How to Make Sense of Risk Management in Cybersecurity? Tip: Avoid gut instinct

You can’t avoid risk management.  It’s just as fundamental to our business as it is to our lives. From checking an email address before sending sensitive documents, to looking left and right before crossing a road.

Trying to calculate the risk of something happening can feel like chasing Usain Bolt in a 100-meter Olympic race.  Risks are typically dynamic in nature and require different responses depending on the level of threat given the surrounding environment, individuals’ perceptions and the consequences should a risk occur. As humans, we are not naturally conscious of risks; for example, when in a hurry and running late for a meeting, humans will often engage in riskier behaviour and cross streets with an urgency that could increase the chances of getting hit by a car.

Most risks are – by their nature – difficult to determine with any degree of certainty, especially cybersecurity risks.  So why invest the time in assessing them?  In cybersecurity, without effective risk management, organisations will fail to keep the bad guys out.

But how good are we at calculating risk?  We often assess risk quickly and based on our subjective experiences. In other words, our judgement of risk is heavily influenced by our emotions.  Take another example that is backed up by a solid set of factual data. Many people have a deeply ingrained fear of flying. No matter how they came to develop this phobia, what people share in common is a preconception of plane crashes, aeroplane safety, and the risk of death or injury.  But these same people do not have a fear of driving in a car. Which is worse?

In the United States between 2012-2016, there was a 1 in 3.37 billion chance of dying in a commercial airline plane crash.  There were no reports of any fatalities.

However, in 2015 there were 32,166 fatal motor vehicle accidents – which led to over 35,000 deaths. That comes out at 1.13 fatalities per 100 million vehicle miles travelled, and nearly 11 people for every 100,000 U.S. residents.   It is overwhelmingly clear that travelling by car is significantly more dangerous than flying in a commercial plane. Yet do you think that those people who fear flying are calculating their risk of dying by looking at the data? Of course not. Their risk calculations are driven by their emotions.

People often suffer from cognitive bias in assessing risk.  They base their risk calculations on emotion vs mathematics.  The famous economist, Daniel Kahneman, summed it up best. People tend to create plans and forecasts that are “unrealistically close to best-case scenarios”. When forecasting the outcomes of risky projects, people tend to make decisions “based on delusional optimism rather than on a rational weighting of gains, losses, and probabilities. They overestimate benefits and underestimate costs. They spin scenarios of success while overlooking the potential for mistakes and miscalculations… In this view, people often (but not always) take on risky projects because they are overly optimistic about the odds”.

Humans are just not very good at calculating the probability of events happening when our calculations are so heavily influenced by our emotions.  Risk probabilities should be identified through data analysis. But you must understand what the data is telling you and you must ensure the data is complete and accurate.   To manage risk, you need to be able to use elements of mathematics instead of always relying on your gut feelings or intuitions. This is what every insurance company and financial institution aims to achieve. Their entire business model depends on being able to calculate the probabilities of an event happening. Gut feeling just wouldn’t – and shouldn’t – cut it.

Just as in insurance, cybersecurity is all about risk management as well.  It can be summed up in two words what security professionals do: it is “Risk Management”.

There are three ways in which the information security profession typically addresses risk.  Firstly, do we mitigate the risk, for example by buying a security technology to stop a specific threat?  Secondly, do we accept the risk? e.g. is the cost to mitigate the threat too great and the probability of a threat happening so low that the business could decide to live with the risk and carry on as normal? Thirdly, do we transfer the risk, for example by buying cybersecurity insurance?

Cybersecurity is about trade-offs, about costs versus the benefits – and there are some key questions to ask. Where should we target budget for security?  Which threats do we choose to mitigate, accept or transfer (because we cannot address them all)? Should the organisation aim to acquire the latest and greatest security product, or select a less expensive and less effective solution to mitigate the risk?

Cybersecurity risks are evolving rapidly in sophistication and prevalence.  Coupled with this is the sheer size of data leaks, and the increasing potential for “seismic” level impacts to the business.  Risk models can help to make a better-informed view of risks in cybersecurity and whilst they are not 100% perfect, such models help to improve our decisions about risk and (if they’re good) should challenge our gut feel perceptions of risk.

In summary, if you want to “do” risk management properly, take a close look at what the data is telling you and give gut instinct a miss.

For more information about how a risk-based approach can help your organisation, get in touch at info@crmg-consult.com.

 

About the author

Todd Wade
Principal Consultant, CRMG
Former CTO Skechers (Europe)
Industry Specialism: Rapidly Scaling Startups, Cloud technologies, Retail
Area of Expertise: Cyber Security Executive Management, Technology Risk

For more articles by Todd, check out his article on ‘Risk in Retail: Staying on the right side of the headlines’ here.