What is risk?
Risk is the impact of uncertainty on people or organisations. Risks can emerge from any type of uncertainty, including those related to finance, health and safety, and security. These different types of risk will need to be analysed by people with skills and expertise in each domain, and then brought together to form a complete view of the risks that an organisation faces. Cyber security risk refers to security risks to digital services, computers, networks, connected technologies or information.
What a risk is, and how it’s described, depends entirely on the context of the organisation which faces that risk, and on the knowledge, understanding, skill and biases of the individual assessing the risk.
In the context of wider business risk management, a risk is the potential for either harmful or positive outcomes to impact upon business objectives, including reputation. Organisations cannot develop without taking risks. Technology and information risk is not just about avoidance and mitigation; the pursuit and acceptance of risk create opportunities and can help deliver business objectives.
Having recognised this wider meaning, this guidance uses the word ‘risk’ to describe the potential for security harm to occur as a result of people using technology and information to achieve business objectives. It is important not to just think about risk in the context of the confidentiality, integrity and availability of technology and information. Other things that the organisation values (its reputation, the well-being of customers and employees) may be at risk and should also be taken into account.
What is risk management?
Risk management is about managing the impact of uncertainty on people or organisations. Every activity, whether business or personal, entails some degree of uncertainty. Risks arise when these uncertainties have the potential to impact upon something you care about.
The purpose of risk management is to help organisations and people protect themselves, and provide confidence that the ways in which they respond to risk are good enough to meet their needs. Managing risk requires a range of complementary capabilities and an understanding of when risk management methods and frameworks are effective, and when they are not.
Where risk management decisions and actions affect multiple organisations (or multiple parts of an organisation), then some level of risk management co-ordination is likely to be required.
Risk management is not a ‘one-off’ activity. It needs to happen throughout the whole life cycle of a system or service, informed by a realistic view of risk and a clear understanding of the organisation and its objectives. This is because all of the following change over time:
- the needs of people and organisations
- the threats they face
- the vulnerability of technology and information
Technology and information risk is just one area of business risk that organisations need to manage. As such it should fit in with the existing business risk management activities undertaken by an organisation (e.g. legal, finance and safety).
What is risk assessment?
Risk assessment is a key risk management activity that identifies, assesses and articulates risks to the organisation. Risk assessment is needed to inform risk management decision making, and it requires technical, security and business skills and knowledge.
Organisations may use different risk assessment methods or frameworks to assess the risks associated with particular areas of their business (eg financial, legal, health and safety, etc). The choice of risk assessment method rests with the organisation and these choices are often based on the type of risk or business area under consideration. Achieving a consistent approach to describing and presenting risks from different areas of the organisation will help decision makers to consume assessment output, and make informed risk management decisions. Irrespective of the risk assessment method or framework chosen, it will usually be necessary for organisations to tailor them to suit the needs and context of the business.
Who makes risk management decisions?
The decisions made to manage technology and information risk are the responsibility of the organisation. They are not the sole responsibility of security or IT departments. Risk management decisions should be objective and informed by an understanding of risk. They should not be made in isolation, but on a basis of understanding how individual decisions affect the wider business, and what it is trying to achieve.
Organisations should decide for themselves what risk management decisions need to be made to support the delivery and operation of a system or service, and could include:
- the authorisation of expenditure to design a system or service
- the authorisation of expenditure to build, test, install, run and decommission a system or service
- the approval to use information, a system or a service during the test, install, run, and decommission stages of a system or service lifecycle
The right people need to make decisions at the right time, with the right advice and support. They need to be empowered by the organisation and have the right business, technology, and security knowledge and skills to make informed and objective decisions.
Establish approaches that are right for your organisation
When security decision making is done well, it takes account of what the organisation is trying to achieve and provides confidence that technology and information is secure enough to meet business needs. It is not necessary for all organisations to establish a formal decision making process (or appoint a dedicated decision maker) because there is no single risk management process or governance structure that fits all scenarios.
This does not mean there is no need to manage risks and govern risk management activities or make informed and objective decisions. Rather, organisations should establish the processes and approaches that are right for them. Applying the guidance you are reading now will help to achieve this.
The sector in which an organisation operates may mean that there is a need to employ mandatory business roles for security decision making and governance. Some of the best decision making approaches can occur when it is clear who owns the risk, and who has the difficult challenge of balancing the business imperative with any remaining risk.
It is important to recognise that as long as the system or service is in operation, then the organisation is in fact accepting the risks, whatever those might be. Stating that a system is ‘unapproved’, ‘unaccreditable’ or ‘not accredited’ whilst it is still allowed to operate is meaningless.
