Handbook of Information Security Management: Risk Management and Business Continuity Planning


RESISTANCE AND BENEFITS

“Why should I bother with doing risk assessment?!” “I already know what the risks are!” “I’ve got enough to worry about already!” “It hasn’t happened yet …” Sound familiar? Most resistance to risk assessment boils down to one of three conditions:

  Ignorance,
  Arrogance, and
  Fear.

Management is often ignorant, beyond the most superficial level, of the risk assessment process, the real nature of the risks, and the benefits of risk assessment. Risk assessment is not yet a broadly accepted element of the management toolkit, although virtually every “Big 6” consultancy and other major providers of information security services offer risk assessment in some form.

Arrogance of the bottom line often drives an organization’s attitude about information security, and therefore about risk assessment. “Damn the torpedoes, full speed ahead!” becomes the marching order: if it can’t readily be shown to improve profitability, don’t do it. It is commendable that information technology has become so reliable that management could maintain that attitude for more than a few giddy seconds. Although a well-secured information environment is also a well-controlled, efficient information environment, management often has difficulty seeing how sound information security can and does affect the bottom line in a positive way. This arrogance is often described euphemistically as an “entrepreneurial culture.”

Finally, there is the fear of discovering that the environment is not as well managed as it could be and having to take responsibility for that; the fear of discovering, and having to address, risks not already known, and the fear of being shown to be ignorant or arrogant. While good information security may seem expensive, inadequate information security will be not just expensive, but — sooner or later — catastrophic. Risk assessment, though still a young science with a certain amount of craft involved, has proven itself to be very useful in helping management understand and cost-effectively address the risks to their information and IT environments.

One last point on resistance: when risk assessment had to be done manually, or could be done only qualitatively, the fact that the process could take many months to execute and was not amenable to revision or “what if” assessment was a credible obstacle to its successful use. That is no longer the case. Some specific benefits are described below:

  Risk assessment helps management understand:
1.  What is at risk.
2.  The value at risk, as associated with the identity of the information assets and with the confidentiality, availability, and integrity of those assets.
3.  The kinds of threats that could occur and their financial consequences, annualized.
4.  Risk mitigation analysis: what can be done to reduce risk to an acceptable level.
5.  Risk mitigation costs (annualized) and the associated cost/benefit analysis: whether a suggested risk mitigation activity is cost-effective.
  Risk assessment enables a strategic approach to risk management. In other words, possible changes being considered for the IT environment can be assessed to identify the least risk alternative before funds are committed to any alternative. This information complements the standard business case for change and may produce critical decision support information that could otherwise be overlooked.
  “What if” analysis is supported. This is a variation on the strategic approach to risk management. Alternative approaches can be considered and their associated level of risk compared in a matter of minutes.
  Results are timely — a risk assessment can be completed in a matter of a few days to a few weeks. Risk assessment no longer has to take many months to execute.
  Information security professionals can present their recommendations with credible statistical and financial support.
  Management can make well-informed risk management decisions.
  Management can justify, with quantitative tools, information security budgets/expenditures that are based on a reasonably objective risk assessment.
  Good information security, supported by quantitative risk assessment, helps ensure an efficient, cost-effective IT environment.
  Management can avoid spending that is based solely on a perception of risk.
  A risk management program based on the sound application of quantitative risk assessment can be expected to reduce liability exposure and insurance costs.
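The annualized consequences, annualized mitigation costs and the “what if” comparison of alternatives described above can be made concrete with a small model. The following is an added illustration, not code from the Handbook. It assumes the conventional annualized loss expectancy formulation (ALE = SLE × ARO, single loss expectancy times annualized rate of occurrence), which this page refers to only as “annualized” consequences and costs, and every asset, threat, control and figure in it is constructed for the example.

```python
"""Quantitative risk assessment: ALE, residual risk and mitigation cost/benefit.

Added example, not from the Handbook. Assumes ALE = SLE * ARO, where SLE is the
loss per occurrence and ARO the expected number of occurrences per year.
All figures below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: currency units lost per event
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        """Annualized loss expectancy for this threat."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Mitigation:
    """A candidate control: annualized cost plus its effect on each threat.

    Factors are multipliers on a threat's SLE or ARO once the control is in place
    (1.0 = no effect, 0.0 = threat eliminated). Unlisted threats are unaffected.
    """
    name: str
    annual_cost: float
    aro_factor: dict = field(default_factory=dict)
    sle_factor: dict = field(default_factory=dict)


def total_ale(threats):
    return sum(t.ale() for t in threats)


def residual_threats(threats, mitigation):
    """The threat picture as it would look with the mitigation deployed."""
    return [
        Threat(t.name,
               t.sle * mitigation.sle_factor.get(t.name, 1.0),
               t.aro * mitigation.aro_factor.get(t.name, 1.0))
        for t in threats
    ]


def combine(*mitigations):
    """'What if' several controls are deployed together: costs add, factors multiply."""
    aro, sle = {}, {}
    for m in mitigations:
        for k, v in m.aro_factor.items():
            aro[k] = aro.get(k, 1.0) * v
        for k, v in m.sle_factor.items():
            sle[k] = sle.get(k, 1.0) * v
    return Mitigation(" + ".join(m.name for m in mitigations),
                      sum(m.annual_cost for m in mitigations), aro, sle)


def evaluate(threats, mitigation, acceptable_ale):
    """Annualized cost/benefit of one mitigation against the current threats."""
    before = total_ale(threats)
    after = total_ale(residual_threats(threats, mitigation))
    reduction = before - after
    return {
        "name": mitigation.name,
        "residual_ale": after,
        "ale_reduction": reduction,
        "net_benefit": reduction - mitigation.annual_cost,
        # What the organization still carries each year: residual loss plus control spend.
        "total_exposure": after + mitigation.annual_cost,
        "cost_effective": reduction > mitigation.annual_cost,
        "meets_tolerance": after <= acceptable_ale,
    }


def rank_alternatives(threats, mitigations, acceptable_ale):
    """Least total exposure first, so the preferred alternative is at the top."""
    return sorted((evaluate(threats, m, acceptable_ale) for m in mitigations),
                  key=lambda r: r["total_exposure"])


# Constructed sample: one customer-database asset and three threats against it.
THREATS = [
    Threat("ransomware", sle=400_000, aro=0.2),
    Threat("disk_failure", sle=50_000, aro=0.5),
    Threat("insider_theft", sle=250_000, aro=0.05),
]

# Constructed candidate controls (costs and effects are illustrative assumptions).
OFFLINE_BACKUPS = Mitigation("offline backups", 15_000,
                             sle_factor={"ransomware": 0.25, "disk_failure": 0.2})
MAIL_FILTERING = Mitigation("mail filtering", 8_000, aro_factor={"ransomware": 0.5})
DLP_SUITE = Mitigation("DLP suite", 60_000, aro_factor={"insider_theft": 0.2})

ALTERNATIVES = [OFFLINE_BACKUPS, MAIL_FILTERING, DLP_SUITE,
                combine(OFFLINE_BACKUPS, MAIL_FILTERING)]

if __name__ == "__main__":
    print(f"baseline ALE: {total_ale(THREATS):,.0f}")
    for r in rank_alternatives(THREATS, ALTERNATIVES, acceptable_ale=30_000):
        verdict = "cost-effective" if r["cost_effective"] else "NOT cost-effective"
        tol = "  within tolerance" if r["meets_tolerance"] else ""
        print(f"{r['name']:<32} residual {r['residual_ale']:>9,.0f}  "
              f"net benefit {r['net_benefit']:>9,.0f}  {verdict}{tol}")
```

The ranking is by total annualized exposure (residual ALE plus control cost) rather than by ALE reduction alone, so a control that buys a small reduction at a large cost (the DLP suite here) sorts to the bottom even though it does reduce risk; a combined alternative is just another row, which is the “what if” comparison in a matter of seconds. Changing any SLE, ARO or cost and re-running is the revision that manual, qualitative assessments could not offer.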
