In the early 2000’s, I was seemingly always having discussions with peers, friends, and customers on the meaning of InfoSec (aka cybersecurity) risk. Speaking beyond the dozens of models, methods, and practices and looking to really understand the elements of risk in corporations. Later I would write extensively on the topic, eventually evolving into the Adaptive Security Management Architecture book (pub 2010). I was speaking with an old friend the other day and the topic of risk appetite surfaced. It reminded me of this article I wrote in late 2006. Enjoy.
Counting security calories won’t help
Anyone who knows me or has subjected themselves to my writings knows I have some uneasiness with today’s role of risk. Assessing risk, managing risk, all of it. It’s not the process, but more of how there is so much focus on risk as if it was a science, and it’s not. Not even close. Risk management is, of course, extraordinarily important to a security program, but I regularly see it being positioned as “the” security program with all things stemming from risk measurements as if it were an absolute. One of the things I see and hear is “risk appetite” and I’ve even used this phrase many, many times. But what is it?
Again, risk management is beyond important. It’s a tool that can help take in vast amounts of information and process it to a point where you can make sense of it. From there, it can support decisions, actions, and investments. I’m not “attacking” risk management as a practice, philosophy, method, or strategy. What I am saying is that it’s not a science and as such it must act as part of a security program, such as governance, compliance management, and information management frameworks to provide an “aspect” or input as part of a security perspective for decision making processes.
Risk management boils down to finding a balance between threats and assets by the allocation and management of controls. That balance is ultimately based on risk appetite, or more specifically the amount of risk you are willing to accept for a given potential event. Therefore, one could argue that risk is not much more than an exercise without a quantified understanding of appetite.
Security risks are subjective and as such cannot be objectively rationalized or accurately measured. The problem is far too fluid, unbounded, there is imperfect knowledge, and, more importantly, no actuarial data to derive any form of meaningful predictability. Although certain elements can be predicted in form with some reasonableness in determining general impact from specific experience, there remains the framework of the formation of estimates and rankings. Therefore, not only is risk open to interpretation, but the very model used for interpretation will greatly impact the outcome. Risk – at best – is a guess.
Before I continue, I must state that this does not mean that risk assessments, measurements, calculations, and management are completely pointless. Far from it. In short, you have to play the hand you were dealt and in lieu of anything better and more accurate, today’s risk processes are what they are. Again, the point is concerning the impression of science within risk and that is simply not the case. Risk must be used cautiously since there is significant room for error.
So what is appetite, really? In short, it is an opinion and an opinion in a point in time. As an opinion it is individualistic and mostly related to internalized (i.e., your own) risk philosophy. The oldest example used in discussions of this nature is fear of flying and a reference for driving as an alternative when driving clearly represents substantially more risk than flying. In other words, risk is very personal. This aspect exists within a corporate environment and many executives will respond very differently when the risk represents something tangible to them compared to when it concerns others or the company. For example, if you say that there is a risk that could lead to an executive going to jail as opposed to something that represents far greater risk over all, the level of acceptance will likely be far less with the former because they will not want to accept a risk that can affect them as an individual.
Further exacerbating the issue of appetite is the interpretation of risk treatments. In other words, will the control have any meaning to the person or persons evaluating risk against their own appetite? Therefore, even when there is clear alignment between an identified risk and appetite the interpretation of the effectiveness of the compensating control will influence a great deal.
The term risk appetite is used quite frequently as a method to generally note that level of criticality must ultimately be interpreted, but rarely is this explored deeply. There is a great deal of effort in defining risk and creating models as opposed providing equal or greater focus on defining appetite, which is arguably the tipping point that determines the overall value of risk management to the organization. The industry is so intensely focused on risk management theories and methods it has virtually ignored the most important aspect and that is how the results will be deduced and applied. This is ultimately the result of risk being seen as a science and the process of quantifying appetite, comparably, is seen as “impossible”, which ironically is no different than the best-guess risk inherently represents. In other words, if you see risk for what it really is there technically no difference in formulating a model for appetite as you do for risk.
What needs to happen is the development of a risk appetite model that defines a process by which appetite can be quantified. Today, this mostly surfaces as evidence used in general discussion of appetite, such as policy statements and regulatory demands. However, these can be seen as surrogates for appetite. For example, how an executive interprets risk (appetite) is “trumped” by a regulation because there are tangible impacts, such as fines or going to jail. But, not all risk results cleanly fit into these situations. If that was the case, we would call risk management “compliance risk management”, which interesting is what many are really practicing, but recognizing it. Also what happens today is less focus on broad risks and focusing on divisional risk so that the results can be interpreted by one person that makes the final judgment call on appetite. This is essentially avoiding the problem by reducing the number of people that have to “make the call” and isolate responsibility. In fact, this practice is typically the security group transferring political risk to a single person who actually made a decision.
Security groups need to tackle the risk appetite measurement as other industries have, specifically the financial industry concerning risk appetite for investors, which is very interesting and has some meaningful formulas that could be used as the basis for security appetite measurement. There have been what I would call attempts in security, such as ISACA’s case study using CobiT to define risk appetite. But as you can see it’s still about measuring risk (i.e., high, medium, low), not necessarily specifically the interpretation of risk. In other security circles it has been suggested to use Myers-Briggs, which is a very interesting and I feel an accurate starting point. But others have suggested a litmus test using hypothetical scenarios to capture a perspective of risk. While I agree with the concept, how the test is performed will determine the value of the data. If the test candidates know they are being tested the results will be skewed – and I’m not too sure executives want to be treated as lab rats.
The good news is people are thinking in these terms, but it has yet to take on legs. I suspect there is a university (potentially several) working models of this nature. I personally haven’t found evidence of this, but that doesn’t mean anything – so if you know about something of this nature I would greatly appreciate a note educating me; I’m convinced this is being worked on or has been done. If not, I think setting up a workgroup to develop a risk appetite model would be quite interesting. If you’re interested on working on something, let me know.