Technology and information risk at a glance
Using technology to deliver business benefit attracts risk. Applying the guidance described below will help organisations to understand how to approach the assessment and management of risks.
Understand the business context
Taking risks is a necessary part of doing business in order to create opportunities and help deliver business objectives. Organisations should always be aware of the risks they are taking to achieve their aims.
To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment is conducted. This context can be set by answering the following questions:
- What is the organisation trying to achieve, and what does it really care about?
- What business assets are involved (for example systems, services, information and other business assets such as reputation), and what are they worth to the organisation?
- What risks is the organisation prepared/not prepared to take with those assets to achieve its objectives?
- Are there any external legal and regulatory requirements that need to be considered?
- Are there any third party risk management or contractual considerations to take into account?
- What rewards may be realised by taking risks?
- What governance structure will the organisation have in place to support risk management decision making?
Those responsible for making risk management decisions should contribute to, and agree with, the formulation of this context.
Decide on the risk management approach
Before taking any action, the organisation must understand and communicate what risk management approach the business is going to take to provide confidence that the technology and information used is secure enough. This is an important business decision because the security of the organisation and its assets depend on it.
Risk assessment and other risk management activities require technical, security and business skills and knowledge and resources. Choosing the wrong approach could be costly in terms of resource use and security compromise.
Organisations have a number of choices available to them to manage risks that have been identified. They can choose to avoid, accept, transfer or treat risks to their business. If an organisation has decided to manage the risks they face, through treatment using security controls, then three potential approaches are briefly outlined below:
1. Rely on the security provided by commercial products and services
In this approach, the organisation relies on the security provided by a commercial product or service, without conducting further security analysis. If the organisation adopts this approach, then there is no need to conduct customised technology and information risk assessments to help specify additional security controls. However, the organisation must accept that:
- it is completely reliant on the security claimed to be provided by commercial products and services, which can vary from ‘very robust’ to ‘almost none at all’
- security won’t be tailored to any specific needs the organisation might have
From a security perspective, this approach does not mean ‘do nothing’. Organisations that choose to take this approach still need to:
- have in place organisational controls (for example personnel security, physical security and security training for users)
- seek confidence and assurance that the commercial products and services they use are appropriate in the context of what they are doing and the threats they face
- make appropriate use of the security provided as standard by commercial products and services
Adopting this approach is dependent on having effective and appropriate commercial contracts and agreements in place. It should not be assumed that suppliers’ own standard commercial terms of business will provide an adequate basis for relying on the security provided by any product or service.
Organisations should also note that without risk assessment, the business will have no understanding of the technical and information risks it faces. This could result in a lack of security where it is needed, or the application of security where it is not needed, resulting in security compromise or unnecessary costs.
2. Apply common solutions to solve common problems
In this approach, the organisation applies the security provided by common security solutions to solve common technology problems. It only carries out tailored risk assessments (or specifies additional security controls) for those business objectives that are not entirely covered by the common solution.
This is illustrated in the diagram below:
Some examples of common solutions to common problems include:
If the organisation decides that its business objectives are not entirely covered by the risk assessment for a common solution, the next step is to understand where the differences lie. For example, is there a unique threat or unique asset to be considered? Once these differences have been understood, then this can be used to form the basis of a more tailored risk assessment activity to specify additional security controls.
3. Carry out risk assessments to specify security controls
In this approach, the organisation chooses an appropriate risk assessment method and makes informed risk management decisions about what security controls it will implement. When making these decisions, the business may choose to:
- manage risks using controls that are independent of any predefined control set
- use security controls and control sets intended to implement local, national or international policies and standards (eg ISO/IEC 27001); these control sets are general in nature and need to be tailored to meet the needs of the organisation
Decisions will be informed by what the organisation is, and what it is trying to achieve. Some organisations in certain sectors may need to demonstrate that they have applied security controls to comply with standards or a sector-specific regulatory requirement. For example:
- external factors (eg sector specific legislation or regulations)
- organisations may need to apply security controls based on the type of information they need to protect; for example those that store and process personal data will need to apply controls to demonstrate compliance with the Data Protection Act (DPA)
- organisations seeking compliance with ISO/IEC 27001 may choose to apply the ISO/IEC 27001/2 control set in the context of what the organisation is doing
- organisations conducting payment card transactions must apply the security controls and requirements set out in the Payment Card Industry (PCI) Data Security Standard
- certain business communities sharing services and infrastructure may choose to develop their own minimum set of security controls against which compliance can be demonstrated to protect the wider community
- organisations may choose to implement the advice provided by the 10 Steps to Cyber Security and/or the control set provided by the Cyber Essentials Scheme
The examples above should not be viewed as an exhaustive list of recommended control sets, as there are many to choose from. Some organisations may need to use a combination of control sets. Irrespective of the method, standard or framework used to make security control choices, decisions must be informed by and traceable to realistic risks affecting something that the organisation is actually doing.
