I mentioned in a previous blog post that I had just completed two fairly important projects for ISACA: a white paper titled “Optimizing the response to risks” and a companion webinar titled “Rethinking the risk response.”
The white paper was peer reviewed and has an academic tone. After reviewing my notes one last time, I decided to write an article with some of my thoughts on the topic and the process: unfiltered, of course, and a little saltier than a white paper.
In the wings
I am a member of the ISACA Risk Advisory Group – a group that advises on ISACA webinars, blogs, white papers, journal articles, projects and other products on the broad topic of risk. When the opportunity arose to write a white paper on the subject of risk response, I jumped at the chance. It seemed like a boring old topic that had been around since the earliest formal risk management frameworks. I knew I had to find a unique angle and twist on the topic to make it compelling and give risk managers something new to consider.
First, the literature review. I’ve read the risk response sections of all the major risk frameworks in technology, cybersecurity, operational risk, enterprise risk management, and even a few on financial risk. I also read blogs, articles, and project documents that included topics on risk response. I came out of the literature review with a book full of notes that I summarized in the following four ideas:
The subject of risk response is not settled, particularly for technology / IT risk. “Settled” means that both standardization bodies and practitioners generally agree on what risk response is and how to use it.
Risk response is wrongly treated as synonymous with risk mitigation. Risk executives don’t make this mistake, but organizational implementations and practitioners do.
Most risk response frameworks assume the adoption of qualitative risk techniques, making it difficult, if not impossible, to weigh the pros and cons of each option. This is probably why most practitioners default to mitigation. Qualitative methods do not allow discrete analysis of the different response options as they are strategically applied to a risk.
Using a risk response can have unintended consequences, such as moral hazard, secondary risk, and cyber insurance policy gaps.
Ah, so the angle became clear to me. The central themes of the white paper are:
Focusing on risk mitigation as the only response option is ineffective.
The assessment of each risk response option is an integral part of the risk management process.
The response to risk does not exist in a vacuum. It is part of helping the organization achieve its strategic goals, bounded by its risk tolerance.
Risk quantification is the tool you need to achieve an effective and optimized risk response, including identifying and responding to unintended consequences.
The above themes have given the white paper a fresh take on an old topic. I also hope that the practical examples of using risk quantification to gain effectiveness will help practitioners see it as a strategic tool and bring them closer to it.
Why risk response ≠ risk mitigation
Reacting and responding to risk is an ingrained, innate part of the human psyche. All animals have a “fight or flight” response, which can be viewed as risk mitigation or risk avoidance, respectively. The concept of risk transfer began to form in the 1700s BCE with the invention of bottomry, a type of shipping insurance.
Abraham de Moivre, a French mathematician, changed the world in 1718 with a seemingly simple equation. He created the first definition of risk that associates the chances of something happening with potential losses.
“The risk of losing money is the reverse of expectation; and its true measure is the product of the sum ventured multiplied by the probability of the loss.” – Abraham de Moivre, The Doctrine of Chances (1718)
This definition of risk changed the world and the way humans react to it. Instinctive controls such as “fight or flight” and rudimentary forms of risk transfer such as bottomry gained the beginnings of an analytical framework, leading to better decisions. New industries were born. First, modern insurance and actuarial science (the first risk managers) emerged at Lloyd’s of London; many others followed. Modern risk management and analysis makes it possible to analyze the response options and use the best one, or a combination of the best, to advance strategic goals.
All risk management back then was quantitative, except that it was not called “quantitative risk”. It was simply called “risk”. Abraham de Moivre used numbers in his risk calculation, not colors. Quantitative methods have evolved over the centuries, adding Monte Carlo methods for example, but de Moivre’s definition of risk is unchanged, even today. If you are interested in the history of risk and risk quantification, read Peter L. Bernstein’s short essay, “The New Religion of Risk Management.”
Something changed in the late 1980s and 1990s. Business management diverged from all other areas of risk, seeking simpler and faster methods. Qualitative analysis (colors, adjectives, ordinal scales) via the risk matrix was introduced. The new generation of risk managers using these techniques lost the ability to analytically use all available options to strategically respond to risk. The matrix allows a risk manager to rank risks on a list, but not much more (see my blog post, The elephant in the risk governance room). The resulting list is best suited to mitigation: if you have a list of 20 ranked risks, you mitigate risk #1, then #2, and so on. This is the exact opposite of an efficient and optimized response to risk.
In other words, when all you have is a hammer, everything looks like a nail.
It should be noted that other risk fields did not diverge in the 1980s and 1990s and still use quantitative risk analysis. (There it is simply called “risk analysis”.)
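As an added worked example (mine, not from the original post or the ISACA white paper), here is de Moivre’s definition applied to comparing all four response options on a constructed scenario, including the cyber insurance policy gap mentioned earlier; every dollar figure, probability and option cost below is an assumption made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    probability: float  # annual probability that the loss event occurs
    loss: float         # loss if it occurs (de Moivre's "sum ventured")

    def expected_loss(self) -> float:
        # de Moivre (1718): risk = sum ventured x probability of loss
        return self.probability * self.loss

def mitigate(risk: Risk, control_cost: float, prob_reduction: float) -> float:
    """A control lowers the event probability but costs money to operate."""
    residual = Risk(risk.probability * (1 - prob_reduction), risk.loss)
    return residual.expected_loss() + control_cost

def transfer(risk: Risk, premium: float, limit: float, deductible: float) -> float:
    """Cyber insurance pays the loss above the deductible, up to the policy
    limit; whatever is left (the policy gap) stays with the organization."""
    covered = min(max(risk.loss - deductible, 0.0), limit)
    return Risk(risk.probability, risk.loss - covered).expected_loss() + premium

def avoid(forgone_benefit: float) -> float:
    """Stop the activity: the loss can no longer occur, but its benefit is lost."""
    return forgone_benefit

def compare(risk: Risk, control: tuple, policy: tuple, forgone: float) -> dict:
    """Net annual cost of each response option, accept included."""
    return {
        "accept": risk.expected_loss(),   # do nothing, carry the inherent risk
        "mitigate": mitigate(risk, *control),
        "transfer": transfer(risk, *policy),
        "avoid": avoid(forgone),
    }

def optimized_response(costs: dict) -> str:
    """The option with the lowest net cost, rather than mitigation by default."""
    return min(costs, key=costs.get)

if __name__ == "__main__":
    # Constructed scenario: 10% annual chance of a $5M loss event, with assumed
    # control cost, insurance terms and forgone revenue for each option.
    r = Risk(probability=0.10, loss=5_000_000)
    costs = compare(r, control=(200_000, 0.5),
                    policy=(120_000, 2_000_000, 250_000), forgone=900_000)
    for option, cost in costs.items():
        print(f"{option:9s} ${cost:,.0f}")
    print("optimized response:", optimized_response(costs))
```

With these assumed numbers, mitigation is not the cheapest option; swapping in real loss distributions and Monte Carlo sampling for the single point estimate is the next step, but the comparison logic stays the same.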
Two examples of too much emphasis on mitigation
First, the Wikipedia article on IT risk management (as of August 16, 2021) mistakenly conflates risk mitigation with risk response. According to the article, how an organization reacts to risk is risk mitigation.
Second, the OWASP risk rating methodology also makes the same logical error. According to OWASP, once the risk is assessed, an organization will “decide what to fix” and in what order.
To be fair, neither Wikipedia nor OWASP is a risk management framework, but both are trusted and used by security professionals launching a risk management program.
There are many more examples, but the point is made. In practice, the default way to respond to IT / cyber risk is to mitigate it. This is what we security professionals are programmed to do, but if we do it blindly we are potentially wasting resources. It is certainly not a data-driven analytical decision.
Where we are going
We are in a time and age when cybersecurity budgets are widely approved without thoughtful analysis, mostly out of fear. I believe that a day will come when we will lose the last trust that the C-suite has in us, and we will have to really forecast, you know, with numbers, as operations, product, and finance already do. Policymakers will insist on knowing how much risk a $10 million project reduces, in numbers. I think the catalyst will be an increase in cyber attacks like data breaches and ransomware, with the private sector largely unable to do anything about it. Lawsuits will follow, alleging that companies using poor risk management techniques did not exercise due diligence to protect private information, critical infrastructure, etc.
I hope the white paper gives organizations new ideas on how to revive this old topic in risk management programs, and this unfiltered article explains why I think the topic is ripe for disruption. As usual, let me know in the comments below if you have any comments or questions.
*** This is a Security Bloggers Network syndicated blog from Tony Martin-Vegue’s blog, written by Tony Martin-Vegue. Read the original post at: https://www.tonym-v.com/blog/2021/8/16/risk-response-unfiltered