One controversial topic in IT risk management is the presentation of risk as a positive thing. This happens when an organization attempts to adopt a definition of risk and someone helpfully suggests that risk could have positive outcomes: not all risk is bad, and some risk can be good. Indeed, many standards reference this point of view in their definition of risk. One popular example is the definition offered by the Project Management Institute (PMI) in its publication, the Project Management Body of Knowledge. In it, PMI refers to risk as "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives." In his 2009 book, The Failure of Risk Management, risk measurement expert Douglas Hubbard offers a succinct rebuttal to this definition: There is already a word for “positive” risk—uncertainty.
Indeed, the pursuit of our goals and objectives is fraught with peril, and, given the opportunity, we would certainly choose less peril to accomplish the same goal. It is this desire to minimize risk that tells us the true nature of it. No one takes more risk simply for the sake of having greater losses. (At least not without some notion of a gain that would make the risk worthwhile.)
But one does not need a high degree of knowledge to understand risk; one need only look at an organization’s risk register. I have never seen a single corporate risk register include a list of all the good things that could happen. Never once have they outlined the good fortune that may transpire and shower them with riches. Even among those organizations that may have adopted a positive definition of risk, their use of that definition never extends to practical application.
This is because cyberrisk (and operational risk more generally) falls into a category of risk called “pure risk,” or risk for which loss is the only possible outcome. There are three forms of pure risk: personal, property and liability. The market for the first is usually life, health and disability insurance. Property risk comprises things such as automobile and homeowner’s insurance. The last is where we find things such as professional liability and errors and omissions insurance. These are, effectively, insurance products that protect you if you were to perform negligently. Indeed, the burgeoning market for cyberinsurance fits into this space as well. If an organization is negligent in its protection of customer data and a breach occurs, the ensuing loss may motivate the organization to file a claim to offset its losses.
Those who believe that IT risk can be positive are conflating pure risk with speculative risk, a category used to describe investment instruments such as securities. For much the same reason, one cannot claim that information security yields a return on investment, because one can only calculate returns on speculative risk.
Jack Freund, Ph.D., CISA, CRISC, CISM, is senior manager of cyberrisk framework for TIAA; a member of the CRISC Certification Working Group; coauthor of Measuring and Managing Information Risk; a 2016 inductee into the Cybersecurity Canon; and an IAPP Fellow of Information Privacy.
Leveraging COBIT 5 to Adopt the NIST Cybersecurity Framework
The US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a valuable resource to help enterprises become more secure. A recent US executive order on cybersecurity mandates implementation of the CSF for US federal agencies. To help federal agencies and enterprises implement the framework, ISACA is offering the “Adopting the NIST Cybersecurity Framework Using COBIT 5—Tips and Techniques” webinar. This webinar will take place on 1 June at 11AM CDT (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) credit by attending this webinar and passing a related quiz.
Consultant and COBIT expert Mark Thomas, CRISC, CGEIT, will lead this webinar. In it, he will show attendees how the COBIT 5 framework facilitates CSF adoption, highlighting connections between CSF and COBIT, and he will introduce tools and resources that can help in adopting the framework. Attendees will also learn a wealth of CSF adoption tips based on real-world experiences.
For more information on this webinar or to register for it, visit the Adopting the NIST Cybersecurity Framework Using COBIT 5—Tips and Techniques page of the ISACA website.
Connecting Talent With Top Employers
ISACA’s Annual Online Career Fair webinar is a one-of-a-kind event that gives you the opportunity to network directly with industry representatives around the world who are seeking exceptional and skilled candidates. This webinar will take place on 28 June from 10AM to 2PM CDT (UTC -6 hours). Whether you are looking for a career move locally or are willing to relocate, the ISACA Online Career Fair breaks through geographic barriers and gives you an edge over candidates applying through traditional methods. Sign up today for this member-exclusive event and attend for free.
Enterprises seeking skilled candidates should consider participating in the career fair. Employers that register for this career fair will have an exclusive chat room for real-time engagement, the ability to conduct video interviews and unlimited job postings on the career fair website. For more information on recruiting at the career fair, visit the ISACA Virtual Career Fair website.