Understanding “Risk Based Decisions” in Cybersecurity
Business leaders will often say they leverage "risk-based analysis" to help them make decisions. However, when asked which model or framework they are using, they cannot point back to one. Without a plan, model, or framework, leaders instead rely on their experiences and the recommendations from those around them (see graphic below on “Recognition-Primed Decision Model”).
This does not mean that they do not have a desire to include additional analysis to support their 'gut feelings' of the situation. In fact, many leaders are open to new information or direction, especially in "unknown-unknowns" situations, such as the onset of the 2020 pandemic. Changing this pattern of decision making can be a significant challenge.
Recognition-Primed Decision Model
Klein, G. A. (1993). A recognition-primed decision (RPD) model of rapid decision making. In G. A. Klein, J. Orasanu, R. Calderwood, & C. E. Zsambok (Eds.), Decision making in action: Models and methods (pp. 138–147). Ablex Publishing.
Risk-based analysis is the process of identifying and ranking risks to determine which are critical and above the organization’s risk tolerance, and therefore require attention, and then selecting the risk management action(s) to take in response. To identify and rank risks, an organization must evaluate both its real and potential risks.
Once identified, each risk needs to be analyzed for its probability of occurrence and its impact on the business. After the critical risks are identified, there are four primary methods of addressing them: avoidance, prevention, reduction, and risk transference. In other words:
Prevent it from happening, or
Reduce the chance it could happen, or
Minimize the impact if it does happen, or
Accept the risk but put money aside to address it if it does occur.
Going from ad-hoc, gut-feeling decision making to a documented model takes significant effort to roll out consistently across an organization. Until a model or framework is embraced, there are still things that can be done to help move a security program or initiative forward.
While there is not a formula you can use to influence a decision, there are some helpful things that we have used to positively influence the decision-making process within an organization.
I. Focus on the things that are closest to the money
A common saying in business is that "the reason a business exists is to make money". There are many nuanced parts to "make money". In this instance we are looking at reducing costs by addressing risks that have a high probability of affecting an organization’s bottom line. We need to be selective about which risks we want to solve by choosing those with the most impact on the business's bottom line, and you will need to establish how the issue affects that bottom line.
Here is an example related to implementing an automated patching solution:
There is a risk of a system outage if the time between a patch release and patch application is too long. The average time it takes to identify and manually patch systems across a mid-size organization is 102 days (Reference: “2018 State of Endpoint Security Risk” Ponemon Institute Research Report). This exposes the organization to operational loss if a system experiences an unexpected outage or breach between the time a patch is released and the time it is applied. Once quantified, the lost revenue and the related cost to remediate relate directly to the bottom line.
Implementing an automated patching process can return approximately 120 hours per month (an average of 30 minutes per device) to an IT program's capacity to support the organization. The cost of the system and any monthly effort to run it need to be documented, as does the ongoing monthly cost of manually applying patches to each system.
When sharing information with leaders, always have your cost comparisons ready to share. These should include the cost of a potential outage and recovery efforts, as well as the ongoing monthly manual effort if no action is taken. Next, share the cost of the automation and the reduced ongoing monthly costs. This will help to quantify the value against the bottom line.
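The cost comparison described above, written out as an added example (not the article's own model): it uses the page's figures (102-day average patch lag, 30 minutes of manual effort per device, roughly 120 hours per month recovered) and treats every dollar amount, hourly rate and incident probability as a constructed placeholder to be replaced with your organization's numbers. The assumption that outage probability scales linearly with the length of the exposure window is also a simplification made here.

```python
"""Manual vs. automated patching: annual cost comparison for a leadership briefing.
Figures marked 'constructed' are illustrative placeholders, not data from the article."""
from dataclasses import dataclass

HOURLY_RATE = 75.0                    # constructed: loaded cost of one IT staff hour
OUTAGE_COST = 50_000.0                # constructed: lost revenue + recovery per incident
BASELINE_LAG_DAYS = 102.0             # Ponemon figure cited in the article
BASELINE_ANNUAL_INCIDENT_PROB = 0.20  # constructed: P(outage/breach per year) at 102-day lag


@dataclass
class PatchingScenario:
    name: str
    patch_lag_days: float        # average days from patch release to application
    monthly_labor_hours: float   # staff hours spent applying patches each month
    monthly_tool_cost: float     # licence/run cost of automation (0 when fully manual)


def expected_annual_outage_loss(lag_days: float) -> float:
    """Expected loss from the exposure window.
    Assumption: incident probability scales linearly with the window, capped at 1."""
    prob = min(1.0, BASELINE_ANNUAL_INCIDENT_PROB * lag_days / BASELINE_LAG_DAYS)
    return prob * OUTAGE_COST


def annual_cost(s: PatchingScenario) -> dict:
    """Break a scenario into the three lines a decision maker will ask about."""
    labor = s.monthly_labor_hours * HOURLY_RATE * 12
    tooling = s.monthly_tool_cost * 12
    loss = expected_annual_outage_loss(s.patch_lag_days)
    return {"labor": labor, "tooling": tooling, "expected_loss": loss,
            "total": labor + tooling + loss}


def compare(manual: PatchingScenario, automated: PatchingScenario) -> dict:
    """Side-by-side totals plus the two numbers leaders remember: savings and hours."""
    m, a = annual_cost(manual), annual_cost(automated)
    return {"manual_total": m["total"], "automated_total": a["total"],
            "annual_savings": m["total"] - a["total"],
            "hours_recovered_per_month": manual.monthly_labor_hours - automated.monthly_labor_hours}


# 240 devices x 30 min = 120 hours/month, matching the article's recovered-hours figure
MANUAL = PatchingScenario("manual", BASELINE_LAG_DAYS, 120, 0)
# constructed: 7-day lag, $1,500/month covering licence and oversight, no hands-on patching
AUTOMATED = PatchingScenario("automated", 7, 0, 1500)

if __name__ == "__main__":
    for key, value in compare(MANUAL, AUTOMATED).items():
        print(f"{key:>26}: {value:>12,.2f}")
```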
II. Consider the customer experience
While businesses exist to make money, they do it by supplying a service to their customers. In an organization whose culture is service-oriented, tying the risk to the customer experience can be useful.
Here are some considerations related to implementing an automated patching solution:
What is the long-term internal impact to your organization if there is an outage?
What departments will be impacted? (Sadly, it is the ServiceDesk or HelpDesk that bears the brunt of the impact).
What is the long-term customer impact to your organization if there is an outage?
If a customer cannot place an order, can they go somewhere else?
What is the probability that they will return on their own once they have left?
Documenting the impact of prior outages can help leaders understand both the impact to customers and the organization.
III. Have a deep understanding of your data
In every major meeting where we are presenting with the objective of getting a decision made, we spend between 8 and 16 hours analyzing the data to make sure we have understood it completely.
If you understand the data and its context in the company, you can answer questions raised in the meeting. If you are not able to address the questions and concerns that are raised by other stakeholders in the meeting, it is likely another meeting will be needed. This pushes any decisions farther away and gives people a chance to entrench their opinions.
Here are some questions to ask yourself to ensure you are ready:
What is the reason this is even important to the business right now?
If a technology/cost is needed as part of the solution, what is the cost if we do nothing? (example: what happens if we maintain the status quo?)
What is the impact to our customers?
What are the one-time and ongoing costs?
What is the simplest "ask" that I can make? (do not make the decision complicated)
I try to have at least two options that could address the risk.
What impact, both internally and to our customers, do we anticipate on other teams? (Example: the ServiceDesk might get a spike in calls.)
IV. Build individual partnerships/agreements ahead of time.
While talking with other decision makers takes time, building trusting relationships pays off in the long run. If you can show that you have the company’s best interest at heart, other decision makers will lend more credence to your proposals.
Here are some items to consider using to connect with other leaders and build trust:
Who are the leaders that are critical to your business succeeding?
How does your group / department interact with or support this leader?
What are the key factors that these key leaders are measured on or worried about?
What are some things you can do that would have a positive impact on those key factors?
Final Thoughts and Closing
Developing and managing vulnerability management programs is the core service of New Genesis Solutions. By itself, this is a complex objective that involves both identifying gaps within technology management practices and coordinating with the subject-matter experts within an organization to resolve them.
On top of this, most of today’s businesses rely on a wide range of technology solutions woven together to meet the mission of the business. Once we start adding velocity to the remediation process, being able to help technology owners make the right decision becomes a requirement.
In every engagement or service, we have found that we consistently use each of these methods to help facilitate a decision. Our expertise in IT and cybersecurity does not mean much if we cannot move forward with a decision. We at NGS hope that this article reminds you of these methods and helps you move forward as you transform your environment.