I was recently reviewing some risk mitigation plans with an organization and I was told I could close a particular item for which we had been tracking progress for quite some time. This particular item was going to require some management and technical controls implemented for closure so I was encouraged that so much progress had been made. When I asked for the details of the mitigation I was told the function had been outsourced to a third party so the risk for that particular function had likewise been transferred. No residual risk remained. But was that true?
When we look at actions to address risk, they can be placed into one of four categories: accept, avoid, mitigate, and transfer. Let’s review these briefly before we return to the scenario above.
Accept the risk. This is a common way to address risk: just accept it and move on. Is it an appropriate action to take? It could be. If your risk analysis determined that the potential loss magnitude and probability of occurrence were inside your organization’s risk tolerance, then the appropriate action is to accept the risk and move on. Perhaps your organization is willing to absorb a loss of $30,000 per year in this area. Your analysis determined that this particular risk could result in no more than $20,000 of loss in any single year. In other words, it carries an annualized loss expectancy (ALE) of $20,000. That’s less than the $30,000 your organization is willing to absorb, so the proper action is to accept the risk. This example is greatly simplified (if only things were this straightforward), but you get the idea.
Avoid the risk. This is a methodology that you may not be as familiar with, or at least have not considered as a way to address risk. Put simply, if a particular activity carries too much risk, stop doing the activity. For example, if your analysis shows that allowing your employees to access your company network from home carries too much risk, you could stop remote access for your workforce. This is perhaps an extreme example, and there are other options for addressing the outstanding risk, but you get the point. As with all options to address risk, and especially this one, you need to ensure your risk treatment plan aligns with your business objectives. If one of your business objectives is to increase workforce efficiency by extending information system accessibility, then avoidance may not be the preferred option here.
Mitigate the risk. Mitigation is the risk treatment most of us think of first: what do I need to do to “fix” the problem that is leading to the unacceptable risk? Most focus on a technical solution, and many vendors are happy to sell you one. But a mitigating action is anything that can be done to lower the resultant risk. In addition to patching a vulnerability, can you decrease your exposure to the threat or perhaps limit the potential loss? There are many opportunities in this area.
Transfer the risk. The idea here is simple: have another entity assume your risk. The example most people can readily identify with is automobile insurance. You satisfy certain requirements of your insurer, such as paying a premium and operating your vehicle within the law, and in return they promise to pay for some level of repairs if your car is in an accident. In a business, the risk transference could occur through services you outsource or even through the execution of a cyber insurance policy. But notice, I earlier said the other entity must assume your risk. Too often I’m told an organization has transferred its risk for a particular operation, let’s say web hosting, to an outside provider so they have transferred all associated risk to that provider as well. This is about the time alarm bells start to go off in my head and I begin to ask some probing questions. For example, does the organization’s contract or service level agreement with the web hosting service state the host’s responsibility in the case of a data breach impacting customer data? If not, then the business may still be responsible for any and all actions and losses resulting from the breach. These are the types of questions you need to ask when determining how much risk you have actually transferred to another party. Finally, keep in mind, it is very difficult to outsource the risk to your company’s reputation. It is a very hard sell telling your customers it is not your fault their personal information was stolen but the fault of the vendor you selected to manage their data. You can probably guess some of the what-if exercises I ran with the organization in my opening paragraph.
The truth of the matter is that none of these risk treatments typically exists in isolation. To address a single risk you may combine two or more of the above activities. You may patch some vulnerabilities (mitigation), bringing your risk down to a level where a cyber insurance policy is able to cover all the remaining potential loss (transference) except for a portion, your deductible, which is within your risk tolerance level (acceptance). It’s through this blending of methods that your IT risk program can best address your business objectives.
Over the next several weeks I want to spend a bit of time revisiting each of the above methodologies and provide you a few nuggets to think about as you develop or improve your organization’s cyber risk management program. But before we can look further at methods to address risk we first need to take a step back.
Next: A deeper look at framing your risk…