Defining Cyber Risk

The more I learn, the more I realise how little I know. This is especially true for risk.

I have been practicing risk management (whatever that means) for a little over 10 years now. Even with this experience, risk still confuses me. You can hardly blame me; especially when the industry itself can't agree on what risk is. Take, for example, this list of risk definitions I compiled from industry sources. Not only does each standard have its own distinct way of describing risk, they each have their own way of calculating risk, too!

Before going further, I want to briefly diverge and discuss where I see cyber risk in the broader risk picture. There’s a great HBR article by Robert Kaplan and Anette Mikes on risk strategy which I highly recommend (you can check it out here). In it, they discuss three broad categories of risks: Preventable Risks, External Risks and Strategic Risks. Each has their own distinct way of dealing with risk.

Preventable risks are those risks that arise from within an organisation (i.e. internal) and include unauthorised, illegal, unethical, incorrect, or inappropriate behaviours. They are inherently undesirable and can be eliminated or avoided with a “rules-based” compliance approach to risk management.

Strategic risks, on the other hand, are not inherently undesirable and include “calculated” risks taken in order to gain a competitive edge. Financial Services and Oil & Gas industries often come to mind when thinking about this type of risk-taking. Strategic risks cannot be managed through a rules-based compliance approach.

Lastly, External risks are those that arise from events outside of the company and are beyond influence or control. Sources include natural disasters and macroeconomic shifts. External risks require yet another risk management approach.

A similar distinction between these different ‘modes’ of risk management -- a “rules-based” compliance approach versus probabilistic methods -- has been drawn by Alex Sidorenko (here). Alex calls these two areas of risk management RM1 and RM2. RM1 refers to methods and practices commonly used in managing Preventable risks, while External and Strategic risks are managed by RM2 methods, which rely on quantitative methods and behavioural sciences.

Cyber Risk, in my view, crosses both Preventable (RM1) and External (RM2) risk categories. Cyber is a channel, not a risk category. Preventable risks (e.g. fraud) and External risks (e.g. corporate espionage, theft, activism, vandalism) exist irrespective of the digital medium. Cyber is just another method to accomplish these same tasks. And it is this (seemingly innocuous) distinction, I theorise, that makes Cyber Risk so confusing to work with. (The cross-over between RM1 and RM2 creates additional problems which I will explore another time.) 

Back to defining risk. When I read the definitions above, it becomes apparent that there is no consensus on what a risk actually is. Is it a quantity? (NIST 800-39) A “thing”? (OWASP) An event? (ISC2) Or an effect? (OCTAVE)

Risks aren't "things". I can quickly rule out risks as being “things” or events by referencing one of my favourite quotes by risk philosopher Paul Slovic,

“Risk” does not exist “out there,” independent of our minds and culture, waiting to be measured. Human beings have invented the concept of “risk” to help them understand and cope with the dangers and uncertainties of life. Although these dangers are real, there is no such thing as “real risk” or “objective risk.”

This leaves risk as a quantity and risk as an effect. These, I believe, are much closer to the nature of what risk is. Risk, should it materialise, affects an outcome by some amount (it adds volatility). The ISO 31000 risk standard captures this succinctly and describes risk as the "effect of uncertainty on objectives". I will save the topic of risk as a quantity for another time.

I conclude on this note. A common language is essential to understanding risk. Whilst the creation of a separate (and more specific) risk language provides greater specificity to its user, it creates a chasm between those it intends to help. All risk is business risk. And risk language needs to reflect this.

I’m keen to hear your thoughts. Do you think Cyber Risk needs its own nomenclature? Do you have any other definitions for risk? Let me know in the comments.
