In the second part of this series on quick-and-dirty risk management, I outlined a three-step approach for creating a risk management plan. In this third part, I want to take a closer look at how to accomplish each of those steps.
Quantifying risks
The first step is to quantify the risks that the IT organization faces. Some of these are digital: malware, or the attempted theft or alteration (malicious or accidental) of sensitive data. Some are physical: fire, flood, earthquake, or terrorist act. And some are personnel risks: theft by dishonest employees, damage by disgruntled, careless, or incompetent personnel, or the unexpected loss of a key person in the organization.
Many of these risks are already subject to mitigation efforts. For instance, every IT shop has firewalls and other security technology in place to mitigate the exposure to malware and malicious penetration of enterprise databases. Other risks may not be mitigated today, and some may be beyond the organization's ability to mitigate and must simply be accepted as business risks.
The first step in quantifying each risk is to estimate the potential business loss that each could cause. Several kinds of business loss need to be considered. Direct business loss is the cost of repair or replacement of damaged equipment, facilities, or data resources. Personnel costs may include the cost of covering medical treatment for individuals injured in an event and the cost of transporting and housing key personnel at a backup location during a regional disaster. Indirect costs include the loss of brand value caused by an event such as the theft of customers' personal data. In some cases estimating these losses is fairly straightforward. In others it is not, and the IT security officer may need help from outside IT. For instance, the security officer should consult the SVP of marketing and sales concerning the potential loss of brand value from various threats, and may have to settle for a range of values or a rough estimate of cost.
Second, the probability of each event over the planning period (usually the next fiscal year) needs to be determined. For instance, if the threat is a 100-year flood, then the annual probability is about 1%. In both cases, the value and the probability of loss must be estimated as already altered by existing mitigation. For instance, the probability of attempts to penetrate corporate databases is 100%. What matters is the probability of a successful attempt, which in most organizations is much lower, though never zero, because of the firewalls, database security, data encryption, and other controls already in place. Similarly, a 100-year flood may cause a great deal of physical damage, but if the company has flood insurance, much of that loss may already be covered, and only the uncovered remainder should be counted.
Identifying neglected risks
Once those values are determined, then a comparative loss value can be determined by multiplying the potential net business loss by the probability of that loss. Threats should then be ranked according to that value. This may lead to some surprises, which is the whole point of the exercise. Often IT is so focused on the daily battle with malware and external data threats and on disaster recovery that it loses sight of other exposures. Personnel exposure, and particularly the problem of dishonest, misguided, or disgruntled employees, is a prime example. A great deal of industrial (as well as national) espionage involves recruiting or placing such people to spy on competitors. The problem here is that usually the enterprise being victimized does not realize anything is wrong. It is very hard to detect data theft when the thief has legitimate access to the data. Often the first indications are when a competitor continually seems “one step ahead of us” in the marketplace, and even then it may be very difficult to determine the source of a leak.
A famous true story from the 1960s illustrates this. The head of HR at a company in the Philadelphia area noticed two Rolls Royces parked next to each other every day in the employee parking lot. This made him curious, and he had a police contact run their plates. They were owned by two people in the company IT department. As he started investigating, the two employees in question discovered the investigation, packed up their families, and left the country permanently. Obviously they had been doing something illegal, but the company, even after an intensive investigation, was never able to discover what.
Risk Comfort Levels
Another issue that must contribute to the final ranking of risks is the organization's comfort level with different kinds of risks. This is more difficult to estimate. Everybody's initial instinct is to say that risk should be eliminated, but in fact that is impossible. We live in a risky world. Everything we do has risk attached, and that risk can never be completely eliminated. The question is how much risk we are willing to take. Some people and organizations thrive on risk. Others may accept high levels of risk because they have no choice. And in some cases the very effort to eliminate risk can lead to disaster: France in 1940, hiding behind its Maginot Line as the German Panzers moved through the Ardennes Forest to go around the end of the fortifications, is the classic example.
In general, risk comfort levels vary widely. Highly entrepreneurial companies routinely take large business risks, while financial institutions are traditionally very risk averse. And the level of comfort can vary greatly depending on what risk is being considered. An entrepreneurial company that is comfortable making a large investment in developing a new, emerging market may be very conservative about protecting customer data. Senior management should be consulted in areas where corporate policy is unclear, but even then management may say one thing when considering the cost of protecting against a theoretical event and something very different when faced with the reality of a loss. Certainly the CIO should be involved in this discussion both because she is IT's main contact point with senior management and because her job (along with the IT security officer's) will be on the line in the event of an unacceptable loss.
Developing mitigation strategies
Once the risks are ranked according to their net negative business value, the security officer needs to develop cost-effective strategies for reducing those that are identified as high priority issues. IT by its nature tends to focus on technical solutions, but other strategies also exist and are more cost-effective for mitigating some risks. In business, for instance, “risk management” usually means buying insurance against the potential loss, and this can be an effective tool in the data center as well. For instance, one risk to every data center is a regional disaster or terrorist action. Certainly insurance to cover physical losses is a logical part of the mitigation strategy. But IT might also want to consider insurance to cover losses from employee malfeasance.
In some cases, outside experts need to be involved. Certainly HR and, potentially, a security consultant, should be involved in developing a plan to mitigate personnel risks, where often technology does not offer good answers.
Overreaction, on the other hand, is also something that should be guarded against. Each mitigation strategy has a cost in terms of direct expense and disruption of business activities, and the law of diminishing returns applies. The object of the overall risk mitigation plan is to get the most value for the investment and, in particular, to avoid spending more on mitigation than the value of the potential loss it prevents. For instance, subjecting each employee to annual polygraph tests may discover a spy in your midst, but it is guaranteed to create large amounts of resentment and apprehension among the vast majority of basically honest employees. At the CIA, that cost is considered justified. In most businesses it is not.
Developing and communicating a risk mitigation plan
The object of this effort is to develop a risk mitigation plan that identifies the risks that need attention, the potential loss each may cause, the cost of each potential mitigation effort, and finally where the available resources should be invested for maximum value. The reality is that you will never have the resources to do everything in a given year, and since risks change over time, this means that the job of risk management will never be finished. Thus the final plan should determine what mitigation efforts will be done this year and what risks will have to be left to another year.
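The ranking rule from the quantification step (expected loss equals net loss times probability), the diminishing-returns rule from the mitigation step (never spend more on a control than the loss it avoids), and the "this year versus next year" selection described above can be written down as a small risk register. The following is an added example, not code from the article: every threat, control, loss figure, probability and cost in it is constructed for illustration, control costs are treated as annual so that they compare directly with annual expected loss, and the budget allocation is a simple greedy heuristic rather than an exact optimization.

```python
"""Added example (not from the article): a small risk register that applies
the article's ranking rule (expected loss = net loss x probability) and its
cost-effectiveness rule (never spend more on a control than the loss it
avoids) to a constructed set of threats, controls and costs. All threat
names, control names and figures below are made up for illustration."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    gross_loss: float          # single-event loss before any existing mitigation
    probability: float         # chance of a *successful* event this planning period
    covered_fraction: float = 0.0   # share of the loss already covered, e.g. by insurance

    @property
    def net_loss(self) -> float:
        """Loss that would actually hit the business, after existing coverage."""
        return self.gross_loss * (1.0 - self.covered_fraction)

    @property
    def expected_loss(self) -> float:
        """The article's comparative loss value: net loss x probability."""
        return self.net_loss * self.probability


@dataclass(frozen=True)
class Mitigation:
    name: str
    risk: str                  # name of the Risk this control acts on
    cost: float                # annual direct cost of the control (assumed annual)
    # Each field, when set, replaces the matching attribute of the risk.
    probability_after: Optional[float] = None
    gross_loss_after: Optional[float] = None
    covered_fraction_after: Optional[float] = None


def apply_mitigation(risk: Risk, m: Mitigation) -> Risk:
    """Return the residual risk once the control is in place."""
    changes = {}
    if m.probability_after is not None:
        changes["probability"] = m.probability_after
    if m.gross_loss_after is not None:
        changes["gross_loss"] = m.gross_loss_after
    if m.covered_fraction_after is not None:
        changes["covered_fraction"] = m.covered_fraction_after
    return replace(risk, **changes)


def rank_risks(risks):
    """Highest expected loss first; this is where the surprises show up."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def plan_mitigations(risks, mitigations, budget):
    """Greedy selection by expected-loss reduction per unit of cost.

    Each round re-scores every remaining control against the *current*
    register, so a second control on an already-mitigated risk is credited
    only with the loss still on the table (diminishing returns). Controls
    whose reduction does not exceed their cost are rejected outright;
    worthwhile controls the budget cannot cover this year are deferred.
    """
    register = {r.name: r for r in risks}
    remaining = list(mitigations)
    selected, rejected, deferred = [], [], []
    while remaining:
        scored = []
        for m in remaining:
            current = register[m.risk]
            reduction = current.expected_loss - apply_mitigation(current, m).expected_loss
            if reduction <= m.cost:
                rejected.append(m.name)      # overreaction: costs more than it saves
            else:
                scored.append((reduction / m.cost, m))
        affordable = [(ratio, m) for ratio, m in scored if m.cost <= budget]
        if not affordable:
            deferred.extend(m.name for _, m in scored)   # worthwhile, but not this year
            break
        _, best = max(affordable, key=lambda pair: pair[0])
        selected.append(best.name)
        budget -= best.cost
        register[best.risk] = apply_mitigation(register[best.risk], best)
        remaining = [m for _, m in scored if m is not best]
    residual = sum(r.expected_loss for r in register.values())
    return {"selected": selected, "deferred": deferred, "rejected": rejected,
            "residual_expected_loss": residual, "unspent": budget}


# Constructed register: figures are illustrative, not measured.
INSIDER = "Insider theft by employee with legitimate access"
RISKS = [
    Risk("100-year flood at primary data centre", 5_000_000, 0.01, covered_fraction=0.8),
    Risk("External breach of customer database", 2_000_000, 0.02),
    Risk(INSIDER, 3_000_000, 0.05),
    Risk("Ransomware outage", 800_000, 0.10),
]
MITIGATIONS = [
    Mitigation("Annual polygraph programme", INSIDER, 400_000, probability_after=0.02),
    Mitigation("Privileged data-access logging and review", INSIDER, 40_000, probability_after=0.02),
    Mitigation("Employee malfeasance insurance", INSIDER, 25_000, covered_fraction_after=0.5),
    Mitigation("Offline backups and restore drills", "Ransomware outage", 30_000, gross_loss_after=200_000),
    Mitigation("Web application firewall upgrade", "External breach of customer database", 50_000, probability_after=0.015),
]
BUDGET = 80_000   # assumed mitigation budget for the planning year

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.expected_loss:>12,.0f}  {r.name}")
    print(plan_mitigations(RISKS, MITIGATIONS, BUDGET))
```

With these numbers the insider threat ranks first by a wide margin even though the flood has the largest gross loss, the polygraph programme and the firewall upgrade are rejected because each costs more than the expected loss it removes, and the access-logging control, which was clearly worthwhile against the unmitigated insider risk, is worth much less once the insurance has halved the uncovered loss and ends up deferred to next year for lack of budget.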
Once this plan is drafted it needs to be reviewed, first by the CIO and then by senior management and, in larger enterprises, also by the heads of lines of business. Senior management needs to be aware of the risks that the enterprise faces, and these risks need to be expressed in monetary amounts: dollars, euros, yen, etc. That is how business people think, and without money amounts attached, the risks will be too amorphous for them to weigh against other business priorities.
At each stage in the review, the security officer should expect questions and changes. Part of the point of these presentations is to engage business leaders in risk management and to make them aware of the risks the organization faces. Questions and pushback are therefore a sign of success, not failure.
Action Item: A strong risk management plan is the key to focusing limited security resources on the most cost-effective mitigation strategies for the most urgent security exposures. Without one, IT risks neglecting some exposures altogether, a recipe for unpleasant surprises.