As we discussed in the context of an overall cybersecurity risk management process, there are four major steps:
Let us concentrate now on the last point. It is worth repeating that risk can never be entirely eliminated; there will always be residual risk. That is simply a fact of business life. It is far more useful to think in terms of the level of risk you are willing and able to live with, or to “tolerate”, in formal jargon. You do not have to bring risk down to zero – you only have to bring it down to a level that you are willing to tolerate. If the residual risk is tolerable for you, then nothing further needs to be done – your cybersecurity risk management process is in good shape for now.
But what if the level of residual risk is more than you are willing to tolerate? Then you have to make some decisions – you have to manage your residual risk. The possibilities include:
Risk acceptance. Management can decide that the best course of action is simply to accept the risk, to “take your chances”. In that case, acceptance must be a formal decision so that responsibility for it is clear.
Risk reduction. If management considers the level of residual risk intolerable, it can return to the third step of the process and look for further mitigation measures to lower the risk. This may mean searching for measures that have not yet been tried, or spending more on measures that are already in place. For example, it might buy a more technologically advanced firewall, install expensive data monitoring software, or introduce more complex multi-factor authentication schemes. Here, the tradeoff between the cost and the benefit of the new measures has to be managed.
Risk avoidance. If management is neither willing to accept the residual risk nor willing (or able) to spend the extra money to lower it, it might look for a way to avoid the risk altogether. For example, if the risk of cyber-intrusion remains too high for certain critical data, management might decide to take that data offline – to physically disconnect it from the Internet, thereby eliminating that particular cybersecurity risk. Note that this may mean losing certain functionality (such as convenient remote access to the data), but that loss is part of the tradeoff to consider.
Risk sharing / insurance. Here a whole new perspective opens up: bringing the concept of insurance into the cybersecurity landscape. Insurance allows the enterprise to avoid having to adopt one of the other options by sharing the risk through an appropriate policy. Cyber-risk insurance is becoming an increasingly attractive solution to the problem of residual risk management because it is quick and efficient to implement and does not unduly disturb the operations of the enterprise. It can be particularly attractive for smaller enterprises that do not necessarily have the resources to undertake the potentially onerous investigations and analyses associated with risk reduction and avoidance measures. Although cyber-risk insurance is still in its early days, it increasingly occupies a well-defined niche in the overall cybersecurity risk management process.
By adopting the systematic approach to residual risk outlined above, management ensures that nothing is overlooked in the search for the best solution – one that not only mitigates negative risk but also maximizes positive risk (opportunities) and safeguards the company's bottom line.