Does putting a numerical "score" on a risk register entry (or a grade like Red, Amber, Green or High, Medium, Low) really mean anything? Does it make anything clearer or assist with decision making? Risk registers (which might be better described as a statement of scope and priorities) can provide an important first step in creating the organisation's risk management framework and establishing and implementing the required mitigations. What they don't help with is understanding what our intrinsic exposure looks like, and whether our chosen mitigations are being operated correctly and error-free and are producing the expected effect.

Many risk management frameworks rely on self-assessments and/or assertions given during assurance activities. Because of unconscious bias, unintentional blindness and, at times, wishful thinking, these assurances can be unreliable and can significantly understate the intrinsic EXPOSURE to the risk because of what is REALLY GOING ON in the organisation. An organisation that tracks and understands its current levels of exposure to risk can significantly improve its intrinsic risk management capability and gain insight into whether existing mitigations are making any difference - and if not, why not.
Understanding exposure means we KNOW what's REALLY going on
As this post progresses I'm going to give some examples of how a focus on understanding exposures provides a clearer and more actionable perspective on risk. I'm going to focus on what I'll call "Vital Signs" that indicate intrinsic exposure, rather than judgemental approaches based on assertion. I'll give some real-world examples of this approach, which has been successfully applied to information security management frameworks, and show how it enables senior non-specialists, including board directors and audit committees, to clearly understand their exposure and whether there is cause for concern.
To understand what actions we should be taking to manage a risk we need to understand its root causes and the factors that could enable its occurrence. In terms of information security risks, let's say we are focusing on cyber attacks such as theft of data, denial of access to data or compromise of credentials. The core risk is that a malicious third party gains entry to our organisation's IT infrastructure. We know that risk is out there, we know that many organisations are damaged by cyber attacks, and there is a growing body of knowledge of how cyber criminals successfully launch attacks. So we know what the threat is, what impacts could occur and what our defences should be - the building blocks of our "scope & priorities" statement.
Attributes & Context
Having understood root causes and defences, we are now in a position to understand what exposure to this risk looks like. Exposure is the absence or presence of defences and the effectiveness of their operation. This is where we diverge from the majority of risk management processes, because at this stage we go beyond soliciting assurances from "risk owners" and look for indicators within our defences that tell us the EXTENT to which we are ACTUALLY exposed to the risk.
So, bringing this back to the cyber security example of cyber attack exposure, we need to answer a few questions:
What are the indicators of exposure in our organisation?
How do we KNOW that our defences are effective?
How do we know that our defences are being operated consistently and effectively?
Cyber attacks - indicators of exposure
Security vulnerabilities, on the IT platforms that support our core business systems, which have been or are currently being exploited in successful cyber attacks
Low levels of threat awareness within the organisation
Weak management of security certificates and domain name system records
Weak authentication credentials (weak, default or shared passwords)
Inconsistent or non-existent implementation of information segregation
We can gather "hard data" on all of the above:
Results of network vulnerability scans, cross-referenced against government agency databases of vulnerabilities known to be exploited in the wild (for example, CISA's Known Exploited Vulnerabilities catalogue), will tell us whether we have "vulnerable and exploitable" systems.
Periodic phishing simulations and - more importantly - comparing the number of phishing reports made with the number of phishing emails that actually reached inboxes in a business-as-usual context provide a strong indication of users' capability to recognise cyber threats in the workplace and take the correct action when they do.
The status of internet security certificates and sub-domains (expired, soon-to-expire or mis-issued certificates; DNS records left pointing at decommissioned services) provides a strong signal of trust and reputation exposure in the organisation's internet presence.
Weak authentication credentials can be identified using standard system utilities (for example, auditing password policy settings and checking stored password hashes against lists of common passwords).
The state of information segregation can be verified using policy management tools.
This "evidence" indicates what our exposure really are - not what we think they might be (or what the person who gave us the assertion thought they were). Red, Amber, Green or High, Medium, Low are replaced with data that can be used further to help us draw conclusions, understand our exposure, establish if we are improving or not and take further action if necessary.
Although we have numbers coming out of this approach, establishing a numerical threshold for each category that is universally applicable will be elusive. These are empirical results and should be considered as indicators rather than scores which place the organisation on a "league table" - context and judgements play an important part.
Probably what's more important is how comfortable you feel with your exposure indicators indicators and the speed with which you can remediate. In the context of the cyber security exposure indicators, the manifestation of some will be out of our control (a recently discovered vulnerability, for instance) and others will be be due to human error (as is often the case with exposures related to faulty configuration). So although we can't adopt an across the board strategy for zero tolerance to cyber security exposures - we can set targets for remediation. For instance, we could require any currently exploitable vulnerability, should be fixed with a specified timeframe and until that is done the organisation goes to "DEFCON" 2 - a state of heightened surveillance and preparedness. For some areas, let's say certificate and subdomain management we could require zero tolerance to issues in this area, because, once identified, remediation can be quickly applied.
What is our direction of travel?
Seeing whether we are improving or not provides a useful perspective on whether our defences, mitigations, risk treatments (call them what you will) are actually making a difference to the level of exposure our organisation faces. It helps risk specialists to understand and demonstrate their contribution to the organisation by providing transparency of the outcomes of existing and adjusted risk management initiatives. Returning to our reference point of cyber security: let's say for the past few months we have tracked how many phishing reports have been made by users. The number of reports made compared with the number of phishing emails that actually found their way into inboxes (a figure that has to come from the mail gateway or from phishing identified after the fact, not from simulations alone) is around 10%. That's not great - it means roughly 90% of the delivered phishing emails were either not recognised as such or not acted on correctly (the correct action being to report them). Clearly the awareness programme is not "sticking" in users' minds, so we need to think of some new techniques to raise awareness. By looking for improvements in the reporting ratio we can make informed judgements as to whether the changes to the awareness programme made a difference. Let's say the new technique is a resounding success and after a month or two we are seeing a 60/40 ratio - we can confidently conclude that our exposure has reduced.
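The indicators listed under "We can gather hard data" and the direction-of-travel comparison above can be computed directly from the underlying records rather than asserted. The following is an added example, not code from the original post: it cross-references scan findings against a known-exploited list, applies a remediation target (the "DEFCON 2" state), checks certificate expiry under a zero-tolerance rule and tracks the phishing reporting ratio month by month. The scan findings, the known-exploited list, the certificate inventory, the monthly phishing counts, the host names, the placeholder CVE identifiers, the 14-day remediation target and the 30-day certificate warning window are all constructed assumptions for illustration.

```python
"""Exposure 'vital signs' computed from hard data rather than assertions.

Added example; all inputs below are constructed sample data, and the
remediation target and warning window are assumed values, not figures
from the original post.
"""
from datetime import date

TODAY = date(2024, 6, 1)  # assumed reporting date

# Constructed scanner output: one finding per host/CVE. The CVE identifiers
# are placeholders, not real vulnerabilities.
SCAN_FINDINGS = [
    {"host": "erp-db-01",   "cve": "CVE-0000-0001", "first_seen": date(2024, 5, 1)},
    {"host": "erp-app-01",  "cve": "CVE-0000-0002", "first_seen": date(2024, 5, 20)},
    {"host": "intranet-01", "cve": "CVE-0000-0003", "first_seen": date(2024, 5, 25)},
    {"host": "intranet-01", "cve": "CVE-0000-0004", "first_seen": date(2024, 3, 2)},
]
# Constructed stand-in for a government "known exploited vulnerabilities" list.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

# Constructed certificate inventory: hostname -> expiry date.
CERTIFICATES = {
    "www.example.com":  date(2025, 1, 15),
    "shop.example.com": date(2024, 6, 10),  # inside the warning window
    "old.example.com":  date(2024, 5, 1),   # already expired
}

# Constructed monthly counts: (month, phishing mails that reached inboxes,
# user reports of those mails). The awareness programme changed in March.
PHISHING_BY_MONTH = [
    ("2024-01", 250, 25),
    ("2024-02", 240, 22),
    ("2024-03", 260, 31),
    ("2024-04", 230, 104),
    ("2024-05", 245, 147),
]


def exploitable_exposure(findings, known_exploited, today, sla_days=14):
    """Cross-reference scan findings against the known-exploited list.

    Returns one record per finding that is actually being exploited in the
    wild, with the days it has been open and whether the remediation target
    (sla_days, an assumed 14 days) has been breached. Findings not on the
    list are vulnerabilities, but not indicators of current exploitation.
    """
    exposures = []
    for finding in findings:
        if finding["cve"] not in known_exploited:
            continue
        days_open = (today - finding["first_seen"]).days
        exposures.append({**finding, "days_open": days_open,
                          "overdue": days_open > sla_days})
    return exposures


def heightened_state(exposures):
    """The post's 'DEFCON 2': any exploitable vulnerability past its target."""
    return any(e["overdue"] for e in exposures)


def certificate_issues(certs, today, warn_days=30):
    """Zero-tolerance indicator: expired or soon-to-expire certificates."""
    issues = []
    for name, expiry in certs.items():
        days_left = (expiry - today).days
        if days_left < 0:
            issues.append((name, "expired"))
        elif days_left <= warn_days:
            issues.append((name, f"expires in {days_left} days"))
    return issues


def reporting_ratio(delivered, reported):
    """Share of delivered phishing mails that users reported (0.0 to 1.0)."""
    return reported / delivered if delivered else 0.0


def direction_of_travel(series, window=2):
    """Compare the mean ratio of the last `window` months with the `window` before.

    Returns (latest_ratio, change); a positive change means exposure reduced.
    """
    ratios = [reporting_ratio(d, r) for _, d, r in series]
    recent = sum(ratios[-window:]) / window
    earlier = sum(ratios[-2 * window:-window]) / window
    return round(ratios[-1], 2), round(recent - earlier, 2)


def vital_signs(today=TODAY):
    """Collect the indicators into one record for the people who need to read it."""
    exposures = exploitable_exposure(SCAN_FINDINGS, KNOWN_EXPLOITED, today)
    latest, change = direction_of_travel(PHISHING_BY_MONTH)
    return {
        "exploitable_findings": len(exposures),
        "overdue_findings": sum(e["overdue"] for e in exposures),
        "heightened_state": heightened_state(exposures),
        "certificate_issues": certificate_issues(CERTIFICATES, today),
        "phishing_reporting_ratio": latest,
        "phishing_ratio_change": change,
    }


if __name__ == "__main__":
    for key, value in vital_signs().items():
        print(f"{key}: {value}")
```

With the constructed data, two findings are on the known-exploited list, one of them 31 days old and therefore past the 14-day target, which puts the organisation in the heightened state; two certificates fail the zero-tolerance check; and the phishing reporting ratio rises from around 10% to 60%, a change that the data supports without anyone having to assert it.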
Garbage in, Garbage Out
The most important thing to remember is the concept above. It's really important to know what exposure looks like. It's not just knowing the risk, it's understanding the conditions under which it reduces or increases, and correctly gathering the data or metrics that help us make an informed judgement on whether our exposure to a specific risk should give cause for concern. If that data is collected inconsistently or from the wrong source, the conclusions drawn from it will be no more reliable than the assertions it was meant to replace.