What Is Technology Risk?
Technology risk, IT risk, cyber risk – what’s the difference among these commonly used terms, and is there really a distinction in a time of digital transformation?
Generally, risk management has looked at the world of risk with this hierarchy:
- Operational Risk: Any event that affects the organization’s ability to operate
- Technology (or IT Risk), a subset of Operational Risk: Any risk to information technology or data or applications that negatively impact business operations. This could cover a range of scenarios, including software failures or a power outage.
- Cyber Risk, a subset of Technology Risk: Loss event scenarios strictly within the cyber realm, such as phishing, malware, data breach.
If it sounds like there’s lot of room for crossover in these definitions, that’s right. Gartner has successfully advocated for Integrated Risk Management (IRM) that takes “a comprehensive view across all business units and risk and compliance functions, as well as key business partners, suppliers and outsourced entities.” In Gartner’s view, risk management is a continuum, as shown in this graphic, driving toward Digital Risk Management (DRM, on the left), as business processes all become digital in one way or another.
Defining Technology Risk in FAIR Terms
Factor Analysis of Information Risk (FAIR™) is the standard for quantification of cyber and technology risk in financial terms to enable justification, prioritization, and communication of security investments within an organization.
In FAIR terms, risk is defined as the
Probable Frequency and Probable Magnitude of Future Loss
The starting point for FAIR quantitative analysis is a risk scenario or risk statement that addresses a technology problem the business needs to solve. The format is:
"[Threat Actor] impacts [Confidentiality, Integrity, Availability] of [an Asset] via [Some Method]"
For example:
“Analyze the risk associated with an external threat actor establishing a foothold on the network through a trusted security vendor’s application (e.g. SolarWinds) resulting in a breach of sensitive data in our crown jewel asset.”
The FAIR standard shows the way to break the scenario down into factors to quantify the probable frequency and impact of such an event, based on the organization’s experience or industry data.
The FAIR model is highly flexible, and still valid with less cyber-centric scenarios.
Try it NOW at no cost: Our Free Industry Cybersecurity Report demonstrates the potential financial cost of key negative cybersecurity events like ransomware, insider error and more with just a few simple inputs.
Additional Resources
In this RiskLens case study, a furniture manufacturer wanted to determine if it should keep paying the annual subscription fee for support from the technology vendor for its order fulfillment system or bring the maintenance of the system in-house. If an employee misconfigured the system, what would that accident cost the organization in terms of lost sales, response costs, or other impacts? How would that compare with the ongoing subscription cost?
Scenario: “Analyze the risk associated with a non-malicious privileged insider impacting the availability of the order fulfillment system via a misconfiguration resulting in a suspension of fulfillment.”
Quantified risk analysis on the RiskLens platform based on FAIR showed that staying with the subscription service would shorten response time to an outage, reducing the impact to a level that justified the $1 million annual investment.
Learn quantitative cyber risk analysis, enhance your career in risk management with FAIR training from the RiskLens Academy.
What Is an IT Risk Assessment?
Risk analysis and risk assessment are two more terms that often used interchangeably but with an important distinction. While a risk analysis might look at a single scenario, a risk assessment gives a broader look at risk across scenarios to support business decision-making, particularly to justify, prioritize and communicate security investments. Types of technology or IT risk assessments include:
Rapid Risk Assessment: Run a quick series of risk analyses to aggregate and compare outcomes, for instance to prioritize top risks for response based on loss exposure in dollar terms. Learn about Rapid Risk Assessment on the RiskLens platform.
Aggregate Risk Assessment: Understand and quantify the organization’s total probable loss exposure for information technology. Gain granular insights by looking across scenarios to spot which threat communities or asset types pose the greatest risk to the organization, or which business units carry the most lost exposure, relevant insight for a CISO (chief information security officer) deciding on how and where to target defenses.
To fully support business decisions, risk assessments should be presented with risk treatment options for the risks identified.
A risk treatment analysis
- Establishes a baseline of loss exposure from the current situation
- Runs “what-if” scenarios to compare the risk reduction (in financial terms) from the current state that alternate proposed controls process changes could achieve.
