by David Apgar

Get Smarter About Security Risks

Nov 01, 2006
Risk Management

There’s a reason companies are asking CIOs to solve a new kind of security risk every time they turn around. Business continuity threats, data breaches, malicious code and stolen laptops all have one thing in common—they’re the price of information technology’s success. Information security is an issue because most of our core business processes incorporate IT, and technology has started to break down the stovepipes that used to protect corporate data.

CIOs have always had to prioritize risks when deciding how to allocate resources. What’s different about information security risks today is the uneven ability of CIOs and their business partners to assess them. Every company faces a different mix of security risks. And every one has a different set of information advantages and disadvantages—call this risk intelligence—for assessing each of those risks. IT executives have no choice but to sort out which security risks are big, which ones are small and, most important, which ones they and their colleagues are not very good at evaluating.

This last challenge is new. The methods for estimating the size of a risk usually involve polling business partners to determine the worst-case loss they expect in a given period of time. But CIOs still have to evaluate how accurate these assessments are. One company may know from experience how information integration can compromise records. Another might have learned what a data breach costs. But it would be a mistake to assume every company, or even every business leader within a company, has the same ability to assess the likelihood or impact of fast-evolving threats. So a critical new step in allocating resources for security risks is to determine which ones your organization is good at assessing before you rank the risks and estimate how much it would cost to mitigate each one.

How to Assess Risk Intelligence

To assess your risk intelligence, ask yourself these five questions for each major security risk you face.

  • How frequently do you have experiences related to the risk you’re evaluating?
  • How surprising are these experiences?
  • How relevant is your experience to the risk you’re evaluating?
  • How diverse are the sources of information about the risk?
  • How methodically do you track what you learn from past experience about mitigating risks?

Score your answers on a scale of 0 to 2, where 0 means you and your business partners have less understanding about this risk and its contributing factors than others on your list; 1 means your understanding is about average; and 2 means you understand it better than other risks. Add up your answers for all five questions. Scores fall between 0 and 10; 5 means you think your ability to weigh a risk is average across the five factors. It doesn’t matter if you’re a tough or an easy grader: What you’re doing is ranking your risk competence.

Now rank your organization’s information security risks by their risk intelligence score. You may want to allocate more mitigation resources to the ones that score the lowest, because these are the ones you are worst at assessing. For larger companies, it may be important to score the risk intelligence of each business unit facing a single risk. In this way, you can figure out which business unit has the clearest understanding of the threat, though you may still allocate more resources to the unit that scores the lowest.

By the way, this is the opposite of the conclusion you’d draw for elective projects. It makes sense to pursue discretionary projects that pose risks we’re good at assessing. But when the risks are unavoidable, the question is different. We need to focus on the risks—or the parts of the business—where we’re most likely to make a mistake.

How Assessments Help Decision Making

Here’s how to apply the risk intelligence methodology. Suppose your company has been spooked by recent security breaches that have compromised customer data. You’re trying to figure out just how much—and where—to invest in security safeguards. The company’s network has never been breached, although a competitor’s customer database was compromised and the story was all over the news. Closer to home, a laptop was stolen from a salesperson’s car a few weeks earlier.

So you ask the heads of your company’s business units (let’s say there are three) what would be their worst-case loss for a security breach. Compared to their revenue, the estimate from business unit A seems too large, B seems too small, and C falls between A and B. You want to judge who is most likely to be accurate, so you score the risk intelligence of each of the three business unit leaders.

The business leaders have different amounts of experience with security breaches. Because of the volume of its customer data, you give a 2 to business unit A, meaning a lot of potentially valuable experience. You give B and C each a 1 because their experience is about average for their business segments—they keep track of the problem but haven’t suffered a breach so far.

Next you ask how surprising the experience of each of these business units tends to be. The salesperson who lost the laptop works for A, so A gets another 2. B hasn’t typically attracted privacy threats, so it gets a 0. C gets a 1 because its experience in this area is about as surprising as that of most companies.

Now evaluate how relevant this experience is. You believe the number of integrated customer files is a big factor. A keeps each set of data in separate systems, so it gets a 0. B has both multiple- and single-file customer systems; it gets a 2 because this experience should be highly relevant to whether the integration of files really matters. C’s experience seems average, so you assign a 1.

And so on. Tallying the scores, it turns out A has the best understanding of the magnitude of your company’s problem with security breaches. Thus, you apply A’s standard for evaluating the risk to the whole company. But you decide to pilot new security systems with C because there’s reason to expect it is least prepared to deal with the risk of a security breach.

Risk intelligence analysis does not replace the exercise of judgment in prioritizing security or any other IT-related risks. But laying out the main issues—the worst-case loss assessments and the reliability of those assessments—helps you apply your judgment systematically. And it provides a basis for discussing with your executive colleagues the key trade-offs in your risk management strategy.

David Apgar is the author of Risk Intelligence: Learning to Manage What We Don’t Know.