Earlier in this chapter, risk management was defined as the practice of identifying, assessing, controlling, and mitigating risks. Identifying the threats and vulnerabilities that are relevant to the organization is an important step, just as knowing the worth of an asset can help determine the impact of its loss. With this information, action can then be taken to reduce potential losses to assets from these risks.
Realizing that risk management is not the same as risk elimination is important. Risk elimination isn’t a reasonable goal. Instead, risk management attempts to identify the risks that can be minimized at a reasonable cost and implements controls to do so. Risk management includes several elements:
Risk management controls are any actions or changes put into place to reduce a weakness or potential loss. NIST Special Publication 800-37 Rev. 2 identifies three classes of controls: technical, administrative, and physical. More will be learned about controls later in this text.
Controls are often referred to as either preventive or detective. Preventive controls attempt to prevent the risk from occurring. Examples include increasing physical security and training personnel. Detective controls try to detect activity that may result in a loss. Examples include antivirus software and intrusion detection systems.
After risks have been identified, steps can be taken to reduce or manage them, often by implementing controls, or countermeasures. Managing risks comes at a cost. If too much money is spent on reducing risks, the business’s overall profit will be reduced. If too little money is spent on reducing risks, a loss could result from an easily avoidable threat and/or vulnerability. Ideally, organizations should never spend more on controls than the value of the asset. For example, an organization should not spend $10,000 in controls for an asset that is worth only $5,000. The amount spent on controls should be proportional to the risk, which is known as the principle of proportionality.
Risks can be measured based on the value of the asset. A cost-benefit analysis (CBA) can be performed to help determine which controls, or countermeasures, to implement. If the benefits outweigh the costs, the control is often selected.
A CBA compares the business impact with the cost to implement a control. For example, the loss of data on a file server may represent the loss of $1 million worth of research. Implementing a backup plan to ensure the availability of the data may cost $10,000. In other words, $10,000 would be spent to save $1 million, which makes sense.
Starting a CBA begins by gathering data to identify the costs of the controls and benefits gained if they are implemented.
A control doesn’t always eliminate the loss. Instead, the control reduces it. For example, annual losses for a current risk may average $100,000. If a control is implemented, these losses may be reduced to $10,000. Thus, the benefit of the control is $90,000.
The following formula can be used to determine whether the control should be used:
Loss before control − Cost of control − Loss after control = Benefit of control
For example, the company lost $100,000 last year without any controls implemented. If the control is implemented, a loss of $12,000 a year is estimated. The cost of the control is estimated at $7,000. The formula is:
$100,000 − $7,000 (Cost of control) − $12,000 (Expected residual loss) = $81,000
Implementing the control represents a benefit of $81,000.
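The calculation above, together with the principle of proportionality from earlier in the section, as an added worked example in Python (not part of the chapter); the control names and the asset values attached to the chapter's figures are constructed for illustration.

```python
# Added worked example (not from the chapter): the chapter's CBA formula,
# loss before control - cost of control - loss after control = benefit,
# plus the principle of proportionality. Control names and asset values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ControlCandidate:
    name: str
    loss_before: float   # annual loss observed with no control in place
    loss_after: float    # expected annual residual loss once the control exists
    cost: float          # annual cost of the control, including hidden ongoing costs
    asset_value: float   # worth of the asset the control protects

def net_benefit(c: ControlCandidate) -> float:
    """Annual saving after paying for the control; negative means a net loss."""
    return c.loss_before - c.cost - c.loss_after

def is_proportional(c: ControlCandidate) -> bool:
    """Never spend more on a control than the protected asset is worth."""
    return c.cost <= c.asset_value

def decide(c: ControlCandidate) -> str:
    """Implement only when the spend is proportional and the benefit is positive;
    otherwise the organization accepts, shares/transfers, or avoids the risk."""
    if not is_proportional(c):
        return "do not implement: cost exceeds asset value"
    if net_benefit(c) <= 0:
        return "do not implement: costs outweigh benefits"
    return "implement"

# Constructed candidates built around the chapter's worked numbers.
CANDIDATES = [
    # $100,000 lost last year, $12,000 residual loss expected, $7,000 control cost
    ControlCandidate("access control upgrade", 100_000, 12_000, 7_000, 250_000),
    # $10,000 backup plan protecting $1 million of research (loss assumed fully avoided)
    ControlCandidate("file server backups", 1_000_000, 0, 10_000, 1_000_000),
    # $10,000 control for an asset worth only $5,000 violates proportionality
    ControlCandidate("safe for a spare printer", 4_000, 0, 10_000, 5_000),
    # proportional spend, but the control barely reduces the loss it costs to run
    ControlCandidate("extra log retention tier", 10_000, 8_000, 5_000, 50_000),
]

def review(candidates=CANDIDATES) -> dict:
    """Map each control name to (net benefit, decision) for the CBA report."""
    return {c.name: (net_benefit(c), decide(c)) for c in candidates}

if __name__ == "__main__":
    for name, (benefit, decision) in review().items():
        print(f"{name:28s} benefit=${benefit:>12,.0f}  {decision}")
```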
One of the biggest challenges when performing a CBA is getting accurate data. Although current losses are often easily available, future costs and benefits need to be estimated. Costs are often underestimated, and benefits are often overestimated.
The immediate costs of a control are often available. However, sometimes, the ongoing costs are hidden. Some of the hidden costs may be:
Following the principle of proportionality, if the costs outweigh the benefits, the organization might choose not to implement the control. Instead, it might choose to accept, share or transfer, or avoid the risk.
Both profitability and survivability must be considered when evaluating the cost of risk management:
In terms of profitability, a loss can ruin a business. In terms of survivability, a loss may cause a company never to earn a profit. The costs associated with risk management don’t contribute directly to revenue gains. Instead, these costs help to ensure that a company can continue to operate even if it incurs a loss.
Regarding profitability and survivability, the following items should be considered:
Data is often one of the most valuable assets a business owns. It can include customer data; accounting data, such as accounts payable and accounts receivable; and employee data. The list could go on and on. This data is integral to the success of a business, so it is often backed up regularly.
For example, a business spends $15,000 a year on data backups, a cost that will not increase revenue or profits. In a full year’s time, data is never lost, and the backups are never needed. If profitability is the only consideration, management may decide to eliminate this cost. Backups are stopped, but the next year, data could be lost, causing the company to fail and go bankrupt.
The cost does need to be considered against profitability, though. For example, if a company earns only $10,000 a year in profit, the company’s spending $15,000 a year to protect its data doesn’t make sense.
On the other hand, for example, a company has $100,000 in annual profits. It chooses not to spend the $15,000 on backups, but then a virus spreads through the enterprise, destroying all customer and accounting data. The company no longer has reliable records of accounts receivable, and no one has access to the customer base. Such a scenario can be a business-ending catastrophe.