Risk Management Process

Earlier in this chapter, risk management was defined as the practice of identifying, assessing, controlling, and mitigating risks. Identifying the threats and vulnerabilities that are relevant to the organization is an important step, just as knowing the worth of an asset can help determine the impact of its loss. With this information, action can then be taken to reduce potential losses to assets from these risks.

Realizing that risk management is not the same as risk elimination is important. Risk elimination isn’t a reasonable goal. Instead, risk management attempts to identify the risks that can be minimized at a reasonable cost and implements controls to do so. Risk management includes several elements:

  • Assessing risks—Risk management starts with a risk assessment, or risk analysis. There are several steps to developing a risk assessment:
    • Identifying the assets of an organization and their value—When focused on IT, these assets can include data, hardware, software, services, and the components of the IT infrastructure itself.
    • Identifying threats and vulnerabilities to the assets—Prioritize the threats and vulnerabilities.
    • Identifying the likelihood of a vulnerability being exploited by a threat—These vulnerabilities are the risks.
    • Identifying the impact of a risk—Risks with higher impacts should be addressed first.
  • Identifying a risk response—Risks can be avoided, shared or transferred, mitigated, or accepted. That decision is often based on the likelihood of the risk’s occurring, the impact it would have if it does occur, and the cost to implement a sufficient control.
  • Selecting controls—After the risks have been identified, control methods can be identified and selected. Control methods are also referred to as countermeasures. Controls are primarily focused on reducing vulnerabilities and impacts.
  • Implementing and testing controls—Once the controls have been implemented, they can be tested to ensure they provide the expected protection.
  • Evaluating controls—Risk management is an ongoing process. Implemented controls should regularly be evaluated to determine whether they still provide the expected protection. Evaluation is often done by performing regular vulnerability assessments.

TIP

Risk management controls are any actions or changes put into place to reduce a weakness or potential loss. NIST Special Publication 800-37 Rev. 2 identifies three classes of controls: technical, administrative, and physical. More will be learned about controls later in this text.

TIP

Controls are often referred to as either preventive or detective. Preventive controls attempt to prevent the risk from occurring. Examples include increasing physical security and training personnel. Detective controls try to detect activity that may result in a loss. Examples include antivirus software and intrusion detection systems.

Cost-Benefit Analysis

After risks have been identified, steps can be taken to reduce or manage them, often by implementing controls, or countermeasures. Managing risks comes at a cost. If too much money is spent on reducing risks, the business’s overall profit will be reduced. If too little money is spent on reducing risks, a loss could result from an easily avoidable threat and/or vulnerability. Ideally, organizations should never spend more on controls than the value of the asset. For example, an organization should not spend $10,000 in controls for an asset that is worth only $5,000. The amount spent on controls should be proportional to the risk, which is known as the principle of proportionality.

Risks can be measured based on the value of the asset. A cost-benefit analysis (CBA) can be performed to help determine which controls, or countermeasures, to implement. If the benefits outweigh the costs, the control is often selected.

A CBA compares the business impact with the cost to implement a control. For example, the loss of data on a file server may represent the loss of $1 million worth of research. Implementing a backup plan to ensure the availability of the data may cost $10,000. In other words, $10,000 would be spent to save $1 million, which makes sense.

Starting a CBA begins by gathering data to identify the costs of the controls and benefits gained if they are implemented.

  • Cost of the control—Cost of the control includes the purchase costs plus the operational costs over the lifetime of the control.
  • Projected benefits—Projected benefits include the potential benefits gained from implementing the control. These benefits are identified by examining the costs of the loss and how much the loss would be reduced if the control were implemented.

A control doesn’t always eliminate the loss. Instead, the control reduces it. For example, annual losses for a current risk may average $100,000. If a control is implemented, these losses may be reduced to $10,000. Thus, the benefit of the control is $90,000.

The following formula can be used to determine whether the control should be used:

Loss before control − Cost of control − Loss after control = Benefit of control

For example, the company lost $100,000 last year without any controls implemented. If the control is implemented, a loss of $12,000 a year is estimated. The cost of the control is estimated at $7,000. The formula is:

$100,000 (Loss before control) − $7,000 (Cost of control) − $12,000 (Expected residual loss) = $81,000

Implementing the control represents a benefit of $81,000.

One of the biggest challenges when performing a CBA is getting accurate data. Although current losses are often easily available, future costs and benefits need to be estimated. Costs are often underestimated, and benefits are often overestimated.

The immediate costs of a control are often available. However, sometimes, the ongoing costs are hidden. Some of the hidden costs may be:

  • Costs to train employees
  • Costs for ongoing maintenance
  • Software and hardware renewal costs, such as subscription costs

Following the principle of proportionality, if the costs outweigh the benefits, the organization might choose not to implement the control. Instead, it might choose to accept, share or transfer, or avoid the risk.
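The CBA described in this section, carried through in code as an added example that is not part of the original text. It applies the formula (loss before control − cost of control − loss after control) over a control's full lifetime, folds the hidden ongoing costs into the cost of the control, and applies the proportionality rule before recommending a response. The `Control` class, the function names, and all sample figures except the page's own $100,000 / $7,000 / $12,000 example are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure and its full lifetime cost profile (hypothetical type)."""
    name: str
    purchase_cost: float           # one-time purchase cost
    annual_operating_cost: float   # hidden ongoing costs: training, maintenance, subscriptions
    lifetime_years: int
    annual_loss_after: float       # expected residual loss per year with the control in place

    def lifetime_cost(self) -> float:
        # Cost of the control = purchase cost + operational costs over its lifetime
        return self.purchase_cost + self.annual_operating_cost * self.lifetime_years


def control_benefit(annual_loss_before: float, control: Control) -> float:
    """Loss before control - Cost of control - Loss after control, over the control's lifetime."""
    years = control.lifetime_years
    return (annual_loss_before * years
            - control.lifetime_cost()
            - control.annual_loss_after * years)


def evaluate_control(annual_loss_before: float, asset_value: float, control: Control) -> dict:
    """Run the CBA plus the proportionality check and return the recommendation."""
    benefit = control_benefit(annual_loss_before, control)
    cost = control.lifetime_cost()
    if cost > asset_value:
        # Principle of proportionality: never spend more on controls than the asset is worth
        decision = "reject: control costs more than the asset is worth (proportionality)"
    elif benefit <= 0:
        decision = "reject: costs outweigh benefits; accept, share/transfer, or avoid the risk"
    else:
        decision = "implement"
    return {"control": control.name, "lifetime_cost": cost, "benefit": benefit, "decision": decision}


# Constructed sample controls; only PAGE_EXAMPLE reproduces the figures given in the text.
PAGE_EXAMPLE = Control("page example", purchase_cost=7_000, annual_operating_cost=0,
                       lifetime_years=1, annual_loss_after=12_000)
BACKUP_SERVICE = Control("offsite backup subscription", purchase_cost=2_000,
                         annual_operating_cost=4_000, lifetime_years=3, annual_loss_after=5_000)
GOLD_PLATED = Control("oversized appliance", purchase_cost=150_000,
                      annual_operating_cost=10_000, lifetime_years=3, annual_loss_after=1_000)

if __name__ == "__main__":
    for ctl in (PAGE_EXAMPLE, BACKUP_SERVICE, GOLD_PLATED):
        print(evaluate_control(annual_loss_before=100_000, asset_value=150_000, control=ctl))
```

Note that the oversized appliance shows a positive benefit on paper but is still rejected, because the proportionality check runs before the benefit comparison.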

Profitability Versus Survivability

Both profitability and survivability must be considered when evaluating the cost of risk management:

  • Profitability—Profitability is the ability of a company to make a profit. It is calculated as revenues minus costs.
  • Survivability—Survivability is the ability of a company to survive a loss due to a risk. Some losses, such as fire, can be disastrous and will cause the business to fail.

In terms of profitability, a loss can ruin a business. In terms of survivability, a loss may cause a company never to earn a profit. The costs associated with risk management don’t contribute directly to revenue gains. Instead, these costs help to ensure that a company can continue to operate even if it incurs a loss.

Regarding profitability and survivability, the following items should be considered:

  • Out-of-pocket costs—The cost to reduce risks comes from existing funds.
  • Lost opportunity costs—Money spent to reduce risks can’t be spent elsewhere, which may result in lost opportunities if the money could be used for other purposes.
  • Future costs—Some countermeasures require ongoing or future costs. These costs could be for renewing hardware or software. Future costs can also include the cost of employees to implement the countermeasures.
  • Client and stakeholder confidence—The value of client and stakeholder confidence is also important. If risks aren’t addressed, clients and stakeholders may lose confidence when a threat exploits a vulnerability, resulting in a significant loss to the company.
  • Total cost of security—The total cost of security includes one-time costs, for example, spending money on an IDS, and ongoing, or recurring, costs, for example, the cost of an antivirus software subscription. This cost can be quite high, and the money spent reduces the company’s overall profit. But what’s the alternative? If these protections are not taken, the entire business could grind to a halt. If this happens too often or for too long, the business could fail.

Data is often one of the most valuable assets a business owns. It can include customer data; accounting data, such as accounts payable and accounts receivable; and employee data. The list could go on and on. This data is integral to the success of a business, so it is often backed up regularly.

For example, a business spends $15,000 a year on data backups, a cost that will not increase revenue or profits. In a full year’s time, data is never lost, and the backups are never needed. If profitability is the only consideration, management may decide to eliminate this cost. Backups are stopped, but the next year, data could be lost, causing the company to fail and go bankrupt.

The cost does need to be considered against profitability, though. For example, if a company earns only $10,000 a year in profit, the company’s spending $15,000 a year to protect its data doesn’t make sense.

On the other hand, for example, a company has $100,000 in annual profits. It chooses not to spend the $15,000 on backups, but then a virus spreads through the enterprise, destroying all customer and accounting data. The company no longer has reliable records of accounts receivable, and no one has access to the customer base. Such a scenario can be a business-ending catastrophe.
