Wii Insight on Risk
Dimensions of Knowledge Risk Assessment
Risk to be Measured
The FCC (USA Federal Communications Commission) has advised that every business that uses the Internet is responsible for creating a culture of security that will enhance business and consumer confidence. Additionally, they should have a risk strategy focused on safeguarding their business capabilities, customers, and digital assets from growing threats. That strategy should be based on a risk event analysis that identifies:
Undesirable Outcome & Threat causal relationship e.g. Supplier communication breach
Threat Severity e.g. Catastrophe via infrastructure failure; Slow Burn via climate change
Vulnerability of at-risk Business Capability e.g. Digital asset storage not protected
Probability of Risk e.g. Layer of Protection Analysis per event frequency
The Risk Strategy must also have knowledge about the business Tolerance to Risk. Which requires an assessment focused on the strength / weakness of each safeguard and its ability to mitigate one or more Threats. Further, it requires the business to determine Acceptance Level limits for the Vulnerabilities that exist, the Business Capability that are at-risk and the exposure that would have an Undesirable Outcome. To help measure changes in probabilities-of-risk the business should use a Key Risk Indicator (KRI). For example, when used for continuous risk event analysis the KRI(s) would signal any changes in risk exposure and help identify the business capabilities that require a safeguard investment.
Sustainability A Sustainable Risk Assessment (SRA) is designed to help decision makers understand how potential data protection threats (and other challenges) may impact strategic objectives. The assessment may be as simplistic as the two factor (Morningstar.com) Environmental, Social and Governance (ESG) rating. Which considers, the "Exposure" that measures a company’s vulnerability or susceptibility to risk, and the "Management" actions taken to address a risk issue. The assessment may employ a Qualitative risk technique, such has, a probability and impact matrix, a risk categorization, a risk frequency ranking, or a risk urgency prioritization. It may also use a Quantitative risk method that employs weighted outcome, probability ratio and expected Business Value analysis. Finally, it may employ a multiple factor scoring methodology, similar to the CDP global disclosure system that recognizes participation in Climate Change, Water, Forests and Supply Chain programs [1].
Exemplar KRI: Number of Notifications Received from Regulators reflects total number of notifications that the business receives from regulators during the measurement period. Risk Factor: A high volume of notifications can be an indicator of weak compliance controls which may increase exposure to financial, reputational and operational risk .
Strategy A Risk Management Strategy should include a process for regularly updating and reviewing essential factors based on the outcomes from actions taken to continuously identify, assess and manage the known risk. It may also leverage a Sustainability Risk Management Framework that references the essential factors and their relationship with the measurable dimensions of key objectives - Value chain drivers; Risk exposure; Response design; Value Outcomes; Performance [2] .
Exemplar KRI: Percentage of Key Performance Indicator (KPI) Targets Not Met reflects the number of objectives that have targets which are not being achieved. Risk Factor: An indication that the management of a large number of objectives is unsatisfactory may expose the company to operational, financial and reputational harm.
Portfolio To support Portfolio-level analysis a quantitative risk assessment and management framework identified the phases of a Value of Asset driven analysis > scenario identification > consequence and criticality assessment > security vulnerability assessment > threat likelihood assessment, > benefit-cost analysis [3]. Key to this methodology is the use of plausible threat scenarios based on a target susceptibility and a threat likelihood assessment that captures adversary tendencies to shift their preferences in response to security investments.
Exemplar KRI: Value at Risk (VaR) reflects the probability that asset losses will occur within a given portfolio over a given period of time and can be calculated using historical data and/or proprietary models. Risk Factor: The probability could be based on a worst case situation where the amount is a realized loss and there is an order of magnitude harm to reputation.
Project A Project Risk Analysis assesses how a Vulnerability would impact the targets set for key Objectives, such as, Project Cost, Delivery Schedule, Technical Performance and Business Value. Moreover, when there are many Threats the determination of Project Priorities would likely use a most-to-least-critical importance ranking [4]. Further, to ensure the prioritization algorithm accurately reflects needs All the Factors of All Objectives should be included e.g. factor in Time Criticality as part of the calculation for the Scheduling Objective .
