This section focuses on the fundamental principles of risk management. Here, we won’t be talking about standards or policies, or even anything directly to do with cyber security. Rather, we'll be introducing some fundamental principles of risk management, which are relevant whether you’re studying disease outbreaks, the rise and fall of stock markets, or the risks of a cyber attack.
Why risk management matters
Risk management exists to help us to create plans for the future in a deliberate, responsible and ethical manner. This requires risk managers to explore what could go right or wrong in an organisation, a project or a service, while recognising that we can never fully know the future as we try to improve our prospects.
Risk management is often perceived as a technocratic and dull profession; this isn't how the NCSC see risk management at all. Risk management is about analysing our options and their future consequences, and presenting that information in an understandable, usable form to improve decision making.
Risk can't be abolished
The starting point of risk management is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other (classically to either avoid, reduce, transfer or retain). This can be easier said than done, particularly when confronted with a demand to 'abolish risk', as if that were an easy and simple option.
Risk management often requires a relationship between people who analyse risks and people who make decisions based on that analysis. Communication between these two groups must be clear, understandable and useful. If the people who make decisions can't interpret the analysis they're presented with, then there is little point in doing risk analysis at all.
How different management techniques will define 'risk'
Risks can be described as 'possible future outcomes that we can describe in terms of their chances of occurrence, and what impact they would have on us'.
However, we've already learnt that there are a range of different techniques that can be used to analyse risks. The precise meaning of the term 'risk' will change depending on what technique you are applying to a given problem. For this reason, it is important not to be wedded to one strict definition, as you might disregard - unnecessarily - those techniques which are not consistent with that definition.
As we will see later in this guidance, some cyber risk management techniques define risk as a combination of threat, vulnerability and impact. Others define risk in terms of high-level outcomes to achieve or avoid. You might need to be able to use both, so don't limit yourself unnecessarily.
Managing the undefinable
Go to any risk management conference, and you will hear the following complaint:
We have no clear definition of risk. How on earth can we manage something that we haven't defined?
It's a fair point. Risk is such an abstract concept, and it has such a strong influence on all of our lives, yet we can’t agree on a definition. Given this, how can we really know what everybody else means when they talk about 'risk'?
Paradoxically, we see the lack of a clear definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.
This is the fundamental strength of risk management; it provides a way of talking about the future, the outcomes we care about, and how to work towards them. If we could all agree a universal definition of risk, then this could reduce the need for those crucial discussions about the future, uncertainty and risk.
Of course, it may be worthwhile for individual organisations to define, for themselves (and maybe for their supply chains), what they mean by the concept. After all, risks are often analysed from the perspective of organisations, so it is sensible to develop a local definition which is agreed by anyone working on behalf of that organisation. However, avoid trying to make your local definition a universal one.
Uncertainty is an important part of risk
The purpose of risk management is to enable us to make the best possible decisions, based on our analysis of future events and outcomes. The future can be anticipated, but within limits defined by our uncertainty in our analysis.
Risk is a part of everything we do. You not only ‘take risks’ that you are aware of, but you also ‘run risks’ that you’re unaware of all the time. This introduces an important point about risk: because of this uncertainty, it is impossible to know and understand all of the risks that any person, organisation or network is running at any one time. You will always run risks that you are not aware of.
There are some overly bold standards and frameworks out there which claim you will 'know all your risks' if you follow a certain set of procedures diligently and comprehensively. That’s a false and dangerous notion. Instead you should approach risk management with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent. The purpose of risk management is not to chase the unattainable goal of perfectly secure systems and a risk-free business; it is to make sure that you have thought about what can go wrong, and that this thinking has influenced your organisation's decisions.
Don't be fatalistic; you can still protect yourself from many cyber attacks, but if something does go wrong, it isn't always the case that someone is to blame, or that your risk manager missed something.
Compliance ≠ risk management
'Improving outcomes' isn’t always the primary driver for carrying out risk management. Often, organisations conduct risk management exercises for 'compliance' reasons, which could include:
- obligations from external pressures (such as regulatory requirements)
- customers' demands
- legal constraints
When done for these reasons, there is a danger of risk management becoming a tick-box exercise. This can lead organisations to believe they have managed a risk, when in reality they have merely complied with a process which may have (albeit unintended) negative consequences.
Compliance and security are not the same thing. They may overlap, but compliance with common security standards can coexist with, and mask, very weak security practices.
Risk management performed for compliance reasons is sometimes described as ‘defensive risk management’. Risk management, done in this way, can cause an excessive focus on protecting the organisation’s reputation (or on protecting it from being sued, fined or subject to similar external sanctions). Defensive risk management is about being able to show that you haven't been negligent, should something bad happen; the emphasis is on proving that something has been done.
This is not necessarily a bad thing. In many industries, compliance requirements are unavoidable. However, if you are conducting defensive risk management, make sure that:
- staff understand that cyber risk management goals will be to meet external demands, rather than addressing specific security objectives
- you are aware of the limitations of the risk management techniques that you apply in order to be compliant
- you adopt further techniques that recognise the limitations of compliance (some of the categories of technique presented in this guidance can help you do this)
The risks in compliance
The goals of a compliance-focused team can become less aligned with those of the rest of the organisation. When this separation occurs, the compliance-focused team can develop an unrealistic view of what the rest of the organisation does, leading to poor decisions. The NCSC's advice here is for organisations to be clear and honest about why they conduct cyber risk management. If this is for compliance reasons, lay out a plan for how you propose to prevent some of the behaviours outlined above.
It may sound like a tongue-twister, but managing the risks inherent in 'compliance' is just as important as managing any other risk.