Guide to improving your business case

Cyber and information security professionals often struggle to communicate the business case for investment in the steps needed to meet standards like ISO/IEC 27001:2013.
FUD
One approach, sometimes dubbed Fear, Uncertainty and Doubt (FUD), is used by some security professionals to cut through the noise and engage with management. It is particularly common in the wake of cyber incidents and breaches, and it works over the short term. [And it is an approach also utilised on this website through the use of hypotheticals and testimonials…]
However, FUD makes it hard for executive decision makers to evaluate cyber and information security risks over a longer timeframe, especially when those risks inevitably compete for attention and investment with other operational, financial and business risks.
Qualitative and quantitative techniques
Management can be more effectively engaged over the longer term if the value at risk, as well as the opportunity, is identified using qualitative or quantitative techniques.
For the vast majority of small to medium-sized businesses, qualitative techniques still offer an efficient, functional approach.
The adoption of standards like ISO/IEC 27001:2013 is a widely accepted method for mitigating risk. If cyber and information security risks can be appropriately identified, then the ISO standards offer a ready library of risk treatments.
This guide surveys some of those techniques.
Most organisations begin with a qualitative approach based on ISO 31000 and ISO/IEC 27005 and develop a risk management framework.
This qualitative technique is the most common. It uses rating values that are a descriptive approximation of the frequency, probability and magnitude of each risk.
This simple assessment can be expressed as:
Risk = Threat x Vulnerability
This formula emphasises the negative side of cyber and information security: security exists to minimise threats and reduce vulnerability.
Often this fails to resonate with business leaders who are focused on achieving positive objectives like business growth and maximising shareholder value. This negative orientation can be offset by counterbalancing it with consideration of the opportunities (benefits) to be realised in the face of the risk.
Consider assets
Assets in this context are the information stored by computer systems and the computer systems themselves (hardware and software).
The questions a business must answer are:
- What assets require protection?
- What is the value that the organisation (and adversaries) place on the assets?
- How essential are the assets to producing revenue?
- What costs will be incurred if the asset is compromised?
With a focus on assets and their value, identification of threats and vulnerabilities becomes easier and the relationship between them becomes stronger.
However, this approach may lack specificity for a large and dispersed business operation, in which case more quantitative techniques may be useful.
Two legacy quantitative approaches are:
- Annual Loss Expectancy (ALE)
- Return on Security Investment (ROSI)
Annual Loss Expectancy
ALE = SLE x ARO
For each risk, a rating value and an overall monetary indicator, known as the Annual Loss Expectancy (ALE), can be calculated.
In this calculation, impact ratings are typically applied to the risk scenarios: a Single Loss Expectation (SLE) monetary value is based on the expected cost should the risk occur.
The likelihood rating is augmented by an Annual Rate of Occurrence (ARO), the expected number of occurrences per year.
Return on Security Investment (ROSI)
ROSI = (ALE x Mitigation Ratio - Cost) / Cost
For a more glass-half-full approach that compares options and their benefits, consider Return on Security Investment (ROSI).
In addition to calculating ALE to estimate the annual loss associated with each risk scenario, the effect of a planned control can be calculated by multiplying ALE by a Mitigation Ratio (the percentage risk reduction the control is expected to deliver).
With both ALE and ROSI, organisations can bring quantitative analysis to their risk assessment and business case for new security controls.
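The ALE and ROSI arithmetic above, carried through for one risk scenario and three candidate controls. This is an added example, not code from the original guide or from JASANZ; the scenario, the dollar figures, the mitigation ratios and the control costs are constructed for illustration and are not taken from any real assessment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float  # Single Loss Expectation: expected cost of one occurrence
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class ControlOption:
    name: str
    mitigation_ratio: float  # fraction of ALE the control is expected to remove, 0..1
    annual_cost: float       # annualised cost of operating the control


def rosi(ale: float, mitigation_ratio: float, cost: float) -> float:
    """ROSI = (ALE x Mitigation Ratio - Cost) / Cost.

    A negative value means the control costs more per year than the loss it avoids.
    """
    if cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    return (ale * mitigation_ratio - cost) / cost


def residual_ale(ale: float, mitigation_ratio: float) -> float:
    """Loss expectancy that remains after the control is applied."""
    return ale * (1.0 - mitigation_ratio)


def rank_controls(scenario: RiskScenario, options: list) -> list:
    """Return (control name, ROSI) pairs for the scenario, best ROSI first."""
    ranked = [
        (option.name, rosi(scenario.ale, option.mitigation_ratio, option.annual_cost))
        for option in options
    ]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed scenario and control set (illustrative figures only).
RANSOMWARE = RiskScenario("Ransomware on the file server", sle=250_000.0, aro=0.2)
OPTIONS = [
    ControlOption("Tested offline backups", mitigation_ratio=0.8, annual_cost=15_000.0),
    ControlOption("Managed detection and response", mitigation_ratio=0.95, annual_cost=60_000.0),
    ControlOption("Staff awareness training", mitigation_ratio=0.3, annual_cost=5_000.0),
]

if __name__ == "__main__":
    print(f"{RANSOMWARE.name}: ALE = {RANSOMWARE.ale:,.0f} per year")
    for name, value in rank_controls(RANSOMWARE, OPTIONS):
        option = next(o for o in OPTIONS if o.name == name)
        print(f"  {name:32s} ROSI = {value:6.2f}  "
              f"residual ALE = {residual_ale(RANSOMWARE.ale, option.mitigation_ratio):,.0f}")
```

Two things the ranking shows that the formulas alone do not: a cheap control with a modest mitigation ratio can return a higher ROSI than a much stronger one, and a control whose annual cost exceeds the loss it avoids produces a negative ROSI. Presenting the residual ALE beside each ROSI figure keeps the conversation on how much loss exposure actually remains, rather than on the ratio alone.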
A more contemporary approach to risk quantification is called Factor Analysis for Information Risk (FAIR).
The FAIR framework provides for greater quantification of Likelihood and Impact, specifically in relation to threats and vulnerabilities.
With FAIR, risk is calculated as follows:
Risk = Loss Event Frequency (LEF) x Probable Loss Magnitude (PLM)
This is where FAIR begins to differ from qualitative techniques: the Likelihood (LEF) and Impact (PLM) equivalents are themselves broken down and quantified in further detail, rather than being rated on a scale.
To calculate Loss Event Frequency (LEF)
To calculate LEF, the analyst must fully understand the asset, the relevant threats and the vulnerability:
Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
- Threat Event Frequency (TEF) is itself calculated as Contact Frequency x Probability of Action
- Vulnerability is calculated as Threat Capability x Control Strength
Most organisations would not have a clear picture of Contact Frequency, Probability of Action, and Threat Capability. Increasingly, private sector organisations are subscribing to threat intelligence services that may offer some useful insights and inputs.
Another good source of threat information is the MITRE ATT&CK website, which maps groups (threat actors) to techniques and in turn to mitigations.
Control (or Resistance) Strength is much easier for organisations to calculate as it is akin to current control effectiveness.
To calculate Probable Loss Magnitude (PLM)
FAIR encourages organisations to assess both the Primary Loss and Secondary Risk.
Primary Loss is based on the criticality of the asset, the cost if the asset were compromised, and the asset's sensitivity to compromise.
Secondary Risk is based on Secondary Loss Event Frequency x Secondary Loss Magnitude and includes indirect losses (e.g. reputation).
The calculation is:
Probable Loss Magnitude (PLM) = Primary Loss + Secondary Risk
Finally, FAIR encourages the use of a Monte Carlo simulation to produce a loss distribution based on the data collected and calculations performed. Communicating the results of a FAIR-based risk assessment typically involves stating the minimum, most likely, and maximum loss values so that management can understand the range at play.
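The LEF and PLM calculations above, run as a Monte Carlo simulation so that the result is a loss distribution rather than a single figure. This is an added example, not code from the original guide, from JASANZ or from the FAIR Institute, and it makes three assumptions that the guide does not spell out: every input is given as a three-point (minimum, most likely, maximum) estimate and sampled from a triangular distribution; Vulnerability is derived per trial by asking whether the sampled Threat Capability exceeds the sampled Control Strength, which is how that pair is usually combined in FAIR (the guide's product form, taken literally, would make stronger controls increase vulnerability); and Secondary Loss Event Frequency is treated as the probability, between 0 and 1, that a primary loss event also triggers secondary losses. The scenario figures are constructed for illustration.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum) for one FAIR input."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution; collapses to a fixed point when low == high.
        return rng.triangular(self.low, self.high, self.mode)


def point(value: float) -> Estimate:
    """An input known (or assumed) exactly, for calibration and testing."""
    return Estimate(value, value, value)


@dataclass(frozen=True)
class FairScenario:
    contact_frequency: Estimate       # threat contacts with the asset per year
    probability_of_action: Estimate   # 0..1, chance a contact becomes an attempt
    threat_capability: Estimate       # 0..1, relative capability of the threat
    control_strength: Estimate        # 0..1, FAIR's Resistance Strength
    primary_loss: Estimate            # currency, direct cost per loss event
    secondary_loss_probability: Estimate  # 0..1 (assumption: SLEF as a probability)
    secondary_loss_magnitude: Estimate    # currency, indirect cost when it occurs


def simulate_trial(s: FairScenario, rng: random.Random) -> float:
    """One year's annualised loss for the scenario, in currency units."""
    tef = s.contact_frequency.sample(rng) * s.probability_of_action.sample(rng)
    # Vulnerability: did the threat's capability beat the control in this trial?
    vulnerable = s.threat_capability.sample(rng) > s.control_strength.sample(rng)
    lef = tef if vulnerable else 0.0
    primary = s.primary_loss.sample(rng)
    secondary = s.secondary_loss_probability.sample(rng) * s.secondary_loss_magnitude.sample(rng)
    plm = primary + secondary
    return lef * plm


def percentile(sorted_values: list, p: float) -> float:
    return sorted_values[round(p * (len(sorted_values) - 1))]


def simulate(s: FairScenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Loss distribution summary: the minimum / most likely / maximum view plus percentiles."""
    rng = random.Random(seed)  # fixed seed so a reported result can be reproduced
    losses = sorted(simulate_trial(s, rng) for _ in range(trials))
    return {
        "minimum": losses[0],
        "p10": percentile(losses, 0.10),
        "median": statistics.median(losses),
        "mean": statistics.fmean(losses),
        "p90": percentile(losses, 0.90),
        "maximum": losses[-1],
    }


# Constructed scenario: credential phishing against a customer database (illustrative only).
PHISHING = FairScenario(
    contact_frequency=Estimate(20, 50, 120),
    probability_of_action=Estimate(0.2, 0.4, 0.7),
    threat_capability=Estimate(0.3, 0.55, 0.9),
    control_strength=Estimate(0.4, 0.6, 0.8),
    primary_loss=Estimate(20_000, 80_000, 400_000),
    secondary_loss_probability=Estimate(0.1, 0.3, 0.6),
    secondary_loss_magnitude=Estimate(10_000, 150_000, 1_000_000),
)

if __name__ == "__main__":
    for label, value in simulate(PHISHING).items():
        print(f"{label:8s} {value:>14,.0f}")
```

Reporting the p10, median and p90 alongside the minimum and maximum gives management the range the guide describes without letting a single extreme trial dominate the conversation. Because the seed is fixed, the figures in a business case can be regenerated later when the input estimates are revised.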
Naturally, following a FAIR-based approach to risk assessment takes more time and data, and is usually only warranted for a select number of significant risks. Having more data points enables a deeper understanding of the risk, which in turn can help ensure the most effective responses.
Whether companies adopt qualitative or quantitative techniques for risk management may depend on their scale and individual risks. However, employing strategies that go beyond Fear, Uncertainty and Doubt and being able to clearly communicate both risks and opportunities to decision makers should present a stronger business case.
The adoption of internationally accepted standards like ISO/IEC 27001 prepares companies to mitigate risk. If cyber and information security risks can be appropriately identified, then the standards offer a ready library of risk solutions.