Which action involves shifting the consequence of a risk and responsibility for its management to a third party?

Insurance

As we’ve discussed, insurance is a risk transference method and one used by many, if not all, businesses today. In some cases, your firm may be required to hold certain types of insurance; in other cases, it may be voluntary. Your BC/DR plan should have contact information for your insurance company representatives, and they should be notified upon activation of the CMT. The CMT may also perform an initial damage assessment and document it for the insurance company. This might include taking photographs or video images as well as making detailed notes. Members of the CMT team should also begin gathering documents related to insurance claims and submit loss estimates to the insurance company. Finally, someone on the CMT should review the insurance documents to determine exclusions, limitations (financial, time, location, cause, etc.), or maximums on various policies. Any issues with insurance should be escalated to management and/or legal counsel for review and resolution.

Risk transference

Risk transference involves handing the risk off to a willing third party. Many companies outsource certain operations such as customer service, order fulfillment, or payroll services. They do this in many cases, so they can focus on their core competencies, but they can also do this as part of risk management. For example, if you outsource your payroll services, you may choose to select a processing company that is not located in the same geographical region as your firm. If you’re in the southeastern United States, you may choose a company in the Northwest or one that has multiple processing sites around the United States, so it can process payroll regardless of weather events.

Another example of risk transference is purchasing insurance or other insurance types of services. In order to transfer risk, you usually have to pay some other company some amount of money to assume that risk, whether it’s an IT company that will manage your security or databases for you, or an insurance company that will pay for losses in the event of a business disruption. Figure 6.3 shows that, relative to other choices, your risk transference will usually cost more as some sort of up-front or ongoing fee, but that the overall cost usually will be somewhere in the same area as risk limitation. One important point to note, however, is that risk limitation usually has an end-point cost where risk transference can be ongoing. For example, you make insurance premium payments every month or quarter, regardless of whether or not you experience an event that requires your insurance company to step in. With risk limitation, you typically put some system in place, such as a firewall or redundant system. The cost of that implementation is finite and known and usually ends at some point in time. Of course, you then have to incur the cost of patching, maintaining, upgrading, and replacing that firewall over time, and those are ongoing costs that are sometimes omitted from the overall cost/benefit analysis. Even when those costs are included and even if they net out to the same cost as insurance, your firm may conclude that it’s a more beneficial to purchase the gear and manage it than simply buy insurance. One reason is that usually there are other benefits to having the gear (in this example) that enhance business operations. Another reason is that even if the cost nets out the same, insurance doesn’t address the risk in any manner, just the cost.

In the case of contracting with an external payroll processing firm that has multiple geographic processing centers, risk limitation makes sense and does, in fact, limit your exposure. Where it can become a bit convoluted is assessing what additional risks you’re taking on by outsourcing your payroll function. You can’t simply outsource and expect that your problems are solved.

Thus, while the near-term costs of risk limitation and risk transference may appear to be similar, it’s important to understand the duration of the cost with regard to these strategies and the operational implications of each. It’s also important to assess any new or residual risk that has developed as a result of these decisions.

Real World

Internal Policy

Internal policy is about the management-level guidance especially given to product management and engineering about the security and privacy controls appropriate for the IoT good or service, and how it is derived. Is it based on international standards or industry best practice? Is it about regulation or self-regulation?

The importance of internal policy lies in the fact that complexity is manageable, but not necessarily managed. That is, the complexity of the IoT system can get beyond management abilities, and the risk is that many vulnerabilities and threats are not addressed, or are ignored or unknown.

Internal skills and understanding must be developed to establish an appropriate internal security policy. Weak policy at the top equals weak security throughout. This might also become a major risk for IoT goods and service providers related to liability.

This notion of the importance of internal policy and internal governance is demonstrated as countries like the United States seek to enforce a degree of internal competence, at least for publicly listed companies.

Recent bills before the US government show the merit of this type of approach, for instance the Cybersecurity Information Sharing Act of 2015/2016,21 which seeks to compel an awareness of the importance of internal security, policy, and governance.

This might make a difference: forced disclosure of board-level awareness and abilities related to cyber security. It is not expensive or time consuming like audit. And fakery should be easy to detect and challenged as a shareholder (read the Board members’ CVs and decide for yourself if there is anyone on the board who knows enough about security). However, this can generate some ridiculous outcomes, too: boards members claiming to be cybersecurity experts because they once installed desktop AV on their home computer, in 1998, for instance.

While a board-level executive with a bono fide understanding of cyber security will go a long way toward managing risks associated with internal policy, his/her judgement will only be as good as the information have available; for instance, about security posture of the organization and about the supply chain. But, at least at the board level, there will now be a capability to ask questions and get diligently composed answers about security and risk management, due to regulation.

What questions should a board-level representative be asking to manage IoT risks associated with internal policy? As a starting point, a board might ask for information about the four main IoT security control points: endpoint, gateway, network, and DC/clouds.

