Controls are the nexus of a cybersecurity and data privacy program, so it is vitally important to understand how cybersecurity and data privacy controls should be viewed from a high-level risk management perspective. ComplianceForge provides the information on this page, including a whitepaper on the topic, to help educate cybersecurity practitioners on practical approaches to implement and manage cybersecurity risk.
The alternative to risk management is crisis management. The information on this page exists to provide practical guidance on Enterprise Risk Management (ERM) for cybersecurity and data privacy practitioners, specifically focused on how to align risk appetite, risk tolerance and risk thresholds with an organization's strategic, operational and tactical business planning activities. What is presented is a holistic approach that has practical applications. There are a lot of terms in cybersecurity and three (3) of the top misused terms are:
The concepts of risk appetite, risk tolerance and risk thresholds are not independent terms that are meant to stand by themselves, since they share a dependency that needs to be understood to create a coherent risk management strategy. Likewise, those terms are also directly linked to strategic, operational and tactical decision making.
Organizations invest in cybersecurity and data privacy as a necessity. This necessity is driven in large part by statutory, regulatory and contractual requirements. It is also driven by the desire to protect the organization's brand from acts that would harm its public image. Regardless of the reason, the base expectation is that those charged with developing, implementing and governing the cybersecurity and data privacy functions are doing so in a reasonable manner that would withstand scrutiny that could take the form as an external auditor, regulator or prosecuting attorney.
The following whitepaper delves into a viable method to align risk appetite, risk tolerance and risk thresholds with your organization's strategic, operational and tactical business planning activities:
Before diving into that discussion, it is important to baseline some underlying concepts that come into play when describing "What is meant by managing risk?" Risk management involves coordinated activities that optimize the management of potential opportunities and adverse effects. The alternative to risk management is crisis management. Risk management provides a way of realizing potential opportunities without exposing an organization to unnecessary peril.
In the context of cybersecurity risk management practices, “risk” is defined as:
In the context of this definition of risk, it is important to define underlying components of this risk definition:
One important concept to understand is that risk is variable - it changes and is not static. The implication is that risk ratings are subject to change as the operating environment changes.
In the context of the cybersecurity risk management practices, “threat” is defined as:
Risks and threats both tie into cybersecurity and data protection controls, but it is important to understand the differences:
If you want to learn for about threats vs vulnerabilities vs risks, we have a page that describes that in greater detail.
According to the Project Management Body of Knowledge (PMBOK)™ Guide:
Risk appetite is more of a management statement, where it is subjective in nature. Similar in concept to how a policy is a "high-level statement of management intent," an organization's stated risk appetite is a high-level statement of how all, or certain types of, risk are willing to be accepted. Risk appetites exist as a guiderail from an organization's executive leadership to inform personnel about what is and is not acceptable, in terms of risk management. Using a review of current risk status vs target risk appetites can be useful to see how well cybersecurity practices operate to clearly see what practice areas deviate from expectations.
Examples of an organization stating its risk appetite:
It is important to know that in many immature risk programs, risk appetite statements are divorced from reality. Executive leaders mean well when they put out risk appetite statements, but the Business As Usual (BAU) practices routinely violate the risk appetite. This is often due to numerous reasons:
In a mature risk program, the results of risk assessments are evaluated with the organization's risk appetite in mind. For example, if the organization has a "moderate risk appetite" and there are several findings in a risk assessment that are high risk, then action must be taken to reduce the risk, since it cannot be accepted. Accepting a high risk would violate the moderate risk appetite set by management. In reality, that leaves remediation, transferring or avoiding as the remaining three (3) options.
From the previous graphic, when you look at it from a risk appetite perspective, For an organization that wants to follow a "moderate risk appetite," that establishes constraints for allowable and prohibited activities, based on the potential harm to the organization:
It is possible to identify a target risk appetite at a domain level, as well as an organizational level. This can be visualized with a spider / radar diagram, as shown below:
Unlike risk appetite, risk tolerance is objective in nature. While risk appetite is conceptual, risk tolerance is based on objective criteria. Defining objective criteria is a necessary step to be able to categorize risk on a graduated scale. Establishing objective criteria to quantify the impact of a risk enables risk assessments to leverage that same criteria and assist decision-makers in their risk management decisions (e.g., accept, mitigate, transfer or avoid).
From a graduated scale perspective, it is possible to define "tolerable" risk criteria to create a few useful categories of risk:
The objective criteria that goes into defining what constitutes a low, moderate, high, severe or extreme risk includes:
The six (6) categories of IE are:
The six (6) categories of OL are:
There are three (3) general approaches are commonly employed to estimate OL:
Risk thresholds are directly tied to risk tolerance. As the graphic at the top of the page depicts, there is a threshold between the different levels of risk tolerance. By establishing thresholds, it brings the "graduated scale perspective" to life.
