In drafting the report for a client on a recent information security audit, there was nothing unexpected in the findings. The usual suspects lined up: access control, physical security, and network security. But there was something missing, the elephant in the room. There was no defined or formalized statement of the client's information security risk appetite.
Typically, organizations do not formally consider and document their information security risk appetite. Although most organizations have an information security policy framework and supporting processes and procedures, many of those policies seem to have been written without an end goal in mind. Specifically, they don't state that the policy is based on an information security risk appetite position or statement. Organizations spend significant resources on information security, but if they do not know what systems and data are to be secured, and to what extent, how do they go about securing them?
A first step toward drafting a risk appetite statement should be undertaking an internal information security risk assessment to determine where the organization is and where it needs to be. This assessment will involve facing some truths that may not be palatable to senior management, but it will help identify the organization's unique risks and what it needs to do to address them.
Work up an Appetite
The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management–Integrated Framework defines risk appetite as "The degree of risk on a broad-based level that a company or another entity is willing to accept in pursuit of its goals." A June 2009 study by insurance and risk company Marsh and the University of Nottingham, Research Into the Definition and Application of the Concept of Risk Appetite, breaks risk appetite into five categories:
- A limit or boundary set on the risk heat map (usually the top right-hand column).
- Economic measures (including capital changes/impact, profit or loss, and tolerable levels).
- Changes in credit ratings.
- Changes in targets or thresholds of key indicators.
- Qualitative statements (e.g., zero tolerance for license breaches or loss of life).
The appetite for security risk should be based on the organization's overall risk appetite. The consequence and likelihood of the risk occurring should determine the level of acceptable risk. For example, the impact of not conducting periodic user access reviews on applications may be rated as "medium," which is within the organization's defined risk appetite. Consequently, management can prioritize resources for taking action based on the appetite it has set. In contrast, a denial of service risk may have the capacity to bring the organization's website down, so the rating of this risk may be outside the acceptable tolerable levels and require appropriate emergency action.
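The comparison just described, a heat-map rating derived from likelihood and consequence checked against a signed-off appetite threshold, is easy to make concrete. The following is an added illustration, not code from the article; the three-by-three heat map, the Level scale, the sample register entries, and the per-area appetite values are all assumptions made for the example, with the two register entries modelled on the access-review and denial-of-service situations in the text.

```python
"""Evaluate a constructed risk register against risk appetite thresholds.

Added example, not from the original article. The scales, heat map and the
sample register entries below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale used for likelihood, consequence, rating and appetite."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Assumed 3x3 heat map: keys are (likelihood, consequence). The top right-hand
# cell (HIGH, HIGH) is where the article says the appetite boundary usually falls.
HEAT_MAP = {
    (Level.LOW, Level.LOW): Level.LOW,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.CRITICAL,
}


@dataclass(frozen=True)
class Risk:
    name: str
    area: str
    likelihood: Level
    consequence: Level

    @property
    def rating(self) -> Level:
        """Rating read off the heat map from likelihood and consequence."""
        return HEAT_MAP[(self.likelihood, self.consequence)]


@dataclass
class Appetite:
    """Highest rating management has signed off as acceptable.

    `overall` is the organization-wide information security appetite; `areas`
    holds area-specific statements, which must stay aligned with `overall`.
    """
    overall: Level
    areas: dict = field(default_factory=dict)

    def threshold_for(self, area: str) -> Level:
        return self.areas.get(area, self.overall)


@dataclass(frozen=True)
class Decision:
    risk: str
    rating: Level
    threshold: Level
    within_appetite: bool
    action: str


def evaluate(register, appetite: Appetite):
    """Compare each risk's rating with the threshold for its area.

    Within appetite: management prioritises treatment through normal planning.
    Outside appetite: escalate for emergency action.
    Exceedances are sorted to the front, largest first.
    """
    decisions = []
    for risk in register:
        threshold = appetite.threshold_for(risk.area)
        within = risk.rating <= threshold
        action = ("treat within normal prioritisation" if within
                  else "outside appetite: escalate for emergency action")
        decisions.append(Decision(risk.name, risk.rating, threshold, within, action))
    decisions.sort(key=lambda d: (d.within_appetite, -(d.rating - d.threshold)))
    return decisions


# Constructed sample register mirroring the two situations in the text.
SAMPLE_REGISTER = [
    Risk("Periodic user access reviews not performed on applications",
         "Access control", Level.MEDIUM, Level.MEDIUM),
    Risk("Denial of service takes the public website down",
         "Communications security", Level.HIGH, Level.HIGH),
    Risk("Laptop below the asset-tracking threshold goes missing",
         "Asset management", Level.MEDIUM, Level.LOW),
]

# Assumed appetite: low overall, with area-specific statements layered on top.
SAMPLE_APPETITE = Appetite(
    overall=Level.LOW,
    areas={"Asset management": Level.MEDIUM, "Access control": Level.HIGH},
)


if __name__ == "__main__":
    for d in evaluate(SAMPLE_REGISTER, SAMPLE_APPETITE):
        print(f"{d.rating.name:8} vs {d.threshold.name:8} {d.risk}: {d.action}")
```

Areas without their own statement fall back to the overall appetite, which is what keeps the area-specific thresholds aligned with the organization-wide one: an area can only be more permissive by having management explicitly sign off a higher level for it.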
The organization needs to articulate its risk thresholds and then obtain sign-off from management. A risk mature organization may have multiple levels of risk appetite statements across platforms and technologies. The key to success is aligning these area-specific risk statements with the overall information security risk appetite and the organization's risk appetite statement.
Some areas where risk appetite may be considered include:
- Asset management.
- Access control.
- Physical and environmental security.
- Operations security.
- Communications security.
- System acquisition, development, and maintenance.
- Supplier relationships.
- Information security incident management.
- Business continuity management.
Make a Statement
The organization's information security risk statement should be based on its overall risk statement. For example, a financial institution's information security risk appetite statement may be pitched and agreed to at a high level of detail prescribed by regulatory authorities, while a start-up company may provide less detail. Factors influencing the standard could be the number of customers, financial impact, and level of risk senior management and the board are willing to accept.
An example of an organization's overall risk appetite statement is:
The organization has a tolerance for risk that will allow it to achieve its business objectives in a manner that is compliant with the laws and regulations in the jurisdiction in which it operates. We specifically will not tolerate any negative impact on employee and customer health and well-being.
Based on this overall risk appetite statement, the organization's information security risk appetite statement could be:
The organization has a low risk appetite for the loss of its business and customer data.
Moreover, information security risk appetite statements for specific areas could include:
- Asset Management: The organization has a medium risk appetite for physical information security assets and will track assets greater than US$2,000. Information assets will be protected per the organization's data classification framework.
- Access Control: The organization has a high risk appetite for access controls. All access to the organization's mission-critical systems will be controlled via biometric authentication.
Defining Acceptable Risk
Having an information security risk appetite statement ensures the organization has defined what it considers an acceptable level of risk. Without such a statement, the organization is saying either that all information is important and will be protected, or that no information is important and therefore will be freely available. Both of these scenarios could be a survival risk for the organization in the long term.
Information security risk appetite is the next step in an organization's maturing and understanding of risk management. By giving information security special attention, the organization is acknowledging that this area needs to be addressed specifically.