How's Your Appetite: Tips for Setting and Measuring One for Organizational Cyber Risk
By Jon Murphy, CISO, Ocwen Financial Corporation
Significant business-as-usual interruptions are increasingly occurring due to cyber-attacks. Daily, more organizations are becoming cybersecurity (cybersec) risk apprehensive. Consequently, the demand to manage the risk, establish appetites, and measure effectiveness of defenses seems almost insatiable for the ever-complex world of information security.
As we say down here in the South, “No one with a lick of sense” would argue that having appropriate metrics for an organization’s information security program is a prudent move. Generally accepted better practices for risk management dictate that organizations should strive to fully understand their risk appetite for all types of relevant risk and measure that risk in relation to their stated appetite. But, who is responsible? Ultimately, the board of directors and an organization’s top executive management should define and set the organization’s appetite to take on appropriate risk in the face of its strategic objectives. These days, it seems these groups need some help in that chore and we are hoping this article may help.
Information/cyber is part of operational risk that can impact other areas of risk like compliance, financial, reputation etc. When it comes to information/cyber, as with most all risk categories and types, one prerequisite is that both top management and the Board fully realize and accept that completely eradicating all cyberrisk is NOT possible. Then, the organization needs to create a risk appetite statement. A simple example might look something like, ‘This organization has some tolerance for cybersec risk that will allow it to achieve its business objectives however we specifically will not tolerate any loss of our business and customer data.’
With a risk appetite statement in place, the next task is to set the risk tolerance with quantitative or qualitative parameters. These can be changed over time, either as the risk evolves; controls and treatments improve, or as operational requirements dictate. There is no right or wrong level if the requisite stakeholders are aware and buy in.
So how do you go about establishing an information security risk appetite? How do you measure that appetite for information security risk? Let’s start with a ground leveling definition. Cyber risk appetite is defined as “the amount of non-static risk related to information security, on a broad level, that an organization ties to objectives and is willing to accept in pursuit of value.” Perhaps, one of the simplest expression of an appetite might be to say, that the organization is comfortable living with risks rated medium or low (by an external party, Internal Audit, Risk Department?), but not comfortable with any (or some other number; 5, ≤2, etc.?) risk rated high or critical.
"Risk appetites can vary between industries, organizations and even business units or processes within the same organization"
Remember, risk appetites can vary between industries, organizations and even business units or processes within the same organization. For example, in the financial sector, the risk appetite might be higher (more risk embracing) in more mature processes than in fledgling business processes or those undergoing major overhaul. Conversely, where fraud and unethical behavior are concerned, the appetite is probably far lower (more risk averse). Here below are four potential options for addressing risk appetite:
Option 1: By type of exposure
One might naturally ask, what is the appropriate definition for “low”, “medium”, and “high” levels of appetite? That is where an impact and likelihood matrix (see graphic below) can help determine those values relative to each organization’s own valuations.
Option 2: All exposures by Intent and origination source
For a less mature enterprise, this four-vector approach could make sense to start. Internal malicious sources could deliver far more devastating acts or actors than external because they potentially have greater insider knowledge and access.
Option 3: All exposures by adequacy of security control element per a framework a la NIST/ISO/SANS
This approach might win some favor with Internal Audit as well as your IT department. These groups are or should be familiar with these frameworks because they are or should be working within them all the time. Each of these control vectors is highly defined within their respective frameworks or standard. Standards that might possibly lend themselves to this type of approach could include PCI, COBIT/COSO, or perhaps GDPR.
Option 4: Exposures by classifications and characteristics
This approach considers areas or causes of risk and gets more specific to the entities within your organization that could be adversely impacted. The risk register and its accompanying risk matrix might be a reliable source with which to build out this approach. The action can be as detailed or generic as desired, with or with time sensitivity, for instance “remediate immediately” or “include SLA changes in next renewal”.
Obviously, the four examples above are not all inclusive. They are intentionally somewhat generic for broad illustration purposes. Again, what will work for your organization, culture, industry, etc. may not be a fit for others.
A caveat before we part. While metrics can be vital to accomplish goals, they can also be grossly overdone. Internal Audit or the Risk Department, unchecked, might run amuck and crank out hundreds of reports on risk from all over the enterprise. Neither the CRO, any other executive, nor any Board can possibly consume such granular or copious amount of details. Use some common sense. Keep the metrics at a level and quantity that add value but does not overwhelm those consuming and having to produce these metrics.Bon Appétit!.