Choose a risk assessment method that is right for the business
There are many methods for conducting risk assessments, and numerous tools to support them. Most risk assessment methods can be aligned to the approaches described in the ISO 31000 and ISO 27000 series of International Standards which seek to identify, analyse and evaluate risks. The method to be adopted should be appropriate for the organisation, so this is ultimately a business decision. It should be scaled to support whatever delivery model is being used and tailored as necessary to suit the needs of the business and the target audience.
When choosing a risk assessment method, the organisation is likely to need to answer the following questions:
- can I define the inputs I need (threats, vulnerabilities and impacts) using a particular method?
- will the output from the method reflect meaningful risks in a way the organisation will understand?
- will the output allow me to understand and prioritise risks in a meaningful way?
- can the output be communicated to third parties?
- is the method of assessment proportionate to what it is I am trying to achieve?
- will I need to employ specialist resources to use it, or to interpret the output for the organisation?
- are there any costs associated with using the method?
- can I repeat the method consistently?
- are there any contractual or commercial restrictions on how I can use the method?
- will the method support the commercial model operated by my organisation?
- do I understand the limitations of the assessment method I am considering or have chosen?
We have provided a summary of common risk methods and frameworks. Further information on the limitations of risk management methods and frameworks can be found in our critical appraisal of risk methods and frameworks.
Understand the components that cause a risk to exist
Risk assessments have inputs and outputs. The most common inputs considered in a risk assessment are threat, vulnerability and impact. Risk is normally realised as a consequence of these inputs, although some risk assessment approaches will include other inputs (such as likelihood and asset value).
Regardless of the risk assessment method used, any inputs and outputs should be understandable and meaningful in the context of the business and what it is trying to achieve.
Threat describes the source of a risk being realised. Threats to systems and services include people who would seek to do the business harm through technology, and undesirable events such as environmental disasters and accidents. Some of the threats that an organisation may face are beyond the organisation’s control; in those cases the organisation can only use threat-related knowledge to aid risk prioritisation.
Modelling threats can be a useful way of helping to understand what threats should be considered and how they may affect individual assets, the organisation, and what it is doing. Where threats are people, organisations should consider the motives that drive individuals to launch an attack, as well as their opportunities and capabilities to do so.
To achieve consistency between different risk assessments within the same organisation, the business should establish organisation-wide (or business area specific) ‘threat assessment baselines’, and use them as input to all risk assessments. These baselines will need to be amended if the threat landscape changes, or if something significant changes within the organisation.
Vulnerability is a weakness which can be exploited by a threat to deliver an impact. A system or service could be compromised through the exploitation of vulnerabilities in people, places, processes or technology.
When assessing their risks, organisations should ensure that they have a clear and realistic understanding of where and how their systems and services are vulnerable. Whilst organisations can’t control the threats they face, they can reduce their vulnerabilities.
Impact describes the consequences of a risk being realised. To allow risk evaluation and prioritisation, impact should specify the negative effect that a risk’s realisation would entail.
This should include expected losses (eg financial and reputation losses) as well as business objectives which would not be achievable as a result of the impact. Organisations can exercise control over the negative impact that realisation of a risk would have, and should plan for this to happen.
Some risk assessment methods also consider likelihood and asset values as components of risk and inputs to assessments.
Likelihood estimates how likely it is for a threat to occur. It can be captured by examining historical records of compromises to estimate how history will be repeated. Some methods draw on likelihood to help determine vulnerability. Note that metrics of past occurrences are not necessarily a useful indicator of what will happen in the future.
Asset values are used to provide an understanding of what systems, services, information or other assets the organisation really cares about. This insight will provide organisations with a view of what it is they really want to protect.
Risk assessment output
Irrespective of the risk assessment method used, the output should be meaningful, understandable, realistic, and in context, so that it informs risk management decisions and cannot be interpreted in different ways by different people.
The level and type of detail provided by the output (ie technical or not) will be dependent on who the risk assessment is for, and what risk management decision it is meant to inform.
