Effectively managing cyber risks requires an understanding of how to assess the impact of risk. A strategy for the management of a risk should correspond with the nature and degree of the risk to be addressed. Risk assessment tries to identify and anticipate possible events. Effective risk assessment offers an organisation the opportunity to take greater control of its internal and external environment. Instead of reacting to events, the organisation with an effective risk assessment and management strategy can plan and direct its actions with greater confidence that it will not be undermined by unforeseen events.
Risk assessment involves certain processes. The first is to identify the risks associated with a particular activity or strategy. Technological, legal compliance and operational risks were identified in earlier chapters. The next process is to assess and evaluate the potential impact of a particular risk on the organisation. This chapter is concerned with that process. The third process involves implementing appropriate steps to either eliminate the risk or reduce it to an acceptable level, namely risk management, which is considered in Chapter 7.
Fundamentally, risk assessment is no different from any other form of assessment, involving the same processes of planning and evaluation. Business professionals, such as lawyers, accountants, surveyors and financial advisers, are always involved in this process when acting upon clients’ instructions. By their nature and training, professionals are naturally cautious and, therefore, risk averse. In their own businesses, the traditional concept of risk assessment is predominantly associated with strategies for the avoidance of professional errors and omissions.
A management strategy cannot always eliminate risk and sometimes the strategy must be limited to reducing risk, so that the consequences are manageable. This is especially so in respect of Internet technologies where, for example, placing advertising material on a website, which is accessible globally, risks infringing regulations in foreign countries and exposes the organisation to risks of a global nature.
Broadly, risk may be regarded as any matter that might jeopardise a business’s accomplishment of its objectives. There are different types of risk. Strategic risks concern the overall direction of an organisation and frequently arise from its position in the wider business environment. In terms of Internet technologies, the decision to deploy a website will be a strategic decision – it concerns the future competitive position of the organisation.
Operational risks involve the functioning of an organisation. If a website is deployed, thought must be given to appropriate content. Management of the content is an operational issue. If inaccurate content is posted, the ability of the organisation to offer its services could be prejudiced.
Cyber risks introduce a confusing blend of strategic and operational risks. Collecting data through a website for the purposes of marketing an organisation more effectively to clients and visitors is a strategic decision because it is concerned with gaining competitive advantage in the marketplace. However, the proper handling of any data collected is an operational issue involving the internal compliance functions of the organisation. If data is handled incorrectly, risk of prosecution or an action for damages arises and the business operation might be prejudiced. In this instance, there are, therefore, strategic and operational risks arising from a single issue, the collection of data.
There are different types of risk. Pure risks can result only in losses. Speculative risks involve potential benefits and disadvantages. Some risks have clearly foreseeable consequences. Others have only possible consequences. The risks with clearly foreseeable consequences are easier to manage. They can be avoided altogether or strategies can be devised for management of the consequences.
Speculative risks with possible, variable, or ill-defined consequences present greater difficulty. For the most part, this type of risk arises in the use of Internet technologies, partly because the technologies are developing rapidly and partly because the extent of their use is potentially global.
For example, what might be the consequences of collecting personal data through a website? The consequences might be an increase in volume of business as consumer relationships develop, or a prosecution for infringing the provisions of the DPA. In assessing and managing cyber risks, frequently the only strategy is to take and accept some risk, reduced as far as possible by careful planning in the hope that the business strategy succeeds.
Risk is not always obvious and can emerge quite unexpectedly. It does not necessarily appear as an identifiable threat. This is especially true of external risk where organisations are dependent upon an environment wholly outside their control. Risk might arise from failing to recognise the need to adopt a relevant strategy in a changing market – particularly relevant in the case of Internet technologies. Failure to employ adequate security measures may be regarded by clients and strategic allies as poor service and result in loss of competitive advantage and business opportunity. Internal risk can arise just as unexpectedly in the form of the unpredictable behaviour of staff. Risk appears in a variety of guises. It is impossible to confine its incidence to particular events or situations.
Risks can impact at all levels and will differ according to the size and nature of the organisation. Small organisations are more likely to be at risk from events threatening their future survival. Larger organisations may be at risk from factors arising from their sheer size and the intricacy of their organisational processes. In order to understand whether and, if so, how an organisation faces risk in respect of a particular activity, it is helpful to ask certain questions:
• What is the worst that could happen?
• How likely is it to happen?
• Are procedures in place to stop it happening?
Risk can also be confused with a number of other situations which are not truly risks. These might arise in two instances. First, the perception of risk can, and often does, differ from individual to individual. For a business manager, an information technology project represents a major opportunity. For the information systems project manager, however, it may involve major risks. Risk assessment determines the difference between the real and the perceived risk. Therefore, there is a need to create a commonly understood perception of risk.
Second, potential confusion lies in the analysis of problems as opposed to risk. Every organisation faces problems. Risks are potential problems. In trying to understand what is a risk and, therefore, requires analysis, and what is a problem masquerading as a perceived risk, perhaps requiring a different approach, the manager or the individual charged with the assessment needs to be clear that it is the impact of a future set of circumstances that is to be addressed.
Risk will affect an organisation adversely in two ways: either impacting upon the day-to-day performance of the organisation’s function; or, more seriously, impacting upon business continuity. An example of a risk affecting the efficiency of the organisation is the failure to plan and adequately manage Internet technology systems to ensure quality of performance. Examples of risks threatening business continuity are virus intrusion, ‘hacking’ activities, or ‘denial-of-service’ incidents preventing the organisation from providing an electronic service.
The first step in assessing risk is to identify any risk that might arise from a particular strategy as accurately as possible. This is familiar territory for professionals accustomed to identifying risk on behalf of their clients; distinguishing one or more courses of action open to a client and suggesting the advantages and disadvantages of each, then offering advice on the most appropriate course of action.
The same principles can be applied in the case of cyber risks. Consider the strategy that the organisation wishes to pursue, such as allowing limited client access to check the progress of instructions online, and then list the potential risks – the most obvious being that a third party may inadvertently gain access to this confidential information. Every organisation will identify different risks because every organisation is different. In many cases, risks will be specific to the particular activity proposed and the manner in which the firm proposes to undertake it.
Once a risk is identified, its impact will need to be assessed. This process involves identifying the business assets and assessing the impact on the organisation if the perceived risk should materialise.
In terms of cyber risks, ‘business assets’ are the organisation’s reputation and the goodwill of its clients. Risks will be any consequences of the proposed activity that have an adverse impact on the business assets, for instance the interception of insecure confidential e-mail. The impact will be the immediate and future loss, including any action taken by the client as a result.
There are different methods for performing a risk assessment. It might be calculated in terms of a mathematical formula as an estimation of the likelihood of a risk materialising. Another approach might be to conduct an analysis of its likelihood based on decisions in the light of particular circumstances. A third approach might be to take a calculated risk based upon convenience or practicality.
Some examples might help to explain this suggestion. In respect of the first approach, for an assessment of whether there might be any real risk of staff using Internet technologies to harass fellow employees in a small organisation with trusted and long-serving personnel, a simple mathematical formula, such as a score of 1–10, might be applied.
In the second approach, a decision-based assessment may be required regarding, say, the risk of infringement of foreign advertising codes in placing advertising material on a website. The decision might be taken to proceed provided a statement on the site makes it clear that the advertisement is directed at United Kingdom viewers of the website only.
In the third approach, a calculated risk might be required to incur the expense of security technology that would allow clients to access the organisation’s systems, in the hope that this would generate an improved client relationship and enhance the organisation’s reputation, although at the same time exposing the firm to the potential danger of unwanted access by unauthorised third parties.
Risk assessment also involves other features. For example, there will always be a human element in assessing risk, in the decision-making process and even in the risk itself. Most of the operational risks considered earlier concern the conduct of staff in the workplace.
It is important to adopt the right approach to personnel. Management that is seen by subordinates as divisive or indecisive is unlikely to gain their support and commitment and is, therefore, far more likely to be exposed to risk than an efficient committed team.
In the same way, a management team that lacks adequate technical and business expertise is unlikely to show adequate ability in assessing the risks arising from a project involving skills beyond its capabilities. An individual whose experience of information technology is severely limited can hardly be expected to be at the forefront of the implementation of an IT security strategy.
A poorly performing management team is unlikely to gain the competitive advantage that a properly thought out risk assessment strategy can offer. In these situations, the danger is that an irresolute or incompetent approach to the project will result in the organisation continuing to remain exposed to risk.
The objective of risk assessment is to balance the potential benefits against the potential risks of a proposed course of action, enabling a decision to be made on whether the action is justified. Properly assessing risk helps to provide time, information and a degree of control that will assist in more effective decision making.
The assessment needs to be as accurate as possible in order to develop a framework to manage it most effectively. A risk strategy aims to accept risk and manage it in a way that is acceptable to the organisation.
A risk assessment will have particular objectives. First, there is the need to assess all aspects of the risk, so that it can be minimised.
Second, it provides the ability to investigate whether the risk can be managed by transferring the responsibility for its management, for instance by outsourcing some or all of the organisation’s IT function.
A third objective is to assess the degree of a particular risk with a view to its elimination. A risk that is eliminated does not require any subsequent management.
Other more direct benefits include:
• improved understanding of risks and their impact;
• more appropriate business response strategies;
• more accurate risk/cost calculations;
• identification of business opportunities;
• development of an organisation-wide approach to risks;
• enabling an organisation to develop ‘know-how’ in risk management;
• identification of a wide range of internal and external risks, which may be categorised for future reference.
In order to understand how these benefits might apply in terms of Internet technologies, a useful exercise is to apply them to a specific strategy, for example a proposal to provide encrypted e-mail facilities for a large commercial client for the completion of a complex project. Mapping the benefits listed above across the proposed strategy, the following benefits emerge:
• Discussion of the strategy with the client will clarify requirements and expectations and improve the quality of the service.
• Consultation will take place with the client on the steps required to implement the strategy, to agree any contingency plans and to explain any exceptional costs that may be incurred.
• The consultation process encourages both parties to develop procedures for handling e-mail that will minimise exposure to risk and maximise the efficiency with which e-mail is employed.
• A feature which was once a threat becomes an opportunity for collaboration and, therefore, a business opportunity.
• As confidence is generated, other ideas emerge for the use of secure communications technology on other projects, or in other ways.
• Valuable information is obtained about the client’s potential requirements so developing the organisation’s knowledge base.
• Mutual discussion ensures that all aspects of the risk assessment are considered for future occasions.
This analysis shows that if approached on the basis of collaboration and dialogue, in addition to a proper assessment of risk, a valuable marketing opportunity presents itself as well as the ability to enhance the reputation and goodwill of the practice.
Effective risk assessment requires sufficient information to be available to enable an informed assessment to be made for successfully managing the risk. There must be an effective mechanism for collecting information. There are three useful approaches that can be adopted, which may be employed exclusively or in conjunction with each other, according to preferences and the needs of the organisation.
One approach is to interview key personnel to identify the particular issues that might arise. These personnel will be those most closely concerned with eventual management and control of the risk in question. Returning to the example of collecting personal data from a website for marketing purposes, there may need to be consultation with those responsible for ensuring compliance with the DPA and individuals in the firm’s IT department responsible for ensuring that any data received is securely stored in the organisation’s system.
A second strategy is to circulate questionnaires directed to key personnel. This can be valuable where the organisation wishes to establish whether there are common concerns over particular risk issues.
Third, workshops or focus groups for key personnel can also be employed to receive and develop ideas for managing identified risks.
Once adequate information is received, it can be recorded in a standard format, which includes a measurement of the greatest risks. It is important to ensure that information is obtained from appropriate sources. Risks which may be regarded as strategic – for instance, those arising from marketing activities through the firm’s website – will require information from those responsible for strategic issues. These will usually be at senior management (board or partnership) level, even though implementation may be at a lower level. Risks that are essentially technology based in nature, for instance the threat of virus infiltration and the need to deploy anti-virus software, will require information from those with technological knowledge.
Consideration should also be given to the quality of information collected. It is important to obtain a full perspective of the risk when seeking information. Some individuals’ perspectives will be more valuable than others. Often, the most valuable information is obtained from junior or support staff charged with implementing the policies of senior management.
A logical approach to recording the findings of a risk assessment is to develop a risk control plan, which will specify responsibility and accountability and the nature and impact of the measures and controls to be applied. It is a mechanism for identifying and rating, or evaluating, the risk and then deciding upon suitable preventative or corrective action.
Once the risk assessment is complete, formulation of a risk control plan should not be difficult. Information identifying the risk and the circumstances of its incidence will have been obtained and can be recorded. A checklist can be used, although this will need periodic review to take account of new risks arising from new services provided by the organisation.
The next step is to ‘rate’ or evaluate the significance or importance of the risk – how likely is it to happen? Rating risk means deciding the likely consequence to all aspects of the organisation. This will involve profiling each risk and its interrelationship with any other functions of the organisation. Obviously, the greater the threat posed by the risk, the greater should be the priority accorded to it in terms of resources.
The final step is to determine the organisation’s response to the risk – how can the risk be controlled, reduced or eliminated? Determining appropriate action involves deciding what measures need to be adopted to respond appropriately to the identified risks, having regard to their gravity and priority. The overall objective is, as far as possible, to place the business in the position it occupied before the consequences of the risk were realised. Therefore, the response should include the minimum requirement for essential operations to continue.
In practical terms, the organisation should develop a risk assessment plan showing categories of information needed for an informed assessment. Typical issues to be recorded are:
• type of risk;
• origin of the risk;
• criticality of the risk;
• necessary controls;
• responsibility for management;
• measure(s) to address the risk;
• any time frame;
• actions initiated.
This can easily be documented in the form of a simple spreadsheet. In the vertical column to the left might be listed the categories of risk. Across the top of the grid might be listed the various stages of management.
A risk control plan should be accessible to all concerned with its implementation. Personnel at all levels should be aware of the existence and location of the risk control plan. Detailed knowledge of its contents may not be essential, but personnel should have a broad idea of its content and the circumstances in which reference should be made to it. If the risk control plan is not too complex, there is no reason why it should not be incorporated into the business plan of the organisation.
An alternative approach to recording the findings of a risk assessment is a risk register – a template to include all the necessary details relating to the risk and the contingencies surrounding it.
For instance, there should be information about the company, location, department, type of risk and even a number allocated to the risk. There should be a description of the risk, its root causes, its status, the likelihood of eventuality and its consequence. The response should be recorded and if elimination is impossible, there should be details of any residual risk.
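The following is an added example, not part of the chapter or of any product it mentions, showing how the risk assessment plan categories listed earlier (type, origin, criticality, controls, responsibility, measures, time frame, actions) and the risk register fields described here can be held in one structure and used to rate and prioritise risks. The rating scheme is an assumption: the chapter only says a simple score (such as 1–10) may be applied, so here likelihood and consequence are each rated 1 to 5 and multiplied, with criticality bands chosen for illustration. The register entries are constructed from the chapter’s own examples (insecure e-mail, website data collection under the DPA, staff misuse, denial of service).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed rating scale (not from the chapter): 1 = negligible ... 5 = severe.
SCALE_MIN, SCALE_MAX = 1, 5


def valid_rating(value: int) -> bool:
    """Check that a likelihood or consequence rating lies on the scale."""
    return SCALE_MIN <= value <= SCALE_MAX


@dataclass
class RiskEntry:
    """One row of the risk register, with the control-plan fields alongside."""
    number: int                     # number allocated to the risk
    department: str
    risk_type: str                  # strategic / operational
    origin: str                     # internal / external
    description: str
    root_causes: List[str]
    likelihood: int                 # 1-5 before any response
    consequence: int                # 1-5 before any response
    owner: str                      # responsibility for management
    controls: List[str] = field(default_factory=list)   # necessary controls
    response: str = "accept"        # accept / reduce / transfer / eliminate
    residual_likelihood: Optional[int] = None
    residual_consequence: Optional[int] = None
    time_frame: str = ""
    actions_initiated: List[str] = field(default_factory=list)
    status: str = "open"

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.consequence):
            if not valid_rating(v):
                raise ValueError(f"rating {v} outside {SCALE_MIN}-{SCALE_MAX}")

    def score(self) -> int:
        """Inherent score: likelihood multiplied by consequence."""
        return self.likelihood * self.consequence

    def residual_score(self) -> int:
        """Score after the response. An eliminated risk needs no further management."""
        if self.response == "eliminate":
            return 0
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        con = self.residual_consequence if self.residual_consequence is not None else self.consequence
        return lik * con


def criticality(score: int) -> str:
    """Illustrative bands on the 1-25 score (an assumption of this example)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Greatest threat first, so resources follow priority."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def control_plan_rows(register: List[RiskEntry]) -> List[Dict[str, object]]:
    """Flatten the register into the spreadsheet-style control plan rows."""
    rows = []
    for r in prioritise(register):
        rows.append({
            "number": r.number, "type": r.risk_type, "origin": r.origin,
            "criticality": criticality(r.score()), "score": r.score(),
            "controls": r.controls, "owner": r.owner, "response": r.response,
            "residual": criticality(r.residual_score()) if r.residual_score() else "none",
            "time_frame": r.time_frame, "actions": r.actions_initiated,
        })
    return rows


def build_sample_register() -> List[RiskEntry]:
    """Constructed sample entries based on the chapter's examples."""
    return [
        RiskEntry(1, "Client services", "operational", "external",
                  "Interception of insecure confidential e-mail", ["plaintext e-mail"],
                  likelihood=4, consequence=4, owner="IT manager",
                  controls=["encrypted e-mail with client"], response="reduce",
                  residual_likelihood=1, time_frame="before project start"),
        RiskEntry(2, "Marketing", "strategic", "internal",
                  "Website data collection infringing the DPA", ["no compliance review"],
                  likelihood=3, consequence=5, owner="Compliance partner",
                  controls=["compliance sign-off", "secure storage"], response="reduce",
                  residual_likelihood=1),
        RiskEntry(3, "All staff", "operational", "internal",
                  "Staff misuse of Internet facilities", ["unclear usage policy"],
                  likelihood=1, consequence=3, owner="HR", response="accept"),
        RiskEntry(4, "IT", "operational", "external",
                  "Denial-of-service preventing electronic service", ["single hosting point"],
                  likelihood=2, consequence=4, owner="IT manager",
                  controls=["outsourced resilient hosting"], response="transfer",
                  residual_likelihood=1),
    ]


if __name__ == "__main__":
    for row in control_plan_rows(build_sample_register()):
        print(row["number"], row["criticality"], row["score"], row["response"], row["residual"])
```

Keeping the control-plan columns and the register fields on one record means the same list can be printed as the simple spreadsheet described earlier or filtered for the residual risks that still need management.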
Some IT solutions are now emerging which enable organisations to computerise risk assessment and risk management techniques. Risk Reasoning Ltd. has developed two modules: RiskAid and RiskAid Enterprise (see www.riskreasoning.co.uk).
In addition to the risk management standards referred to in the previous chapter, a further complementary standard, ISO/IEC 31010:2009, has recently been published.
This addresses risk assessment concepts, processes and the techniques through to such issues as the likely consequences, the probability of their occurrence and any risk mitigation factors.
BS 31100:2008 addresses risk management frameworks, processes and implementation and is considered in the next chapter.
It is almost impossible to protect an organisation from exposure to every risk that might arise in the ordinary course of business. Invariably, the best that can be done is to assess the likely risks and devise a strategy of controls which balance their cost with their intended effect.
An effective procedure for assessing risks enables an organisation to take a proactive approach to the operation of its business. It can identify priorities and direct resources where they are most needed.
The foresight that effective risk assessment provides enables an organisation to know the time and commitment needed to address particular issues instead of simply responding to crises. Accurate risk assessment calls for correspondingly effective management.