Exemplar KRI: Percentage of Projects Currently in Progress That are Delayed reflect measurements of all the issues that delayed any project. Risk Factor: Excessive project delays expose the business to financial, strategic, operational and reputational risk.
Technology To help Secure Critical Information Infrastructure the European Union Agency for Network and Information Security has created an evaluation Framework [5]. It primarily consists of a logic model presenting a set of steps and a list of possible KPIs that map to the objectives of the evaluation model.
Exemplar KPI: Identification of Critical Information infrastructures. Performance Factors: Evidence of registries of business capability specific critical assets, dependencies, risks, vulnerabilities
Exemplar KPI: Risk Assessment and Risk Management Procedures / Plans. Performance Factors: Evidence of definitions of risk centric procedures that have a stated frequency of knowledge updates
Exemplar KPI: Business Recovery and Continuity Plans for Critical Infrastructures. Performance Factors: Evidence of strategic documents - implementation guides, Use Case Tree, RACI (responsible, accountable, consulted, informed) Chart
Exemplar KPI: Successful Information Sharing and Trusted Cooperation. Performance Factors: Evidence of trusted channels for communication; Enterprise Knowledge Graphs for stakeholders, partners and participants
Exemplar KPI: Transparency and Accountability of Systems. Performance Factors: Evidence of different types of documentation available to the public e.g. Knowledge Graph
Exemplar KRI: Mean Time Between Failure (MTBF) reflects the stability of systems following a resumption of service that had been suspended due to failure. Risk Factor: A large value for this metric may indicate that systems are unstable and underlying architecture must be further examined.
Knowledge When Assessing Risk it can be readily accepted that accumulated Knowledge leads to a better awareness of What has greater Certainty and What remains Uncertain. Moreover, to have a culture of security, it is critical that all the strategic decision makers (Business Capability stakeholders, Project Engineers and others in key roles) share a common understanding of What is at Risk. That shared knowledge may be the core content of a Business Capability Portfolio (BCP) that is purposed to assure that Business Capabilities are attuned to a Sustainable Risk Appetite, protected by a Risk Management Strategy, and provisioned by Risk Mitigation Technology.
Note: A Capability Portfolio is a time-dynamic organizing construct to deliver capabilities across specified epochs; a Capability can be defined as the ability to achieve an effect to a standard under specified conditions using multiple combinations of means and ways to perform a set of tasks [7].
Exemplar KRI: Risk Larger Than Appetite reflects that current Risk score is greater than the amount of risk the business is willing to accept to achieve its objectives. Risk Factor: The more the risk score exceeds Risk Tolerance the greater the probability the business is exposed to catastrophic financial, strategic, operational and reputational damage.
Next Steps The task of populating a BCP will likely employ a digitization process that converts the characteristics of a physical object / process into a digital form and, as a Value-Add, create a Digital Twin (DT) [6] construct. Moreso, to provide operations intelligence that span its lifecycle, The BCP would have Use Case Tree connections to Knowledge Graphs, KPIs, KRIs and the Business Capability that leverage it. As in, Safeguard physical properties declared in a Knowledge Graph are used to accurately represent how connected entities (e.g. Customers, Partners, Sales, Products, Locations) are protected in real life. Further, when the safeguard (DT) uses digital objects (representing images, sounds, signals) the response to physical warnings (sounds, flashing lights) can be better calibrated. Moreover when a Vulnerability is discovered, the Use Case Tree (of connected nodes) may be actuated to simulate how a proposed change in behavior could mitigate specific risks.
[1] https://www.cdp.net/en/info/about-us
[2] https://www2.deloitte.com/content/dam/Deloitte/my/Documents/risk/my-risk-sdg12-sustainability-risk-management.pdf
[3] https://onlinelibrary.wiley.com/doi/abs/10.1111/j.1539-6924.2007.00911.x
[4] https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-impact-assessment-and-prioritization
[5] https://www.enisa.europa.eu/publications/an-evaluation-framework-for-cyber-security-strategies
[6] https://en.wikipedia.org/wiki/Digital_twin
[7] Advanced Risk Analysis in Engineering Enterprise Systems By Cesar Ariel Pinto, Paul R. Garvey