Evaluating Risk and Benefit Properly to Strike the Right Balance
Ideally, an organization’s security posture will appropriately protect all of their assets with as little encumbrance to the business as possible. This objective is easier discussed than accomplished. Determining the appropriate and adequate security posture and the acceptable or allowable impact to commerce for an organization should be done only after a careful review and consideration of a number of relevant factors. The term “appropriately,” in describing the protection of assets, and “as little as possible,” in describing the impact on commerce are subjective and dependent on an organization’s industry, culture, risk tolerance and comfort and familiarity with security, etc. Understanding Crime Prevention, by the National Crime Prevention Institute, indicates that, “risk management attempts to reduce the possibilities for loss in order to derive the highest possible net benefit. Through the application of risk management techniques (security solutions and otherwise), organizations seek to reduce these possibilities for loss. Thus, risk management always involves a variety of specific loss reduction actions taken in some appropriate relationship with each other so as to assure a maximum possibility for benefit.” The evaluation of risk and benefit are important considerations when determining an organization’s risk tolerance, risk management options and ultimately their security posture.
Given what’s at stake, it’s important that organization’s “strike the right balance” in evaluating the relationship between risk and benefit when determining its security posture. A posture that is too intrusive will negatively impact commerce and inappropriately overprotect assets while one that is too laxed will unnecessarily expose assets to loss and facilitate commerce. These are examples of an improper evaluation of risk and benefit and, as a result, a skewed application of risk management techniques that can adversely impact an organization. It is possible, and quite feasible, when risk and benefits are assessed and evaluated correctly, to arrive at the right “fit for purpose” risk management approach (i.e. security solutions), to enable the free flow of commerce while applying an appropriate posture that is commensurate with an organization’s identified and tolerated risk. Unfortunately, most organizations do not apply this methodology, or any methodology, when assessing and evaluating their own risk, their risk tolerance, risk management techniques and/or their security posture.
The process by which an organization determines the appropriate security posture which will facilitate commerce while ensuring the correct protection of their assets is a risk assessment. This process will identify the operations and/or the areas of the entity/business which require the greatest amount of security attention. During this process there are four key components that are evaluated and assessed to determine the likelihood, impact and current exposure of a potential, future loss. Based on this information, as well as data of historical losses, and considering the optimal risk/benefit relationship and the risk tolerance of an organization, security recommendations can be made for a “fit for purpose” security program to mitigate the identified concerns. The ability to conduct such a review and assessment and then design cost-effective, risk management systems, which are also acceptable to organizations and aligned with their culture, is the single most important skill to be developed by a risk management practitioner/security consultant.
Once the risk assessment is completed and the information evaluated and synthesized, the recommendations that follow will address the risks identified using any of the five methods of risk management to create the appropriate security posture.
- Risk Avoidance- avoiding the risk by removing it altogether
- Risk Reduction- reducing the risk to the lowest acceptable level which is compatible with the organization’s operations
- Risk Spreading- use of security features (physical, technical and procedural) to deter, delay, and deny attacks
- Risk Transfer- transfer the risk to someone else (i.e., an insurance policy)
- Risk Acceptance- after application of #1-4, accepting some risk as a cost of doing business
After evaluating a number of factors, including, but not limited to, the following; industry, location, size of organization, organizational culture, business operations, laws and regulations, risk management and tolerance, an organization can arrive at the most appropriate “fit for purpose” security posture. “Fit for purpose” is code for the most appropriate, adequate, cost effective security solutions and posture for the identified risk with as little impact to the organization as possible. Evaluating the risk properly and striking the correct balance between these two competing interests makes all the difference in the world.