What is Risk?
Risk is a description of a probable future event that involves the potential for loss or injury. We utilize risk processes to anticipate all kinds of possible futures. As a society we stockpile resources like food to avoid shortages, support a defensive military to deter conflict, build levees to manage flooding, and develop construction standards to reduce the likelihood and impact of catastrophic fires. We want to prepare for and prevent undesirable future events. We work to “colonize the future” (Mohun, 2016).
Taking risks is also important. A decision that involves a chance for loss or injury also has a chance for reward. Investors often need to consider both the upside of taking a risk and the downside. Developing a successful investment strategy involves establishing what an investor’s risk tolerance is. They need to clarify how much money they are willing to put at risk of loss to have the opportunity to gain (How to Determine, 2017). An investor who refuses to invest or who blindly invests everything they have, is probably not going to make any money. This makes the ability to determine the right amount of risk valuable.
Manufacturing Risk
Risk is not a creation of nature, however. It can not be picked from trees. It does not fall from the sky like rain. Just like the cellphone and the airplane, risk is a human creation to be manufactured. We must collect the information and ideas necessary to imagine potential futures and outcomes. Then we must select those outcomes that concern us and develop ways to describe them to others. In the absence of risk, there are only incidents or events which are happening in the present. We cannot manage the future if we cannot first manufacture it.
We also have varying abilities to manufacture risk. People envision the future using different sources of information. If those information sources or estimations are not correct, then a poorly manufactured risk will result. We sometimes use shortcuts to estimate the future. For example, if an event happened this year, we may simply assume it is less likely to occur next year. We may assume that something is less likely to occur because we don’t remember or have access to information about how frequently it does occur. We get comfortable and assume that all potential futures are acceptable because the present and recent past have been acceptable (Lavino & Neumann, 2010). For these reasons and more, our natural and untrained ability to create and manage risk is often not very good.
The natural inability for individuals to manufacture high quality risk and manage it effectively is why risk management frameworks and programs are so important. A risk should be made of high-quality materials (accurate information), be functional (related to a probable future), and reproducible (many other people could create the same risk). Standardizing a risk management approach for an organization is important to ensure that there is risk quality. Unfortunately, not all types of risks are manufactured and managed the same way. There are many different types of risk management frameworks and programs.
Manufacturing Information Security Risk
To make an information security risk, we need to identify probable events with the possibility for loss or injury. Due to frequent news media reports (Satter & Siddiqui, 2023), government warnings (Official Alerts & Statements, n.d.), and legal notification requirements from various states (Breach Notice to Consumers, 2023), we know that data breaches are probable events that involve the possibility of loss. We can lose time and money if this event occurs.
What if we want to pursue some amazing opportunities where the potential for data breach is involved? Just like an investor, we need to identify our risk tolerance. How likely are we to have a data breach if we pursue a business opportunity? What is the impact if one does occur? Does it outweigh the benefits to be gained?
Determining Frequency
We need good information about how frequently data breaches occur to establish probabilities. Unfortunately, organizations don’t always report data breaches. The details of these events are often confidential. Organizations are also typically eager for people to forget. It is also very possible that an organization had a data breach they never discovered. This makes the broad collection of data breach probability data difficult.
For this we may need to rely on risk communities. SUNY can share information about occurrence across the system to help establish likelihood data. There are information security companies that summarize their customer information, like the Verizon Data Breach Investigations Report (2023). These reports can help establish some probabilities within their customer communities. Insurance companies providing cyber coverage require specific controls we can use to infer some idea of likelihood (Cyber and Privacy, 2015).
When constructing risk, we don’t always have high quality probabilities to work with. In practice we often use the following criteria:
- Unproven. Theoretical (Lowest).
- Proven by researchers.
- Occurring in the world.
- Occurring in our industry.
- Occurring in our University System.
- Occurring in our University.
- Occurring in a University Department.
- Occurring to me (Highest).
As we move closer to 8, we should be more concerned. For example, we would consider risk realization in another SUNY University to represent high probability of occurrence in our own organization. This is probabilistically suspect as a methodology, but lacking complete and accurate data, this idea of closeness is often substituted. There are quantitative models that look better than guessing, but usually the numerical inputs to the models are qualitatively derived by using values like low, moderate, high and converting them arbitrarily to number values like 1,2 and 3. In practice we often just use qualitative methods instead of rigorously disguising subjective judgements in indisputable looking quantitative models which appear to originate from objectively accurate numerical data but do not.
As a side note, I have observed that Department B often doesn’t consider a risk realized in Department A, until it then occurs also in Department B. Lacking probabilities is a limitation, but closeness can also be useful. We should typically consider an information security risk realized in one department as likely in another.
Determining Impact
We also need to know the impact of a data breach. How much time or money will we lose because of this event? This will depend on how much data is breached, what type of data is breached, where the data was breached from, how well documented the systems and processes are, which firms are engaged in remediation, the length of time operations are suspended, and more. It can be very difficult to anticipate the total impact of a data breach.
This lack of consistency makes impact quantification very difficult. The impact can range from nothing to catastrophic and involves many factors. Insurance companies providing breach insurance have insight into the claim amounts that are filed related to data breaches. They know how much money their policy holders are spending to work through these incidents. Their data may not be fully inclusive. It may lack unclaimable expenses, and residual incident costs and disruptions. But it is data that can help quantify impact. Unfortunately, again, claim data is often confidential and not available beyond a summary that a particular insurance company may share about their risk community. We don’t have a consistent way to quantify impact or a comprehensive data source on it.
