Risk Tolerance: Understanding the Risks to your Organization

‘A ship in port is safe, but that’s not what ships are built for,’ said Dr. Grace Hopper, Rear Admiral of the US Navy and a computer pioneer. As soon as the ship leaves the harbor, or even the dock, there are risks.  Depending on conditions and purposes, the ship’s crew might decide they are negligible, that they can be recovered from, or that the potential rewards are worth the risk.  The same ideas can be applied to computers. A computer that is not networked to anything and never turned on is likely safe from most cybersecurity attacks but is also not particularly useful.  Deciding what risks are acceptable describes risk tolerance.

For example, consider a powered down laptop.  Is turning it on risky?  Some of the risks of using that machine can range from the simple to the extreme, depending on your role in the organization.  Risks can arise from simply plugging into the office network or downloading files from a known location, all the way to releasing code or configuration changes to a production system.  There’s a lot of “it depends” when assessing risks, and most will relate to the specific situation.  The answers are different if you work with an unnetworked crash box, or if you manage an enterprise server that is subject to GDPR compliance.

Compare this to riding a bicycle.  If the cyclist is experienced, on an empty street, and the bike is in good working order, safety may not seem to be a question.  Sure, it’s possible the rider could crash and skin their knee, but that may not be a big deal, and the risk is unlikely. However, an inexperienced rider on a bike with poor breaks along busy highway will not have the same risk level. How can you effectively communicate these different risk degrees?

Risk is often represented in a table with 3 or more rows and columns, labeling the likelihood or probability of the risk across one axis and the impact severity along the other, and multiplying the values.

Our risk described for the experienced cyclist likely calculates out to a 1 while the inexperienced cyclist is in the 6-9 range.  Moving the conversation to numeric values allows you to compare risks and set limits, also known as your risk tolerance. For example, if you aren’t comfortable with risks with a value over 5, this would lead you to take action to mitigate the risk. For instance, if either of our cyclists are on a defective bicycle, the probability of an accident goes up until the bicycle is repaired. 

Risk Tolerance is totally situational.  For a computer security example, what decisions might be made about installing a third-party productivity add-in that was recommended by a co-worker?

Many organizations like insurance firms or  investment companies offer online risk surveys that can give you a sense of your risk appetite for their realm.  However, no 10-question tool is going to give you the situational analysis for your cybersecurity needs. There is a bit of an art to it, and a lot of negotiation.  As seen above, what may seem like a minor inconvenience to some may be appear to be a large red flag to another, so performing a risk analysis with a group of stakeholders is likely to come out with more accurate results than one person making a list. 

Whether you are looking at the risks of implementing a hardware replacement project, choosing a new accounting tool, or identifying which of the CIS Controls you should focus on, the steps are actually simple to describe: 

1. Brainstorm the risks – consider what could go wrong.  For example, if you are evaluating a new system, what are the risks if the new hardware doesn’t arrive on time, the project timeline could be impacted to the point of business disruption. From a security perspective, if you don’t have an accurate asset inventory, you may be at risk of having unpatched or non-compliant systems that desperately need security updates, raising your risk exposure. 
2. Analyze the probability and impact.  Discuss it.  You may find potential impacts for edge cases that were not on the minds of some of your team.  Not everyone will agree on severity, but the discussion will help find balance of whether an impact is low or medium.  A small organization can use a simple spreadsheet to calculate risk, while a larger organization will require commercially available assessment tools.
3. Identify your risk tolerance.  At what point numerically does a potential issue become an acceptable risk?  This may end up being iterative with the analysis.  You may look at your table for analysis of software asset risks and find the high impact/high probability is not as business critical as the high impact/high probability of your malware defenses.
4. Identify your risk mitigation response.  You may require that there is a plan in place for any risk that has a value that exceeds your comfort. Your risk response will use one or more of these response categories:
   1. Avoid the Risk – What can you do to prevent the risky issue from happening?  Can you test that the software tool candidates will do what you desire, or confirm the vendor will have your hardware in stock?
   2. Reduce the risk – What measures can you take to reduce either the likelihood or the impact if the risk occurred. This is where security controls become vital.
   3. Transfer the risk – Have a different party deal with this risk. Often, this is handled through contract clauses and insurance policies.
   4. Accept risk – Recognition that the occurrence of the risk is minimal enough that the cost to mitigate it exceeds the benefit of mitigation.

Monitoring for risk is an important step to keeping an organization safe.

From a cybersecurity perspective, you could contemplate the risks involved with teammates clicking links on phishing emails. They could get spammed or tricked into giving out data, or malware may affect their machine.  You’ve decided that this poses a low probability, but may have a high impact, and your risk tolerance means that you to do something about each possibility.  You can reduce the risks by providing regular training and practice for your team as well as implementing spam and malware identification tools.  You can mitigate by having the team member feel confident they can contact their security group, and the security group knows how to isolate and remedy the issue.  You might get ransomware insurance to transfer the monetary effects to your insurance company. The security group will need to monitor various aspects of the risk strategy, such as what is being reported as a phish, who needs more training, what the latest tools are, and what their normal load of email is, and be able to escalate when the ecosystem demands the risk analysis needs updating.

Risks are a normal part of any activity. The important part for cybersecurity professionals is to carefully evaluate the risks to the organization, and work to put plans in place to mitigate those risks that aligns with the risk tolerance of the organization.