Cyber heatmaps: do we need to stop rating our risks or categorising them by colour?

Vince Dasta of Protiviti makes a good point (pun intended – as will be explained shortly) in Cyber Risk Assessment: Moving Past the “Heat Map Trap”. 

Here are a few excerpts:

Given the limits on time, attention and resources with which every cyber team must conend, risk assessment plays a critical role in helping set priorities and decide between options. Having a rigorous and accurate risk assessment process goes a long way in determining an organisation’s cybersecurity performance.

Unfortunately, our observation has been that most cybersecurity professionals significantly overestimate the quality of their risk assessment programmes. The common weakness? A reliance on what can be called “pseudo-quantitative” methods, in which risks, benefits and other factors are given labels or colours (such as red, orange, yellow and green) or ratings on an ordinal scale that run, say, from 1 to 5. These approaches have the veneer of objectivity but are actually highly subjective. The illusion of objectivity is all the more deceptive because of the frequent use of scientific-looking heat maps.

Monte Carlo simulations generate a probability distribution curve plotting the likelihood of a loss exceeding a certain amount.

Vince argues for a process that considers what might happen, identifies the various potential impacts should that happen, then uses Monte Carlo methods to develop a chart that shows the range of those potential effects.

In Making Business Sense of Technology Risk, I explain why even this would fall short.

For example:

Before you can assess whether the level of risk is unacceptable, you need to decide whether you need to take the risk in order to achieve business objectives. Looking only at the threat side of risk and reward will not lead to a quality business decision.

Using only monetary loss measures to ‘value’ the level of risk is not always meaningful to executives making business decisions. They need to be able to compare the need to invest in cyber to the need to invest in product development, marketing, the implementation of new technologies, acquisitions, and so on.

Boards and executives are (or should be) focused on achieving objectives. They will be able to make more informed and intelligent decisions if all the risks and opportunities are expressed in terms of their potential effect on the likelihood of achieving enterprise objectives.

Heat maps are focused on ‘risks’, assuming (incorrectly) that the level of risk is a point when in fact there is a range of potential effects, each with its own likelihood. Decision-makers should not focus on risks to avoid or mitigate but on the success achieved by taking the right risks.

Even so, I commend Vince for his initiative to help organisations get a better handle on cyber and its potential effect on the organisation.

I would like to see everybody considering cyber as just another source of business risk that needs to be weighed, with all other risks to objectives, when making strategic and tactical decisions.