Risk assessment is a core competence of information security management. A recent question and answer exchange goes to the nub of how risk appetite and an organization's risk acceptance criteria should be approached.

The question was:

'ISO27001 hammers home that the approach to risk that an organization has towards security risks should be based on the organization's approach (and risk appetite) for business risks. This just doesn't ring true to me given how granular the rest of 27001 is.'

A business risk is fundamentally different from a security risk and I really struggle to see how the approach to one maps over to the other.

It's one thing to say "we are willing to take a high degree of risk, so we'll invest in your factory in Elbonia" - there is a potentially high profit to be had from taking that risk. Business managers will be used to making decisions based on that kind of risk vs reward thinking.

It's entirely different to say "we are willing to take a high degree of risk - we'll not invest in (eg) an antivirus solution and accept the risk that that entails".

Investing in my factory in Elbonia could have the exact same potential (monetary) loss attached to it as the damage caused by not buying an AV solution - the crucial difference is that taking a security risk can't GAIN you anything. You might be lucky and not lose anything - that's about the best you can hope for. There is no reward in this situation.

In light of that - I'm not sure that the "risk appetite" business-wise is necessarily a good indicator of how "risk hungry" we should be security-wise.

Just as in life - my appetite for skydiving bears no relation whatsoever to how I invest my money. My high-risk appetite in the one arena has nothing to do with the other and it would be stupid for me to apply it so.

I would have thought that ISO27001, which stresses a bottom-up, high-granularity approach, would also include the understanding that there can be different risk arenas which may need to be treated with very different approaches.

This is a good question and well articulated. The answer - and this is a paraphrase of the more detailed treatment contained in the chapter on risk in International IT Governance and in Information Security Risk Management for ISO27001 - is as follows: there are two different types of risk.

The first is called speculative risk, and it is what business people do - speculative risk can lead to either gain or loss, and is at the heart of business strategy. We assess the risk, decide whether or not we can afford the possible loss and whether this is adequately balanced by the potential gain, and then go ahead - or not, as the case may be. Your Elbonian investment decision is a speculative one, particularly in the light of the current economic climate.

Non-speculative risk, on the other hand, is the sort of risk that can lead only to loss. Non-speculative risks can derail speculative business plans. Non-speculative risk is therefore the subject of risk control; if we can reduce this type of risk, we can remove potential obstacles to the realisation of our business strategy. Information risk, operational risk, regulatory risk, health and safety risk - these are all forms of non-speculative risk and the proper subject of risk management.

The overall risk management framework to which we refer is that which applies to non-speculative risk. In other words, the risk appetite that is relevant to the management of information risk should be the same as that applied to health and safety risk, or operational risk, or any other controllable risk - it makes for coherence and consistency inside the enterprise.

It is possible, therefore, for an organization to pursue a highly risky speculative business strategy within a non-speculative risk management framework that is based on a very low tolerance for risk. For example, jumping out of an airplane is taking a speculative risk from which gain (probably emotional) is expected; managing the non-speculative risks - ie making sure that the chute is properly packed, that the lines haven't been cut, etc - is likely to be on the basis of a very low tolerance for risk!