Acceptable Risk

Thu, Jul 30, 2020 6-minute read

Every individual, company and society is willing to take risk. In everything we do there is risk; we use risk as leverage (in the financial sense) to achieve some benefit at lower cost. Figuring out where that bright red line of too much risk sits is not easy. Figuring out where you are relative to that line takes effort.

We have a tolerance for loss and therefore will accept some level of risk

Every company is willing to take some risk in exchange for some return. Manufacturers invest in creating new products to bring to market; those products might fail to gain market share and the investment made is lost. Investment managers try to maximize returns on their portfolios by taking (balanced) risk, but could experience significant losses. Online retailers are willing to accept the possibility of fraud in pursuit of a low-friction buying experience that leads to more revenue. Software development companies release software to meet deadlines and take a chance that an unfixed (or unknown) bug won't impact their product launch. The list of ways in which organizations willingly take risks to get a return, to gain advantage in the market, is endless.

In society we have a tolerance for loss. We have a tolerance for crime, automobile accidents, drug deaths and workplace injury (among many other types of loss). Every loss hurts someone, but there is a tolerance based on how many resources society is willing to invest to reduce or eradicate the underlying issues. The tolerance is low and we work to reduce it, but there remains a tolerance.

When it comes to information security, are companies willing to take security risks in exchange for some reward? Demonstrably, the answer is yes. Nearly every notable breach was, in hindsight, avoidable, and whether the victims admit it or not, they were likely aware, or reasonably should have been aware, of the issue. If they were aware, they made a decision not to allocate resources to fix it before the breach occurred. If they were not aware, they made a decision on where to invest their limited resources, and it was not in capabilities to identify problems proactively. Either way there was intentionality in the resource allocation. We can take it as given that a company choosing to put resources towards some benefit-generating activity instead of some risk-reducing activity has decided to accept that risk and its potential impacts.

How do we determine acceptable risk?

That’s a delightfully big question in the domain of operational risk and its subset, technology risk. In the financial world we understand that investing in “B” rated bonds is risky but offers the potential for greater returns. We want to maximize the upside we could capture while ensuring we are not exposed to excessive losses that might make the returns negative. We don’t have that level of understanding in technology risk (yet).

Here are the three steps to establishing an appetite or threshold for acceptable risk:

  1. Get stakeholder alignment that there needs to be a threshold and the rules around that threshold
  2. Agree on a threshold by drawing a line across your organization’s enterprise risk model
  3. Implement and actively manage the organization to stay within the threshold

First, get stakeholders to agree that thresholds should exist. How we get to an answer is almost secondary to agreeing that we ought to have one. There are many ways to determine what acceptable risk is, but before you do that there needs to be agreement that anything below that threshold is indeed acceptable. Issues, or a collection of issues, that are below the threshold are acceptable and will just be handled in the normal course of business (and possibly not addressed at all); anything above the threshold will require a response from management (see the concept of the complexity firewall in The One Risk). If you can’t get that agreement, then there’s little point in going further. A company that doesn’t know how much risk it is willing to take is a company that will never take the right level of risk. It’s our job as information security professionals and risk practitioners to translate the technical complexities into decision-ready risk analysis.

Once we have that agreement, we can set a threshold. There are several models for measuring the risk of a potential event. Which Enterprise Risk Management approach you use doesn’t matter. The important part is to sit with stakeholders and agree that below a certain line in the model is acceptable risk and above that line the risk is not acceptable. How the line is drawn varies with the organization’s risk model:

  • For Quantitative Modelling the line is a loss amount in a given period; anything expected to exceed it (or likely enough to exceed it) is above threshold;
  • For Control Based approaches the line is set based on the performance, trending or point in time, of key controls known to prevent certain risk events;
  • For Qualitative Framing or Scenario Based approaches you will likely just choose anything that is above medium risk (or some other qualitative risk descriptor). Alternately you might declare specific loss event types (customer record loss, regulatory fines etc…) as being above threshold; and
  • Opinion Based is an option, often the least defensible if operating without clear structure and process. In this model a group of people makes a reasoned decision as to whether or not the organization is operating within risk tolerances.

Note: Don’t try to build your own scoring or evaluation system. Even if what your organization has isn’t ideal, it’s already been socialized and is understood. So just use it. If you want something better, make that a separate exercise.

Finally you need to monitor and report frequently on the organization’s position relative to that threshold. Once you have a threshold, you need to continuously report on it. A threshold without continuous attention and proactive management loses its value quickly. A threshold that you can’t quickly report your position against isn’t meaningful. When the time comes to say “we were within appetite” or “under threshold”, it will be an empty statement if you weren’t managing risk proactively.
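As an added example (not code from the original post), here is one way to turn the quantitative model’s “a loss amount in a given period” into a line you can draw and then report your position against. It assumes a FAIR-style model in which each scenario has a Poisson event frequency per year and a lognormal loss per event, simulated with a fixed seed so the report is repeatable; the scenario names and figures are constructed for illustration and are not real data.

```python
"""Added example: a quantitative risk threshold expressed as a loss-exceedance check.

Assumptions (not from the original post): each scenario has a Poisson event
frequency per year and a lognormal loss per event. The scenario figures below
are constructed illustrations, not real data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # Poisson rate of loss events
    median_loss: float      # median loss per event (currency units)
    sigma: float            # log-space spread of the loss per event


def poisson(rng: random.Random, rate: float) -> int:
    """Sample an event count for one year (Knuth's method; fine for small rates)."""
    limit = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_annual_losses(scenarios, years: int, seed: int = 2020) -> list[float]:
    """Monte Carlo: total loss per simulated year, summed across all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        totals.append(total)
    return totals


def exceedance_probability(losses, threshold: float) -> float:
    """Share of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_at_percentile(losses, pct: float) -> float:
    """Nearest-rank percentile of the simulated annual losses."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(math.ceil(pct / 100 * len(ordered))) - 1)
    return ordered[max(idx, 0)]


def position_report(losses, threshold_loss: float, tolerated_probability: float) -> dict:
    """The line: a year losing more than threshold_loss is unacceptable if it is
    more likely than tolerated_probability. Returns the figures a status report needs."""
    p = exceedance_probability(losses, threshold_loss)
    return {
        "threshold_loss": threshold_loss,
        "tolerated_probability": tolerated_probability,
        "p_exceed": p,
        "within_appetite": p <= tolerated_probability,
        "p95_annual_loss": loss_at_percentile(losses, 95),
        "expected_annual_loss": sum(losses) / len(losses),
    }


# Constructed scenarios for illustration only (hypothetical names and figures).
SCENARIOS = (
    Scenario("phishing-led account takeover", 4.0, 20_000, 1.0),
    Scenario("customer record breach", 0.1, 2_000_000, 0.8),
    Scenario("ransomware outage", 0.05, 5_000_000, 0.7),
)

if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS, years=20_000)
    # Threshold agreed with stakeholders: no more than a 5% chance of losing
    # over 3,000,000 in a year (hypothetical figures).
    report = position_report(losses, threshold_loss=3_000_000, tolerated_probability=0.05)
    for key, value in report.items():
        print(f"{key}: {value:,.3f}" if isinstance(value, float) else f"{key}: {value}")
```

The report is the thing to re-run and publish on a schedule: as scenario frequencies or loss estimates are updated from incidents and control testing, `p_exceed` moves, and `within_appetite` flipping to false is the signal that management owes a response.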

Every company is willing to take on risk (although it may not realise it); our job is to help it figure out what that acceptable risk is. There’s no perfect model for doing this yet; as long as everyone agrees that a rough approach is better than nothing, we can start answering that question. Our first answers will be imprecise, but with constant effort they can be tailored to line up with the organization’s best understanding of acceptable risk.


Omissions: You’ll note that I didn’t say what is reasonable risk taking. I think that requires courts or the government to establish the test of reasonableness as they have with many other things. I also didn’t talk about externalities, that’s a future post.