How to manage cyber risk

Jan 21, 2016 (5 mins)
Topics: CSO and CISO, Data and Information Security, Security

Demystifying the dark art of cyber risk: the shark tank.

In the World Economic Forum’s 2015 edition of Global Risks, cyber-attacks were specifically cited as a clear and present danger to business and government. The report stated, “2015 differs markedly from the past, with rising technological risks, notably cyber attacks…”. We’re going to shed some light on this dark art and show you some of the more important aspects of managing cyber risk.

What is cyber risk?

According to National Institute of Standards and Technology (NIST) Special Publication 800-30, “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.” The Information Systems Audit and Control Association (ISACA), in its Risk IT Framework, defines it as “The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.” To boil it down into its simplest terms, “Risk is the likelihood that something bad will happen.”

What is the risk landscape?

Risks can be categorized into three broad areas:

  • Unauthorized access to IT systems for the purposes of theft, industrial espionage, extortion or embarrassment.
  • An unintentional breach by staff, contractors or vendors.
  • Operational risk through improper systems integration, e.g., poor legacy integration or inadequate testing during mergers and acquisitions.

Who sets the risk appetite for a company?

The company’s Risk Committee can be organized at the executive level, at the board level, or as a hybrid of the two. It is responsible for the risk management policies of the company and oversight of the risk management program, which includes determining the risk appetite, risk management, compliance framework and the supporting governance structure. The committee should also have the resources and authority appropriate to carry out its defined duties. (See Why written policies are vital to your cyber strategy.)

How is risk determined?

Determining risk starts with two methods, qualitative and quantitative. According to NIST SP 800-30, qualitative risk analysis relies on empirical data to assess risks based on non-numerical categories (e.g., very low, low, moderate, high, very high). The advantage of a qualitative approach is that it is easier to communicate the risk to a broader audience. This method may also find risks and inter-dependencies not identified with other methods. The disadvantage is that a number of subject matter experts can be shown the same data and not reach a consensus. Also, everyone, including subject matter experts, is prone to cognitive bias. Simply stated, cognitive bias is the tendency of people to color their perception by filtering it through their own experiences, prejudices, likes, and dislikes.

Quantitative risk management may be defined as, “A numerical scoring or rating which is assigned through verified mathematical modeling using high quality data.” This type of mathematical modeling will enable the company to make cost-effective investments in security technology and reduce cyber risk. The downside to this methodology is that it can require a significant investment of time and resources.

The general practice is to use a qualitative risk analysis to feed the quantitative risk management process. Used properly, these two methods of risk analysis are interdependent. One of the most important steps in the post-production process of both methodologies is to test the results and feed them back into the next round. Risk management is a continuous process of development and refinement as the company changes, grows, and moves in new directions. Simply stated, it is a journey without an end.

What does the company do with risk?

Risk acceptance does not reduce the effects of risk; however, it is still considered a risk strategy. This is a common option when the cost of other risk management strategies, such as avoidance or mitigation, may outweigh the cost of the risk itself. Why deploy an expensive countermeasure where there is a low likelihood of loss? Though caution should be taken when using this strategy, there is legal precedent. In the United States v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947) decision from the 2nd Circuit Court of Appeals, Judge Learned Hand proposed a test to determine the standard of care for the tort of negligence. Simply stated, the ruling asserts:

  • If (Burden < Cost of injury × Probability of occurrence), then the accused may not have met the standard of care.
  • If (Burden ≥ Cost of injury × Probability of occurrence), then the accused may have met the standard of care.
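The qualitative-feeds-quantitative workflow described above, combined with the Learned Hand test as an accept-or-mitigate decision rule, as an added example that is not part of the original article. The five likelihood categories are the NIST SP 800-30 ones named in the text; the numeric value attached to each category, the `Risk` record layout and all register figures are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Qualitative likelihood bands (NIST SP 800-30 categories) mapped to a
# representative annual probability. These anchors are assumptions for
# this example; a real program would calibrate them from its own data.
LIKELIHOOD = {"very low": 0.02, "low": 0.1, "moderate": 0.3, "high": 0.6, "very high": 0.9}


@dataclass
class Risk:
    name: str
    likelihood: str     # qualitative category, e.g. "moderate"
    impact_usd: float   # cost of injury if the adverse event occurs
    burden_usd: float   # annual cost of the countermeasure being considered

    def expected_loss(self) -> float:
        """Cost of injury × probability of occurrence (the quantitative score)."""
        return LIKELIHOOD[self.likelihood] * self.impact_usd

    def hand_test(self) -> str:
        """Learned Hand test: if Burden < Cost × Probability, forgoing the
        countermeasure fails the standard of care, so mitigate; otherwise
        accepting the risk is defensible."""
        return "mitigate" if self.burden_usd < self.expected_loss() else "accept"


def prioritize(risks):
    """Rank the register by expected loss, highest first, so the board sees
    the quantitative ordering rather than a set of category labels."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


# Constructed sample risk register mirroring the three risk areas in the
# article; every dollar figure is hypothetical.
REGISTER = [
    Risk("Unauthorized access to customer database", "moderate", 2_000_000, 150_000),
    Risk("Unintentional data exposure by contractor", "high", 250_000, 200_000),
    Risk("Legacy integration failure after acquisition", "low", 900_000, 50_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name}: expected loss ${r.expected_loss():,.0f}, "
              f"burden ${r.burden_usd:,.0f} -> {r.hand_test()}")
```

Note that the contractor exposure ranks second by expected loss yet comes out as "accept", because the proposed countermeasure costs more than the expected loss it prevents; that is exactly the trade-off the Hand test makes explicit.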

Risk avoidance is a risk management strategy that seeks to eliminate the possibility of risk by avoiding engaging in activities that create exposure to risk. The downside to risk avoidance is that it can limit a company’s opportunities.

Risk mitigation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by utilizing countermeasures, processes, and policies. An example of risk mitigation would be a company determining that a network may fail or become over-utilized and deploying a cloud-based solution which would provide redundancy and scalability.

Risk transference is the strategy of assigning risk to a third party. This usually takes the form of assigning the risk to a vendor and/or utilizing cyber-risk insurance. In the case of a vendor, this can be beneficial to a company by transferring a risk function that is not a core competency. Cyber-risk insurance can assist a company in limiting the financial impact of a cybersecurity breach. However, insurance companies will closely inspect the company’s information security management and cyber-risk programs for sufficiency. Cyber insurance will not mitigate the impact of reputational damage, nor does it transfer regulatory compliance liability.

A corporate cyber-risk strategy is critical to good governance by the board and senior management. The board and executive level risk committees, so prevalent in the finance and insurance industry, will proliferate outward into every corner of the private sector. This is especially true as we see a tougher legislative and regulatory compliance environment on the horizon.


Over twenty years of experience as an information security professional, serving in executive and senior management positions, in the US and the UK. My responsibilities have included the development and implementation of global information systems security management programs aligned with NIST CSF, ISO 27001:2013, elements of the NIST 800 series and HIPAA/HITECH. Also, I have created new corporate risk programs including the formation of a board level Risk Committee. Implemented new vendor management programs to track the compliance state of our key vendors and data holders with HIPAA/HITECH and PCI DSS. Completed the requirements, testing and installation of a state of the art security information and event management (SIEM) platform with IBM’s QRadar and ArcSight. Also, completed the requirements, testing and installation of two vulnerability scanners, IBM's QVM and Nessus. Developed an information security awareness program which included annual training for all staff.

Served as Chairperson of the Communications and Public Relations Project Group of Interpol's European Working Party on Information Technology Crime, as well as advising their Wireless Applications Security Project Group. I am the former President of the United Kingdom and Bluegrass chapters of the Information Systems Security Association (ISSA), and a member of the editorial advisory board of the ISSA Journal. I have attended numerous courses on cybercrime and white collar crime through both the Kentucky Department of Criminal Justice Training and the National White Collar Crime Center.

It has been my honor to receive an ISSA International Fellow (2015) and the International Information Systems Security Certification Consortium, Inc. (ISC)^2, President's Award for service to the information security community (2002 and 2004, 2009).

Lastly, I hold a Master of Science in Information Security from Royal Holloway, University of London, and am a former senior instructor for the (ISC)^2 CISSP CBK seminar, MCSE and BS7799 Lead Auditor.

The opinions expressed in this blog are those of Richard Starnes and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.