Article
Building a practical cybersecurity risk acceptance/risk transfer framework
Sept. 11, 2017
Even the most prepared of organizations can suffer a cybersecurity breach or data loss, and according to surveys, the majority of large organizations already have. The impact can be substantial, ranging from fines, lost revenue and out-of-pocket costs for credit monitoring to reputational damage, negative publicity, and operational slow-downs.
Put simply, organizations must understand their exposure to threats (see the previous sections on cybersecurity risk assessment and data classification) in order to define processes for the acceptance and/or transfer of risk. The typical process for evaluating and addressing threats is prone to human bias, which unfortunately creates an altogether new risk.
The solution is leveraging a systematic, objective framework to define, evaluate and determine the disposition of any credible threats to data and information.
A formalized, objective risk acceptance and risk transfer structure reduces the likelihood of human bias, integrates diverse perspectives from across an organization and allows for a more holistic picture of the risk environment and related impacts.
The need for an objective framework: Cybersecurity and the fear of flying
Human beings are famously bad at understanding risk. The fact that driving is far more dangerous than flying does not stop people from calmly driving to the airport only to white-knuckle their way through a flight. While psychologists have identified numerous reasons for this, a particularly influential (and relevant) cause is the fact that the excitement and drama surrounding unlikely events actually strengthens memory of them, allowing people to believe that rare events are more likely to occur than they actually are. (This is also why people believe they will win the lottery!)
In cybersecurity risk analysis, this phenomenon manifests itself as an overestimation of the risks we predict to be most significant and an underestimation of the everyday risks that may actually be more likely. Absent a systematic and objective risk framework, organizations often fall into a series of all-too-human mistakes. Specifically, the process for risk acceptance and transfer tends to be:
- Reactive: Focusing on things that have gone wrong in the past.
- Predictable: Uncovering risks that are already known at the start of the process, while overlooking risks that are unknown at the outset.