Chapter 4. Risk-Informed System
At the beginning of this book, we discussed a few unprecedented and increasingly unpredictable risks enterprises face in a world that’s intricately interconnected by digital communication and collaboration technologies—and the critical importance of addressing those risks via a formal cyber risk management program (CRMP).
Despite all the attention we’ve been giving to digitalization and its impacts, it’s important to recognize that digitalization isn’t the problem that a CRMP is meant to address. In fact, it isn’t necessarily even a problem at all. Digitalization definitely presents risks, many of them unimaginable just a few short years ago, but it also presents extraordinary new business opportunities. The fundamental problem this book addresses is that current approaches to security, and the immaturity of current risk management practices, leave an enormous gap in enterprises’ ability to protect themselves against emerging risks while at the same time taking advantage of new business opportunities rapidly and effectively. That requires a clearly defined CRMP based on four key components. The preceding chapter discussed the first of those components, Agile governance. Now we move on to the second: a risk-informed system.
We’re going to turn to what may be the most important program component of all: the information enterprises use to make risk management decisions. We detail how that information must be acquired, assessed, managed, and communicated in a systematic process that ensures that business leaders can make timely, informed risk decisions.
Why Risk Information Matters—at the Highest Levels
A long series of court decisions, including but by no means limited to the cases we’ve already discussed, has established that enterprise decision makers at the highest levels are responsible for risk failures and, even more importantly, for the failure to be informed about risks. This applies to anyone who is making, or should be making, risk decisions, and that definitely includes boards of directors, CEOs, and senior executives. The courts have made it clear that “I didn’t know,” or a claim that the information received was sporadic, is not a sufficient excuse when things go wrong. The failure to have an effective system for acquiring, assessing, reporting, and escalating risk information leaves all these roles open to serious legal liability, both civil and (as you saw in the criminal conviction of Uber’s former CSO) criminal. And the problems don’t end there. The bottom line: the failure to establish a systematic process for getting risk information to the right individuals in a timely manner introduces its own very serious set of risks: legal, regulatory, financial, and reputational.
A quote from the court judgment in the Boeing case makes it clear that risk responsibility for critical functions, accountability, and liability reside at the very highest levels of enterprise decision making: “for mission-critical safety, discretionary management reports that mention safety as part of the company’s overall operations are insufficient to support the inference that the Board expected and received regular reports on product safety. Boeing’s Board cannot leave ‘compliance with [airplane] safety mandates to management’s discretion rather than implementing and then overseeing a more structured compliance system.’”1
Risk and Risk Information Defined
Let’s begin by defining the terms, and in particular by talking about what risk information is and, especially, what it isn’t.
Most enterprise decision makers with risk management responsibilities believe they know what risk is, but unless they’re making their risk judgments using a systematic, approved, and formalized process, their understanding of risk is likely to be incomplete, inconsistent, and in many cases simply wrong. This is especially true of security practitioners—even the most senior and most experienced among them. Let’s start there.
A security professional is, understandably, likely to think of risk in terms of threats and vulnerabilities and the controls or capabilities in place to address them: malicious insiders, unpatched software vulnerabilities, data protection. These issues are all obviously important, and information about them is important, even essential, but it isn’t risk information. Why? Because it isn’t yet embedded in the business context.
Before we go deeper into risk information, let’s take a step back and define what we mean by risk itself. Here’s a very straightforward definition, presented as a simple equation:
Risk = Likelihood × Impact
Let’s break it down a bit further:
Risk = Likelihood (of a threat exploiting a vulnerability) × Impact (on an enterprise process, asset, or objective)
The likelihood of a threat exploiting a vulnerability matters because the threats facing an enterprise, and the weaknesses (vulnerabilities) they could exploit, are too numerous to enumerate, much less respond to in full. One example of the scale of the cyber threat environment: Microsoft identified 1,212 vulnerabilities in its systems in 2022 alone. Most enterprises run complex, heterogeneous IT environments, and many find it increasingly difficult to maintain a clear picture of which systems and applications they actually have in place. Yet understanding the asset is critical, both to gauging the potential impact if it is attacked and to judging how likely it is that a given threat can actually exploit a given vulnerability.
Here’s a simple example. A zero-day exploit targeting Microsoft SQL Server is a serious problem for an enterprise using that platform to support a critical web application, but it’s probably not a matter of concern for a web application that is being decommissioned and not public facing.
A threat alone is not a risk—and threat information itself is not risk information.
Now for the impact. It begins with an inventory of what is of most value to the business in terms of business assets, which might include the enterprise’s trade secrets and other intellectual property (IP), sensitive customer data, or the underlying code for its e-commerce platform. From there, the potential downstream effects a threat or vulnerability could have on the enterprise’s systems, applications, operations, and processes become clearer. Without a comprehensive understanding of the assets impacted, and the resulting consequences or effects, it’s impossible to truly understand the risk the enterprise faces—and, of course, impossible to define and execute the appropriate response.
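To make the distinction between threat information and risk information concrete, here is an added example (not code from the book) that scores the same hypothetical SQL Server zero-day against three constructed assets. The asset inventory, the 0 to 1 scales, the rating bands, and the weighting factors for network exposure and decommissioning are assumptions for illustration; an enterprise would substitute the scales approved by its own governance body.

```python
"""Contextualizing a threat into risk: Risk = Likelihood x Impact.

Added example, not from the book. Asset names, scores and weights are
illustrative assumptions, not an approved enterprise scale.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    platform: str            # e.g. "mssql"; used to decide whether a threat applies
    criticality: int         # 1 (negligible) .. 5 (mission critical), set by the business
    internet_facing: bool
    decommissioning: bool


@dataclass(frozen=True)
class Threat:
    name: str
    platform: str            # platform the exploit targets
    exploitability: float    # 0.0 .. 1.0, e.g. derived from threat intelligence
    remote: bool             # exploitable over the network without prior access?


def likelihood(threat: Threat, asset: Asset) -> float:
    """0..1 score that this threat actually exploits this asset (assumed weights)."""
    if threat.platform != asset.platform:
        return 0.0                      # no matching vulnerability: threat is not applicable
    score = threat.exploitability
    if threat.remote and not asset.internet_facing:
        score *= 0.3                    # attacker first needs an internal foothold
    if asset.decommissioning:
        score *= 0.2                    # shrinking window of exposure
    return round(score, 3)


def impact(asset: Asset) -> float:
    """Business impact on a 0..1 scale derived from the asset's criticality."""
    return asset.criticality / 5.0


def risk_score(threat: Threat, asset: Asset) -> float:
    return round(likelihood(threat, asset) * impact(asset), 3)


def rate(score: float) -> str:
    """Map a numeric score onto the bands a decision maker will read (assumed cut-offs)."""
    if score >= 0.5:
        return "high"
    if score >= 0.2:
        return "medium"
    if score > 0.0:
        return "low"
    return "not applicable"


# Constructed sample inventory and a hypothetical threat (not real CVE data).
ECOMMERCE_DB = Asset("ecommerce-db", "mssql", criticality=5, internet_facing=True, decommissioning=False)
LEGACY_INTRANET = Asset("legacy-intranet-db", "mssql", criticality=1, internet_facing=False, decommissioning=True)
HR_PORTAL = Asset("hr-portal", "postgres", criticality=3, internet_facing=True, decommissioning=False)
SQL_ZERO_DAY = Threat("hypothetical SQL Server zero-day", "mssql", exploitability=0.9, remote=True)


def assess(threat: Threat, assets: list[Asset]) -> dict[str, tuple[float, str]]:
    """Return {asset name: (risk score, rating)} for one threat across the inventory."""
    return {a.name: (risk_score(threat, a), rate(risk_score(threat, a))) for a in assets}


if __name__ == "__main__":
    for name, (score, level) in assess(SQL_ZERO_DAY, [ECOMMERCE_DB, LEGACY_INTRANET, HR_PORTAL]).items():
        print(f"{name:22s} risk={score:.3f} ({level})")
```

The same threat yields a high risk for the public e-commerce database, a low one for the decommissioning intranet database, and none at all for an asset on a different platform. The threat data never changed; only the business context did, which is the point the chapter is making.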
Determining the relationship between threat likelihood and impact is therefore the core of shaping risk information, and it is the essential step in understanding what risk information comprises. The UK’s National Cyber Security Centre (NCSC) offers a simple but useful definition: “Risk information is any information that can influence a decision.” The NCSC adds, “Some organisations have a tendency to only accept certain types of information as legitimate risk information. Such limitations increase the chance of something important being missed.”2 The clear message: a comprehensive approach to risk information, rather than, say, a narrow focus on a standalone threat or vulnerability, is essential to real-world risk management.
A risk-informed decision system takes these concepts and applies them systematically, repeatably, and consistently. Using a trusted and approved methodology, the enterprise and its leaders can trust the risk outputs and make informed decisions to find the appropriate balance between risk and reward.
The CRMP framework we’ve been introducing in this book is used here to identify the key underlying principles that will factor into establishing an effective risk-informed system integrated as a part of the broader CRMP. For more detail on the comprehensive framework itself, see the Appendix. For more information on specific implementation considerations, see Chapter 7. For the specifics related to a risk-informed system, see Table 4-1.
Table 4-1. The four components of the CRMP and where their principles are discussed

| CRMP component | Principles |
| --- | --- |
| Agile governance | See “Seven Principles of Agile Governance”. |
| Risk-informed system | See “Five Principles of a Risk-Informed System”. |
| Risk-based strategy and execution | See “Six Principles of Risk-Based Strategy and Execution”. |
| Risk escalation and disclosure | See “Five Principles of Risk Escalation and Disclosure”. |
Five Principles of a Risk-Informed System
This book lays out a CRMP, which is a formal, systematic, cyber-specific set of practices for addressing the challenges and opportunities of a rapidly changing risk environment aligned with the demands of the authoritative sources we’ve been discussing. We describe best practices for ensuring that that program is informed by timely, appropriate risk information. There are five key principles that must be in place for any risk-informed decision-making process to be effective and appropriate to an enterprise’s specific needs.
Principle 1: Define a Risk Assessment Framework and Methodology
A risk framework and methodology must be defined and executed to identify, assess, and measure cyber risk within the organizational context.
A systematic approach to identifying, assessing, and measuring cyber risk is critical, because it provides the governance body we discussed in the last chapter with the trusted and repeatable information it needs to make appropriate risk-informed decisions. The security organization is central to this effort, providing the governance body and the enterprise as a whole with the information it needs to make risk decisions, but it doesn’t make the decisions, and it’s neither responsible nor accountable for them.
The security organization’s role isn’t to make risk decisions—it’s to guide the enterprise through a risk-informed decision-making process.
The information the security organization provides in collaboration with other parts of the organization should all be considered part of a cyber risk-informed system that educates and guides the governance body and business stakeholders. This information may include enterprise risk information; an inventory of IT, operational technology (OT), and Internet of Things (IoT) assets; threat intelligence; the defined enterprise risk appetite; business priorities; future business strategies; existing mitigation efforts; and lessons learned.
But why does a framework and methodology need to be in place? Many enterprises—and security organizations—already have practices and processes for identifying risk, but these tend to be ad hoc, done as siloed efforts, or conducted only at long intervals and then more or less forgotten. They also tend to be derived from past incidents, like data breaches and virus outbreaks, or control failures. (And if the hyperspeed changes of the digital age have taught us anything, it’s that the past alone is never an adequate guide to the future.) Risk information and identification practices must be conducted in a regular cadence that’s defined and approved by the decision makers, because the failure to receive ongoing risk information is itself a risk.
An approved framework and methodology replace this essentially ad hoc or reactive approach with a systematic means of gathering data to inform acceptable risk levels, identifying emerging and potential risks, and managing or mitigating risks that actually occur. It’s important to note that while metrics play an important role in this process, they must be the right metrics: not operational or compliance metrics, but risk metrics that provide accessible, actionable information appropriate to the business context.
One of the most common challenges enterprises face in implementing and executing on risk-informed processes is that they have too much data—or the wrong kind of data—and they struggle to contextualize that data so that it’s actionable and relevant to their risk decisions. Another challenge is to translate the data into terms and language that will be clearly understood by the intended audience and with the intended purpose. The board of directors and senior executives, for example, will be looking for a high-level set of insights into the most urgent risks or related business concerns, the enterprise’s risk appetite, budget impacts, and other business concerns. A chief information officer (CIO) or business leader may be better-served by more granular data appropriate to their decision-making needs. The granularity of this risk-informed system is part of defining the risk-informed framework that needs to be discussed, developed, and approved by the business. This will necessarily be an ongoing process, and it will require ongoing monitoring and reporting against baseline results, so that it’s possible to identify and respond to emerging trends. (The reporting should align with the established process for budgeting and prioritization, which is discussed in the next chapter.) And all these measures have a single overarching purpose: to ensure the effective integration of cybersecurity as part of an overarching enterprise-wide risk management system.
The following industry guidance is especially important here:
- SEC Regulation S–K Item 106(b)—Risk Management and Strategy
- The essence of this item is ensuring companies have systematic processes to assess and identify material risks from cybersecurity threats. It reinforces the principle that organizations need an established framework to navigate the complexities of cyber risk, especially in the context of its broader business strategy and financial implications.
- 2023 NACD Director’s Handbook on Cyber-Risk Oversight Principles 1, 4, and 5
- For cybersecurity to be viewed as a “strategic risk” as the NACD states, cyber risks must be viewed through the enterprise context, not just through an IT lens. This underscores the importance of the previous component as well, “Agile Governance,” and the need to work with the business to understand their concerns to be able to identify, assess, and measure risk within the enterprise context.
- 2023 Draft NIST CSF 2.0 GV.RM, ID.RA
- NIST provides perspective across these categories, providing guidance and underscoring the need for an established framework and methodology.
- ISO/IEC 27001:2022 6.1.2, 6.1.3
- ISO/IEC 27001 adopts a risk-based approach. Top management is responsible for ensuring the organization’s risks are identified, assessed, and treated appropriately, which includes defining the risk assessment methodology that fits the organizational context. Clauses 6.1.2 and 6.1.3 call for risk assessment and risk treatment processes. Additionally, ISO/IEC 27005 provides more detailed guidance on information security risk management.
- 2017 AICPA CRMP Description Criteria DC11
- This accountancy standard calls for a process for identifying cybersecurity risks and environmental, technological, organizational, and other changes that could have a significant effect on the entity’s cybersecurity risk management program and assessing the related risks to the achievement of the entity’s cybersecurity objectives.
Principle 2: Establish a Methodology for Risk Thresholds
An approved and repeatable methodology for acceptable risk thresholds—both appetite and tolerance—must be established.
Several methodologies exist for establishing acceptable risk levels. Whatever methodology you use should define acceptable levels of risk appetite and risk tolerance for specific enterprise environments and, crucially, ensure that those risk levels are approved by the risk owners and any other senior decision makers. The methodology that is adopted or developed may vary widely, but whatever methodology is used, it should address five functions:
- Defining current-state risk levels
- This means evaluating the risks the enterprise currently faces and the effectiveness of the risk mitigation measures that are currently in place.
- Defining and agreeing on desired future-state risk levels
- A definition of acceptable future risks—developed in collaboration with the governance body—makes it possible for the enterprise to prioritize its risk management endeavors to deal with changing and emerging risks.
- Using the accepted future-state risk levels to develop an overarching risk strategy and execution model
- This is crucial, not only because it aligns the enterprise’s risk appetite and tolerance levels with its overall business strategy, but also because it makes it possible to develop and defend appropriate budget allocations. (This issue will be covered extensively in the next chapter.)
- Monitoring the execution of risk strategy
- This must be an ongoing process, overseen by the governance body, to determine its effectiveness and to ensure that the enterprise remains within acceptable risk parameters.
- Continuous monitoring based on the agreed-on cadence
- An appropriate cadence for reviewing, assessing, and monitoring risk appetite and risk tolerance at set intervals (see “Principle 4: Agree on a Risk Assessment Interval”) will make it possible to anticipate and adapt to changes in the risk environment.
The need for effective, appropriate risk measurement is driven, and supported, by a broad array of standards and protocols, including:
- NIST Cybersecurity Framework 2.0
- The framework emphasizes that risk appetite and risk tolerance should be determined and communicated based on the organization’s business environment.
- 2023 NACD Director’s Handbook on Cyber-Risk Oversight Principles 1 and 5
- Principle 1 requires that cyber risk discussions align with strategic objectives and business opportunities. Putting that into practice requires a robust methodology, one that engages the business and supports the measurement of risk appetite as defined by management and approved by the board. Principle 5 addresses how risk appetite statements should be formulated: clearly, objectively, and measurably, while still accounting for subjective elements such as the economic conditions prevailing when the appetite was first set.
Whatever cyber security risk assessment methodology is chosen, it will serve certain fundamental common purposes. It will define risk levels, translate them into terms the various stakeholders will clearly understand, and align risk levels with the different levels of governance and, if possible, with the enterprise’s other risk functions. It will make it possible to communicate to stakeholders the journey the enterprise is undertaking to achieve risk maturity. And it will deliver outputs to governance functions at all levels.
It’s important to note that achieving the desired and appropriate level of risk assessment takes time and effort. In effect, it’s likely to be a journey, beginning with maturity modeling, then integrating KPI/performance metrics, then moving on to qualitative assessment and finally risk quantification, likely using automated tools.
The ultimate goal of this principle is to ensure that a framework is in place so that the enterprise and its risk decision makers use all available data within that framework to align on acceptable risk levels, and that the output is used to inform the governance body.
Principle 3: Establish Understanding of Risk-Informed Needs
The governance body should be identified and engaged in establishing a comprehensive understanding of its cyber risk–informed needs.
Cyber security risk management, like all forms of risk management, requires commitment from and engagement by a broad range of enterprise stakeholders, including senior decision makers (we discussed this in detail in the last chapter). This requires effective communication—targeted at different personas and audiences, presented in ways that those stakeholders can readily understand, and aligned with the requirements of the enterprise’s governance body.
The needs of different stakeholders will, of course, vary widely. Security practitioners may need highly technical information, business unit leaders will look for information focused on their areas’ operational performance, and senior executives and boards of directors will likely want only the most high-level information. It’s important to note that this process must be a conversation, not a one-way flow of information from the risk functions to other stakeholders. The ultimate goal is to provide all parties involved with risk information and risk measurements that are appropriate and adequate for them to make risk-based business decisions—and conduct their business activities within defined and established risk tolerances.
NIST has developed a useful cybersecurity-focused methodology for identifying and estimating cyber security risk (see Figure 4-1).
An important element of the development of a risk-informed system is the establishment of a working relationship between the appropriate stakeholders and the desired risk information. This relationship will help define the purpose and structure of the system and ensure that it’s established and formally approved by the business leaders, and not simply the result of information being presented.
These industry standards are additional references supporting this principle:
- 2023 Draft NIST CSF 2.0 GV.OC-02
- This subcategory highlights the importance of identifying both internal and external stakeholders and understanding their expectations in relation to managing cyber risk.
- 2017 AICPA CRMP Description Criteria DC13
- AICPA lays out a process for internally communicating relevant cybersecurity information necessary to support the functioning of the entity’s cybersecurity risk management program, including objectives and responsibilities for cybersecurity and thresholds for communicating identified security events and their resolutions.
- 2020 IIA Three Lines Model Principle 1
- IIA’s Governance principle emphasizes accountability to stakeholders and the focus on identifying and engaging stakeholders to understand risk-informed needs, promoting transparency and communication.
Principle 4: Agree on a Risk Assessment Interval
The risk assessment process should be performed according to an agreed-on interval with its results regularly evaluated.
Risk is not static. It never was, of course, and digitalization has made that truer than ever, which means that risk management can’t be static, either. A risk-informed system must therefore recognize that businesses change and risk changes along with them, and vice versa. This reality requires the establishment of a risk assessment life cycle and a defined cadence for assessing risks, and the effect of risk controls on them, at set intervals on an ongoing basis.
Enterprises frequently use risk registers—documents that note various risks and types of risks at a specific point in time—to capture the risks they face. This is a useful tool, and even a necessary one, and in today’s high-pressure digitized business environment, it will usually be part of a risk-informed decision-making process because of its utility as a reference document. But it’s important to recognize that it’s just a tool, and one that must be used consistently and iteratively to reflect the changing nature of enterprise risk. The risk register must be continuously updated as new risks, their likelihood, and their impact are identified, so that new risk responses can be decided on by the governance body and also entered into the risk register. Whenever a new risk response is applied to an item in the risk register, that update represents the new current state in the risk assessment cycle. This allows for timely, regular, and systematic intake, review, and analysis.
Another important point about the cadence of the risk assessment process is that it’s likely to be different for every enterprise, and the enterprise needs to establish a cadence it’s comfortable with, one that isn’t excessively time-consuming or disruptive. Some may find it adequate to conduct a risk assessment refresh on an annual basis, monitoring their key risk indicators (KRIs) throughout the year for significant change. For others (e.g., enterprises in highly regulated verticals like financial services), it may be helpful to have an automated cyber risk quantification engine that presents updated risk values on an ongoing basis.
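The register update cycle described above, combined with the approved tolerance thresholds from Principle 2, can be modeled as an append-only history per register item: applying a treatment records a new current state rather than overwriting the previous assessment, so the register shows both where a risk stands now and how it got there. The following Python is an added example, not from the book; the risk IDs, the 1 to 5 scales, the per-business-unit tolerances, and the treatment applied are constructed assumptions.

```python
"""A minimal versioned risk register with tolerance checks.

Added example, not from the book. Register entries, tolerances and
treatment effects are constructed assumptions on a 1..5 scale.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class RiskState:
    """One point-in-time assessment of a register item (never mutated)."""
    assessed_on: date
    likelihood: int                     # 1..5
    impact: int                         # 1..5
    treatments: tuple[str, ...] = ()    # treatments applied up to this state

    @property
    def score(self) -> int:
        return self.likelihood * self.impact        # Risk = Likelihood x Impact


@dataclass
class RiskItem:
    risk_id: str
    description: str
    owner: str                          # business owner who accepts or treats the risk
    history: list[RiskState] = field(default_factory=list)

    @property
    def current(self) -> RiskState:
        return self.history[-1]

    def apply_treatment(self, on: date, name: str, likelihood: int, impact: int) -> RiskState:
        """Record a treatment; the resulting residual state becomes the current state."""
        for value in (likelihood, impact):
            if not 1 <= value <= 5:
                raise ValueError("scores must be on the 1..5 scale")
        new_state = RiskState(on, likelihood, impact, self.current.treatments + (name,))
        self.history.append(new_state)
        return new_state


# Maximum acceptable residual score per business unit (assumed values, approved by the governance body).
TOLERANCE = {"ecommerce": 6, "corporate-it": 10}


def exceeds_tolerance(item: RiskItem, unit: str) -> bool:
    return item.current.score > TOLERANCE[unit]


def escalation_list(register: dict[str, list[RiskItem]]) -> list[str]:
    """Risk IDs whose current residual score exceeds their unit's tolerance (reporting input)."""
    return sorted(item.risk_id
                  for unit, items in register.items()
                  for item in items if exceeds_tolerance(item, unit))


def build_sample_register() -> dict[str, list[RiskItem]]:
    """Constructed sample register: two items, assessed once each."""
    r1 = RiskItem("R-001", "Unpatched DB server behind public storefront", "VP E-commerce",
                  [RiskState(date(2024, 1, 15), likelihood=4, impact=5)])
    r2 = RiskItem("R-002", "Stale local admin accounts on intranet hosts", "CIO",
                  [RiskState(date(2024, 1, 15), likelihood=3, impact=2)])
    return {"ecommerce": [r1], "corporate-it": [r2]}


def run_demo() -> tuple[list[str], list[str], int]:
    """Escalation list before and after treating R-001, plus its residual score."""
    register = build_sample_register()
    before = escalation_list(register)
    item = register["ecommerce"][0]
    item.apply_treatment(date(2024, 2, 1), "vendor patch deployed", likelihood=1, impact=5)
    return before, escalation_list(register), item.current.score


if __name__ == "__main__":
    before, after, residual = run_demo()
    print("needs escalation before treatment:", before)
    print("needs escalation after treatment:", after, "(R-001 residual score", residual, ")")
```

Before treatment, R-001 scores 20 against a tolerance of 6 and appears on the escalation list; after the patch is recorded, the residual score of 5 sits within tolerance and the item drops off, while the earlier state remains in the history for the next review.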
The following standards emphasize, and in practice require, a cadenced risk assessment process:
- SEC Regulation S–K Item 106(b)—risk management and strategy
- By focusing on how cyber risks might affect business operations or financial conditions, this item prompts organizations to continually reevaluate their risk posture in the context of evolving threats and business priorities. This enforces the principle’s emphasis on an iterative risk assessment process.
- 2023 NACD Director’s Handbook on Cyber-Risk Oversight Principle 5
- NACD’s call for consistent cybersecurity measurement and reporting emphasizes the importance of the regular, systematic risk assessment process.
- 2023 Draft NIST CSF 2.0 ID.RA, ID.IM-01 through ID.IM-03
- ID.RA emphasizes the importance of conducting risk assessments, and ID.IM emphasizes regularly reviewing and adjusting the organization’s risk management processes to ensure they cover the organization’s requirements and adequately address identified risks. Both underscore the need for a proactive approach to cybersecurity, with an emphasis on continual adjustment of strategies based on the evolving risk landscape. Generally, the NIST Draft also aligns with the idea that effective cyber risk management is not a one-time or “check-the-box” effort but should operate as an ongoing program.
Principle 5: Enable Reporting Processes
Reporting processes should equip the governance body with insights on the impact of cyber risks on existing practices and strategic decisions.
A risk-informed system is one with defined policies and established processes, and these processes must include reporting to the governing body and all other relevant stakeholders. The reporting process will alert the governing body, and through it the business, to security events—that is, risks that exceed agreed-on thresholds and require response, acceptance, or other risk treatment. This is especially critical because these alerts will drive levels of reporting and, where required, escalation. (We’ll be discussing risk escalation in detail in a later chapter.)
Reporting is communication, and like any form of communication, it must be accessible, actionable, and specific—in both content and style—to the target audience. Board reporting is a good example of the requirements of effective reporting. It may require that you communicate about a complex technical subject with people who don’t typically have technical backgrounds or deep technical understanding. The directors’ responsibilities are essentially fiduciary—that is, focused on the financial health of the enterprise as a whole. And that means board reporting should communicate cyber risk in business terms that are mapped directly to key business operation processes and metrics. The ultimate goal: to inspire confidence in the board that cyber risk is being managed effectively.
Remember, reporting—whatever the subject, whatever the audience—is essentially storytelling. A fundamental component of effective reporting is crafting a story—a clear, easy-to-follow narrative that makes the target audience feel as well as think. An extensive body of research shows that most audiences—even the most sophisticated—make decisions based at least as much on emotion as on logic. Many of the stakeholders in risk management processes are, however, more accustomed to simply communicating metrics and other data. Technical professionals tend to lead with a mass of data that they understand and know supports the points they want to make but that is likely to be incomprehensible and, worse, unconvincing to a largely nontechnical audience. A far better approach is to begin with a story that has emotional impact—a security flaw that’s been successfully mitigated—and then follow up with supporting data.
The industry standards and protocols most relevant to governance reporting practices are:
- 2023 Draft NIST CSF 2.0 GV.OV-01 through 03
- These subcategories emphasize that organizational leaders should review and assess the effectiveness and adequacy of the cybersecurity risk management performance and its outcomes, which can only be achieved through systematic and transparent reporting processes. This feedback loop allows leaders to adjust strategies as needed, ensuring the organization’s cybersecurity posture remains robust and responsive to the evolving threat landscape.
- 2023 NACD Director’s Handbook on Cyber-Risk Oversight Principle 5
- NACD Principle 5 highlights the need for regular reporting and measurement of cyber risks, particularly in response to changing business environments. This practice allows organizations to stay updated about their risk posture and make informed decisions, which is a key part of enabling effective Agile governance.
- 2017 AICPA CRMP Description Criteria DC13, DC16
- This accountancy standard calls for a process for internally communicating relevant cybersecurity information necessary to support the functioning of the entity’s cybersecurity risk management program. This includes objectives and thresholds for communicating identified security events to the relevant stakeholders, including management and the board, as appropriate.