The value of risk organizations

  1. What risks does the organization face?
  2. How might the security team reduce these risks?
  3. Were the associated costs worth the reduced risks?
  • Costs are the clear expenses that result from a bad day. Avoiding bad days is an upside that funds security.
  • Opportunities are the upsides that may attract good outcomes for a business by having good security, and funds security.

The concept of “direct” versus “imposed” risk.

Imposed risk has nothing to do with our own losses. It’s about the consequences to others. Example:

It’s a sum of the risks to yourself and others.

But how do we measure imposed risks in justifying the resource for a security organization? This is where our typical estimation of direct risk… avoid breaches and get customers… leaves us with a perspective on risks from the 1800s.

1800's food manufacturing imposed absurd levels of risk on others.

The US food supply near the end of the industrial revolution is a fantastic example of this. Food suppliers felt fine putting formaldehyde, borax, and bleach into food to prevent the risk of spoilage (direct) which of course killed a bunch of people (imposed).

Tech companies impose risks on consumers and society.

An organization may impose risks simply because they exist. This is equal to putting others at risk by going on the road for our commute and varies depending on how much risk they impose (are they driving safely, or driving drunk).

  • Adobe: Adobe’s code signing certificate was once used to sign malware. Adobe suffered the standard reputation damage needing to write that blogpost (direct), but this also created signed malware for use at targeted companies (imposed). The same thing happened with Bit9. In neither case was it necessary for the malware’s victims to actually have been customers of Bit9 or Adobe.
  • Equifax: One of the most surprising aspects of this breach was the fact that most victims weren’t even customers of the company. Equifax had enormous legal costs (direct) but only a percentage of the victims worked to reclaim this in small claims.
  • Google: The fight against Bread has similar qualities. Google has several direct costs. Employees investigate this fraud family. Maintenance and development of detection and prevention systems. Lost revenue from customers that stop using the Google ecosystem (direct). The victims foot the bill from SMS billing and Toll Billing (and I suspect ) are unlikely to be refunded. (imposed)

Bottom line impact is only the starting point in valuing an organization that mitigates risk. It’s far from the end.

Risk quantification methods are often dollar based. They hope to focus on the bottom line risk and approximate the resource for a security organization.

Finding a balance: Assuming a part of the imposed risks

Let’s imagine an extreme policy response on behalf of 1800’s food manufacturers: pay for the hospital bills for anyone who drank our milk.

Forcing the movement of imposed risks to direct risk

There are many examples where the risks an industry imposes on its customers are transferred back to an organization as a direct risk. It happens in court, by regulatory bodies, or in contracts. However, none of the following examples are uniformly enforced. An organization that only considers direct risks would only see a portion of the overall impact it has imposed come back to haunt them. We undervalue risk mitigation if we assume that lawsuits approximate our risks to others. Here are some examples:

1. Lawsuits transfer imposed risks into direct risks.

Lawsuits transfer some of the risk an industry imposes back to their own bottom line.

Regulation transfers imposed risks into direct risks.

Regulation forces an industry to transfer some of the risk they impose on others into their own bottom line.

Vendor compliance transfers imposed risks into direct risks.

A contract, a security questionnaire, or a requirement for a certification are all examples of a customer forcing a vendor to limit the risks they impose on the customer, or at least describe them. These push direct costs to the vendor.

1858 Bradford sweets poisoning. Manufacturing shortcuts harm consumers.

Self regulation is the voluntary treatment of imposed risks as direct risks.

An organization that identifies the risks they are imposing to others and finds reasonable balance in minimizing those risks can be described as one that self regulates. This would have to happen before risks are required to be mitigated by regulation and law.

My favorite ketchup came from self regulation.

Heinz took advantage of the rising interest in safe food before it was regulated. (1:09:0). The company created a ketchup recipe without preservatives and embarked on a marketing spree standing behind “Pure Food” with a shelf-stable ketchup due to its natural acidity. Henry J. Heinz himself led lobbying efforts to support the Pure Food and Drug Act in 1906. (1:10:20)

Summary: The value of a risk organization

We have covered the topics necessary to inspect whether a security organization is valued across broad areas of risk within an organization. Here’s our points, in summary:

  • Does the business at least minimize its own risks?
  • Can the business offer opportunities to generate revenue?
  • Does the business minimize imposed risks with customers and or society?



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store