A Risk-Based Approach to Information Security

by Commonwealth Financial Network

There are a lot of unknowns when it comes to information security. As a financial advisor, you aren't expected to know everything about security, yet clients rely on you to protect them against the latest threats. How can you confidently reassure them that you're keeping their information safe?

Rather than study up on every security topic under the sun, it's best to take a risk-based approach to information security. Making decisions based on risk is the foundation of Commonwealth's information security program, and it's critical to have this perspective when developing your own program if you want it to work in all the right places. So that we have a better grasp of "knowing what we don't know," let's take a glimpse at the world of risk.

Please note: A number of risk management frameworks for enterprises are in use today. Each framework may define risk terms differently. For our purposes here, we'll rely on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework's definitions.

According to COSO, risk is "the possibility that events will occur and affect the achievement of strategy and business objectives" (Section 2). Keep in mind that not all risk is negative. Similar to market risk, information security risk often yields opportunity (e.g., allowing e-mail at the office introduces new risk, but it also lets your staff communicate much faster than nonelectronic means). We measure risk in terms of likelihood and impact.

Reducing the phishing threat. To make risk concepts more tangible, let's talk about the threat of phishing e-mails. Everyone with an e-mail address is bound to receive phishing e-mails (high likelihood), and successful phishing attacks can result in a victim sharing sensitive information or accidentally installing malware (high impact). So, how do we manage the threat?

At Commonwealth, we outfit all of our affiliated advisors with the Commonwealth Shield to ease the information security burden. A few notable features of the Shield include:

  • A gateway e-mail filter
  • Antimalware software
  • HelpDesk support
  • Awareness and training materials

Each of these controls reduces either the likelihood that a malicious e-mail reaches an advisor's inbox or the impact if one does. Our e-mail filter, for example, blocks suspicious e-mails before delivery, thus reducing likelihood. Antimalware software reduces impact by quarantining malware it detects on our advisors' systems after a message has already been opened, and awareness training reduces the chance that a message that gets through is acted on.

But no e-mail filter is perfect, and no antimalware program can catch everything (no matter what it claims!). In the end, a level of risk always remains. Our goal is not to eliminate risk but to reduce it to an acceptable level.

In order to know how you should manage risk, you need to determine what constitutes an acceptable level of risk, known as your business's risk appetite. COSO defines risk appetite as "the amount of risk, on a broad level, an entity is willing to accept in pursuit of value" (Section 7).

For example, although phishing is a prevalent threat enabled by e-mail, using e-mail communication in your office provides significant value to your business. Your risk appetite should allow for staff to use e-mail. On the other hand, permitting staff to download pirated movies from suspect websites shouldn't fit into any business's risk appetite, as this activity doesn't add value to your business and increases the likelihood of malicious software entering your systems.

Can you have an appetite of zero? Although it sounds optimal, having a risk appetite of zero isn't realistic. You'll find yourself investing too much in information security controls, potentially more than the loss you are guarding against is even worth. It's like protecting a $100 bike with a $200 bike lock. Taking a risk-based approach to information security means defining a practical appetite that fits your business, not attempting the impossible.

Once youā€™ve identified threats and compared them against your risk appetite, you can respond to risk in four ways. Letā€™s go through each type of response, continuing to use phishing as an example.

1) Risk mitigation. This describes putting a control or safeguard in place to effectively reduce information security risk.

Example: Setting up an e-mail filter helps mitigate the threat of malicious e-mails entering your environment.

2) Risk acceptance. After implementing controls to mitigate risk, there will always be a level of risk remaining. You may decide to accept this known risk, taking no further action. Note that this is not the same as ignoring risk. Accepting is an active, well-thought-out decision that should be revisited regularly.

Example: After implementing an e-mail filter, antimalware, and awareness training, the threat of phishing has still not been completely eliminated (though the risk has been reduced significantly). So, you accept the remaining risk.

3) Risk avoidance. If no other response can reduce the risk to an acceptable level, choosing not to take on the risk may be an option.

Example: If you were to get rid of e-mail entirely to avoid phishing, that would be an example of risk avoidance.

Sure, this example is ridiculous; risk avoidance isn't always a sensible option. But we do avoid risk all the time, like when we decide not to store client information with a particular cloud provider or not to rent office space near an active volcano.

4) Risk transference. It's possible to transfer some risk to an insurance company to help offset the financial burden of a security incident.

Example: Purchasing cyber liability insurance helps cover the cost of forensics, breach notification, business interruption, and other expenses if a major incident occurs, which could certainly begin with a phishing e-mail.

When thinking of risk transference, it's important to note that you can never transfer accountability for the risk. Cyber liability insurance can help financially, but it can't magically fix lost trust or a damaged reputation, and a client whose data was exposed will still look to you, not your insurer.

By adopting a risk-based approach to information security, you'll be able to prioritize your response to threats accordingly. If you're ever feeling overwhelmed by information security, keep in mind that weighing likelihood and impact helps confirm that you're protecting against the right threats and investing your time and money in the most effective safeguards for your firm.

Does your firm have controls in place to reduce information security risk? How do you educate your staff on security threats and protection resources? Please share your thoughts with us below!

Commonwealth Financial Network is the nation's largest privately held independent broker/dealer-RIA. This post originally appeared on Commonwealth Independent Advisor, the firm's corporate blog.

Copyright © Commonwealth Financial Network