Get everyone on the same page – establish a common vocabulary
Risk management lies at the heart of data security. Virtually every best-practice framework and law related to cyber security or data privacy takes a fundamentally risk-based approach, including:
- The UK and EU GDPR (General Data Protection Regulation)
- NIS (Network and Information Systems) Regulations
- DORA (Digital Operational Resilience Act)
- NIST CSF (Cybersecurity Framework)
- ISO 27001
Damian Garcia is our head of GRC (governance, risk and compliance) consultancy. He’s an expert in information security and risk management, with more than 30 years’ experience in the field and an MSc in cyber security risk management.
In this interview, Damian talks us through how to begin managing your cyber security risks.
We’ve also conducted a follow-up interview with Damian on how to mitigate security risks.
Quick links
- Define ‘risk’
- Likelihood and impact
- Impact categories and values
- Likelihood categories and values
- Risk heat map (likelihood–impact matrix)
- Consistency across the organisation
Define ‘risk’
Where do you start with cyber security risk management?
First, I like to think of it as information security risk management. That’s what we [our consultants] do: treat cyber security as part of a 360-degree information security picture, making it clear that security is everyone’s responsibility, right down to everyone entering a building or logging in remotely.
But where to start with risk? Define what the term means to you.
‘Risk’ is a broad concept and our perception of risk is influenced by:
- Our experiences
- Our background
- Our culture
- Etc.
In business, taking a risk usually means pursuing a business opportunity. A board or senior management team takes a risk on the basis that, if it plays out, the upside is worth it. Put another way, there’s an opportunity cost to not doing something. The business could stand still or go backwards, so risk is always on the radar. Calculated risk, appropriately mitigated, is a commercial necessity.
In information security, we normally talk about ‘risk’ to mean some kind of negative outcome for the organisation, if the risk were to materialise. The purpose of identifying it is to mitigate it with awareness of the time and cost implications of the necessary actions.
So, again, be clear on what you and your organisation mean by ‘risk’. Establish a common vocabulary. When you train in cyber security, information security or privacy, the terms are all set out so everyone starts to speak the same language. This helps avoid misunderstandings. Clarity and efficiency don’t go together with long-winded explanations about everything you do, so a common vocabulary is essential.
Likelihood and impact
First and foremost, make sure you’re on the same page about what ‘risk’ and a few other fundamental terms mean. Most risks have:
- A likelihood or probability; and
- Some form of impact, whether positive or negative.
The question becomes how you quantify and measure both. Your definitions need to be as clear and unambiguous as possible so that everyone interprets key terms in the same way.
If you need to, include a ‘copy and paste’ set of definitions with important documents. It makes sense to get the risk of misinterpretation out of the way from the start.
When assessing risk, you might use words like ‘low’, ‘medium’ and ‘high’. You’ve got to define what those terms mean and put those words into context.
Often, when we’re talking about a ‘low’ risk, it means that whatever the effect on the organisation is, you can live with it.
Conversely, at the other end of the scale, a ‘high’ risk means a catastrophic effect. It means you must do something about that risk, because if it materialises, you’d struggle to recover. Simple traffic light colour coding often goes along with simple risk level terms.
Impact categories and values
How do you define the impact of a risk materialising?
The first step is to establish which categories are relevant to the client. Impact categories can include:
- Financial
- Strategic
- Customers
- Employees
- Regulatory
- Operational
- Reputational
Not all categories apply to all organisations. For some businesses, some of these categories may also overlap. Reputational and financial, for example, can go hand in hand if you’re fined or a breach is made public.
But this list provides a good starting point for a discussion to determine:
- Which categories apply to them; and
- Which categories are missing.
How do you define the values for those categories?
That’s another important part of the early conversations with clients – establishing those values. How will the client measure the level of impact? What metrics will you use?
Clearly defining those values is incredibly important. This is how you establish that common language. It’s also how you meet ISO 27001’s requirement for ensuring that repeated risk assessments produce “consistent, valid and comparable results” [Clause 6.1.2.b].
Financial impact is the easiest to define – use figures either in pounds sterling [or a different currency] or as a percentage of the organisation’s annual turnover. This information may be sensitive, so getting turnover figures and keeping the documents private is part of the task.
What about non-financial impact? Operational or reputational, for example?
Operational impact can look at something like the loss or compromise of a technology or information system that halts your business operations organisation-wide.
The exact impact levels then depend on the duration of the disruption, and the day or time it happens. For example:
- Very low: Halted for hours.
- Low: Halted for a day.
- Medium: Halted for a week.
- High: Halted for multiple weeks.
- Very high: Halted for at least a month.
If you’re an airline and a disruption happens on a peak travel day, an hour can be worse than a day when, say, you don’t run scheduled flights, so this needs to be contextualised.
Reputational impact might look at the level of media interest. For example:
- Very low: Rumours; you might want to clarify the facts informally or internally.
- Low: Minimal interest from local or regional media, police, regulators or other official bodies; you may need to respond informally or formally.
- Medium: Significant interest from local or regional media, etc.; formal response required.
- High: Interest from national media; strategic response required.
- Very high: Extensive and sustained interest from national or even international media; continued strategic response required.
Again, the exact values depend on the nature of the organisation – its industry, its size, its risk appetite, and so on.
Why is using many different category types important?
Security is everyone’s responsibility, no matter in what department you work. And not every department can look at the impact in financial terms, so you’ve got to align departments with different types of impact.
For example, if you’re a chemical manufacturer, you’ll have someone in charge of health and safety. They need to be able to define impact levels in terms of the number of injuries, disabilities and even fatalities [the ‘employees’ category from the earlier list of impact categories].
When you use a heat map,* the red area [‘high’ risk] is what’s catastrophic to the organisation. But that can be in different terms or categories – even if you can indirectly express non-financial impact in monetary terms.
That’s why you should align the different impact types in a table like this:

Obviously, choose the impact types and complete the blanks as appropriate for your organisation.
[*Heat maps visualise risk severity by combining likelihood and impact levels. We discuss them later in this interview.]
Likelihood categories and values
Do the same principles apply to likelihood categories?
Pretty much. You choose your likelihood scores and give them names:
- Very unlikely
- Unlikely
- Possible
- Likely
- Very likely
Again, make sure you clearly define what each category means, so you’re using that common vocabulary. That means using descriptions, or setting values, like:
- Not expected to occur for years.
- Expected to occur at least annually.
- Expected to occur at least monthly.
- Expected to occur at least weekly.
- Expected to occur at least daily.
How can someone estimate how often something might occur? Just based on past experience?
That’s certainly one way of doing it. It’s also worth checking how often that risk has occurred in the industry.
For example, suppose your organisation has never seen a certain risk materialise, nor – to the best of your knowledge – has anyone else in the industry. You can then set the likelihood score nearer to ‘1’: very unlikely.
Risk heat map
Where does a likelihood–impact matrix come into the process?
I call it a ‘heat map’. We use it to visualise risks – which risks are catastrophic [red] and require immediate action? Which do you need to monitor [orange]? And which risks can you live with [green]?

When I work with clients, we tend to go for a 3×3 heat map – ‘high’, ‘medium’ and ‘low’ – or a 5×5, which adds ‘very high’ and ‘very low’.
My preference is a 5×5, because if you go for a 3×3, I find that risks tend to aggregate towards the middle – the ‘middle valley’, as I call it. That’s just what happens when people aren’t sure: they tend to go for the middle option. When I’m guiding people through the process, I make a note of those thornier topics that fall into the middle valley for further exploration.
One expert recommended using an even number of categories [for risk level], because that forces people to choose between ‘medium/high’ and ‘medium/low’. What are your views?
I’ve always used odd numbers, which has worked well for me. I can see the reasoning behind using an even number though – you’re forcing people to choose one way or another. I prefer to dig deeper, rather than force an answer.
We have these heat maps in our CyberComply platform so that you can get different people to complete them, then you can get together and compare viewpoints before coming to an agreement.
But the key thing is to quantify your risk. You don’t want people to be deciding whether something is risky based on gut feel, but on analysis with hard numbers.
As humans, our assumption of risk – the way we intuitively ‘measure’ risk – is skewed by our perceptions and experiences. As much as possible, you want to analyse your risks based on hard fact and keep asking what’s behind those ‘gut feeling’ assertions that aren’t quantified.
Yes, it requires a bit more work because it’s more analytical. But when we take a step back and look at the hard figures, it takes the emotion out of it and helps us make better decisions.
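To make the scales from the impact and likelihood sections concrete, here is an added example (not code from the interview or from the CyberComply platform) that turns the interview’s five-point operational-impact and likelihood descriptions into scores, places a risk on a 5×5 heat map, and combines several assessors’ ratings the way Damian describes, flagging zone disagreement and the ‘middle valley’ for discussion. The cut-offs between bands and the red/orange/green score thresholds are assumptions to be tuned to your own risk appetite.

```python
from statistics import median

# Five-point scales quoted in the interview; 1 is the lowest score.
LIKELIHOOD = {1: "Very unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Very likely"}
IMPACT = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}

def operational_impact(hours_halted: float) -> int:
    """Organisation-wide outage duration -> impact score, using the interview's
    bands. The cut-offs between bands are an assumption; contextualise them."""
    if hours_halted < 24:
        return 1  # Very low: halted for hours
    if hours_halted < 7 * 24:
        return 2  # Low: halted for a day
    if hours_halted < 14 * 24:
        return 3  # Medium: halted for a week
    if hours_halted < 30 * 24:
        return 4  # High: halted for multiple weeks
    return 5      # Very high: halted for at least a month

def likelihood_from_frequency(events_per_year: float) -> int:
    """Expected frequency -> likelihood score, using the interview's descriptions."""
    if events_per_year < 1:
        return 1  # Not expected to occur for years
    if events_per_year < 12:
        return 2  # At least annually
    if events_per_year < 52:
        return 3  # At least monthly
    if events_per_year < 365:
        return 4  # At least weekly
    return 5      # At least daily

def heat_zone(likelihood: int, impact: int) -> str:
    """5x5 heat map: red = act now, orange = monitor, green = live with it.
    The score thresholds are an assumption; tune them to your risk appetite."""
    score = likelihood * impact
    return "red" if score >= 15 else "orange" if score >= 6 else "green"

def consensus(ratings) -> dict:
    """Combine several assessors' (likelihood, impact) tuples: take the median,
    and flag for discussion if assessors land in different zones or the median
    sits in the 'middle valley' (Possible / Medium)."""
    zones = {heat_zone(l, i) for l, i in ratings}
    l_med, i_med = int(median(l for l, _ in ratings)), int(median(i for _, i in ratings))
    return {"likelihood": LIKELIHOOD[l_med], "impact": IMPACT[i_med],
            "zone": heat_zone(l_med, i_med),
            "needs_discussion": len(zones) > 1 or (l_med, i_med) == (3, 3)}
```

Feed it constructed figures (for example, an outage of a week that is expected roughly monthly) and it returns the zone to act on rather than a gut-feel rating.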
Consistency across the organisation
Different teams are naturally biased towards the risks directly affecting them. Specialist software going down, for example, will be seen as a high-impact incident by a team that depends on it, but low-impact by teams that don’t use it.
How do you distinguish team-level risk assessments from organisational-level assessments?
That happens not just at a team level – it can be on an individual level, too.
Within a larger IT team, you might have one specific person responsible for keeping a certain platform or system live. Maybe they even have some kind of bonus plan tied to the availability of that system and related to service level agreements with customers. You address individual or departmental bias by taking a holistic approach. The more inputs and opinions you seek, from different parts of the organisation, the more balanced and realistic an overview you’ll get.
So, speak to process owners. Speak to IT. Speak to finance. Speak to HR. And so on.
Learn how to manage your risks

This interview only covered the tip of the iceberg when it comes to cyber security risk management.
To gain an in-depth understanding of how to manage your risks, take our three-day Managing Cyber Security Risk Training Course.
Delivered by an expert practitioner such as Damian, and full of real-life examples, this course gives you the tools to plan and implement a cyber security risk strategy.
Don’t just take our word for it
Here’s what our customers say:
Matt:
Good course, instructor had lots of real-world experience and feel like we can start our cyber journey now. Lots of slides in this course!!
Julie:
Great course – as a risk manager I felt I needed to enhance my cyber risk skills and this course definitely helped me do that! Highly recommended.
Stewart:
As an IT Director starting out on how to devise, construct and start down the road of an IT security programme, this was a very helpful course.
It set out the different control frameworks, put them within context of each other and so painted a journey to progress from first steps along the maturity curve. Very helpful in understanding how all the different standards and government advice can fit together.
See why professionals trust our training to meet their cyber security risk management needs
About Damian Garcia

Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he’s helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.
He also has an MSc in cyber security risk management and maintains various professional certifications.
As our head of GRC consultancy, Damian remains deeply committed to safeguarding organisations’ information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.
We’ve previously interviewed Damian about the insider threat and common cyber security and ISO 27001 myths.
We hope you enjoyed this edition of our ‘Expert Insight’ series. Explore our full index of interviews here.

We first published a version of this blog in October 2022.