Let's take a look at a theoretical company, ACME, that is experimenting with Artificial Intelligence (AI) to strengthen its products and/or services, ACME's long-standing risk appetite is relatively conservative, where ACME draws a hard line that any risk over moderate is unacceptable. Additionally, ACME has no tolerance for any activities that could harm its customers.
Given the changes necessary to ramp up both talent and technology to put the appropriate solutions in place to meet ACME's deadlines, there are gaps/deficiencies. When the risk management team assesses the associated risks, the results identify a range of risks from high to extreme. The reason for this is simply due to the higher occurrence likelihood of emergent behaviors that potentially could harm individuals (e.g., catastrophic impact effect). The results were objective and tell a compelling story that there is a realistic chance of significant damage to ACME's reputation.
With those results, it is a management decision. What does ACME's CEO / Board of Directors (BoD) do?
If the CEO/BoD proceeds with accepting the risk, is it violating its fiduciary duties, since it is accepting risk it previously deemed unacceptable? Additionally, would ACME be considered negligent for accepting high, severe or extreme risk (e.g., would a rational individual under similar circumstances make the same decision?)?
These are all very real topics that need to be considered and how risk is managed has significant legal and financial implications.
This brings up the concept of "cybersecurity materiality" as it pertains to the governance of an organization's cybersecurity and data privacy controls.
With the recent statement on public company cybersecurity disclosures by the US Security and Exchange Commission (SEC), the concept of cybersecurity materiality has taken on an enhanced sense of importance.The new SEC requirements affect publicly traded companies in two (2) ways:
Specific to cybersecurity and data protection, the Secure Controls Framework (SCF) defines a material weakness as: "A deficiency, or a combination of deficiencies, in an organization's cybersecurity and/or data protection controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance."
In cybersecurity compliance, words have meaning. Therefore, it is important to understand the nuances with the terminology, since material weakness, material risk and material threat are not synonymous. However, since the SEC, Generally Accepted Accounting Principles (GAAP) and International Financial Reporting Standards (IFRS) lack specificity in defining the criteria for materiality, organizations have leeway to define it on their own. The lack of authoritative definition for materiality is not unique, since the concept of risk appetite, risk tolerance and risk threshold also suffer from nebulous definitions at many organization. For an item to be considered material, the control deficiency, risk, threat or incident generally must meet one or more of the following criteria where the potential financial impact is:
A material weakness is a deficiency, or a combination of deficiencies, in an organization's cybersecurity and/or data privacy controls (across its supply chain) where it is probable that reasonable threats will not be prevented or detected in a timely manner that directly, or indirectly, affects assurance that the organization can adhere to its stated risk tolerance.
When a deficiency, or absence, of a specific control poses a material impact, that control is designated as a material control. A material control is such a fundamental cybersecurity and/or data protection control that:
When an identified risk that poses a material impact, that is a material risk. A material risk:
When an identified threat poses a material impact, that is a material threat. A material threat:
When an incident poses a material impact, that is a material incident. A material incident is an occurrence that does or has the potential to:
It is important to understand that the concept of materiality expands beyond the realm of publicly traded companies. The concept of materiality is important to understand the health of a cybersecurity and data privacy program, where a material weakness crosses an organization's risk threshold by making an actual difference to the organization, where systems, applications, services, personnel, the organization or third-parties are or may be exposed to an unacceptable level of risk.
The SEC's usage of "materiality" is intended for external, third-party consumption (e.g., investors) to ensure informed decisions are made. The SCF's definition of "cybersecurity materiality" is intended for internal governance practices. This intended usage is meant to mature risk management practices by providing context, as compared to generally-hollow risk management statements that act more as guidelines than requirements. Cybersecurity materiality is meant to act as a "guard rail" for risk management decisions.
ComplianceForge
NIST SP 800-161 Rev 1 - Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP) Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the C-SCRM is...
ComplianceForge
Cybersecurity Risk Management Program (RMP) Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the RMP is to help answer common questions we receive. What Is The Risk Management...
ComplianceForge
Cybersecurity Risk Assessment Template Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CRA is to help answer common questions we receive. What Is The Cybersecurity Risk...
The NIST Cybersecurity Framework (NIST CSF) is commonly used “cybersecurity best practice” for organ...
Cybersecurity Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing and mit...
Determining the scope of controls (e.g., assessment boundary) is different than determining control...
NIST 800-171 focuses on protecting Controlled Unclassified Information (CUI) anywhere it is stored,...
