September 23, 2025

Protect Your Business: The Basics of Risk Management

Managing risks is very important for a company to succeed. It’s a key part of cybersecurity and includes things like finding and analyzing risks. Risk management is a bit like trying to stop your cat from climbing on the kitchen table. You know it will probably do it anyway, but you can at least try your best to stop it.

By managing risks proactively, companies can see their weak points and make sure they follow important rules. This process also helps them use their money and resources wisely. This helps protect the company from problems, keeps its reputation safe, and prevents the loss of trust from clients and investors.

In short, managing risk is the best way to protect a business and ensure its future.

Why Risk Management

Effective risk management brings several key benefits:

  • Reduced vulnerabilities: organizations identify and address weaknesses in their systems, processes, and practices, decreasing the likelihood of security breaches and data compromises
  • Cost-effective security: resources are prioritized and allocated based on risk assessments, so security measures are deployed where they are most needed, optimizing cybersecurity investments and minimizing unnecessary expenditure
  • Regulatory compliance: organizations meet legal and regulatory cybersecurity requirements and avoid costly fines, legal actions, or reputational damage
  • Improved incident preparedness: risk assessment and planning leave organizations better equipped to respond to cybersecurity incidents, minimize downtime, and reduce financial loss
  • Enhanced business continuity: strategies to maintain essential business functions during or after a cyber incident reduce disruption and financial impact
  • Reputation protection: preventing or mitigating security incidents that could erode customer trust and confidence
  • Strategic decision support: risk assessments offer insights that enable informed choices about technology investments, partnerships, and growth opportunities, with potential cybersecurity risks fully considered
  • Continuous improvement: ongoing risk management lets organizations adapt to evolving threats and vulnerabilities, refining and strengthening their cybersecurity measures over time

Benefit of Effective Risk Management

Managing risk is very important for all businesses. Learn more about cybersecurity risk management

Types of Risks

Understanding the various types of risk is essential:

  • External risks originate from sources outside the company, such as cyber attacks, malware, or phishing attempts, all of which can impact an organization’s cybersecurity
  • Internal risks stem from within the organization, often caused by employees or insiders, and include accidental data leaks or insider threats
  • Legacy system risks come from outdated or unsupported technology and software that may have unpatched vulnerabilities
  • Multi-party risk arises from dependencies on third-party vendors, suppliers, or partners, whose security issues could impact the organization
  • IP theft risk is the potential loss of valuable intellectual property, like patents and proprietary data, through cyber espionage or insider threats
  • Software compliance and licensing risks relate to non-compliance with licensing requirements or the use of unlicensed software, which can lead to legal and financial penalties

Cybersecurity risks types

Knowing these risks helps keep companies safe. Read about cybersecurity risk management best practices

Risk management decisions

Information for risk management decisions can come from internal sources like audits, known issues, and previous security incidents. This internal data can augment threat intelligence, providing context on attack frequency, costs to the company or competitors, and insights into emerging threats, bad actors, targets, and attack methods based on industry, technology, and geography.

Risk management itself is defined as the identification, assessment, and prioritization of risks, along with their mitigation and monitoring. In the context of computer hardware and software, it’s also known as Information Assurance (IA). The approach to risk management often depends on the company’s risk tolerance, which can vary significantly between, for example, a government entity and a tech start-up, as well as the value of the data at stake.

Risk Management Process Funnel

When discussing risk, it’s important to differentiate between inherent risk and residual risk. Inherent risk is assessed before any risk mitigation measures are implemented, providing a baseline understanding of the risk’s natural state. Residual risk, on the other hand, is what remains after risk mitigation measures have been put in place; it’s the remaining risk an organization faces despite efforts to control and reduce it.

There are multiple ways to manage risk:

  • Acceptance: Deciding to accept certain levels of risk and deal with issues if and when they occur, often based on a cost-benefit analysis where the cost of protection outweighs the potential damages, although intangible factors like reputation might still lead to protection
  • Transference: Pushing the risk off to a third party, such as an insurance company or a hosted provider (e.g., moving servers to the cloud to transfer maintenance and security risks)
  • Mitigation (or Deterrence): Implementing controls to reduce risk as much as possible. The acceptable level of reduction varies by company and industry. This involves a “defense in depth” approach, putting multiple layers of security in place
  • Avoidance: Choosing not to engage in a specific activity, industry, or project because the risk is deemed too high. Examples include deciding not to patch an old, unstable system or avoiding the launch of a new, high-risk platform

Organizations also have a distinct risk appetite, which dictates their willingness to take on risk:

  • Expansionary organizations are willing to take on higher levels of risk, prioritizing growth and competitiveness, often investing in new ventures or disruptive technologies, similar to a technology start-up seeking rapid growth
  • Conservative organizations are the opposite, prioritizing stability, security, and asset preservation, thus being risk-averse. They emphasize financial security and steady returns, avoiding ventures that could jeopardize their financial well-being or reputation, like a well-established bank focused on stability
  • Neutral organizations strike a balance, taking calculated risks while maintaining caution. They assess risk on a case-by-case basis, aligning decisions with specific objectives, and demonstrating flexibility and adaptability, like a diversified conglomerate taking calculated risks in new markets but remaining cautious with core business segments

Risk assessment, different approaches

A risk assessment can follow different approaches:

  • Ad hoc assessments are irregular and conducted as needed, often in response to specific events, concerns, or requests. They have no predefined schedule and suit immediate or unexpected risks, such as security incidents or the evaluation of new projects
  • Recurring assessments run at regular, predefined intervals (e.g., monthly, quarterly, annually), giving a consistent, ongoing evaluation suited to monitoring changes in the threat landscape, tracking compliance, or identifying trends
  • One-time assessments are performed on a single occasion for a specific situation or project, with no regular follow-up. They fit unique scenarios such as a one-time event, a system implementation, or a merger/acquisition
  • Continuous assessments are ongoing, dynamic processes that monitor risks, threats, and vulnerabilities in real time. They continuously collect and analyze data to identify and respond to changing risks, providing up-to-the-minute insights and often using automated tools and threat intelligence feeds

Risk assessment, types of analysis

Two primary types of analysis are used in risk assessment: qualitative and quantitative analysis.

Qualitative analysis assigns a numerical value to the probability and impact of a risk, though no monetary value is assigned to assets or losses. For example, assessing the risk of not installing anti-virus on end-user systems might involve assigning a probability of infection (e.g., 99 out of 100) and an impact (e.g., affecting 80% of systems), which when multiplied can indicate a high risk. This method allows for ranking different risks, like a data breach (high likelihood, high impact, high priority) versus a hurricane in an inland location (low likelihood, medium impact, low priority). By assigning numerical values behind the scenes, these can be translated into low, medium, or high priorities, directing resources towards high-priority items first.

Quantitative analysis, by contrast, assigns an exact monetary value to assets and attempts to provide an expected yearly loss in dollars for any specific risk. This enables prioritization based on likely financial losses versus the cost of protection. For example, consider protecting 10 non-critical servers: the cost to replace them if compromised is €95,000, but the cost to protect them with anti-virus, maintenance, and licensing is €450,000. In this scenario, spending €450,000 to protect €95,000 would be a poor financial decision, though other intangible factors like reputation or downtime might still influence the decision to protect the asset.

Risk Calculation

Calculation involves identifying the likelihood and impact of a threat, as well as how quickly systems can become operational again. Key terms include:

  • Likelihood of threat: The possibility of a threat initiating, which can be ranked qualitatively or quantitatively
  • Impact of the threat: The actual consequence if a threat is successfully initiated, such as system unresponsiveness, data loss, destruction of systems, or impact on customer confidence and downstream systems. Quantifying these impacts helps in effective resource prioritization
  • Annual Loss Expectancy (ALE): A monetary measure of the expected loss in a single year
  • Single Loss Expectancy (SLE): The monetary measure of expected loss from a single event, calculated by multiplying the asset value by the exposure factor (EF)
  • Annualized Rate of Occurrence (ARO): The historical likelihood of an event occurring within a year

These terms are related by the formula SLE × ARO = ALE. For example, an e-commerce company generating €100,000 per hour with a server failure probability of 30% that would cause 4 hours of downtime and €6,000 in repair components has an SLE of €406,000 (€100,000/hour × 4 hours + €6,000). If the ARO is 0.5 (50%), the ALE would be €203,000 (€406,000 × 0.50), providing a quantitative basis for prioritizing protection resources for that asset.
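The following Python is an added example, not code from the article, that carries both worked calculations above (the e-commerce outage SLE/ALE and the 10-server protection decision) through the SLE × ARO = ALE formula and adds a net control value check. The article gives no ARO for the 10 servers, so an ARO of 1.0 and a control that removes the loss entirely are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk: asset value, exposure factor and annualized rate."""
    name: str
    asset_value: float       # monetary value of the asset (EUR)
    exposure_factor: float   # fraction of the value lost per event (0.0 to 1.0)
    aro: float               # Annualized Rate of Occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor (EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def outage_sle(revenue_per_hour: float, hours_down: float, repair_cost: float) -> float:
    """SLE of a downtime event: lost revenue for the outage plus repair parts."""
    return revenue_per_hour * hours_down + repair_cost


def net_control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Yearly benefit of a control: risk reduced minus what the control costs.
    Negative means the protection costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_control_cost


def ecommerce_example() -> tuple[float, float]:
    """The article's e-commerce server: EUR 100,000/hour, 4 hours down, EUR 6,000 parts, ARO 0.5."""
    sle = outage_sle(100_000, 4, 6_000)          # 406,000
    risk = Risk("web server outage", asset_value=sle, exposure_factor=1.0, aro=0.5)
    return risk.sle(), risk.ale()                # (406000.0, 203000.0)


def server_protection_example() -> float:
    """The article's 10 non-critical servers: EUR 95,000 to replace, EUR 450,000 to protect.
    Assumed (not in the article): one compromise per year, and the control removes that loss."""
    unprotected = Risk("server compromise", asset_value=95_000, exposure_factor=1.0, aro=1.0)
    return net_control_value(unprotected.ale(), 0.0, 450_000)   # -355,000: control not worth it


if __name__ == "__main__":
    print(ecommerce_example(), server_protection_example())
```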

A risk assessment matrix or risk heat map is also used to prioritize risks based on their likelihood and consequences. It allows organizations to stack rank risks from “rare” to “almost certain” and consequences from “insignificant” to “catastrophic”.

This provides a concrete understanding of where to focus resources (funding, people, process, technology) to mitigate risks. For instance, if something is unlikely to happen but would be catastrophic if it did, it would rank high, requiring attention. If something is likely but its consequences are minor, it would be rated medium. This qualitative assessment helps in directing resources appropriately.
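As an added example (not from the article), the heat map logic above in Python: a 5×5 grid from "rare" to "almost certain" and "insignificant" to "catastrophic", with the asymmetry the article describes (unlikely but catastrophic still ranks high, likely but minor only medium). The score thresholds and the sample risk register are assumptions constructed for illustration.

```python
from __future__ import annotations

# Axes of the 5x5 heat map, ordered from least to most severe (rank 1..5).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]


def risk_score(likelihood: str, consequence: str) -> int:
    """Cell score = likelihood rank x consequence rank, from 1 (rare/insignificant)
    to 25 (almost certain/catastrophic). Raises ValueError on an unknown label."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)


def priority(likelihood: str, consequence: str) -> str:
    """Translate a cell into a low / medium / high priority.
    The score thresholds are assumptions for this example; the override that a
    catastrophic consequence is never rated below high, however unlikely, is the
    asymmetry the article describes."""
    score = risk_score(likelihood, consequence)
    if consequence == "catastrophic" or score >= 12:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def rank_risks(register: dict[str, tuple[str, str]]) -> list[tuple[str, str, int]]:
    """Stack-rank a risk register {name: (likelihood, consequence)} as
    (name, priority, score) tuples, highest priority and score first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(name, priority(l, c), risk_score(l, c)) for name, (l, c) in register.items()]
    return sorted(rows, key=lambda row: (order[row[1]], -row[2]))


# Constructed sample register built from the article's own illustrations.
SAMPLE_REGISTER = {
    "customer data breach": ("likely", "major"),                 # high likelihood, high impact
    "hurricane at inland site": ("rare", "moderate"),            # low likelihood, medium impact
    "datacenter fire": ("unlikely", "catastrophic"),             # unlikely but catastrophic
    "phishing-driven password resets": ("likely", "minor"),      # likely but minor
}

if __name__ == "__main__":
    for name, prio, score in rank_risks(SAMPLE_REGISTER):
        print(f"{prio:6} {score:2}  {name}")
```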

Recovery Planning

Finally, Business Impact Analysis (BIA) uses specific key terminology for recovery planning:

  • Recovery Time Objective (RTO): The maximum acceptable downtime an organization can tolerate for a system or service after an incident
  • Recovery Point Objective (RPO): Defines the maximum acceptable data loss an organization can tolerate after an incident
  • Mean Time to Repair (MTTR): The average time it takes to repair or restore a failed system or service to normal operation
  • Mean Time Between Failures (MTBF): The average time between system or component failures

It is important to note that shorter RPO and RTO typically mean higher costs. For instance, tolerating 12 hours of downtime and 24 hours of data loss is inexpensive, whereas needing near real-time recovery (e.g., 5 minutes max) is extremely expensive, often requiring real-time snapshotting or data synchronization. The appropriate level of investment depends on the value of business operations (e.g., a company making millions per minute will invest significantly more than one making $10 a day).

MTBF calculations are valuable for scheduling periodic maintenance or component replacements during planned downtime, which is preferable to unexpected outages that can cause significant disruption.

Calculating risk means guessing how often a problem happens and how bad it is. Recovery planning sets goals for how fast a company must fix problems and save data. These plans help companies decide how much money to spend on safety. Read about business continuity and recovery

Final consideration

In the end, risk management is a bit like trying to stop your cat from climbing on the kitchen table. You know it will probably do it anyway, but you can at least try your best to stop it.

By using these ideas, we might not get rid of every risk, but we can sleep a little bit better at night. And believe me, that feeling is worth a lot!

Cat on the table
