Security executives routinely have to make tough decisions about which risks to mitigate, which to avoid or transfer and which to accept. Your security budget has its limits. You have a finite amount of cash to spend on people and technologies to keep your business' risk to an acceptable level, so you have to make your decisions wisely.
Making these decisions and presenting them to company leadership requires a thorough understanding of the impact of the risk, knowledge of available safeguards and sometimes the guts to make a tough call. The goal of this article is to arm you with an approach to help guide you in these difficult risk decisions.
Measure the impact
If the way you measure risk is not aligned with the business, then the way you treat risks is likely not going to be either. If you still measure risks using the age old qualitative Low, Medium, High scale, then how do you know if risk decisions are aligned with business needs? How will you describe to senior executives or board members what the impact of these risks may have on the business and how will you make sense of the investments that are needed in security sufficient to convince them of the value in taking action? When asked by leadership what the ROI is for security, how will you answer?
To arm yourself with answers to these questions, you first have to properly measure the impact that a given risk has on your business. To understand the impact, you will need to know which assets will be affected by the risk (if it occurred), how extensively the assets will be affected and the cumulative business value of the impacted assets. When calculating business value, it is important to consider information assets as well as infrastructure assets. The value of your information assets may not be as obvious as with infrastructure assets. A recent Forrester Research report provides some clarity by stating that, "...the value of information is a percentage of the current and future revenue the information will produce, less the direct and indirect costs to produce, manage and protect it."
If a given risk occurs, the impact to your business then will be a combination of the cost of the exposure plus lost revenue while the asset is unavailable. The Ponemon Institute offers some useful guidance as to the cost of an exposure of personal data (e.g., personally identifiable information) on a per record basis. Leverage this guidance, but also calculate the revenue your business will lose if the impacted asset(s) become unavailable. When applying value to a risk, express that value in terms of money. In so doing, you will be able to compare both business value and risk value using the same measuring stick. This is the essence of risk monetization. Monetizing your risks in this manner will provide you with the ability to align your security program to business objectives. Businesses exist to make money, so putting your risk valuations into terms of money will help you measure them according to their impact on the business. Executives understand bottom lines much better than they do security risks. When explaining your reasoning for mitigating (or not) a given risk, they will be able to make more informed decisions since it is in a context they understand.
Monetize your key risks
The process of monetizing risk requires thoughtful insight, therefore you won't want to go through this exercise for every system or network security risk that you have. Focus instead on monetizing only your higher value risks such as those that could impact a critical business asset and affect company productivity, for example. To determine the monetary value of a risk, we will need to understand the likelihood of the risk occurring as well as the impact to your business.
To determine likelihood, focus on the specific controls that your organization has in place to help reduce the effects of the risk, versus the controls that you've determined are needed to mitigate the risk. By creating a ratio of the controls in place and those we feel are needed to address the risk, we are closer to gauging the likelihood of occurrence. It's important to note that we are focusing only on the specific controls that address the given risk (we are certainly not talking about including every control within your organization). Also, some controls are more valuable than others in different situations, so weight each of them according to the scenario. When you later go through this exercise to monetize other risks, realize that both the applicable controls and their respective weights may change.
Let's say the risk you are monetizing is 'preventing a data breach' within your company's ERP (a critical business application in this example). You've identified nine specific controls that you believe satisfactorily address the risk of a data breach. For each of the controls, assign a weight from 1-10 (10 being the most valuable). During an assessment of the controls, you identified which of these are in place and which are not .
By adding the values of the controls in place (your numerator) and dividing this by the controls that are needed (denominator), the result is a risk ratio of 53/79. Next, factor in ease of exploitation, to more accurately estimate the likelihood of the risk occurring.
"Ease of exploitation" points to the difficulty a given risk is to exploit when considering the skills, time and resources needed by an attacker. These values are represented in the following illustration.
If in our ERP example, we estimate that the ease of exploitation is relatively High (.8), then our completed likelihood formula is.
The last component to plug into our risk monetization formula is impact, which is the sum of the cost of an exposure of personal data plus the lost revenue while the affected asset(s) are unavailable. By leveraging available Ponemon Institute findings, we know that the average data breach in 2014 costs $194 per record (in the U.S.). If we assume you suffered a data breach and lost 20K personal data records, then the cost of the exposure of this information would be $3.88M. Add to that the revenue loss you experienced while the affected asset(s) were unavailable and this is the impact calculated.
Let's say your organization has 2K people who require your ERP application to be up and running to do their daily jobs. If an exploit resulted in your ERP application being unavailable for two business days and the average employee represents $500/day of revenue to your business, the lost revenue impact would be $2M. When we add these two impact valuations together we end up with a total impact of $5.76M. We can now plug these values into our risk monetization formula.
Therefore in our example, the monetized risk of a data breach within your ERP application is a little more than $1.5M. What is intentionally not included in the above calculation is the cost attributed to breached intellectual property or potential damage to your brand name if a breach is publicized. These are data points you will also have to consider, since they are as unique as your business.
The next question is, when considering the risks that could impact your most critical assets, which will you choose to address and how will you address them?
Risk decision making
Now that you've monetized your key risks, prioritizing them should be more straightforward than perhaps it ever was. You can opt to order them by highest monetized value first, or intersperse with those of lower impact. Whatever your approach, be mindful that when making risk decisions, compliance is a cost of doing business. So while risk monetization results won't necessarily indicate whether or not to mitigate a compliance-based risk, there still is an important benefit since you will have a better understanding of cost of compliance.
Identifying when to mitigate, and when to manage, transfer, or avoid a risk is the most difficult decision and, frankly, the one that could either make you a superstar in the office or drive you to polish up your resume. You will need to have a very good idea of your organization's risk appetite (willingness or not to live with more or less risk). As a guide, a variation on Pareto's principal (also known as the 80/20 rule) seems to be an uncanny fit (fig. 6).
By applying the above 80/20 rule to risk decision-making, you are stating that you require a 4:1 ratio of benefit-to-cost. You can adjust this benefit-to-cost ratio according to your organization's particular risk appetite. After applying this thinking, you will be able to show executive management that your decisions follow a logical, methodical and consistent thought process. As a result, recommendations will be better rooted in the business' objectives.
When we plug our ERP example into a cost benefit analysis formula (fig. 7), the monetized risk valuation ($1,552,320) is substituted for Cr and (.25) is substituted for Cmr since a 4:1 benefit-to-cost ratio implies our mitigation cost should be 1/4th the cost of the monetized risk. Then in solving for Cm, we end up with a good mitigation cost guideline to address this risk.
If you therefore choose to mitigate this particular risk, you should spend no more than approximately $388K. Based upon your desired risk appetite, the following (fig. 8) illustrates when you should mitigate a risk versus when you should choose other risk options. Increasing the slope of the line indicates your risk appetite is lower, since mitigation occurs more often. By decreasing the slope of the line, you demonstrate a higher risk, since you mitigate less often. If you think about past 'risk appetite measurements' and where risk decisions fell on the graph historically, the business intelligence this data provides is both interesting and valuable.
Making a decision to mitigate or manage a key risk can be difficult. Risk mitigations must be right-sized for your business by not costing too much or taking too long to implement.
By monetizing key risks, you will be able to convey impact in a more meaningful way. By providing consistent and methodical risk guidance, executives will be able to more effectively collaborate with you to improve alignment between business objectives and security.
Curtis Dalton is SVP, Chief Information Risk & Security Officer at Pactera US