@ISACA Volume 26, 26 December 2018

Applied Risk Appetite

By Jack Freund, Ph.D., CISA, CRISC, CISM

When establishing and measuring against an organization’s risk appetite, it is important to consider both the quantitative and psychological components that could affect risk appetite. When applying cybervalue-at-risk models, there is an opportunity for us to select a value beyond which we would not care to go. “Too much” risk in this regard is an expression of how much potential loss we would need to account for if a bad scenario came to pass. The other aspect of this is the need to account for the psychological needs of the people making and communicating the decisions. Relating the task of setting and managing a risk appetite to common everyday household budgetary exercises can be helpful to bridge the gap and leverage skills people already possess.

Where most appetite exercises fail is in the creation of a policy or statement that acknowledges that while eliminating bad outcomes is impossible, the organization does not care to have anything with high risk occur. The former part of such a statement is very accurate; the latter is nonsensical and can create, rather than eliminate, confusion. The first reason is that the use of verbal risk labels (high, medium, low) has long been shown to resonate with people in different ways. One seminal study in this regard has shown that when people are asked to attach a probability to such verbal labels, there is significant variance in the probabilities they assign. Further compounding this problem is that too often, we fail to adjust for our human biases in the setting or interpretation of such statements. Without proper techniques, we may be considering our own feelings of exposure or loss when interpreting whether a data loss scenario is high risk or not. Indeed, the risk needs to be indexed to an organization’s tolerance for loss, not our own. This is best illustrated by how, in very large organizations, the notion of a US $1 million loss can be regarded as a “rounding error,” but very few of us would be so cavalier in our personal finances. Scale matters, and we need to account for that in how we talk about risk in an organization.

There is a certain amount of uselessness in saying an organization does not want to accept high risk. Clearly, no organization has any desire to lose anything. It does not want its expense management to get out of control, it does not want wages to rise nor does it want costs associated with its raw materials to inflate. Organizations do not want to be involved in lawsuits, bidding wars or, frankly, competition. And yet, these things happen routinely. Simply writing that you would rather not have such bad things happen to your organization is rather like wishing for a pony for your birthday. Inevitably, on a long enough timeline, these bad things will happen. (However, I will make no representation of your prospects for a pony.)

So how can an organization improve in the application of setting and interpreting risk appetite statements? It is here that I think using household budgeting exemplars can be useful. Borrowing from practices such as insurance and savings, we can establish a similar discipline for organizations. Simply, an organization can write a check or sign a promissory note to itself. Let us continue with that US $1 million rounding error. Say that an organization decides that the error is an excessive amount of money and it does not want to risk a single loss that big. In these instances, an organization may mature its risk appetite statement to say, “We do not accept losses associated with IT risk scenarios in excess of US $1 million per incident.” There is significant clarity in this, but it still requires action to complete. What it requires is either the funding necessary to avoid having operational losses of that magnitude, or funding set aside to offset such a loss. In other words, a check or a promissory note. This can be accomplished in a couple of ways. Financial organizations have long had the concept of risk-based capital, which is a fancy version of a savings account or a rainy-day fund. They figure out what a very bad scenario looks like and stock away some cash to help cushion the blow of such a thing occurring. If such a large sum is not immediately available, an organization can purchase a cyberinsurance policy, effectively financing its rainy-day fund. Lastly, I have worked with some chief information systems officers (CISOs) who would rather an organization invest that cyberinsurance premium in their own budgets to reduce risk. They can use such additional funds to bolster staff and technologies to detect and respond to potential incidents before they become loss events for the organization. In reality, many organizations choose a combination of these things: investing in security functions, saving money for a rainy day and using insurance to offset catastrophic loss.
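The two quantities the paragraph above turns on, how often a single incident would breach the US $1 million per-incident appetite and how large a rainy-day fund (risk-based capital) would need to be, are exactly what a cyber value-at-risk model produces. The following simulation is an added example, not part of the article or of any ISACA material; the loss-frequency and loss-severity distributions and their parameters are assumptions chosen for illustration, not figures from the page.

```python
import math
import random
import statistics

# Appetite statement quoted in the article: no single IT-risk loss above US $1 million.
APPETITE_PER_INCIDENT = 1_000_000


def poisson(rng, lam):
    """Draw an incident count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_years(n_years, freq_lambda, sev_median, sev_sigma, seed=2018):
    """Monte Carlo over n_years of operation.

    Assumed model (illustrative, not from the article):
      incidents per year  ~ Poisson(freq_lambda)
      loss per incident   ~ lognormal with the given median and log-scale sigma
    Returns one (annual_total_loss, largest_single_loss) pair per simulated year.
    """
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    mu = math.log(sev_median)          # lognormal median = exp(mu)
    years = []
    for _ in range(n_years):
        count = poisson(rng, freq_lambda)
        losses = [rng.lognormvariate(mu, sev_sigma) for _ in range(count)]
        years.append((sum(losses), max(losses, default=0.0)))
    return years


def percentile(values, q):
    """Nearest-rank empirical percentile for q in [0, 1]."""
    ordered = sorted(values)
    idx = max(0, math.ceil(q * len(ordered)) - 1)
    return ordered[idx]


def exceedance_fraction(years, threshold):
    """Share of simulated years in which at least one incident exceeded threshold."""
    return sum(1 for _, worst in years if worst > threshold) / len(years)


def appetite_report(years, appetite=APPETITE_PER_INCIDENT, confidence=0.95):
    """Summarise the simulation against the stated appetite.

    p_year_breaches_appetite: probability that some year sees a single loss over appetite
    annual_var:               annual loss at the chosen confidence, i.e. the size of the
                              rainy-day fund (or insurance limit) that covers that bad year
    mean_annual_loss:         expected yearly loss, the 'premium' of running the business
    """
    annual = [total for total, _ in years]
    return {
        "p_year_breaches_appetite": exceedance_fraction(years, appetite),
        "annual_var": percentile(annual, confidence),
        "mean_annual_loss": statistics.fmean(annual),
    }


if __name__ == "__main__":
    # Illustrative parameters: ~3 incidents a year, median loss US $120k, heavy right tail.
    simulated = simulate_years(10_000, freq_lambda=3.0, sev_median=120_000, sev_sigma=1.2)
    for key, value in appetite_report(simulated).items():
        print(f"{key:>26}: {value:,.2f}")
```

Reading the output the way the article suggests: if `p_year_breaches_appetite` is uncomfortably high, either the appetite statement is aspirational and should be revised, or the organization has to fund the gap, by holding `annual_var` as risk-based capital, buying cover up to roughly that amount, or spending on controls that pull the severity distribution's tail in. Swapping the assumed distributions for ones calibrated to an organization's own loss data is the real work; the bookkeeping above stays the same.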

Practically speaking, whenever you encounter a loss scenario in your organization that will exceed appetite, you should examine the way the organization responds to it. Through this, you will uncover some truths about how the organization and its leadership truly think about risk. If they proceed with their actions despite the risk, then perhaps it is time to revise appetite statements. Likewise, if they allow existing control deficiencies to continue without remediation (they do not like it, but will not pay to fix it), that, too, is an example of where appetite may be higher than stated. These are not examples of failures to adhere to and manage risk; indeed, they are examples of better articulating and maturing an organization’s view on risk. In the end, risk appetite is less like a stake in the ground and more like a chalk line.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director of cyberrisk management for TIAA, a member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.


Earn CPE Hours Before Year-End

ISACA certification holders need to earn continuing professional education (CPE) hours to maintain their certification designation. There are plenty of ways for ISACA members to earn CPE hours, including completing webinar and virtual conference CPE quizzes (up to 36 free CPE hours a year), attending conferences (up to 32 CPE hours per event), participating in an online or in-person training course (up to 26 CPE hours online and 32 CPE hours per course), taking ISACA Journal quizzes (up to 6 free CPE hours a year), or even serving as an ISACA volunteer or mentor (20 and 10 free CPE hours, respectively).

Additionally, if you are a bronze, silver, gold or platinum member and need an extra opportunity to earn your annual CPE hours, you can now take advantage of 15% off 2 of our newest on-demand online learning sessions, both recorded live at ISACA’s 2018 global conferences, until 31 December 2018. Use the code 15OFFRISK to save 15% on CPE on Demand: IT Risk Management, and use the code 15OFFCONTROLS to save 15% on CPE on Demand: Audit Controls and Automation for access to these online training courses that can be viewed at home, work or while you travel.

If you are interested in earning more CPE hours and learning business-critical information, you can easily achieve both by viewing archived ISACA webinars. The top 5 most popular webinars of 2018, in order, are:

  1. Introducing COBIT 2019
  2. Compliance by Design
  3. Ransomware: The Not So Good, Really Bad and Truly Ugly!
  4. Continuous Assurance Using Data Threat Modeling
  5. Machine Learning: What Assurance Professionals Need to Know

To view other upcoming webinars, visit the Webinars page of the ISACA website. ISACA members who attend webinars can earn 1 free CPE hour per webinar. Interested in learning more about how to earn CPE hours? Visit the How to Report and Earn CPE page of the ISACA website.


From AI to Digital Fabrication, New Technology Is Powering the Future

To say we live in a rapidly changing world of technology is an understatement. From artificial intelligence (AI) to digital fabrication, new technologies are advancing to help solve some of the world’s toughest challenges. Innovative tools, such as Lenovo’s NVIDIA Quadro RTX graphics processing units (GPUs), are changing the way things are designed, made and used with support from AI and digital fabrication. New GPUs can offer real-time ray tracing, AI-enhanced workflows, graphics memory scaling and performance to drive the most demanding rendering, AI and visual computing workloads.

These new technologies are accessible at a discount to ISACA members through the ISACA Member Advantage program. This program gives ISACA members access to special offers and programs through discount partners. Right now, ISACA members can instantly save up to 44% off Lenovo gadgets and gifts with their ISACA membership. Visit www3.lenovo.com/us/en/m1isaca to use this member benefit. Other partners currently include HotelStorm, Vegas.com, GE Appliances, PrivacyArmor, Office Depot, OfficeMax, UPS, Hertz, Avis, Budget, Wyndham, TNT Vacations, CruisesOnly and Collette Guided Tours.

For more information on other discounts available to ISACA members, visit the ISACA Member Advantage page of the ISACA website.


ISACA’s Newest Chapter: Amman, Jordan


ISACA has 221 chapters in 96 countries, with the addition of its newest chapter, the ISACA Amman Chapter. This chapter has been many years in the making, and the formation committee is very excited, enthusiastic and honored to have achieved formation of the first chapter in Jordan.

The members of the ISACA Amman Chapter sought to form a chapter to promote awareness about information systems audit and control, information security, and enterprise governance of IT (EGIT) in Jordan. They also hope to refine talents, enhance knowledge and increase the expertise of professionals in those fields.

The Amman Chapter also intends to provide IS and IT expertise and support to the private and public sectors in Jordan. This is particularly valuable since many members of the new chapter are currently working for Jordanian financial institutions, which must now implement COBIT and cybersecurity measures to comply with national law and regulations issued by the Central Bank of Jordan.

Interested in finding your local ISACA chapter? Visit the Local Chapter Information page of the ISACA website.