Posted on

Technology Risk Latest 2022

What is Technology Risk?

Technology risk, also known as information technology risk, is a type of business risk defined as the potential for any technology failure to disrupt a business.

Companies face many types of technology risks, such as information security incidents, cyber attacks, password theft, service outages, and more.

Technology risk, IT risk, cyber risk – what’s the difference among these commonly used terms, and is there really a distinction in a time of digital transformation?

Generally, risk management has looked at the world of risk with this hierarchy:

1-Operational Risk: Any event that affects the organization’s ability to operate

2-Technology (or IT Risk), a subset of Operational Risk: Any risk to information technology or data or applications that negatively impact business operations. This could cover a range of scenarios, including software failures or a power outage.

3-Cyber Risk, a subset of Technology Risk: Loss event scenarios strictly within the cyber realm, such as phishing, malware, data breach.

If it sounds like there’s lot of room for crossover in these definitions, that’s right. Gartner has successfully advocated for Integrated Risk Management (IRM) that takes “a comprehensive view across all business units and risk and compliance functions, as well as key business partners, suppliers and outsourced entities.”

In Gartner’s view, risk management is a continuum, as shown in this graphic, driving toward Digital Risk Management (DRM, on the left), as business processes all become digital in one way or another.

Defining Technology Risk in FAIR Terms

Factor Analysis of Information Risk is the standard for quantification of cyber and technology risk in financial terms to enable justification, prioritization, and communication of security investments within an organization.

In FAIR terms, risk is defined as the

Probable Frequency and Probable Magnitude of Future Loss

The starting point for FAIR quantitative analysis is a risk scenario or risk statement that addresses a technology problem the business needs to solve. The format is:

“[Threat Actor] impacts [Confidentiality, Integrity, Availability] of [an Asset] via [Some Method]”

For example:

“Analyze the risk associated with an external threat actor establishing a foothold on the network through a trusted security vendor’s application (e.g. SolarWinds) resulting in a breach of sensitive data in our crown jewel asset.”

The FAIR standard shows the way to break the scenario down into factors to quantify the probable frequency and impact of such an event, based on the organization’s experience or industry data.

Additional Resources

In this RiskLens case study, a furniture manufacturer wanted to determine if it should keep paying the annual subscription fee for support from the technology vendor for its order fulfillment system or bring the maintenance of the system in-house. If an employee misconfigured the system, what would that accident cost the organization in terms of lost sales, response costs, or other impacts? How would that compare with the ongoing subscription cost?

Scenario: “Analyze the risk associated with a non-malicious privileged insider impacting the availability of the order fulfillment system via a misconfiguration resulting in a suspension of fulfillment.”

Quantified risk analysis on the RiskLens platform based on FAIR showed that staying with the subscription service would shorten response time to an outage, reducing the impact to a level that justified the $1 million annual investment.

What Is an IT Risk Assessment?

Risk analysis and risk assessment are two more terms that often used interchangeably but with an important distinction.

While a risk analysis might look at a single scenario, a risk assessment gives a broader look at risk across scenarios to support business decision-making, particularly to justify, prioritize and communicate security investments. Types of technology or IT risk assessments include:

Rapid Risk Assessment:

Run a quick series of risk analyses to aggregate and compare outcomes, for instance to prioritize top risks for response based on loss exposure in dollar terms.

Aggregate Risk Assessment:

Understand and quantify the organization’s total probable loss exposure for information technology. Gain granular insights by looking across scenarios to spot which threat communities or asset types pose the greatest risk to the organization, or which business units carry the most lost exposure, relevant insight for a CISO (chief information security officer) deciding on how and where to target defenses.

To fully support business decisions, risk assessments should be presented with risk treatment options for the risks identified.

A risk treatment analysis

1-Establishes a baseline of loss exposure from the current situation

2-Runs “what-if” scenarios to compare the risk reduction (in financial terms) from the current state that alternate proposed controls process changes could achieve.

3-May include a cost/benefit or return-on-investment (ROI) analysis comparing the cost of new security investments to their effect on risk reduction.

What Is IT or Information Technology Risk Management?

Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.

National Institute of Standards and Technology (NIST) Special Publication 800-39: Managing Information Security Risk

As NIST advises, the first step in risk management is to “frame” risk, in other words establish a common terminology and measurement system – ideally one based on a standard such as FAIR that normalizes risk vocabulary — and on quantitative analysis that measures risk in the financial terms used to communicate across the enterprise, also the output of FAIR analysis.

With risk treatment analysis, organization can also “respond” and, with ongoing risk assessments, “monitor” through a risk dashboard.

Compliance with Information Technology Risk Management Frameworks

Many organizations make information risk management a less than “comprehensive” process by focusing on compliance with frameworks – treating publications like NIST 800-39 that recommend various security practices or controls as checklists, on the assumption that the more controls implemented, the lower the risk. Without quantitative risk measurement, however, that’s an unprovable assumption.

The frameworks are good foundational guides for a security program. But their strictly technical approach to cybersecurity can’t be fully aligned with business needs, such as determining security investments or communicating the need for budget to the business based on ROI.

Technology Risk, Business Continuity Planning and Resilience

Large organizations often create a business impact analysis statement (BIA) to understand the links between processes that drive the business, and the probable outcomes of outages due to man-made or natural events that might significantly interrupt operations.

For information technology, that means business continuity plans should prioritize IT resources to minimize the effect of an outage on the business.

Read More About Third-Party Risk Management

Buy From Amazon

Leave a Reply

Your email address will not be published. Required fields are marked *