No One Has an Appetite for Risk

The concept of 'risk appetite' in security risk management is flawed and can lead to misunderstandings and poor decision-making, says Gartner analyst Andrew Walls.


A common pursuit in security risk management is the assessment or characterization of the organization’s ‘risk appetite.’ I have often wondered what this phrase means. I understand the individual words: risk and appetite, but when you combine them into ‘risk appetite’ I grow perplexed.

There are times when I have an appetite for chocolate. This appetite is evidenced by a desire to consume chocolate in some form and may manifest as a search for chocolate somewhere in the cupboard. If I am successful in that search, I am rewarded with a taste treat (preferably dark chocolate) and my appetite is satisfied.

Risk is not a taste treat. I cannot think of a time when I, or anyone else I know, said, “I could really go for some risk right now.” And, when you experience risk directly, it is not something that brings happiness or a sense of satisfaction. “That risk really hit the spot!” said no one, ever.

When I share my confusion with colleagues, two interpretations of the phrase are offered:

  1. It is not an appetite FOR risk; it is what remains beyond the limit of the organization’s appetite for investment in cybersecurity. In other words, when the money runs out, whatever risk is left over is your risk appetite.

  2. People do not have an appetite for risk; they have an appetite for higher levels of reward, which they believe require higher levels of risk to obtain. Higher risk = higher return/reward.


Let’s take a look at these explanations.

Risk Appetite = Risk Left Over When the Money Runs Out

This makes sense as a concept, but it turns the meaning of ‘appetite’ inside out. In this explanation, you don’t actually have an appetite; you simply don’t have enough money to make the risk go away. Using the word appetite in this way is akin to saying I have an appetite for sunburn if I don’t have the money to buy more sunblock or a hat. This basic concept of risk appetite also assumes that the amount of risk is finite and can be bought down with enough spending. Many security risks are fractal (the same exposure reappears at every scale you examine) and irreducible (they cannot be driven to zero at any budget). This is why security people often say things like, “Bad guys only have to get it right once, security has to get it right 100% of the time.”

Higher Risk = Higher Reward

This interpretation comes from the arena of financial risk management. To make higher-risk financial products enticing, the vendors of those products offer bigger payoffs. Does it work that way in cybersecurity? Let’s apply this to ransomware delivered via a phishing email. We could use technical controls and behavioral influence to reduce both the delivery of phishing emails and dangerous responses to them to extremely low levels (a low risk appetite?), or we could ignore the issue and let people rely on their own intuition and judgment (a high risk appetite?). Either way, all it takes is one click on one URL by one person and the damage is done. Accepting more risk does not bring a bigger reward: the outcome (a ransomware infection) is the same regardless of the expressed or implied ‘risk appetite’; only its probability changes.

When you look at this from a cybersecurity management perspective, you realize that the phrase makes no sense and encourages non-security folk to make bad decisions because they are accustomed to believing that higher risk comes with the possibility of higher reward. It does not work that way in security. Higher levels of security risk increase the probability of failure and do not increase the scale of reward that might accrue (beyond mere cost savings).

I think there is a better way to express what we aim to express when we say ‘risk appetite.’ What we are talking about is the organization’s failure tolerance. How often is it okay for the organization to experience security failures? How big can the failures be (impact) and still be tolerable?

At a basic level, security is about preventing failures in system operation or employee actions that disrupt business operations and processes. Our goal is to make sure that digital processes behave in a predictable manner so that the business can plan with confidence. As failures increase, the digital infrastructure behaves less predictably (it becomes unstable) and the business struggles to achieve its goals. In order to negotiate an appropriate level of security investment, business leaders need to consider the level of failure and instability they can tolerate.

This is not a new idea. In retail sales, there is an expectation that a certain amount of product will disappear and not generate revenue. This might be through shoplifting, spoilage, accidents at sea, etc. Allowance is made for these failures when making pro forma estimates of enterprise performance. This topic is called many things (e.g., stock shrinkage) but it is never called ‘shoplifting appetite’ or ‘loss appetite.’ When losses exceed expectations, new approaches are examined to bring operations back into alignment.

A focus on failure tolerance strips away the illusion of a positive correlation of risk and reward in security and forces business and technology leaders to address the true substance of security threats to predictable business performance. What is your failure tolerance?

This article was originally published on the Gartner blog network.


About the Author

Gartner Blog Network

The Gartner Blog Network has expert views on today’s technology and business topics and trends. 
