How can businesses determine and assess risk?

Risk... it’s a word that creates tension for many and excitement for others! Risk is a part of everyday life. It’s definitely a part of business, and burying heads in the sand is not an option. If we try to eliminate every single risk, we will end up managing risk rather than “doing the do” or living life. Business relies on effective risk management.

Below, the excellent Tim Pinnell from NQA discusses how to acknowledge and assess risk. He describes how doing this enables you to make informed decisions about the “what next” questions. It’s a great read and will help you review your own risks and your own way forward.

One of the most important elements in an information security audit is the review of an organisation’s information security risks. An organisation that understands its risks can make informed decisions on what actions it might take: whether to treat the risk, or to put up with it, or perhaps to transfer the risk to an insurance policy. An organisation that knows the risks it faces is in a strong position to weather business storms.


Almost all SMEs take information security risk assessment very seriously, despite perhaps not having the expertise. And yet I frequently see organisations that have not been able to articulate their information security risks. But people in business are experts in business risk, making risk decisions every day. So why is there a difference in understanding between business risk and information security risk?


On closer examination the principles are the same, and it becomes apparent that the problem lies in articulating information security risk.


A risk is made up of two components: something that could happen and the consequences if it does happen. It’s easy to think of business risk examples, such as failed business plans having an impact on the bottom line.


Here’s an example of a poorly described information security risk, which is typical of many of the risk descriptions I see whilst auditing:


Access control failure causes loss of information


How can that help support decision making? There’s so much missing from it: what kind of access control failure (physical or IT), why did the control fail, what asset was it protecting? And then consider the consequences – loss of information might not be an adverse consequence if the information had no value. So we need to know what information was lost and the impact of that loss, bearing in mind that impacts can comprise a number of factors – cost of remediation, fines, loss of customer business, drop in share price, customer rebates etc.


This is a better risk description:


A lack of strong passwords on the file server could allow insiders to delete personnel files, resulting in an ICO fine of up to £10000


Note that there’s no mention of how likely the incident is to occur, so this is an improvement:


There is a 10% likelihood that a lack of strong passwords on the file server will result in insiders deleting personnel files, leading to an ICO fine of up to £10000 and unspecified employee compensation


Likelihood is attempting to predict the future so it’s not an exact science. But the most important thing is to make a prediction and try to avoid the middle ground – it might happen/it might not happen – because that won’t help decision making. And note the change in terms: “could” has become “will”. This is necessary because of the addition of likelihood – the risk is a statement of the likelihood of a specific event occurring and the impact of that occurrence.


The important thing to note is that the risk is self-explanatory. Anybody reading it will easily understand it, which is important during the Great Resignation and the constant loss of corporate knowledge. If all the information security risks are similarly articulated then the consistency and repeatability of the process is ensured, regardless of who in the future is following it.


Some organisations break this out into a table which aids comparability with other risks:

| Description | Likelihood | Impact |
| --- | --- | --- |
| A lack of strong passwords on the file server will result in insiders deleting personnel files. | 10% | Fine: ICO £10,000; Compensation: £TBD |

And there’s no tech speak involved; bear in mind the people who need persuading to take action are the business managers, such as the CEO and CFO. This then helps top management articulate their information security risk appetite. And their job can be made easier by including the risk treatment cost:

| Description | Likelihood | Impact | Treatment |
| --- | --- | --- | --- |
| A lack of strong passwords on the file server will result in insiders deleting personnel files. | 10% | Fine: ICO £10,000; Compensation: £TBD | Implement strong passwords: £500 |

By doing the maths the business is carrying a £1000 (10% * £10000) risk that will cost £500 to treat. It’s arguably not worth doing, unless by implementing strong passwords other risks will be treated as well, the lesson being that risks and their treatments should never be considered in isolation.


Many organisations use a High/Medium/Low – RAG method of scoring risks. But these methods need criteria to explain what High, Medium and Low mean for likelihood and for impact, and the finer decision-making detail can be lost, particularly for impact: consider a high profile data breach from the news and all the cost factors that went into remediating it.


Another factor that organisations sometimes get wrong is that implementing a risk treatment doesn’t always mean that the impact is reduced. Risk treatments usually reduce the likelihood – you can make it harder for a ransomware attack to occur, but when it does that hard drive is still going to become encrypted.
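As an added worked example (not Tim’s or NQA’s code), here is the maths from the tables above carried across a small risk register in Python: expected loss is likelihood times impact, a treatment only scales the likelihood while the impact stays the same size, and the £500 treatment is costed against every risk it covers rather than against one risk in isolation. The personnel-file risk and its figures are the article’s; the second risk, its figures and the assumption that strong passwords halve the likelihood are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    """A risk in the article's form: the likelihood that an event will occur,
    and the business-term impact (in £, by component) if it does."""
    description: str
    likelihood: float                                   # probability per period
    impact: dict                                        # e.g. {"ICO fine": 10_000}
    treated_by: list = field(default_factory=list)      # treatments that reduce its likelihood

    def expected_loss(self) -> float:
        return self.likelihood * sum(self.impact.values())

@dataclass
class Treatment:
    name: str
    cost: float
    likelihood_factor: float   # residual likelihood = likelihood * factor; impact is unchanged

def residual_loss(risk: Risk, treatment: Treatment) -> float:
    """Treatments usually cut likelihood, not impact: the fine is the same size if it lands."""
    if treatment.name not in risk.treated_by:
        return risk.expected_loss()
    return risk.likelihood * treatment.likelihood_factor * sum(risk.impact.values())

def evaluate(register: list, treatment: Treatment) -> tuple:
    """Expected loss before and after the treatment across the whole register,
    the saving, and the treatment cost, so the decision is not made on one risk alone."""
    before = sum(r.expected_loss() for r in register)
    after = sum(residual_loss(r, treatment) for r in register)
    return before, after, before - after, treatment.cost

# The first risk and its figures are the article's (the £TBD compensation is left out);
# the second risk and the halving effect of the treatment are constructed assumptions.
REGISTER = [
    Risk("A lack of strong passwords on the file server will result in insiders "
         "deleting personnel files.", 0.10, {"ICO fine": 10_000}, ["strong passwords"]),
    Risk("A lack of strong passwords on the file server will result in a guessed "
         "account being used to encrypt the shared drive with ransomware.", 0.05,
         {"restoration": 8_000, "lost orders": 12_000}, ["strong passwords"]),
]
STRONG_PASSWORDS = Treatment("strong passwords", cost=500, likelihood_factor=0.5)  # halves likelihood

if __name__ == "__main__":
    for label, subset in (("personnel-file risk alone", REGISTER[:1]), ("whole register", REGISTER)):
        before, after, saving, cost = evaluate(subset, STRONG_PASSWORDS)
        print(f"{label}: carrying £{before:,.0f}, £{after:,.0f} after treatment, "
              f"saving £{saving:,.0f} for a £{cost:,.0f} spend")
```

Run on its own, the first line shows the £500 treatment only breaking even against the single £1,000 risk, while the second shows the same spend saving £1,000 once the other risk it covers is counted.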


There are a variety of risk management techniques, such as ISO 27005 and ISO 31000. Time spent on analysing risks and articulating them in business terms is time well spent.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.