Risk Assessments Should Build Credibility, Not Destroy It
By: Justin Silbert
There are many different types of risk assessments. Some organizations adhere to an industry standard such as the Risk Management Framework (RMF), COBIT, or ISO. Other organizations perform a penetration test, fix their holes (or not), and then assume they are secure. Few assessments, however, achieve their stated purpose: conveying risk information that advises decision makers.
If your risk assessment does not assist leaders to make better decisions, then your assessment needs a tune-up.
Take, for example, the RMF standard. This approach has many benefits. It is a framework, customizable to the organization. It addresses thousands of individual controls and details whether an organization is compliant with each control. But at the end of the assessment, which can take hundreds or even thousands of man-hours to complete, the end result is a list of compliant and non-compliant controls, leading to a High, Medium, or Low level of risk.
As many of us have experienced, a CEO or CFO doesn’t have much use for a “Medium” risk rating with a “High” impact. The executives are worried about intellectual property, regulatory penalties, loss of revenue, and reputation. It is our job to communicate in their language. Executives want to know three things:
- What will it cost if we experience an incident?
- What is the probability we will experience an incident?
- What will it cost to prevent or minimize an incident?
Let’s start with the cost of an incident, which varies with the details of the event. While it is impossible to predict the exact costs, certain costs may be static, such as regulatory fines, legal fees, investigation costs, and customer service center expenditures. Many of these can be negotiated in advance, when the company is in a better bargaining position, thereby reducing the price.
Although the probability of experiencing an incident cannot be exactly defined, risk can be communicated in terms of a confidence level. Confidence level is how our intelligence agencies convey the accuracy of their conclusions. For example, if a high number of your users are clicking on phishing emails, you can state that you are 90% confident that your organization will experience a ransomware incident in the next 12 months. Or if you are confident in the security controls on your Point of Sale devices, then you can state only a 10% chance of POS malware infecting the network in the next 12 months. While you cannot perfectly estimate the probability of an incident, framing the message this way better aligns with how executives understand other types of risk.
Of course, additional controls or mitigations can be put into place to lower the probability of experiencing an incident, the subsequent costs, or both. These can be technology, staff, training, processes, penetration tests, and so on. In many cases, the cost to prevent or minimize an incident may not be pecuniary, but rather a dedication of time to improving processes or performing a simulation exercise. With the proposed actions, it is essential to communicate the effects of the decision and, maybe more importantly, the potential effects of non-decision.
Overall, there is nothing wrong with the existing methodologies in use. They perform critical analyses of an organization’s compliance with best practices. But they fall short by not properly informing decision makers on how to allocate resources. Learn to speak the language of these decision makers, and you will be rewarded with trust.