There are also different views related to impact. A malicious actor gaining complete control over all organizational systems and networks is a nightmare scenario, extremely high risk, to an information security professional. From a business perspective, however, we might only consider the impact to be high if the person does something harmful. Their actions must result in actual financial loss or injury. So further in our analysis, we might want to know the likely actions a malicious person will take once they have control. That isn’t a scenario that information security wants to consider though. We don’t want to let a malicious actor take control of all systems, regardless of the actions they may or may not take. We almost always consider that to be high impact which defies estimations of financial loss and injury.
Risk factors are also usually cumulative. The impact resulting from one missing risk consideration might be minimal. For this reason, we may not place any special emphasis on many individual risks, because those risks in isolation are not worth considering. But data breach risk is an aggregation of many smaller risks. This makes calculating probabilities difficult since we may want to consider the probabilities of each contributing risk and their various possible combinations. It also makes impact more difficult to consider. Should we allow lower risks to inherit the impact of the higher possible risk realization that may occur when various risks combine? Will people within the organization understand why seemingly meaningless activities require so much care and concern?
Working with Limited Data
This sounds a bit hopeless. We want to offer a great new service and maybe take a lot of risk of data breach. But we want to take a specific amount of risk. We want 80% risk or 50% risk. Often, however, information security risk management will talk about best practice. We identify risk qualitatively (high, moderate, low), and then apply best practice methods which are considered to reduce risk. It’s not an exact science. It’s very difficult to meaningfully manage risk to a specific decimal point without access to a large amount of quality data.
Should we just give up? This is likely a question that organizations ask when faced with the above realities. We can’t manage risk exactly and we aren’t as in control as we would like to be. We should not give up though. We can know some things concretely that help us. Due to the efforts of researchers and the professional cybersecurity community, we can know if an event is possible, and we can know if it is occurring in the world. We can also get a good idea of impact in terms of losing control of systems and networks. We can’t always know what that means in a business context, but we do generally know what will cause us to lose control of systems.
This is often a major discrepancy between risk management in information security and the management of various risks in an organization. Information security practices are fighting to maintain control of systems but it’s not always straightforward what loss of control will mean. It’s very possible that a loss of control can occur, and nobody will even know. That is a scenario that the organization may not really care about, because it doesn’t technically impact operations. There is no measurable loss. But the difference between nothing happening and a huge crisis is outside the control of the organization at that point. Without control, it’s possible that any or all related risks can be realized.
Closeness and Loss of Control
We need excellent data to manufacture excellent risks, but we often don’t have that in information security. We can still manufacture risks which are good enough. We can make some very objective and effective risk assessments if we consider using “closeness” in place of numerical probability (wherever quality data doesn’t exist) and if we look at impact in terms of various degrees of “loss of control” instead of specifically as the monetary value of loss, or degrees of injury (whenever financial impact or harm to individuals is impossible to accurately determine).
Final Thoughts on the Risk Factory
These concepts may be undesirable in the management of other more established risks, such as financial risk. This is why we must consider the manufacturing and management processes differently across the various types of risk. Information security risk is likely unique because we must consider risk aggregation more deliberately. We also lack the concrete data required to reasonably estimate probabilities related to participation in a globally connected network of infinite numbers of systems and participants which are combined and recombined in increasingly complex ways without any meaningful limitations. It is quite possible that straight forward quantitative risk analysis will be forever elusive because it’s simply too difficult to create a human understandable and objectively accurate model of this infinite environment. We may need to embrace qualitative methods in this risk area for much longer. Despite the information security risk factory looking different, it still works well enough that it should be used.
References
Cyber and Privacy Insurance Application Form. (2015). ACE Insured. https://www.eqgroup.com/Pdf/Chubb/CHUBB-Cyber-Privacy-Insurance-Application.pdf
Breach Notice to Consumers. (2023). AudienceView. Security Breach Notices | Office of the Vermont Attorney General
Froot, Kenneth, David Scharfstein, and Jeremy Stein. “A Framework for Risk Management,” 1994. https://hbr.org/1994/11/a-framework-for-risk-management.
How to Determine Your Risk Tolerance Level | Charles Schwab. (2017, March 30). https://www.schwab.com/learn/story/how-to-determine-your-risk-tolerance-level
Lavino, J. G., & Neumann, R. B. (2010). Psychology of risk perception. Nova Science Publishers.
Mohun, A. P. (2016). Constructing the History of Risk. Foundations, Tools, and Reasons Why. Historical Social Research / Historische Sozialforschung, 41(1 (155)), 30–47. JSTOR.
Official Alerts & Statements—FBI | CISA. (n.d.). Retrieved January 19, 2024, from https://www.cisa.gov/stopransomware/official-alerts-statements-fbi
Risk Definition & Meaning—Merriam-Webster. (n.d.). Retrieved January 18, 2024, from https://www.merriam-webster.com/dictionary/risk
Satter, R., & Siddiqui, Z. (2023, August 8). MOVEit hack spawned over 600 breaches but is not done yet -cyber analysts | Reuters. Reuters.Com. https://www.reuters.com/technology/moveit-hack-spawned-around-600-breaches-isnt-done-yet-cyber-analysts-2023-08-08/
Verizon Data Breach Investigations Report. (2023). https://www.verizon.com/business/resources/reports/dbir/?cmp=knc:ggl:ac:ent:ea:na:8888855284&utm_term=verizon%20data%20breach%20report&utm_medium=cpc&utm_source=google&utm_campaign=GGL_BND_Security_Exact&utm_content=Enterprise&ds_cid=71700000082347933&ds_cid=&gad_source=1&gclid=EAIaIQobChMIouvxrtPpgwMVQHBHAR2HCgBCEAAYASAAEgJlkPD_BwE&gclsrc=aw.ds