Understand what risks exist
To understand what risks exist, the chosen risk assessment method should be applied in the context of what the organisation is trying to achieve. To do this, you should know:
- which risk management decisions the assessment will inform
- who is responsible for making them
- what level of detail is needed
Before conducting a risk assessment, the organisation needs to decide and agree how risk assessment output will be presented. There is little value in a risk analyst producing a large and detailed risk assessment document, when the decision maker will only read the first page. Ensure that the scale and rigour of analysis performed (and the amount of documentation produced) matches the business context and is justified and proportionate.
The output of any risk assessment should be recorded for traceability purposes. Traceability is important so that risk management decisions and investment choices can be traced to an identified risk.
Prioritise the output from a risk assessment to allow the organisation to make informed risk management decisions. Any prioritisation of risk should be based on a meaningful understanding of what the organisation really cares about, not meaningless risk level boundaries.
Communicate risk consistently
Irrespective of the approach taken to assessing risks, the outcome should be captured in a way that can be used to inform business decision making. Output from risk assessment and other risk management activities may also need to be communicated to interested third parties.
The results of risk assessments depend largely on the experience and biases of the individual conducting them. As a result, it is difficult to obtain consistent risk assessments from different risk practitioners even when applying the same method. Consistency in risk assessment and risk management is important to enable effective decision making and communication. Consistency does not come from the repeated application of a specific risk assessment method. Consistency is achieved by ensuring that:
- the inputs to and outputs from assessments are meaningful in the context of what the business is trying to achieve
- risk professionals do not go about their work in isolation, but collaborate with the wider organisation to achieve a consistent view of the business context
Different organisations do not have to use the same risk assessment methods in order to communicate risk consistently, provided they use a common language that describes the inputs to and results of their risk assessment and risk management activities. The common language to be used is a matter for organisations to agree amongst themselves.
Agreeing how to communicate will create trust amongst a community who need to have confidence in the decisions made by others. Organisations should, as a minimum, be able to communicate:
- the threat context under which risk assessments have been conducted
- the willingness of their organisation to accept risk
- the status of managed risks, and what any risk valuations actually mean
- what control measures have been taken and how much rigour has been applied to managing risks within the organisation
You should also:
- Avoid situations where (for example) both organisations articulate risk in terms of levels, but the actual meaning of these levels differs between the two organisations.
- Communicate risk to third party delivery partners by reflecting real and meaningful risk management requirements in contracts and service level agreements; it is not sufficient to say in a contract or agreement that a system or service must be ‘accreditable’ or compliant with the requirements of a particular standard.
- Ensure that security requirements in contracts and agreements are informed by and traceable to real risks or external requirements whilst being communicated in a meaningful and testable way. This will ensure that there is a shared understanding between consumer and provider of what outcome is required.
Make informed risk management decisions
Throughout the lifecycle of a system or service, the organisation will need to make objective decisions about what needs to be done to manage identified risks. This should be based on a clear and meaningful understanding of risk.
These decisions should be informed and supported by information, subject matter expertise and evidence. It is for the organisation to decide how much and what form of information is required, together with the level of expert advice and evidence needed to demonstrate that risks are being managed.
Examples of information and evidence that could be used to support risk management decisions include:
- statements from the organisation on what risks it will and will not take to achieve its objectives
- the output of a risk assessment in the context of what the organisation is trying to achieve
- a description of the security controls that are already in place (or those that are needed to manage the identified risks)
- the cost of controls needed to manage a risk
- evidence and information on how third parties are managing risk and any contractual considerations that could affect the decision
- evidence that provides confidence that security controls have been implemented to manage identified risks
- evidence that provides confidence that security controls will continue to manage risks throughout the whole lifecycle of the system or service
- a view of the status of risks after they have been managed
It is important that the organisation understands what effect its risk management actions have on the risks it has identified. The organisation must be capable of communicating this to partners or authorities as necessary.
It is not possible to say that a system or service is ‘risk free’, or 100% secure. After risk management action has taken place, some risks will remain. These are often referred to as residual risks.
Some risk management approaches estimate how much a specific risk management action reduces an identified risk from its original state. For example, a risk management action may reduce a risk from ‘high’ to ‘medium’. It is not possible to quantify the level of risk reduction as a result of a single or suite of security controls, and basing risk management decisions on estimates of risk reduction can encourage a false sense of security.
Understanding the effect a security control is having on a risk can be useful in determining the value of risk management related investment decisions, and as a minimum, organisations should understand and be able to communicate:
- which risks are being actively managed
- how they are being managed
- the confidence the organisation has that measures are effective
- any risks that are not being managed at all
Risk management decision making do’s and don’ts
The following diagram shows a simple set of do’s and don’ts that can help risk assessment and risk management decision making.