The New York State Department of Financial Services (NYSDFS) Cybersecurity Requirements for Financial Services Companies went into effect on March 1, 2017. The core of this first-of-its-kind cybersecurity regulation is the requirement to develop a robust risk-based cybersecurity program that protects the confidentiality, integrity, and availability of nonpublic data. The risk related to achieving your business objectives is one of the factors that should influence cybersecurity decision making and policy development, so this makes a lot of sense.
What is Risk?
Risk is the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and / or inaction. The motivation for “taking a risk” is a favorable outcome. “Managing risk” implies that other actions are being taken to either mitigate the impact of the undesirable or unfavorable outcome and / or enhance the likelihood of a positive outcome.
For example, a venture capitalist (VC) decides to invest a million dollars in a startup company. The risk (undesirable outcome) in this case is that the company will fail and the VC will lose part or all of her investment. The motivation for taking this risk is that the company becomes wildly successful and the initial backers make a great deal of money. To influence the outcome, the VC may require a seat on the Board of Directors, demand frequent financial reports, and mentor the leadership team. Doing these things, however, does not guarantee success. Risk tolerance is how much of the undesirable outcome the risk taker is willing to accept in exchange for the potential benefit; in this case, how much money the VC is willing to lose. Certainly, if the VC believed that the company was destined for failure, the investment would not be made. Conversely, if the VC determined that the likelihood of a three-million-dollar return on investment was high, she may be willing to accept the tradeoff of a potential $200,000 loss.
Is Risk Bad?
Inherently, risk is neither good nor bad. All human activity carries some risk, although the amount varies greatly. Consider this: Every time you get in a car you are risking injury or even death. You manage the risk by keeping your car in good working order, wearing a seat belt, obeying the rules of the road, not texting, not being impaired, and paying attention. Your risk tolerance is that the reward for reaching your destination outweighs the potential harm.
Risk taking can be beneficial and is often necessary for advancement. For example, entrepreneurial risk taking can pay off in innovation and progress. Ceasing to take risk would quickly wipe out experimentation, innovation, challenge, excitement, and motivation. Risk taking can, however, be detrimental when ill-considered or motivated by ignorance, ideology, dysfunction, greed, or revenge.
The key is to balance risk against rewards by making informed decisions and then managing the risk commensurate with organizational objectives. The process of managing risk requires the organization to assign risk-management responsibilities, establish the organization's risk appetite and tolerance, adopt a standard methodology for assessing risk, respond to risk levels, and monitor risk on an ongoing basis.
Risk Appetite and Risk Tolerance
Risk appetite is a strategic construct and broadly defined as the amount of risk an entity is willing to accept in pursuit of its mission. Risk tolerance is tactical and specific to the target being evaluated.
Risk tolerance levels can be qualitative (for example, low, elevated, or severe) or quantitative (for example, dollar loss, number of customers impacted, or hours of downtime). It is the responsibility of the Board of Directors and executive management to establish risk tolerance criteria, set standards for acceptable levels of risk, and disseminate this information to decision makers throughout the organization.
An objective of a risk assessment is to evaluate what could go wrong, the likelihood of such an event occurring, and the harm if it did. In cybersecurity, this objective is generally expressed as the process of (a) identifying the inherent risk based on relevant threats, threat sources, and related vulnerabilities; (b) determining the impact if the threat source were successful; and (c) calculating the likelihood of occurrence, taking the control environment into consideration, in order to determine residual risk.
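The three steps above, together with the qualitative tolerance levels (low, elevated, severe) named earlier, can be turned into a small risk register that scores each entry and flags the ones that exceed the organization's tolerance. The following is an added example, not code from the book or the blog; the 1..5 likelihood and impact scales, the "each control removes a fraction of the remaining likelihood" model, the tolerance band cut-offs, and every asset, threat and control in the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Qualitative scales mapped to ordinal scores (assumed 1..5 scales; the text
# does not prescribe these values).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Qualitative tolerance bands (low / elevated / severe, as the text names them),
# keyed by the highest score each band covers. Constructed values: in practice
# the Board and executive management set these.
TOLERANCE_BANDS = [(5, "low"), (12, "elevated"), (25, "severe")]


@dataclass
class Control:
    """A control in the environment and the assumed fraction of likelihood it removes."""
    name: str
    effectiveness: float  # 0.0 = no effect, 1.0 = fully prevents (assumed model)


@dataclass
class Risk:
    asset: str
    threat_source: str
    vulnerability: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        # Steps (a) and (b): inherent risk before any control is considered.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_likelihood(self) -> float:
        # Step (c): each control independently removes a fraction of the remaining
        # likelihood (assumed model). Floor at 1 because no control makes a
        # relevant threat less likely than "rare".
        remaining = float(LIKELIHOOD[self.likelihood])
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return max(remaining, 1.0)

    def residual_score(self) -> float:
        # Preventive controls reduce likelihood only; impact is unchanged here.
        return round(self.residual_likelihood() * IMPACT[self.impact], 2)


def rate(score: float) -> str:
    """Map a numeric score onto the qualitative tolerance bands."""
    for upper, label in TOLERANCE_BANDS:
        if score <= upper:
            return label
    return TOLERANCE_BANDS[-1][1]


def assess(register: list[Risk], tolerance: str = "elevated") -> list[dict]:
    """Score every risk, flag those whose residual rating exceeds the tolerance,
    and return them ordered from highest to lowest residual score."""
    order = [label for _, label in TOLERANCE_BANDS]
    limit = order.index(tolerance)
    report = []
    for risk in register:
        residual = risk.residual_score()
        rating = rate(residual)
        report.append({
            "asset": risk.asset,
            "threat_source": risk.threat_source,
            "vulnerability": risk.vulnerability,
            "inherent": risk.inherent_score(),
            "inherent_rating": rate(risk.inherent_score()),
            "residual": residual,
            "residual_rating": rating,
            "exceeds_tolerance": order.index(rating) > limit,
        })
    return sorted(report, key=lambda row: row["residual"], reverse=True)


# Constructed sample register; assets, threats and control figures are illustrative.
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "unpatched internet-facing web app",
         "likely", "severe",
         [Control("monthly patch cycle", 0.5), Control("web application firewall", 0.25)]),
    Risk("payroll file share", "careless insider", "no periodic access review",
         "possible", "major"),
    Risk("backup server", "ransomware operator", "backups reachable from user network",
         "likely", "severe",
         [Control("quarterly offline copy", 0.2)]),
]


def example_report() -> list[dict]:
    # Tolerance "elevated": anything rated "severe" after controls needs a response.
    return assess(SAMPLE_REGISTER, tolerance="elevated")


if __name__ == "__main__":
    for row in example_report():
        action = "respond" if row["exceeds_tolerance"] else "accept/monitor"
        print(f'{row["asset"]:<20} inherent={row["inherent"]:>4} ({row["inherent_rating"]})'
              f' residual={row["residual"]:>5} ({row["residual_rating"]}) -> {action}')
```

Note how the customer database starts as a severe inherent risk but lands within tolerance once its controls are counted, while the backup server stays severe because its single control is weak; that difference between inherent and residual rating is exactly what step (c) exists to surface, and it is also why the scoring model and band cut-offs must be agreed up front rather than adjusted to fit a desired answer.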
Learn how to perform a risk assessment in our blog post, 6 Steps to a Cybersecurity Risk Assessment.
Your cybersecurity decision making and policy development is greatly influenced by the results of your risk assessments, so the process is critical. However, effectively managing cybersecurity risk also requires an understanding of the relative significance of organizational assets in order to determine how frequently each will be scrutinized for risk exposures.
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene.