Risk management, the essential glue for information security and data protection
Drs. Andor Demarteau
Trusted Advisor, Senior Information Security, Privacy, GDPR Professional, experienced trainer, public speaker (gold dust)
We all take risks, on a daily basis and several times a day at that. Without realising it, we are constantly evaluating and re-evaluating risk in our surroundings and with every decision we make. This can vary from crossing the street, buying a new gadget, continuing or discontinuing a job or assignment, or buying or selling a house (or not doing so).
Risks can be both positive and negative. Although positive risks are generally called benefits, the fundamental principles are the same.
Even continuing to read this article beyond this point can be a risk, or maybe a benefit, because you may well learn something valuable or find out that what you believed to be risk management turns out to be incorrect.
Want to take the risk? Then by all means, read on.
Risk definitions
There may be many ways to define risk, depending on the topic at hand, the sector or even the profession of choice. For this article, however, I stick to well-established definitions based on international standards.
The basis for this article is the standard from the International Organization for Standardization (ISO), ISO 31000:2009, Risk management—Principles and guidelines.
What is a risk?
According to the ISO 31000 standard the definition of risk reads: effect of uncertainty on objectives.
This is further clarified in the following three notes:
The remainder of the article will use this definition as the basis. The terms used here will play a major role in the next section on risk statements.
What is a risk statement?
A risk statement is a bite-size description of a risk, including its consequences, that is easy to read and understand for everybody who needs to work with the specific risk register.
Two of the basic formats of a good risk statement are:
The first format is a more general risk statement and the second is more specific to information risks.
Whichever format is used, when writing risk statements you should always be able to answer me these questions three:
The last question is ultimately the most difficult one to answer correctly. Would damage to the reputation really be an issue? That greatly depends on, say, the market share of a company, and may well be less directly problematic for, say, a branch of government. Fines, financial impact or both may have a larger effect on the organisation. The consequences must result in a noticeable impact on the organisation: somebody should really lie awake thinking about what the consequence(s) would mean for the organisation if the risk really did materialise.
Negative and positive risks
As noted previously in this article, risks can be positive as well as negative.
Positive risks, benefits, are usually related to, say, starting a new business venture, creating or starting to sell a new product, buying up another company, or doing sales and marketing to gain new clients. But there is also the risk that any of these actions fail, or are so successful that the organisation can't handle the consequences.
From an information risk perspective, however, we usually look at the negative aspects of risk, including security incidents, data breaches, unavailability of systems and services, and more.
In the remainder of this article we will focus on information risk and leave the positive risk factors for what they are.
Information Security and risk
Some would say that information security is almost exclusively identical to risk management. Whilst there is certainly something to be said for that, it is not entirely correct.
There is a little more to the puzzle of information security than just risk management.
Governance, strategy, risk, program
When setting up an effective information security program, there are several elements and steps to look at. And yes, risk is one of them.
Governance: who is responsible for what, who reports to whom, and how do delegation and escalation run within the organisation? Whilst this may seem obvious for the business side, security governance must be correctly embedded within the governance structure of the organisation as well for it to function properly.
Strategy: every business has a strategy, a way to make money, deliver a community service, or whatever other reason the organisation exists. Information security must be part of that business strategy, because if the two don't align you may end up not securing the most valuable assets within the organisation, wasting resources and leaving doors open that should not be left open so widely.
Risk management: when your governance structure is in place and the strategy is set and aligned, then and only then do we look at risks. Which risks threaten to derail the strategy, hinder its success and form a direct threat to the assets of the organisation? Even more importantly, how much risk is the organisation willing to take, and how much of it can it handle without too many adverse effects?
Information security program: based on the strategy and the outcome of the risk management process, the security program's goals, timelines and budget are set and confirmed.
Obviously, risk needs to be constantly re-evaluated to see whether the likelihood and/or impact of a risk has changed. If it has, that affects the security program, and yes, that by itself is a risk as well.
Information risk
Within information security we usually look at information risk. The same definitions for a risk statement as discussed previously in this article can be used for this.
Basically, you look at the information assets of an organisation and define the business impact on those assets if a risk becomes an issue and materialises.
That risk is broken down into threat actors using threat events against a technical, organisational or people component of an information asset. Next the threat strength is calculated and the likelihood of the threat actor being successful is determined, usually without taking any controls into account.
This is done because those controls may mitigate the risk and are discussed and defined separately.
In a further assessment, usually called a vulnerability assessment, a list of controls is chosen and for each control its strength in reducing the likelihood of a threat being successful is determined.
Now we have a threat actor using a threat event, controls that may or may not be enough to stop the threat actor from doing actual damage, and the business impact that is likely to occur if the controls turn out not to be as effective as everybody hoped. With these three elements we can complete the information risk assessment and start looking at where we need to shore up our defences.
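The assessment described above (threat actor and threat event per asset, a likelihood before controls, a residual likelihood after the chosen controls, a business impact, and a re-evaluation when likelihood or impact changes) can be made concrete in a small risk register. The following Python is an added example written for this article, not the author's own method or anything prescribed by ISO 31000: the 1..5 scales, the subtraction model for how controls reduce likelihood, the High/Medium/Low thresholds, the one-line statement format and the sample register are all assumptions made for illustration.

```python
"""Toy information-risk register (example code, not part of the article).

Assumed model: threat strength on a 1..5 scale is the inherent likelihood
(no controls); each chosen control subtracts its own 1..5 strength from that
likelihood, which never drops below 1; score = likelihood x business impact.
"""
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5           # assumed scale for all ratings


def _check_scale(value: int, what: str) -> int:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{what} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")
    return value


@dataclass(frozen=True)
class Threat:
    actor: str          # who: e.g. "external criminal group"
    event: str          # what they do: e.g. "phishes staff for credentials"
    component: str      # "technical", "organisational" or "people"
    strength: int       # capability and motivation of the actor, 1..5

    def __post_init__(self):
        _check_scale(self.strength, "threat strength")
        if self.component not in ("technical", "organisational", "people"):
            raise ValueError(f"unknown component {self.component!r}")


@dataclass(frozen=True)
class Control:
    name: str
    strength: int       # how much it lowers likelihood, 1..5 (assumed)

    def __post_init__(self):
        _check_scale(self.strength, "control strength")


@dataclass(frozen=True)
class InformationRisk:
    asset: str
    threat: Threat
    business_impact: int           # consequence for the organisation, 1..5
    consequence: str               # plain-language "so what" for the statement
    controls: tuple = ()           # tuple of Control, chosen in the vulnerability assessment

    def __post_init__(self):
        _check_scale(self.business_impact, "business impact")

    def inherent_likelihood(self) -> int:
        """Likelihood of the actor succeeding with NO controls in place."""
        return self.threat.strength

    def residual_likelihood(self) -> int:
        """Likelihood after controls; floored at 1 because some risk always remains."""
        reduction = sum(c.strength for c in self.controls)
        return max(SCALE_MIN, self.threat.strength - reduction)

    def inherent_score(self) -> int:
        return self.inherent_likelihood() * self.business_impact

    def residual_score(self) -> int:
        return self.residual_likelihood() * self.business_impact

    def statement(self) -> str:
        """One-line risk statement; the wording pattern is assumed for this example."""
        return (f"{self.threat.actor} {self.threat.event} on the {self.threat.component} "
                f"component of the {self.asset}, resulting in {self.consequence}.")


def rating(score: int) -> str:
    """Map a 1..25 score onto a rating; the thresholds are an assumption."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_register(register):
    """Highest residual risk first: this is where defences need shoring up."""
    return sorted(register, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def reassess(risk, *, threat_strength=None, business_impact=None, controls=None):
    """Re-evaluate a risk when likelihood and/or impact changed. The records are
    frozen, so a new record is returned and the old one is kept for the audit trail."""
    kwargs = {}
    if threat_strength is not None:
        kwargs["threat"] = replace(risk.threat, strength=threat_strength)
    if business_impact is not None:
        kwargs["business_impact"] = business_impact
    if controls is not None:
        kwargs["controls"] = tuple(controls)
    return replace(risk, **kwargs)


# Constructed sample register: invented assets, threats and ratings.
MFA = Control("multi-factor authentication", 2)
AWARENESS = Control("phishing awareness training", 1)
BACKUPS = Control("tested offline backups", 2)

SAMPLE_REGISTER = (
    InformationRisk("customer database",
                    Threat("external criminal group", "phishes staff for credentials", "people", 5),
                    5, "a reportable personal data breach and regulatory fines", (MFA, AWARENESS)),
    InformationRisk("order processing system",
                    Threat("ransomware operator", "encrypts production servers", "technical", 4),
                    4, "several days of unavailability and lost revenue", (BACKUPS,)),
    InformationRisk("internal wiki",
                    Threat("disgruntled insider", "leaks meeting notes", "organisational", 2),
                    2, "minor embarrassment", ()),
)

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"[{rating(r.residual_score()):6}] inherent {r.inherent_score():2} "
              f"-> residual {r.residual_score():2} | {r.statement()}")
    # Threat landscape changed: the ransomware operator acquired stronger tooling.
    changed = reassess(SAMPLE_REGISTER[1], threat_strength=5)
    print("re-evaluated:", changed.residual_score(), rating(changed.residual_score()))
```

Running the script prints the register ranked by residual score and then the re-evaluated ransomware entry. Keeping both the inherent and the residual score visible is the point of separating the threat assessment from the vulnerability assessment as the article describes: the gap between the two shows how much the organisation is relying on its controls, and a re-evaluation that pushes a residual score back up is exactly the signal that the security program itself needs adjusting.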
Data protection and risk
Adhering to data protection law is a choice and therefore a risk. Don't do it and you may face damage to your reputation, or regulators taking action, which may include fines, limiting or forbidding you from continuing to process the personal data of your clients, or ordering you to bring your processes into line with legal requirements.
Generally, at least from the point of view of privacy-minded people, this is a pretty negative risk. The likelihood of regulatory action may be low enough, or your lawyer budget high enough, that you can take the risk, as it may not hit your company too hard anyway, so why should you care? A risk statement would therefore be hard to write, as there would be no consequences impacting the organisation enough for anybody in a position of power to truly care about them.
This is the point-of-view taken by, unfortunately, a lot of US tech giants at least.
GDPR and a risk based approach
The General Data Protection Regulation, the landmark data protection law in the European Union, takes a risk-based approach to its enforcement, but also for the organisations that need to adhere to the law.
Generally the law tells organisations to decide for themselves what personal data to process, for which purpose, using one of the six available lawful bases for processing, and also where (geographically) they would like that processing to take place.
Based on these choices, some fundamental principles and a few things an organisation is by default not allowed to do, the processing of personal data is left fairly open, if and only if you can account for what you do and why you do it, and take enough care to uphold the rights and freedoms of the data subjects (you and me, that is).
You don't need permission up front and no checks are done before you can start processing personal data. The checks are done afterwards, and only if enough complaints are received, signals of misuse are received, or routine checks on your business or sector shine a light on your unfair practices. It is therefore your job to show that you have done your best, acted in good faith and understood your obligations, as you can and will be held accountable.
So the GDPR has a risk-based approach where the risk of non-compliance lies fairly and squarely with the organisation that processes your personal data and that decides on the means and purpose of that processing.
Conclusion
Risk is around us, every moment of the day and in every decision we make. Even writing this article is a risk as I may have missed something, over-simplified difficult concepts or maybe I have misunderstood something. Yet there is the positive risk that people like you have read the entire article and maybe have learned something valuable by doing so.
If there is risk in everything we do or don't do, there is risk in information security as well as in data protection. As the two fields overlap, and as information security really can't do without risk and risk management, both fields are inextricably glued together by their dependence on the proper handling of risk.
This is also why I have chosen to have the name "Shamrock Information Security" with the shamrock signifying the trinity of information security, data protection (privacy) and information risk management as my company name exactly 8 years (or 2 leap year cycles) ago.
Next addition
The next addition will try to answer the question: is ISO27001 a paper tiger?
Want to be notified when the next addition is published? Then please subscribe.
Who is Drs. Andor Demarteau
I am a Chief Security Officer with 15+ years’ experience. A trusted advisor to Business, Banking, Healthcare, Aviation, Broadcasting, Education and Government, bridging the gap between Business and IT. Delivering high quality, transparent and ethical expertise in Information Security, Data Protection, Privacy, and IT Risk Management Strategy. Public speaker, article author, visionary.
This newsletter is sponsored by Shamrock Information Security
Senior Account Executive @ Holm Security | Boosting Holm Security's Global Presence: Sales Expansion and Partner Growth for Europe's top rapidly expanding cybersecurity firm: Redefining Vulnerability Management!
Love the mindset of embracing risks and uncertainties!
Taking risks is the spice of life! Can't wait to see what the next addition brings.
Developer Advocate | DevRel | Turning Founders into Thought Leaders on LinkedIn
Embracing risks is part of the journey! Can't wait to dive into more insightful additions.
Explaining UK Data Protection Act 2018 obligations (& implications) to Law Enforcement Competent Authorities & partners
Good piece.