
“Analyze the risk associated with a [threat actor] impacting the [confidentiality, integrity, availability] of [an asset of value] by [some means] resulting in a loss.”
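To make the two definitions above concrete (risk as probable frequency times probable magnitude of loss, applied to one scenario in the template form), here is an added illustration that is not RiskLens platform code or part of the FAIR standard text. It represents the scenario template as a data structure and runs a small Monte Carlo over analyst estimates. The modelling choices are assumptions for the example: frequency and magnitude are each given as min / most likely / max and sampled from triangular distributions, the number of loss events in a year is drawn from a Poisson process at the sampled rate, and the ransomware scenario values are constructed, not taken from any real assessment.

```python
"""
Added example: a FAIR-style Monte Carlo estimate for one risk scenario.
The scenario values, the triangular ranges and the Poisson event model are
constructed assumptions for illustration, not RiskLens platform code.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    """One analyzable scenario in the page's template form."""
    threat_actor: str
    effect: str            # confidentiality, integrity or availability
    asset: str
    means: str
    # Loss event frequency (events per year): min / most likely / max estimates
    lef_min: float
    lef_likely: float
    lef_max: float
    # Loss magnitude per event, in currency units: min / most likely / max estimates
    lm_min: float
    lm_likely: float
    lm_max: float

    def describe(self) -> str:
        """Fill the page's scenario template with this scenario's fields."""
        return (f"Analyze the risk associated with a {self.threat_actor} impacting the "
                f"{self.effect} of {self.asset} by {self.means} resulting in a loss.")

    def expected_annual_loss(self) -> float:
        """Closed-form mean, E[frequency] * E[magnitude], for independent triangular estimates."""
        mean_lef = (self.lef_min + self.lef_likely + self.lef_max) / 3
        mean_lm = (self.lm_min + self.lm_likely + self.lm_max) / 3
        return mean_lef * mean_lm


def poisson(rng: random.Random, rate: float) -> int:
    """Sample a yearly event count at the given rate (Knuth's method; fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate(scenario: Scenario, iterations: int = 20_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss total per iteration (seeded, so repeatable)."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        # Draw this year's event rate from the analyst's range, then the number of events.
        rate = rng.triangular(scenario.lef_min, scenario.lef_max, scenario.lef_likely)
        events = poisson(rng, rate)
        # Each event gets its own magnitude draw; the year's loss is their sum.
        total = sum(rng.triangular(scenario.lm_min, scenario.lm_max, scenario.lm_likely)
                    for _ in range(events))
        annual_losses.append(total)
    return annual_losses


def summarize(annual_losses: list[float]) -> dict[str, float]:
    """Summary figures that can be compared across cyber, technology and operational scenarios."""
    ordered = sorted(annual_losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "mean": statistics.fmean(ordered),
        "median": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "prob_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
    }


# Constructed sample scenario; every number is illustrative, not from a real assessment.
RANSOMWARE = Scenario(
    threat_actor="cyber-criminal group",
    effect="availability",
    asset="the order-processing servers",
    means="ransomware",
    lef_min=0.1, lef_likely=0.5, lef_max=2.0,
    lm_min=50_000, lm_likely=250_000, lm_max=1_500_000,
)

if __name__ == "__main__":
    print(RANSOMWARE.describe())
    for key, value in summarize(simulate(RANSOMWARE)).items():
        print(f"{key:>14}: {value:,.2f}")
```

The point of the percentile output is the one the page makes: once every scenario, whatever domain it is filed under, is expressed as a loss distribution in currency, the figures can be ranked and compared directly. With these constructed inputs the simulated mean lands close to the closed-form expectation of 520,000, while the 90th and 95th percentiles show the tail a budget discussion actually cares about.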
What Do These Risk Categories Mean Functionally for Organizations?
Adopting the hierarchy above means the Cyber Risk group would report up to the Technology Risk Group which would report up to the Operational Risk Group. In practice, cybersecurity and technology risk management are often treated as peers, reporting to Operational Risk.
Jack Jones, creator of the FAIR standard and co-founder of RiskLens (and a CISO veteran) comments that “Information security as a function has been around for decades, whereas technology risk as a formal and distinct focus is relatively new.”
Regardless of org charts, says Jack, organizations need to “normalize how they think about, measure, and communicate risk. If you have Cyber Risk and Technology Risk groups that measure and communicate differently about risk, you have a big problem.”
With the FAIR standard’s quantitative approach as a foundation, “an organization can compare apples to apples across risk disciplines, prioritize based on risks and understand the cost vs. benefit of risk management,” says Jack.
The RiskLens platform enables quantitative, financial analysis for risk-based decision support to identify, prioritize, communicate and manage cyber risk, technology risk and operational risk.