These questions might be posed in a matrix format, looking for summary information about the main operational requirements we have identified, as shown in the example in Table 13.2.

Table 13.2. Board Member IoT Security Due Diligence Question Matrix

Additionally, the following questions might be posed:

What security controls are transferred or outsourced to suppliers along with certain services? What are the SLAs associated with this risk transference?

What risks are being accepted? For legitimate (or not) reasons such as cost?

Other areas that will make internal policy an area of risk and complexity will be whether internal policy can be flexible enough to deal with, and how does it address:

Administrative errors and omissions

Cascading failures from one system to another or one part of the supply chain to another. These are very difficult to assess because they are frequently unimagined until an event comes to pass.22

Unintended and unforeseen user behaviors associated with:

Defective or emergent behaviors (see out discussion in Chapter 12, Threats and Impacts to the IoT, on emergent behavior).

The human-machine interface and unforeseen loads and conditions resulting from conditions of panic, frustration, impatience, sloth, negligence, and all the other deadly sins.

Internal policy cannot just be something merely mandated with the wave of an executive hand. It requires a strategic alignment between the business requirements and operational requirements. Management or board-level executives need to understand IoT security beyond just how to spell it. This also means that IoT security has to be meaningful to the business in fundamentally two ways, as we have been repeating through this book:

Internal policies about IoT security add value to goods and services and ultimately make more satisfied customers

Internal policies about IoT security generate efficiencies and save money compared to insecure systems; for instance, through less downtime, faster recovery, fewer defects

Upstream and downstream losses

In addition to the direct impact of a business disruption such as an earthquake or flood, there are indirect impacts you should consider. These can be viewed as upstream and downstream losses. Upstream losses are those you will suffer if one of your key suppliers is affected by a disaster. If your company relies on regular deliveries of products or services by another company, you could experience upstream losses if that company cannot deliver. If you run a manufacturing company that relies on raw materials arriving on a set or regular schedule, any disruption to that schedule will impact your company’s ability to make and sell its products. This is how a disaster elsewhere can impact you, even if your company is unharmed. Downstream losses occur when key customers or the lives in your community are affected. If your business supplies parts to a major manufacturer that is shut down due to a hurricane or earthquake, your sales will certainly suffer. Similarly, if your company provides any type of noncritical service to your community and there is a flood or landslide, your sales could take a hit while residents of the community deal with the disaster. If you operate a chain of restaurants or movie theaters or golf courses, residents will be more focused on dealing with the disaster than on entertainment and leisure pursuits. These are considered downstream losses even if your business, itself, has not taken the direct impact of a disaster.

Keep in mind, too, that people, businesses, and communities are interrelated; very few (if any) companies exist in isolation. A natural disaster or serious disruption can create a chain reaction that ripples through the business community and impacts the local or regional economy.

Real World

Risk Responses

Risk assessments for identified weaknesses may be formal or informal, and are conducted as needed to help system owners and common control providers characterize risk and determine what response to that risk is most appropriate [22]. It is not necessary to conduct a full risk assessment for every weakness, but in order to select the appropriate responses to risk, system owners, authorizing officials, and organizations need to have a good understanding of the nature and magnitude of the risk. Risk assessments can provide this perspective. System owners generally receive initial information regarding the significance of identified weaknesses in the contents of the security assessment report, but this information may or may not be sufficient to enable a decision about corrective actions that should be taken. Appropriate responses to risk may be determined by the system owner, alone or in consultation with others, but the response chosen is often subject to review and approval by the authorizing official or other personnel with information security management responsibility.

Responses to risk generally fall into five distinct categories: accept, avoid, mitigate, share, or transfer the risk [28]. Choices to mitigate, share, or transfer risk all involve some action that serves to reduce risk faced by the organization, the specifics of which can and should be captured in the plan of action and milestones. Risk mitigation includes any actions undertaken by the organization to bring risk down to a level that falls within the organizational tolerance. Sharing and transferring risk are choices that do nothing to change the magnitude, likelihood, or impact of risk, but shift some or all of the liability associated with the risk to another party. NIST distinguishes between risk sharing and risk transference in that sharing shifts only part of the liability, while transference shifts responsibility for the entire liability to another organization [29]. Both acceptance and avoidance mean that no corrective action will be taken to address the risk in question, but these two responses have very different implications for an information system. A decision to accept represents a risk-based determination that the organization is willing to expose whatever vulnerability the weakness or deficiency entails. In contrast, a decision to avoid risk is an acknowledgment by the organization that the risk is too high to be reduced, and that the organization will instead choose not to operate the system (or to operate the system with reduced capabilities that might make the deficient controls irrelevant) rather than exposing itself to risk.

