The two factors that comprise any cybersecurity organization’s concept of risk, for the purposes of a risk management plan, are vulnerability and threat. The simplest quantitative definition of “risk” there is, in the cybersecurity business, is represented by the formula:
risk = vulnerability x threat
also expressed as:
risk = probability x impact
where “likelihood” may be synonymous with probability.
Sometimes risk management professionals throw in a divisor or a coefficient or two, but in most (good) explanations, the two concepts you must understand when embarking on any full assessment of risk are where the vulnerabilities lay, and to what extent these vulnerabilities constitute threats to the organization.
The resolution to the first factor of either equation (“Where are we vulnerable and to what degree?”) may be determined scientifically, using cybersecurity tools and platforms. The answer to the second may be revealed through an intensive process of interaction and information sharing with all the stakeholders in an organization, and in the projects it produces, both exclusively and jointly with other companies. The first takes measurement, the second takes conversation. The first often requires calculation, the second often demands intuition. The first insists upon precision, the second may call upon others to trust your best guess.
Your ruthless pursuit of accuracy and your willingness to trust your instincts may be your two best virtues in the production of a successful risk management plan. And even if you’ve done this before, as you embark upon your next planning process, what would be nice to have is a plan for how best to plan. Here are five suggestions for what you can do now to make this next risk management planning process more productive and more effective.
1. Prototype the risk communication plan first
Experts say the first step in producing a risk management plan for an organization is to identify its current risks. If risk, whichever formula you choose, is a product of probability and magnitude, then one way you can appreciate magnitude is by perceiving risk from the perspective of stakeholders both inside and outside the organization who are just now being informed of the risk’s existence.
If a course of action or decision of your organization carries with it the possibility of negatively impacting a business unit, department, or team, how would you inform them? A risk communication plan would have you identify all of your stakeholders. It would have you set forth a mission statement that explains the entire risk management process using language that will give stakeholders a positive impression. A risk communication plan would call upon you to articulate the different scopes of impact that each risk embodies. It just so happens these are the same principal elements of a risk management plan, so if you can envision how these elements would be communicated, you will have a clearer idea of how they should be established.
Your first and most prominent sentence for any risk communication plan will be its mission statement. What is the paramount goal you intend to accomplish with risk communication? That goal, in essence, is encapsulated by the mission statement for your risk management plan. By envisioning your stakeholders and how they would receive and respond to your risk messaging, you formulate a crisper, more proportionate assessment of what it means for your organization to be impacted by a risk event. This exercise calls upon you to use your intuition in foreseeing how the risk communication process itself would serve in mitigating the impact of a risk event such as a cybersecurity breach. You are sketching the concept of the steps you would need to take when you have a working risk management plan in place.
2. Produce a risk assessment questionnaire for stakeholders
A proper risk management plan must take into account the perspectives of all stakeholders who may be impacted by a risk event. One frequently shared suggestion for how to go about this involves setting up a brainstorming session with stakeholders, supplying them with decks of sticky notes and brightly colored pens, and giving them all free rein to come up with descriptions of events that may qualify as risks, though which might also include problems, worries, and a few pet peeves.
The problem with brainstorming sessions, wherever they may occur, is that an organization typically conducts one when it does not have a plan. If you are bringing in stakeholders for brainstorming, you are very likely communicating to them directly that you do not have a plan, and also you might not be currently aware of what would comprise a plan. There is always a cost to communicating your own cluelessness to any directly or indirectly involved party. Indeed, this sudden awareness could itself be classified as a risk event, instantly distorting the urgency with which stakeholders will characterize any other risk event they may submit to you as worthy of your consideration for a plan.
An alternative to brainstorming, while probably less enjoyable and without the opportunity for snacks and drinks, is to use a questionnaire. For this task, you are not forced into reinventing the proverbial wheel. There are multitudes of examples of practical, functional templates for quickly developing questionnaires that would supply you with stakeholder information that meets the criteria of major information security standards such as ISO 27001.
SimpleRisk offers a template-based questionnaire generator called Risk Assessment Extra that lets you assemble questions from as many as 190 different frameworks. You can quickly build questionnaire models and test them out by performing self-assessments. The information from these questionnaires may immediately be enrolled into your risk register, whose purpose is exactly embodied by the official first step of any risk management plan: Identify the risks.
3. Implement a risk contingency budget
Risk is about uncertainty. Defining risks will not make you more certain about what they are. The risk management process would have you quantify the degree of uncertainty there may be for any risk event — a factor represented by likelihood or probability of occurrence. The risk management planning process is itself an exercise in uncertainty, so it only makes sense that you also take account of just how uncertain your plan may be, and integrate a plan for contingency.
