Using Risk Assessment to Support Decision Making - ISACA


INDUSTRY NEWS

Using Risk Assessment to Support Decision Making

Author: Tony Martin-Vegue, CISM, CISSP, Open FAIR
Date Published: 12 April 2021

An effective and mature risk governance program drives better decision making in all directions of an organization: up to leadership and the board, down to individual contributors and laterally to all lines of business. Risk-aware decision making, regardless of the domain (e.g., finance, technology, enterprise, cyber), is the cornerstone of effective resource management at any organization.

COBIT® 5 for Risk defines a risk assessment as “[T]he process used to identify and qualify or quantify risk and its potential effects,” describing the identification, scoping, analysis and control evaluation. Successful organizations integrate the entire risk management life cycle process with business decision making, but how do they do so? First, the organization must know what a decision is and how decisions drive risk assessment activities—not the other way around. After this is understood, the rest of the pieces fall into place.

What Is a Decision?

Without a decision, a risk assessment is, at best, busywork. At worst, it produces an unfocused, time-intensive effort that does not help leaders achieve their objectives. Information risk professionals operate in a fast, ever-changing and often chaotic environment, and there is not enough time to assess every risk, every vulnerability and every asset. Identifying the underlying decision driving the risk assessment ensures that the activity is meaningful, ties to business objectives and is not just busywork.

The idea that risk analysis helps decision making by reducing uncertainty is as old as probabilistic thinking itself. The concept was formalized by Ron A. Howard, a decision science professor at Stanford University (California, USA), in his influential 1963 paper, Decision Analysis: Applied Decision Theory.1 He formalized and defined the components of a decision, all of which can be used to focus risk assessment activities.

Components of a Decision

Howard identifies 3 components of a decision: choice, information and preference (figure 1).2 Together they are the foundation of decision-making; without all 3, a decision cannot be made. The decision maker uses logic to identify and evaluate the components individually and together, leading to a conclusion.

Figure 1—The Components of a Decision

Once the risk analyst understands the components and how they work together, it is easy to see how they support a risk decision:

Choice—This describes what the decision maker can do. There must be multiple courses of action possible for a decision to be made. With only one course of action, there is no decision.

Preference—The decision maker must have a preference or inclination for a desired outcome. For example, in information risk, the decision maker often prefers to optimize user functionality, effective security, efficient resource allocation (i.e., money, time, people) or some combination of these options. Understanding the requestor's preferences is a valuable exercise to help scope a risk assessment. The decision maker should be able to articulate what the requestor wants to achieve as an outcome of the decision.

Information—Information is an equal part of the trio when making a decision, and information is also an integral part of any risk assessment. When making a decision—and by extension, assessing risk—information is available from a variety of sources.

Framing a Risk Assessment as Decision Support

If any of these components are missing, there is no decision to be made and, by extension, a risk assessment will be an exercise in frustration that will not yield valuable results. If the risk analyst starts a risk assessment by identifying the choice, preference and information, the assessment will be easier to focus and scope. Alternately, one may conclude that a risk assessment is not necessary or a different methodology may be more appropriate.

ISACA’s Risk IT Framework, 2nd Edition describes 3 high-level steps in the risk assessment process:

Risk identification
Risk analysis
Evaluating the business impact(s) of the identified risk

Integrating the decision-making process into risk assessment steps requires the analyst to ask questions to understand the full scope of the decision before and during the risk identification phase. This provides the opportunity to align assessment activities with the organization’s strategic objectives.

Figure 2 provides a simple matrix that illustrates this.

Figure 2—Understanding the Decision Before and During Risk Identification

Real-World Examples

Here are 3 common examples of poorly scoped risk assessment requests and tips for the risk analyst to clarify the decision and determine if risk analysis is the right tool.

Risk Assessment Request 1

“An employee on the development team keeps unjoining his computer from the Active Directory Domain Service (AD DS) to avoid system updates and required device management. Can you perform a risk assessment on this so we can force the employee to stop doing it?”

What Is Missing?

Choice. There is not a clearly articulated choice or alternatives. The requestor is presenting only one choice: forcing an employee to do something specific. In other words, the requestor does not need help in deciding what to do.

What Is an Alternative Approach?

Management or human resources (HR) action and escalation are most appropriate here, assuming there is a written policy for security circumvention and IT management software uninstalls. A risk assessment would be appropriate here if there were a choice to be made such as, “Should the enterprise let users circumvent endpoint management, and, if so, what is the risk?” A risk assessment would help management weigh the risk and benefits and make a decision.

Risk Assessment Request 2

“We are evaluating 2 different antivirus vendors to replace our existing solution, and we need a risk assessment to help us decide.”

What Is Missing?

Preference. The decision maker has not expressed the desired outcome from the decision. Are there security concerns, cost savings or usability issues with the current solution? Without a clearly defined preference, the assessment will be unfocused and could analyze the wrong risk.

What Is an Alternative Approach?

Interviewing leadership and asking why they are considering switching vendors and what information needs to be included in the risk assessment will aid the decision. A requirements comparison matrix would be a good first step, comparing product features and potential security issues. After developing a list of gaps each product has, a risk assessment may be the best path forward, but it needs to be scoped. For example, a potential gap might be, “Product Y is cheaper than Product Z, but it is missing these 3 security features. What additional risk exposure would Product Y introduce to the organization?”

Risk Assessment Request 3

“I would like you to assess black swan cyber events.”

What Is Missing?

Information. According to Nassim Taleb, who coined and popularized the term in the modern business context, a black swan event is an “outlier, as it lies outside the realm of regular expectations.”3 Only a true clairvoyant can look into the future and predict events that are unknowable today.

What Is an Alternative Approach?

The decision maker may be misunderstanding the term “black swan.” It would be useful to ask, “Do you mean high-impact, low-probability events?” If that is the case, a series of risk assessments can be performed to identify control weaknesses that affect business resilience.

Conclusion

Risk assessments are an excellent tool to reduce uncertainty when making decisions, but they are often misapplied when not directly connected to an overall decision-making process. The failure to frame a risk assessment as decision support, supported by the 3 decision components, decouples the analysis effort from business objectives. Time is wasted by performing assessments when there is not a decision to be made, when there is a lack of complete information or when there is no understanding of the preference of the individuals responsible for the decisions. Having clear, complete information and understanding the motivations and options behind a decision help frame the assessment in a meaningful manner.

This understanding will help develop a response the next time someone drops off a 170-page vulnerability scan report and asks for a risk assessment on it.
Endnotes

1 Howard, R. A.; “Decision Analysis: Applied Decision Theory,” Proceedings of the Fourth International Conference on Operational Research, 1966
2 Edwards, W.; R. F. Miles, Jr.; D. Von Winterfeldt (eds.); Advances in Decision Analysis: From Foundations to Applications, Cambridge University Press, USA, 2007
3 Taleb, N. N.; “The Black Swan: The Impact of the Highly Improbable,” The New York Times, 22 April 2007

Tony Martin-Vegue, CISM, CISSP, Open FAIR

Is a writer, speaker and risk expert with a passion for data-driven decision-making. He uses his expertise in economics, cyber risk quantification and information security to advise senior operational and security leaders on how to integrate evidence-based risk analysis into business strategy. Martin-Vegue serves on the board of the Society of Information Risk Analysts and is the co-chair of the San Francisco chapter of the FAIR Institute—2 professional organizations dedicated to advancing risk quantification. He can be contacted at www.tonym-v.com.