- May include a cost/benefit or return-on-investment (ROI) analysis comparing the cost of new security investments to their effect on risk reduction.
Webinar: Learn about RiskLens Risk Treatment Analysis for Cost-Effective Decision-Making
What Is IT or Information Technology Risk Management?
Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.
--National Institute of Standards and Technology (NIST) Special Publication 800-39: Managing Information Security Risk
As NIST advises, the first step in risk management is to “frame” risk, in other words establish a common terminology and measurement system – ideally one based on a standard such as FAIR that normalizes risk vocabulary -- and on quantitative analysis that measures risk in the financial terms used to communicate across the enterprise, also the output of FAIR analysis. With risk treatment analysis, organization can also “respond” and, with ongoing risk assessments, “monitor” through a risk dashboard.
Compliance with IT Risk Management Frameworks
Many organizations make information risk management a less than “comprehensive” process by focusing on compliance with frameworks – treating publications like NIST 800-39 that recommend various security practices or controls as checklists, on the assumption that the more controls implemented, the lower the risk. Without quantitative risk measurement, however, that’s an unprovable assumption.
The frameworks are good foundational guides for a security program. But their strictly technical approach to cybersecurity can’t be fully aligned with business needs, such as determining security investments or communicating the need for budget to the business based on ROI.
Types of Risk Management Frameworks
Control Frameworks
>>The SANS CIS Controls is a basic list of cybersecurity controls that should mitigate 80% of attacks. NIST 800-53 is an extensive list of controls that, practically speaking, no organization would ever implement in entirety.
Note: FAIR is included in the SANS CIS Controls poster as part of the Five Keys for Building a Cybersecurity Program.
Program Frameworks
>>ISO 27001 brings in business requirements to a controls list but doesn’t prescribe a specific approach to analyzing risk. The popular NIST CSF maps specific controls to each cybersecurity function for a good technical overview of a risk management program.
Note: The NIST CSF includes FAIR as an “informative reference” among its recommended controls and processes.
Neither the controls frameworks nor the program frameworks can answer the basic questions for business decision-making, such as “if we invest in one security control or another, how much less risk will we have?” FAIR complements the frameworks by providing the missing quantitative risk analysis.
Technology Risk, Business Continuity Planning and Resilience
Large organizations often create a business impact analysis statement (BIA) to understand the links between processes that drive the business, and the probable outcomes of outages due to man-made or natural events that might significantly interrupt operations. For information technology, that means business continuity plans should prioritize IT resources to minimize the effect of an outage on the business. Typical off-the-shelf BIAs, however, share the fault of other non-quantitative risk assessments – they can’t communicate risk in business terms. Learn how one organization raised their game on business impact analysis:
Case Study: Healthcare Supplier Uses RiskLens to Identify Best Business Continuity Strategy
Ransomware: Where Cyber Risk, Technology Risk, Operational Risk and Enterprise Risk Converge
The recent ransomware attacks on Colonial Pipeline, the fuel distributor, and JBS USA, the meat packer, two owners of critical infrastructure, quickly jumped the increasingly irrelevant lines among risk disciplines.
In the Colonial Pipeline case, the company chose to shut down fuel shipment after ransomware hit their business systems. Details for the JBS USA case aren’t yet clear—whether the ransomware penetrated to their operational systems, or the company also halted production lines out of caution.
Either way, a cyber risk quickly escalated through technology risk to operational risk and ultimately a risk to the enterprise, potentially in material impact on the bottom line and certainly reputation and perhaps legal and regulatory impact.
The National Institute of Standards and Technology recently released Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286) to advise organizations on dealing with this new risk reality. The publication called out FAIR, as a recommended tool to “better prioritize risks or prepare more accurate risk exposure forecasts” in a risk register. NISTIR 8286 also endorsed many of the standard practices of FAIR analysis, including risk prioritization, risk scenario modeling, Monte Carlo simulations, and, of course, quantification of cyber risk in financial terms.
Learn quantitative cyber risk analysis, enhance your career in risk management with FAIR training from the RiskLens Academy.
