The Persistent Nature of Risk, and Why it Matters

So you’ve worked hard to develop, implement, and continually improve your organization’s cyber security program. You’ve been successful in obtaining increases in cyber spending that have allowed you to purchase and deploy the most modern security technology. You’re feeling confident and optimistic about the outcome of a recently completed cyber risk assessment, and then you see the report… What are all these risks? How can there still be risk when you’ve thoughtfully implemented the strongest controls available? Don’t worry! You are not alone! Let’s take a look at some of the misconceptions that can lead to this confusion and frustration.

Misconception #1: All Risk Is Bad

Those of us in the risk management industry tend to think of risk only in a negative light. In reality, risk is often necessary to allow for innovation, progress, and organizational success. Imagine an educational institution that decides to take every conceivable step to remove all risk from its IT environment. “The internet presents risks – shut down access!” “Data sharing via removable media presents risks – block all storage devices!” “Mobile computing presents risks – take back all laptops!” You can see how attempting to completely eliminate risk would be impractical and detrimental to achieving organizational goals. Mature cyber risk management programs identify which risks are acceptable and which are unacceptable, rather than focusing only on the elimination of all risk.

Misconception #2: Risk Can Be Eliminated

It is tempting to believe that risk can be eliminated through the implementation of strong controls. In reality, there is no way to completely eliminate risk, and as I pointed out above, that’s ok. We couldn’t eradicate risk even if we were willing to suffer the negative consequences. There are several factors that contribute to risk which are important to understand. Here are some basic definitions that will facilitate this understanding:

  • A threat is any circumstance or event with the potential to do harm or have an adverse impact.
  • A vulnerability is a weakness that could be exploited by a threat source.
  • A risk represents the potential for loss or damage when a threat exploits a vulnerability. Risk is often expressed as a function of the likelihood of a threat event’s occurrence and the potential adverse impact should the event occur.
  • Inherent risk represents the amount of risk that exists in the absence of controls.
  • Residual risk is the amount of risk that remains after controls are accounted for.

OK, so what do all these definitions really tell us? Here are a couple of examples. In order to eliminate the risks related to earthquakes you would need the power to control the movement of tectonic plates. In order to remove all risk related to a state-sponsored hacker you would need to be able to persuade them that hacking is bad, or… eliminate them altogether. Of course, I’m being a bit facetious, but I hope I’ve illustrated the point. Controls address vulnerabilities and reduce likelihood or impact; they do not remove the threat. There are risks that cannot be removed without the power to eliminate the associated threats and threat actors.

Misconception #3: Performance Assessment = Risk Assessment

The objective of many security assessments is to identify the degree to which controls are in place, operating as intended, and producing the desired results. This type of assessment is particularly good at identifying areas of non-compliance with applicable standards and policies. However, if the assessment stops there it is missing a very important element – risk. Let’s look at an example.

During the course of a security assessment it is determined that a healthcare organization has implemented robust malware detection technology to identify known and unknown attacks. The anti-malware tools are updated with new signatures and behavioral heuristics in real time, and sensors are placed throughout the organization’s external-facing and internal networks. This sounds like a strong control implementation. The organization might assume that it has a fairly low level of malware-related risk and choose to take no additional action. But what happens when we consider other factors?

The healthcare industry creates, processes, transmits, and stores vast amounts of protected health information (PHI). PHI is one of the most valuable data types on the black market and is therefore the target of intense and frequent hacking attempts by well-funded and highly capable malicious actors. To get a better understanding of risk we should take into consideration factors such as the capability, determination, and motivation of potential attackers, as well as the frequency and impact of successful attacks. These characteristics, which are properties of the threat and the asset rather than of the defender’s controls, lead us to an estimate of inherent risk. In our example the inherent risk is likely quite high. Starting from that high level of inherent risk, we may determine that a medium level of residual risk remains, despite the strength of the anti-malware control implementation.
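To make the difference between a performance assessment and a risk assessment concrete, here is a small scoring model written for this article as an added example; it is not CyberGRX’s methodology, and the 5x5 scale, rating bands, scenarios, and the rule that controls can lower likelihood but never below 1 are all constructed assumptions. It scores the healthcare scenario above beside a low-value target that has deployed exactly the same anti-malware control, so the checklist view rates both “Compliant” while the risk view separates them, and it shows that even a maximal control leaves residual risk above zero.

```python
"""Toy 5x5 risk-scoring model for inherent vs. residual risk.

Constructed example for illustration: the scale, the rating bands, the
scenarios and the numbers are assumptions, not the CyberGRX methodology.
"""
from dataclasses import dataclass


def rating(score: int) -> str:
    """Hypothetical bands for a likelihood (1-5) x impact (1-5) product."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_capability: int   # 1-5: skill and resources of the likely attackers
    threat_motivation: int   # 1-5: determination, and how attractive the data is
    impact: int              # 1-5: adverse impact if a threat event succeeds
    control_strength: int    # 0-5: levels of likelihood the control removes


def inherent_likelihood(s: Scenario) -> int:
    """Likelihood in the absence of controls: driven by the threat, not the defender.
    Average of capability and motivation, rounded half up."""
    return (s.threat_capability + s.threat_motivation + 1) // 2


def inherent_risk(s: Scenario) -> int:
    return inherent_likelihood(s) * s.impact


def residual_likelihood(s: Scenario) -> int:
    """Controls lower likelihood but cannot remove the threat actor, so this
    model floors residual likelihood at 1 (assumption): an attack can still occur."""
    return max(1, inherent_likelihood(s) - s.control_strength)


def residual_risk(s: Scenario) -> int:
    return residual_likelihood(s) * s.impact


def performance_assessment(s: Scenario, required_strength: int = 3) -> str:
    """Checklist view: is the control in place and operating as intended?
    It looks only at the control, never at the threat or the asset."""
    return "Compliant" if s.control_strength >= required_strength else "Non-compliant"


def risk_assessment(s: Scenario) -> dict:
    """Risk view: the same control, placed in the context of threat and impact."""
    return {
        "control": performance_assessment(s),
        "inherent": rating(inherent_risk(s)),
        "residual": rating(residual_risk(s)),
    }


# Constructed scenarios: identical anti-malware control, different threat picture.
HOSPITAL = Scenario("hospital holding PHI", 5, 5, 5, control_strength=3)
BAKERY = Scenario("bakery with a small web shop", 2, 2, 2, control_strength=3)
# Same hospital with the strongest control the scale allows: residual is still > 0.
HOSPITAL_MAX_CONTROL = Scenario("hospital, maximal control", 5, 5, 5, control_strength=5)

if __name__ == "__main__":
    for s in (HOSPITAL, BAKERY, HOSPITAL_MAX_CONTROL):
        print(f"{s.name}: inherent={inherent_risk(s)} residual={residual_risk(s)} "
              f"{risk_assessment(s)}")
```

Running it prints the hospital at inherent 25 (High) and residual 10 (Medium), the bakery at inherent 4 and residual 2 (both Low), and both marked “Compliant” by the checklist view; the maximal-control hospital still carries residual risk of 5, because the model, like reality, lets a control reduce likelihood but not abolish the attacker.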

This presents a potential conundrum. You might be thinking, “The healthcare organization in your example has done everything they can. How are they supposed to respond when they are told that they are still at risk?” There are a few things that an organization in this situation may choose to do. In our example, the organization may:

  • Place additional monitoring and alerting functionality around their standard anti-malware control implementation,
  • Increase the ingestion of threat intelligence information related to malware attacks,
  • Increase staffing for SOC analyst positions,
  • Require SOC analysts to attend additional training on how to identify and respond to the latest malware attacks, or
  • Accept the residual risk and take no further action, which is a perfectly acceptable response when all other reasonable steps have been taken.

In conclusion, risk is a constant. One of the primary tasks of cyber risk management professionals is to determine how best to respond to risk. Effective risk management requires us to recognize that some risks are not only necessary, but beneficial to success. We must also realize that while it may sound like a worthwhile goal, attempting to completely remove all risk is futile. And finally, the days of getting by with compliance-focused, checklist-style assessments have passed.

This is why the CyberGRX assessment provides risk-prioritized data that allows you to make informed decisions about what risks are acceptable and what risks must be addressed. Our assessments go well beyond a traditional compliance checklist so that you can see how industry, attack scenarios, and real-time threat data affect your third parties.


DAVE STAPLETON

SENIOR RISK ASSESSOR
