Finding the ROI in Cyber Security

My expertise is in information security assurance, but I am fortunate to be married to a risk analyst who deals with insurance risk.  My world typically revolves around software security risk assessment and risk mitigation, while my wife deals with insurance risks and also a lot with Enterprise Risk Management. When we talk about our work, I see a lot of things in her world, which I wish we had more of in mine.

Risk Assessment and Risk Management

There are two main approaches when performing risk assessment: quantitative and qualitative.  The CISSP and SANS Security Essentials courses present very good material on quantitative risk assessment with details on Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE). In the real world, though, quantitative risk assessment is being sorely neglected.


The risk disciplines for cyber security are complex and still evolving, whereas risk assessment and risk management have received a lot of focus and have matured considerably in the insurance industry. Other types of businesses, though, still have a long way to go in maturing their cyber security risk practices.


In cyber security, the majority of risk assessments I see present qualitative results. We typically identify risks as critical, high, medium, or low. However, I rarely see quantitative risk assessment results where believable costs are presented. This is a major weakness in our risk assessment and risk management for cyber security. Without defined costs for a risk impact, a manager cannot make an objective decision on the amount to invest in risk mitigation. I think the reason we do not see more quantitative risk assessment results is that we are also weak in the enterprise risk management area. There is a direct relationship between the slow acceptance of security efforts in the cyber world and our inability to pin down costs.


Most cyber security risk assessments are performed by security professionals who are really good at identifying the assets to be protected, security objectives, security requirements, vulnerabilities, mitigations, and the cost of mitigation, but who are not as good at pinning down the costs and impact of a potentially exploitable vulnerability. For example, just how much value is associated with brand impact or customer dissatisfaction, or, even more simply, how much will it cost to repair the damage done when 500, 1000, 100,000 or a million sets of credit card numbers are stolen? Quantifying these items requires other expertise.


When I look at my wife’s world, I see lots of quantitative risk assessment results, and dollars and costs are always part of the picture. I see an evolution taking place where the appropriate stakeholders are becoming increasingly involved on both the risk assessment and the risk management sides. I think we can learn from these efforts and identify a missing element in cyber security.


We rarely involve the marketing people or managers in the risk assessment portion of our work. Yet they are the experts when it comes to placing concrete values on the intangible items we do not deal with on a daily basis. They are also the ones who will need to understand the cost and ROI impacts when making decisions on mitigating the risks we identify. Most importantly, their involvement improves stakeholder buy-in.


ROI and Support of Cyber Security Efforts

In the cyber security discipline, we sometimes face significant challenges in justifying expenditures for security mitigation. We can blame that on a variety of factors.


First of all, our efforts prevent exploitation. Rarely does a prevented exploit receive much attention, because nothing happens. Only when we fail to prevent such exploitation does high-level attention within our organizations tend to arise. This is typically driven by the news exposure that such exploits receive—attention that we strive to avoid with our prevention efforts.


In many organizations, this invisibility leads to a cycle in which we have a hard time justifying spending on risk mitigation and security efforts, because good results prevent bad things from happening and the cost of the bad thing is poorly understood. By failing to provide cost/benefit information to the decision makers, we lose. We also lose by not providing quantitative risk assessment data that the decision maker can trust as real. Managers and decision makers use cost/benefit information to calculate Return On Investment (ROI), which is used to justify important decisions. Lack of good ROI data also leads to difficulties in justifying expenditures for security and security resources.
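To make the SLE/ALE material mentioned in the risk assessment section and the ROI argument above concrete, here is an added example (my own code, not from the original post) that compares candidate mitigations for a card-data breach by annualized loss expectancy and return on security investment. The formulas are the standard CISSP ones (SLE = AV × EF, ALE = SLE × ARO, ROSI = (ALE reduction − control cost) / control cost); the per-record cost, control names, control costs and all rates are constructed placeholders, not figures from the post.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: total cost if the asset is fully lost (constructed)
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0..1
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of the control (constructed)
    aro_reduction: float    # fraction by which the control cuts ARO
    ef_reduction: float = 0.0  # fraction by which it cuts EF (e.g. tokenization)


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: loss from one incident."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy: expected loss per year."""
    return sle(s) * s.aro


def mitigated(s: Scenario, c: Control) -> Scenario:
    """The same scenario after the control has reduced EF and/or ARO."""
    return replace(s, exposure_factor=s.exposure_factor * (1 - c.ef_reduction),
                   aro=s.aro * (1 - c.aro_reduction))


def rosi(s: Scenario, c: Control) -> float:
    """Return on Security Investment; negative means the control costs more than it saves."""
    benefit = ale(s) - ale(mitigated(s, c))
    return (benefit - c.annual_cost) / c.annual_cost


def worthwhile(s: Scenario, controls: list[Control]) -> list[Control]:
    """Controls with a positive ROSI, best first (highest ROSI is not the largest risk cut)."""
    return sorted((c for c in controls if rosi(s, c) > 0), key=lambda c: -rosi(s, c))


# Constructed scenario: 100,000 card numbers at an assumed $150 per record to remediate.
BREACH = Scenario("card-data breach", asset_value=100_000 * 150, exposure_factor=0.2, aro=0.1)
CONTROLS = [
    Control("tokenize stored PANs", annual_cost=120_000, aro_reduction=0.0, ef_reduction=0.9),
    Control("web app firewall", annual_cost=40_000, aro_reduction=0.5),
    Control("full platform rebuild", annual_cost=500_000, aro_reduction=0.9, ef_reduction=0.5),
]
```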


I think the solution lies in integrating cyber security more fully into existing enterprise risk management efforts, or perhaps simply in applying more enterprise risk management techniques to our cyber security efforts. Here’s the good news: small to medium businesses may have an advantage in implementing better enterprise risk management, since they have smaller and more easily coordinated management structures. Let us know how you are bringing qualitative and quantitative risk assessment together in your efforts.