"Risk register" has become a dirty phrase. It is a catch-all for any concern that keeps an executive up at night. Items such as "insiders", "the cloud", and "data loss" adorn risk registers in organizations across industries. FAIR-trained or not, it does not take a risk expert to tell you those items are not actionable.
What would you say if I told you that I had a way to transform the way you and your organization identify top risks? A way to revamp your risk register into something useful in decision making, rather than a wasteland of half-baked "risks"?
I recently wrapped up an engagement with a client to complete a Top Risks Workshop, utilizing Factor Analysis of Information Risk (FAIR) to identify and normalize the top risks the organization was facing. Here are three key takeaways that you and your organization, just like my client from last week, can utilize to improve risk identification and prioritization.
Scope Your Risks the Right Way
It is very common for organizations to keep a register of cybersecurity risks, and I would bet that yours has some sort of list of top risks today. Common entries are: regulation, phishing, the cloud, fraud, ransomware, and so on. If any of these sound familiar or sit on your organization's register, it may surprise you that none of them is a true risk. Each loosely describes one aspect of a risk but does not flesh out the whole risk.
Take the entry "ransomware." It carries a high degree of ambiguity: the reader has to guess what the ransomware would do, which systems and data it would affect, and how it would get in. Every reader therefore interprets the "risk" differently, and no two people are assessing the same thing.
For a concern to be a risk, it must be properly scoped. A properly scoped risk names a specific asset, a specific threat, and a specific effect. In practice that means stating which asset is at risk, which threat acts against it, and what forms of loss could result (for example, lost productivity, response cost, fines, or lost revenue), so that unstated assumptions are flushed out and a concrete risk remains. Once those components are pinned down, you can identify the loss event or events your organization is actually concerned about. "Ransomware" becomes, for instance, "a criminal group encrypts the order-processing servers, causing a multi-day outage of the revenue-generating site." That statement can be estimated; the single word cannot.
Using the FAIR method as the foundation for identifying your organization's risks, you can define true risks in a clear and repeatable manner.
Christina Dulovich is a Risk Consultant for RiskLens
Pay Careful Attention to Frequency and Impact of Cyber Events
When performing risk workshop engagements with clients, I commonly see that, after the engagement is through, perceptions of which risks are impactful change quite a bit. More often than not, what you think is high impact may not be. For example, a breach of a key database that would result in millions of dollars of loss would be put on your top risks list. This makes sense, right?
Well, not always. Diving deeper into this scenario, you take into consideration that the data is encrypted and that a slew of controls is in place, which drives the likely frequency of the event down to very low, if not virtually non-existent. The last time this database was breached was ten years ago, before the current controls and encryption were deployed. The loss magnitude is still large, but multiplied by a frequency this low, the annual exposure turns out to be relatively small compared with other risks.
Just as often as top risks get pushed down the list, risks that look "small" or "immaterial" get pushed up to the top of the register. Take mistakes in production code causing outages of a revenue-generating site. Any single event may only cause a handful of customers to abandon a purchase and buy elsewhere. Not a big deal, right? Now take into consideration that, based on the last 12 months, these outages happened an average of five times a week. A handful of lost customers, repeated upwards of 260 times a year, adds up to a big impact and pushes this risk up the list of concerns. The lesson is that neither frequency nor impact alone tells you where a risk belongs; it is the product of the two that matters.
FAIR ensures that every risk an organization identifies is defined in quantifiable terms (a loss event frequency and a loss magnitude), so that loss exposure can be calculated, the risks ranked, and the true top risks accurately identified.
Learn more: What Belongs in a Risk Register? by Jack Jones
Compare Cyber Risks Accurately
To rank your risks, you need to be able to compare them effectively, and this is an easy place for organizations to fall short. Historically, risk was measured on ordinal scales or plotted on heat maps. Because those scores usually rest on the personal opinions and experiences of one or a few experienced employees, they tend to be riddled with bias. That bias and lack of rigor means qualitative methods end up comparing apples to oranges. Quantified, measurable data, however, lets you compare apples to apples.
Through the FAIR methodology, users derive numeric ranges for each component of a risk. Contrast that with a list of 15 risks scored on a 1-5 severity scale by three subject matter experts, where four risks are a "2", seven are a "3", three are a "4" and one is a "5". If seven risks all sit at severity 3, how are you supposed to compare and prioritize them? The scale has no answer.
Rather than this ineffective method, a rigorous and repeatable process, with specific and defensible rationale behind each estimate, lets you determine a range of loss exposure that is unique to each risk. Being able to say that a risk will likely result in between a $350,000 and a $535,000 loss in the next year lets you compare that figure directly with the same metric for every other risk. Apples to apples.
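The comparison described in the last two sections can be carried out in a few dozen lines. The following is an added example, not code from the original post or from RiskLens: it takes two constructed scenarios that mirror the stories above (a rarely breached encrypted database with a large loss per event, and frequent small outages of a revenue site), turns three-point estimates of loss event frequency and loss magnitude into distributions, simulates annual loss with Monte Carlo, and reports each risk as a dollar range rather than a 1-5 score. Every scenario name and number is an assumption made for illustration; the 10th/50th/90th percentile summary and the ranking by mean exposure are this example's choices, not a prescribed FAIR output format.

```python
"""
Added example (not from the original post): a FAIR-style comparison of two
constructed risk scenarios. Annual loss exposure is simulated as
loss event frequency x loss magnitude from three-point (min / most likely /
max) estimates and reported as a dollar range, so risks rank apples to apples.
All scenario names and figures below are assumptions for illustration.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple   # loss event frequency per year: (min, most likely, max)
    lm: tuple    # loss magnitude per event in dollars: (min, most likely, max)


def sample_pert(rng, lo, mode, hi, lam=4.0):
    """Draw from a PERT distribution (a Beta rescaled to [lo, hi]), the usual
    way a calibrated three-point estimate is turned into a distribution."""
    if hi == lo:
        return lo
    alpha = 1 + lam * (mode - lo) / (hi - lo)
    beta = 1 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def sample_poisson(rng, rate):
    """Number of events in one year given an expected rate: count exponential
    inter-arrival times until they pass one year (robust for large rates)."""
    count, t = 0, rng.expovariate(1.0)
    while t < rate:
        count += 1
        t += rng.expovariate(1.0)
    return count


def simulate_annual_loss(scenario, years=2000, seed=1):
    """Monte Carlo: for each simulated year draw a frequency, realise how many
    loss events occur, and add a freshly drawn magnitude for each one."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        rate = sample_poisson(rng, sample_pert(rng, *scenario.lef))
        totals.append(sum(sample_pert(rng, *scenario.lm) for _ in range(rate)))
    return totals


def summarize(totals):
    """Annualised loss exposure as a 10th/50th/90th percentile range plus mean."""
    q = statistics.quantiles(totals, n=10)  # 9 cut points: q[0]=p10 ... q[8]=p90
    return {"p10": q[0], "p50": q[4], "p90": q[8], "mean": statistics.fmean(totals)}


def rank_scenarios(scenarios, years=2000, seed=1):
    """Rank scenarios by mean annualised loss exposure, highest first.
    Returns a list of (name, summary) pairs."""
    ranked = [(s.name, summarize(simulate_annual_loss(s, years, seed)))
              for s in scenarios]
    ranked.sort(key=lambda item: item[1]["mean"], reverse=True)
    return ranked


# Constructed scenarios mirroring the two stories in the post (assumed figures).
SCENARIOS = [
    Scenario(
        name="Breach of encrypted key database",
        lef=(0.01, 0.05, 0.15),               # a few percent chance per year
        lm=(1_000_000, 3_000_000, 8_000_000),  # millions when it does happen
    ),
    Scenario(
        name="Production code defect causes outage of revenue site",
        lef=(150, 260, 400),                   # roughly five times a week
        lm=(500, 2_000, 6_000),                # a handful of lost purchases
    ),
]

if __name__ == "__main__":
    for name, s in rank_scenarios(SCENARIOS, years=5000):
        print(f"{name}: p10 ${s['p10']:,.0f}  p50 ${s['p50']:,.0f}  "
              f"p90 ${s['p90']:,.0f}  mean ${s['mean']:,.0f}")
```

With these assumed inputs the outage scenario ranks first despite its tiny per-event loss, and the database breach shows a 90th percentile of $0 (most years nothing happens) alongside a non-zero mean driven by the rare, expensive year. That pair of numbers is exactly what a single severity score hides: the frequent-but-small risk and the rare-but-large risk end up on one scale, in dollars, with the shape of each risk still visible.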
Improving these three aspects of your risk identification (scoping risks properly, examining both frequency and impact, and comparing risks accurately) will transform your organization's ability to identify true risks and to defend its analysis with quantifiable, measurable data.
The FAIR Institute was recently named one of the three "Most Important Industry Organizations of the Last 30 Years" by SC Media. Join the Institute now (it's free).