Why You Should Make Information Security Decisions Based on Risk, Not Fear


At HBS, we talk at great length about solving information security challenges based on risk, not fear. After all, that is our mission. But what do we mean when we say that, and why should you focus on risk?

When people hear about cyber threats or learn of the most recent data breaches, the first thing they often feel is fear: fear that their personal information may have been compromised, fear that their business may fall victim to a similar attack, or perhaps fear that they have no idea what to do about cyber risk.

Fear is a powerful emotion that can distract from real issues and threats. This can lead to poor decision making and wasted resources. Cyber threats are a serious concern, but we shouldn’t allow fear alone to drive our cybersecurity decisions. Sometimes fear is a useful wake-up call that drives action, but when you act, make sure to check your fear at the door and move forward with a risk-based approach.

Managing Cybersecurity Risk

Organizations should use their knowledge of risk to drive decisions. To properly manage cybersecurity risk, we must understand the likelihood that a security incident (e.g., ransomware, a phishing attack, data loss) will occur and the potential resulting impact. Armed with this information, organizations can determine their inherent risk, prioritize security activities, and make informed decisions about cybersecurity expenditures.

Removing fear from the equation encourages objective, risk-based decision making. This kind of decision making helps guide the development of the right cybersecurity program for your business. It also establishes the foundation for a sustainable security culture among employees and executives.

This may sound like common sense, but fear can disrupt the entire risk-based process. It’s easy to talk about maintaining an objective view, but the only way to stay true to the risk-based approach is by creating a plan before the disaster hits. Don’t wait until you have experienced an incident to focus on risk… at that point it’s no longer a risk, it’s a hazard.

Asking the Right Questions to Properly Manage Risk

According to NIST SP 800-53, there are several key questions that should be answered by organizations when addressing their security and privacy concerns:

  • What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk?
  • Have the security and privacy controls been implemented or is there an implementation plan in place?
  • What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?

The answers to these questions are not given in isolation, but rather in the context of an effective risk management process for the organization that identifies, assesses, responds to, and monitors on an ongoing basis, security and privacy risks arising from its information and systems.

Risk-based decisions are informed decisions. Fear-based decisions are guesswork. Business leaders owe it to all stakeholders (employees, customers, and shareholders) to make educated, thoughtful decisions that give the company its best chance for success. Don't let fear get in the way of progress.

If you need assistance with answering these questions or help with your IT risk management process, please contact HBS. Our team will help you make decisions based on risk, not fear.

Nate Freidhoff