By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services
Anyone who knows me or has subjected themselves to my writings knows I have some uneasiness with today’s role of risk. It’s not the process, but more of how there is so much focus on risk as if it were a science – but it’s not. Not even close.
Risk management is, of course, extraordinarily important to a security program, but I regularly see it positioned as “the” security program — with all things stemming from risk measurements as if it were an absolute. One of the things I hear a lot is “risk appetite,” and I’ve even used this phrase myself many, many times. But what is it?
Risk management is a tool that can help take in vast amounts of information and process it to a point where you can begin to make sense of it. From there, it can support decisions, actions and investments. Risk management boils down to finding a balance between threats and assets by the allocation and management of controls. That balance is ultimately based on risk appetite, or more specifically, the amount of risk you are willing to accept for a given potential event. And it is the level of risk appetite that will inexorably govern the response, not only the level of risk measured.
Therefore, one could argue that risk management is not much more than an exercise without a quantified understanding of risk appetite.
Security risks are subjective and as such, they cannot be objectively rationalized or accurately measured. The problem is far too fluid and unbounded; there is imperfect knowledge with security risks, and, more importantly, they don’t present any actuarial data from which to derive any form of meaningful predictability. Although certain elements can be forecast with some reasonableness, determining general impact from specific experience, what remains is still a framework of estimates and rankings. Therefore, not only is risk open to interpretation, but the very risk model chosen for evaluation will greatly impact the outcome. Risk – at best – is a guess.
I must state that this does not mean that risk management is completely pointless — far from it. In the absence of anything better and more accurate, today’s risk processes are what they are. However, risk must be used cautiously, since there is significant room for error.
So what is appetite, really? In short, it is an opinion — and an opinion at a point in time. It is individualistic and mostly related to internalized (i.e., your own) risk philosophy. The oldest example used in discussions of this nature is the fear of flying, and a preference for driving as an alternative, when driving clearly represents substantially more risk. In other words, risk is very personal.
For example, if you say that there is a risk that could lead to an executive going to jail as opposed to something that represents far greater risk overall, the level of risk appetite will be far less with the former because it hits closer to home. Additionally, risk philosophy can apply to groups creating scenarios where each layer of the business will experience different levels of risk appetite for the same risk — and no two shall be the same.
Further exacerbating the issue is the interpretation of risk treatments. Even when there appears to be clear alignment between an identified risk and a security control, the interpreted effectiveness of the control will influence risk appetite a great deal.
Check back on this SecureThinking site later this week for Part 2 of this article, in which we’ll briefly cover gaining more visibility into risk appetite and emerging examples for measurement.
