Last week I presented a topic here at Halock’s blog site on the Hand Rule, also known as the “Calculus of Negligence.” The basic message of the post was that we can use information risk assessments to help us keep our security costs to a reasonable level, but only by describing how we would arrive at the upper limits of a reasonable security cost. Be sure to read The Hand Rule: Managing the Upper Limits of Risk Management in order to understand the full point of this posting.
Today we are interested in how to establish a lower limit of investment in information security safeguards. How do we know if we’ve spent too little to manage our risks to information?
The “lower limit” question is very near and dear to the hearts of people who manage budgets. As long as information security is considered a burden, management will want to drive down security budgets both in terms of investing in security safeguards and in sustaining those safeguards with attention from personnel.
Keep in mind that the risk assessment causes us to calculate our information risks with current safeguards in place as well as intended safeguards. Our laws and regulations for securing personal information remind us that our risk goal is to reach a standard called “reasonable and appropriate.” The Hand Rule helped us determine when a risk control is inappropriately high, so how can we determine when a risk control is inappropriately low?
Let’s start by considering an actual information risk for a sales team.
“My sales people are gathering personal information in the field on their unencrypted pen drives. If the drives get lost, our clients will drop us. We lose pen drives at least once a month, and some of our clients represent $1MM a year in revenue for us. Within the year we could expect to lose a pen drive with one of those high-yield clients. That’s too high a risk.”
“If we encrypt those pen drives then even if they are lost there will be no breach and our clients will stay. The cost of encryption is much lower than the potential loss. That’s a risk I would accept.”
Now let’s look at this in the form of a risk register:
Let’s say that this organization has scored their likelihood and impact using the values below:
Notice in our risk register that we’ve calculated this risk at the value of 20. We are calculating risk using a common method: multiplying the likelihood value by the impact value. Because our impact and likelihood value ranges are 1 through 5, risks can be valued from 1 to 25. Our valuation for the current-state risk is high (20 out of 25), and our planned residual risk is much lower (5 out of 25). Is that a defensible lower limit of a reasonable and appropriate control?
That depends on a few factors. The most common answer we encounter in the field is almost arbitrary. An officer with the authority to declare a risk as reasonable in an organization may decide that the risk is reasonable and may sign off on it. In effect, they are saying, “We think that if it is not foreseeable that an encrypted, lost pen drive could create a cost impact of $5 million (or any loss for that matter) then we consider that reasonable. How can we do better than that?”
That officer may also sign off on a “foreseeable” risk of such a loss. Say once per five years a pen drive that was never encrypted may be lost with PII on it (we all make mistakes, right?). Their likelihood score would be ‘2’ and their impact ‘5’, for a risk score of ‘10’, and they may say that they will accept that risk.
I’m not a fan of the arbitrary risk acceptance program. An officer should feel uncomfortable arbitrarily signing off on risks. Those decisions can come back to bite us pretty badly.
Instead, I prefer to help organizations determine a level of risk that they would consider unreasonable to invest against. The answer to this question can help determine a uniform “risk acceptance level” for all risks. And there we have it: the lower level of “reasonable and appropriate.”
If you choose to establish a standard risk acceptance level for your risk assessment, you will want to be sure that you’ve made a few preparations.
First, be sure that your impacts are defined in terms of your organization’s mission. If your mission is to provide goods or services to the public, then a breach to information could create a negative impact to that mission. Similarly, you may have as part of your mission a growth plan, a high value of return to investors, dignified service to the public. Data breaches can create a negative impact on all of these aspects of a mission.
Next, define your impact values based on ranges of impacts to your mission. If part of your mission is ensuring that your customers’ information is never breached, and another is to grow 50% in three years in a competitive market, then maybe your impact values would look like this:
These impact levels must be defined by each organization depending on the tolerances they would set for themselves. No two organizations will have the same impact criteria, but every client we have worked with to define these criteria has come to meaningful definitions. The better you define impacts, the more consensus you will have both in estimating risks and in designing security controls to address those risks.
Before we demonstrate the payoff, let’s first consider likelihood definitions. Remember that the growth plan is a three-year plan. This implies a three-year planning threshold in the organization. So let’s propose these likelihood ranges:
Again, we work with clients to come to a meaningful way to arrive at these Likelihood ranges.
So now we have the essential parts of developing an acceptable level of risk for all risks. Couldn’t we now say the following?
“We could tolerate our customers being inconvenienced short of any harm coming to them, but no more often than once every three years.” That statement is like saying, “We can accept risks that have a likelihood of ‘2’ and an impact of ‘2’.”
Similarly, management could decide that the three-year growth plan should not be allowed to drift lower than 10% ever. In that case, they may say, “We can only accept a risk that has a likelihood of ‘1’ with an impact of ‘2’.” That’s a lower tolerance of risk than the previous example.
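As an added illustration (not part of the original post), here is a small register that scores risks the way the post does, likelihood times impact on 1 through 5 scales, and checks each risk against a uniform acceptance level. The register entries are constructed; the factor pairs behind the page’s 20 and 5 are assumptions, as is the reading that an acceptance level of “likelihood 2, impact 2” caps both dimensions rather than only the product score. The last function shows why that distinction matters: a score-only cutoff of 4 would accept a likelihood-1, impact-4 risk that the impact cap rejects.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the post's 1..5 likelihood and impact scales

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if v not in SCALE:
                raise ValueError(f"{self.name}: scores must be 1..5, got {v}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # common method: likelihood x impact, 1..25

@dataclass(frozen=True)
class AcceptanceLevel:
    """A uniform risk acceptance level: the highest likelihood and impact tolerated."""
    max_likelihood: int
    max_impact: int

    def accepts(self, risk: Risk) -> bool:
        # Assumption: both dimensions must be within tolerance, not just the product
        return risk.likelihood <= self.max_likelihood and risk.impact <= self.max_impact

def evaluate(register, level):
    """Map each risk name to whether it sits at or below the acceptance level."""
    return {r.name: level.accepts(r) for r in register}

def masked_by_score_only(register, level):
    """Risks a score-only threshold would accept although one dimension exceeds its cap."""
    cutoff = level.max_likelihood * level.max_impact
    return [r.name for r in register if r.score <= cutoff and not level.accepts(r)]

# Constructed register; the factor pairs behind the page's 20 and 5 are assumptions
REGISTER = [
    Risk("lost unencrypted pen drive (current)", 4, 5),           # 20 of 25
    Risk("lost encrypted pen drive (planned residual)", 1, 5),    # 5 of 25
    Risk("unencrypted drive lost once per five years", 2, 5),     # 10, the sign-off case
    Risk("customers inconvenienced, once in three years", 2, 2),  # 4
    Risk("rare event with real customer harm", 1, 4),             # also 4, higher impact
]
CUSTOMER_CARE = AcceptanceLevel(max_likelihood=2, max_impact=2)  # "likelihood 2, impact 2"
GROWTH_PLAN = AcceptanceLevel(max_likelihood=1, max_impact=2)    # "likelihood 1, impact 2"
```

Under the customer-care level only the inconvenience risk is accepted; under the stricter growth-plan level nothing in this register is, including the planned residual risk that an officer signed off on one at a time.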
But again, these all depend on what the organization believes to be important to their mission, whether based upon customer care, the public good, investor returns or reputational considerations.
So while the lower limit of acceptable risk may be set with the best intentions by a designated manager approving risks one at a time, the acceptable-level-of-risk approach provides a consistent standard that is based on the organization’s mission.