Note

The goal of information security is not to mitigate all risk, but to bring risk to a level acceptable to the organization. A decision to authorize a system to operate is a decision to accept the residual risk that remains even after all appropriate security controls are implemented [2], and is a tacit acknowledgment that risk cannot be completely eliminated. The identification of a weakness in information security controls is not an obligation to correct the weakness, unless corrective action is found to be warranted based on organizationally determined criteria. System owners should also consider what risk is posed by vulnerabilities or other weaknesses discovered through automated scanning processes, to evaluate whether a viable threat-source exists that could exploit the vulnerability. For example, many Web-based applications are vulnerable to cross-site scripting or other attacks that exploit poor input validation; the technical mitigation for such vulnerabilities is to code or configure them in such as way that all input is properly validated [30]. System owners running a Web-based application accessible only to internal agency users—such as one available on an agency intranet—may not face the same threats as they would if the applications were publicly available over the Internet, so they may be less willing to incur the costs to fix input validation weaknesses. Many organizations impose a substantial burden on system owners to provide detailed justifications in order to accept risk, providing an incentive to avoid risk-accepting decisions based on administrative requirements rather than actual risk factors. It is both reasonable and expected that some weaknesses will not be corrected, and as long as decisions to accept risk are based on sound analysis, system owners should not be reluctant to make those decisions.

How to Characterize Your Organization

All organizations react differently and have a diverse range of levels in their sensitivity to risk. The security policy adopted by the organization needs to replicate the individual sensitivity to a variety of classes of security incidents. It should then prioritize security investments based on the sensitivity going from the highest to lowest.

There are a couple key factors that determine an organization's level of sensitivity:

The consequences of a security incident. Nearly all organizations are sensitive to cost. As a security incident can cause a significant increase in costs through the recovery and restoration of services (even if no critical services are affected) there is an effect. Risk transference (including insurance, policy and contractual terms and conditions) is commonly used in an attempt to ensure that cost exposure does not alter the business financial bottom-line.

There are also political and other organizational sensitivities to consider. Some organizational cultures are derived top down from senior level management who believe any negative press (such as that which highlights a systems compromise) is a major disaster. They often feel this whether or not the incident results in any significant cost. Organizations with an open environment (e.g. universities and scientific research communities) commonly have a culture that believes an intermittent incident is better than restricting the flow of information or external access. When considering the organizations sensitivity to security related incidents, these factors need to be determined.

A critical step in the process of determining the consequences to the organization is the completion of an information asset inventory. This is discussed in more detail in other chapters of the book. Maintaining an accurate inventory of what systems, networks, computers, and databases are presently being used is not as simple as it first seems. The combination of an inventory collation exercise while producing a classification of the data can be cost effective. In this, the location of where the information is stored on-line is classified by its significance against the business goals or mission statement.

In the event that the organization's internal functions are disrupted, serious consequences can transpire. The cost a breach can be large and may consist of a combination of factors such as:

Missed opportunities

Staff down time

Data recovery and restoration

Damage to data Integrity

Breaches of privacy

An impact to an organization's external functions can have the largest effect. This includes:

Interrupted product delivery

Incorrect receipt of customer orders (e.g., theft or fraud and loss of market confidence)

These consequences of a security incident have a direct financial impact on most organizations. The disruption of services or possible impact due to the loss of trust held by their customer base has resulted in the collapse of many previously thriving organizations.

78 Five Techniques to Deal With Identified Risks

1.

Risk Avoidance: This is the process by which you reduce the risk exposure by avoiding or eliminating the activities.

Risk Loss Reduction: This is reducing the risk by reducing the maximum amount of probable loss; utilizing other venues, personnel, equipment, etc., for the activity.

Risk acceptance: This is accepting the risk as it cannot be cost effectively reduced. However, all necessary attempts should be taken to monitor any increases in risk exposure to a preestablished level. Once that level is reached, there will be no other option but total removal of the personnel at risk.

Risk Transference: This is the use of contracts, insurance, disclaimers, and/or releases of claims to transfer the liability for the expected loss to other parties involved.

Risk Spreading: This is simply spreading the largest amount of risk over a larger part of the organization or activity by manipulating the sequence or size of the events or activities.

Respond

Once the organization determines the nature, significance, and priority of risk, system owners, business owners, and risk mangers consider possible responses to risk and choose the most appropriate course of action. NIST guidance recognizes five primary responses to risk: acceptance, avoidance, mitigation, sharing, or transference [52]. Courses of action for risk response may include more than one type of response, potentially authorized and executed at multiple levels of the organization. While system owners often recommend responses to risk identified at the information system level, analysis of alternative courses of action and selection of risk response consider impacts at all levels of the organization, so typically require decision-making at mission and business or organizational levels. Depending on the governance structure and approach to enterprise risk management used in an organization, the risk management strategy developed during risk framing may include organizational policies or standards regarding risk response alternatives that provide guidance to risk managers on preferred or default courses of action. The appropriate level at which risk response decisions are made also depends in part on the scope of the response measures being considered. Risk-mitigating changes to enterprise infrastructure, operating environments, or common controls affecting the entire organization should be approved at the organizational level. Similarly, decisions to accept risk at lower levels of the organization should be consistent with organizational risk tolerance, so may require review or approval at the organizational level.