A risk contingency budget is a kind of safety net for your risk management plan that concentrates on the concept of residual risk. Put simply, once every mitigation plan has been enacted and all expenses have been accounted for, what’s left? This budget would account for problems that may remain after mitigation.
Again, this doesn’t have to be guesswork on your part (e.g., “Let’s just say 10 percent”). A well-considered contingency budget takes into account that a risk event such as a data breach may incorporate several identified risks in succession. You can apply a probability factor to a group of risks — for example, an exploited vulnerability followed by a data leak followed by a news report followed by an exposed individual’s identity theft — that would incur an impact factor over and above the sum of the individual risks. You can also take into account that certain mitigation abilities would reduce the probability that successive risk events would occur, so not every event has to touch off a catastrophe that mandates dipping into the contingency budget.
4. Conduct an initial vulnerability assessment
“Every vulnerability is a risk for organizations,” says one prominent vendor. “Not every vulnerability is a risk to your business,” says another.
With a risk management plan, the truth ends up being someplace in the middle. Vulnerability is a component of risk, and an essential element of identifying risk. A professional vulnerability assessment is an examination to ascertain the defects and inefficiencies in a system’s design, as well as whether safeguards and security protocols to protect against these things are sufficient or inadequate. Such an assessment can and should be done before a risk management plan is enacted or updated. Even if an organization’s systems are assessed to be well-protected and relatively less susceptible to exploit, a proper vulnerability assessment will introduce you to the possibilities and opportunities for risk events that you may not have foreseen.
A vulnerability assessment is not a risk assessment. You can only calculate risk once you’re familiar enough with vulnerability. The whole point of a risk management plan is for you to attain familiarity with the aspects of everyday operations that you may never be able to predict. Once you have access to the classes of vulnerability which could impact your operations, you can apply values to these classes: specifically, how likely is that vulnerability to lead to damage, and what would the extent of that damage be?
5. Explicitly define the guidelines for your risk matrix
The other problem with the brainstorming approach to identifying risks is that it presumes the severity levels of the various risks that come up in discussion will neatly sort themselves out. Some risks’ sticky notes will fall to the right of others on the whiteboard, some to the left, et voilà, you have your scale. When your only means of gauging the scale of a variable is relative, there’s no assured means of attaching a hard value to that variable — a value such as cost.
A properly conceived risk matrix scores the urgency of every identified risk according to two criteria: likelihood and severity. Again, once you’re familiar with vulnerability, these criteria make clearer sense.
The way government agencies determine their risk matrices is by estimating their maximum horizons. Start by choosing a single unit of measuring time that can be scaled using decimals — for example, years, in which case “half a year” would be 0.5 years instead of “six months.”
Next, consider how long (or how short) an interval of time would have to be before you can say with some sense of assuredness that a risk event would happen within that time. Would a catastrophic data breach be a once-in-100-year event? In other words, within a century, could you say this event probably will happen once? If yes, try narrowing the horizon. Would it happen once in 10 years? Once every year? You want the category at the bottom of your scale to include enough risk events to still be relevant, yet not so narrow as to force you to classify significant events as unlikely. Once you’ve established the interval for your maximum horizon, you can scale the remaining categories down — for example, once every 5 years, 2 years, 1 year, 0.25 years.
For the other axis, consider impact as describable by loss, but project every kind of loss (for instance, loss of time, reputation, resources, humanpower) on an equivalent scale, preferably a monetary one. If it seems reasonable enough, consider the net worth of your company. Could a risk event cost enough to sink your company? Perhaps that’s your maximum horizon for impact. Then scale that category down for the remaining, less impactful categories.
Now, your 5x5 or 3x3 grid means more than just guesswork and relativity. SimpleRisk will use the risk matrix of your choice, but it’s up to you to establish its guidelines.
You don’t have to go into the risk management planning process without a plan. Risk management is simple enough once you’ve defined your terms, established your guidelines, and asserted your goals.
LEARN MORE FROM SIMPLERISK
Demystifying residual risk: The SimpleRisk approach to smarter risk management by Josh Sokol, CEO, SimpleRisk
Should vulnerabilities and risks be managed in the same place? by Josh Sokol, CEO, and Jeff Gall, COO, SimpleRisk
Normalizing risk scoring across different methodologies by Josh Sokol, CEO, SimpleRisk
