Duty of Care Risk Analysis (DoCRA) and reasonable security are two sides of the same coin. They are the closest things to a definitive legal answer to “how much security do I need?” These approaches are changing risk management for organizations by connecting security decisions to legal defensibility, business practicality, and people’s safety.
Achieving reasonable security through DoCRA can advance an organization’s security program by:
- Reducing “analysis paralysis”. Stakeholders can stop endless debates about appropriate controls to make hard decisions about risk tradeoffs, legal defensibility, and spending versus protecting sensitive information. Organizations will have a solid roadmap to prioritize mitigation efforts or proactive safeguards to strengthen the risk profile.
- Making cybersecurity understandable to executives as a balance of business risk, legal defensibility, and threat avoidance. Cybersecurity is not just an IT issue.
- Aligning internal teams and external stakeholders around a single standard of care for security decisions. Practicing duty of care produces one strategy grounded in the organization’s mission, objectives, and obligations.
Why is DoCRA Good for Risk Management?
Duty of Care Risk Analysis (DoCRA) is the process of identifying and assessing cybersecurity risks through the key perspectives of those who could be impacted by a breach.
- The Organization: costs, operations, mission, and strategy.
- The people whom the organization’s risk could harm: customers, employees, partners, and the public.
- Regulators and courts: what judges and regulators expect to be “reasonable” when assessing negligence.
DoCRA applies an industry-recognized, well-accepted, and repeatable methodology to cybersecurity risk analysis and management.
How does DoCRA help in Risk Management?
DoCRA is essential to managing cybersecurity risk, as it:
Establishes Legal Defensibility
DoCRA aligns directly with the standard that courts use when evaluating negligence: Was the organization’s security posture “reasonable” given the foreseeable risk? In the event of an incident, DoCRA helps show how your risk decisions were measured, documented, and justified. Those decisions rest on a standard of care rather than being arbitrary, ad hoc, or negligent.
Balances Protection with Business Impact
Traditional risk assessments often fail to account for, or even include, the organization’s costs, interests, and potential business impact. DoCRA requires organizations to ask: Does mitigating this risk cost more than the harm it prevents? This helps organizations avoid overspending, underspending, and decisions that materially harm the business.
Creates Board-Ready, Business-Ready Risk Reporting
Executives understand duty of care, liability, business impact, and budget decisions. Boards need security risk to be translated into plain-language, outcome-based, defensible decisions. DoCRA makes this possible, supporting everything from governance to budgeting and accountability.
Aligns Internal Teams and Stakeholders
DoCRA enables consistent discussions internally and externally. No more endless debates about risk, “high risk” definitions, and “reasonable controls” based on opinions, vendor influence, or shifting priorities. Instead, all teams and stakeholders can use the same framework to define “high risk,” “acceptable risk,” “reasonable controls,” and when to escalate.
Why Is “Reasonable Security” So Important to Risk Management?
Almost every modern cybersecurity and privacy law and regulation in the US requires some form of “reasonable” security. It’s a key component of the FTC Act, SEC regulations, HIPAA, GLBA, CCPA/CPRA, plus state privacy and security laws. Reasonable security is important because it:
Determines Liability After a Breach
Courts rarely ask, “Was the company secure?” Instead, they look for reasonable steps taken to prevent foreseeable harm. If an organization cannot demonstrate the decision-making and risk reduction process above, it faces lawsuits, regulatory penalties, and reputational damage.
Aligns With How Regulators Enforce Security
Federal and state regulators expect organizations to be able to show they:
- identified risks
- evaluated the potential for harm
- considered the costs of controls and their potential to mitigate risk
- considered alternatives when selecting controls
Courts and regulators want to see cybersecurity decision-making, not just a list of implemented controls. DoCRA directly supports each of these requirements.
Ensures Controls Are Proportionate
Reasonable security avoids the two extremes:
- Too little security = negligence
- Too much security = operational drag, waste, and unjustifiably tight budgets
Reasonable security supports the selection of controls that are efficient, sustainable, and can be explained and justified.
Builds Trust With Customers and Partners
Reasonable security shows that your organization treats sensitive data and information with accountability and that the protections match the level of risk.
How DoCRA and Reasonable Security Work Together
DoCRA gives you the “how.” Reasonable security is the “what.”
By implementing DoCRA, you can achieve reasonable security and create a cybersecurity risk program that is defensible, repeatable, and documented. It protects your organization and the people it serves, and it meets regulatory and legal requirements. Organizations using DoCRA can confidently demonstrate how they arrived at risk decisions, making it far easier to stand up to legal, audit, and regulatory scrutiny.