Risk assessment methodologies such
as InfoSaaS are based around calculating levels of risk, and comparing the
result against pre-defined levels determined by the organisation as being their
“risk appetite”. But what does this term actually mean, how it is calculated
and how does it become a pragmatic yet effective foundation to your Information
Security Management System?
From the outset, having an
appetite for risk is a strange concept to many, who quite reasonably believe
that nobody would willingly accept a risk if it was in any way avoidable, or
similarly how can there be a value applied to risk which is, by its very
nature, very difficult to assign a number to? To put these opinions into
context, information security risk management unfortunately has to deal with a
wide selection of potentially “bad things”, from power outages to credit card
fraud and component failure to employee theft (amongst many, many more). It is
easy to see, therefore, that the effort involved in managing risks is always
going to incur cost and effort, as the best result that you can hope to achieve
is the predicted events not happening, or business as usual.
Risk appetite is built around the
reasonable assumption that not every identified risk should be dealt with at
all costs: some will be disproportionately expensive to resolve, and some will
have such a low impact on your organisation that implementing complex controls as
directed by a policy may be assessed as simply not being an appropriate use of
time and money. So how can you determine risk appetite in a pragmatic fashion?
Firstly, how would your
organisation like to assess the impact if something bad were to happen? For
many this has a direct currency alignment – “we have contingency to fix things
if the cost is below £10k, but above that we’d have to divert funds from live
operations”. The latter would affect ongoing business if live operations are
impacted, so in its crudest form we’ve determined the sort of events that would
be acceptable to the organisation, vs. those where we need to simply take a
little more care to make sure that they can’t happen. Another method could be
to assess the negative impact on the organisation’s credibility or brand
reputation for certain events, and identify which need to be avoided at all
costs, as a matter of business survival, vs. those that events that customers
won’t even notice.
Next, to add some justification to
these decisions, by looking at probability and impact. Probability can be
assessed by looking for similar events in comparable industries, or assessing
media reports of incidents and breaches to see if your organisation could be
similarly affected in the future. As noted in the previous paragraph, impact
can be measured in hard cash (cost to put right) but is also likely to factor
in unwanted negative publicity and resultant competitor advantage.
Most risk assessment methodologies
employ a probability vs. impact comparison to determine whether a risk is
acceptable – i.e. does the calculated risk fall above or below the organisation’s
risk appetite? Within InfoSaaS we use a 5x5 matrix, with corresponding values
between 1 and 25. An event that is extremely likely to happen, and even if it
did nobody would notice or be affected would be graded as “1”. However, a
negative event that is definitely going to happen, and when it does the
continued operation of the business is called into question would be graded as “25”.
In our experience, the Senior
Management of most organisations will set an acceptable risk limit (or have a risk
appetite) of somewhere between “7” (very cautious) through to “12” (more
bullish), although we have seen values either side of these. Our own ISMS
operates as a “10”. In its simplest form, numbers below 10 (lower probability,
lesser impacts) will be accepted as part of the risks of delivering normal business,
whilst anything above 10 (more likely to happen, with a greater impact) needs
to be carefully looked at to see if better security controls can be
implemented, or whether existing security controls need to be delivered in a
more effective way.
If your organisation is struggling
with delivery effective risk assessments, you should consider taking a free
trial of InfoSaaS to see how our solution helps achieve meaningful results. If
you would like to find out more about us, please visit our website at www.infosaas.uk
or call 0203 474 1290.