What is the difference between a business risk and a security risk?

Date Published: 22nd January 2008
Author: Alan Calder
Risk assessment is a core competence of information security management. A recent question and answer exchange goes to the nub of how risk appetite and an organization’s risk acceptance criteria should be approached.

The question was:

‘ISO27001 hammers home that the approach to risk that an organization has towards security risks should be based on the organization's approach (and risk appetite) for business risks. This just doesn't ring true to me given how granular the rest of 27001 is.

A business risk is fundamentally different from a security risk and I really struggle to see how the approach to one maps over to the other.

It's one thing to say "we are willing to take a high degree of risk, so we'll invest in your factory in Elbonia" - there is a potentially high profit to be had from taking that risk. Business managers will be used to making decisions based on that kind of risk vs reward thinking. It's entirely different to say "we are willing to take a high degree of risk - we'll not invest in (eg) an antivirus solution and accept the risk that that entails".

Investing in my factory in Elbonia could have the exact same potential (monetary) loss attached to it as the damage caused by not buying an AV solution - the crucial difference is that taking a security risk can't GAIN you anything. You might be lucky and not lose anything - that's about the best you can hope for. There is no reward in this situation.

In light of that - I'm not sure that the "risk appetite" business-wise is necessarily a good indicator of how "risk hungry" we should be security-wise.

Just as in life - my appetite for skydiving bears no relation whatsoever to how I invest my money. My high-risk appetite in the one arena has nothing to do with the other and it would be stupid for me to apply it so.

I would have thought that ISO27001, which stresses a bottom-up, high-granularity approach, would also include the understanding that there can be different risk arenas which may need to be treated with very different approaches.’

This is a good question and well articulated.

The answer - and this is a paraphrase of the more detailed treatment contained in the chapter on risk in International IT Governance (http://www.27001.com/products/16) and in Information Security Risk Management for ISO27001 (http://www.itgovernance.co.uk/products/789) - is as follows: there are two different types of risk.

The first is called speculative risk, and it is what business people do - speculative risk can lead to either gain or loss, and is at the heart of business strategy. We assess the risk, decide whether or not we can afford the possible loss and whether this is adequately balanced by the potential gain, and then go ahead - or not, as the case may be. Your Elbonian investment decision is a speculative one, particularly in the light of the current economic climate.

Non-speculative risk, on the other hand, is the sort of risk that can lead only to loss. Non-speculative risks can derail speculative business plans. Non-speculative risk is therefore the subject of risk control; if we can reduce this type of risk, we can remove potential obstacles to the realisation of our business strategy. Information risk, operational risk, regulatory risk, health and safety risk - these are all forms of non-speculative risk and the proper subject of risk management.

The overall risk management framework to which we refer is that which applies to non-speculative risk. In other words, the risk appetite that is relevant to the management of information risk should be the same as that applied to health and safety risk, or operational risk, or any other controllable risk - it makes for coherence and consistency inside the enterprise.

It is possible, therefore, for an organization to pursue a highly risky speculative business strategy within a non-speculative risk management framework that is based on a very low tolerance for risk. For example, jumping out of an airplane is taking a speculative risk from which gain (probably emotional) is expected; managing the non-speculative risks - i.e. making sure that the chute is properly packed, that the lines haven't been cut, etc. - is likely to be done on the basis of a very low tolerance for risk!

Alan Calder
CEO
IT Governance Ltd
www.27001.com

Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk & www.27001.com), the one-stop-shop for information security books, tools, training and consultancy. He is co-author of the definitive guide to ISO 27001 compliance, ‘IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799’.
This article is free for republishing
Source: http://www.articlealley.com/article_457722_15.html