Principles of effective cyber security risk management

Published 5 March 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/risk-management-collection

This BETA publication proposes a set of principles to support management of cyber security risks when making technology decisions.

Our goal is to support the creation of a culture and environment where risk management activities are effective, with people creating systems with an excellent user experience and ‘good enough’ security to meet business needs. The approach we’re investigating is not about replacing current risk management processes or discarding what already exists.

Effective decision making in technology requires an understanding of business and user needs, security and other important factors. This guidance sets out principles which support effective decision making through a better understanding of security. We have further developed and validated these principles using the findings of a detailed analysis of additional risk management approaches, drawn from a number of user interviews. We are also gaining confidence in the wider applicability of these principles from the feedback we have received.

This BETA release is intended to continue discussion and gather feedback. Any feedback will inform further work and be reflected in the subsequent ‘Live’ publication.

1. The importance of culture and environment

For the ALPHA we analysed the risk management approaches of three sample projects. We conducted interviews, from which we collated and analysed over ninety user stories. In addition, we looked at the challenges these projects experienced, and how these were overcome.

During the BETA we looked at the challenges the business experienced when delivering enterprise IT. We conducted further interviews, from which we collated and analysed over seventy user stories.

Again we observed that the existing methods and tools used for risk management, though important, are not the most crucial success factors. What we found to be essential was for the business to create a culture and environment in which their risk management activities were effective.

Our work has identified the value of:

  • Enabling the business over governance and process
  • Informed decisions made by competent people over adherence to methods
  • Business language over specialist terms
  • Timely decisions over the elimination of uncertainty
  • Continuous risk management over one-off assessment

So, for example, whilst there is value in ‘governance and process’, it should not be pursued at the expense of ‘enabling the business’.

2. Principles of effective risk management approaches

Through the further analysis conducted and the feedback received during the BETA, we have begun to validate the eight fundamental principles of an effective approach to risk management which we introduced in the ALPHA; they are set out in sections 5.1 to 5.8 below.

These principles are not the preserve of any one method or process. Instead, by creating an environment and culture where these principles are displayed, we observed the business was able to better address the technology risk management challenges it faced.

Effective cyber security risk management is built on sensible decision making.

Ensuring that your business embodies the principles described below throughout your processes will help to support the effective management of cyber security risks.

3. A smarter way of working

The principles below are about a smarter way of working, and you may well recognise them in your current risk management practices. We believe that they can be used to:

  • Validate that what is happening today is sensible
  • Identify where things can be improved
  • Demonstrate to others that a sensible approach is being taken

We do not believe that the principles are an exhaustive or prioritised list. Use them to help think about how you do risk management, not as a tick list to comply with.

4. Our next steps

Having begun to validate the principles through further business and user needs analysis with this BETA release, our next steps are to continue to gather feedback, and identify how we can gain further confidence in their applicability and value in support of the ‘Live’ publication.

5. How you can use this

This guidance is now in BETA. Feel free to test out the principles and look at our earlier case studies. Please let us know what works for you.

We would like to hear your feedback via email to enquiries@cesg.gsi.gov.uk.

5.1 Accept there will always be uncertainty

In striving for security we constantly have to deal with uncertainty, yet there is often a desire for absolutes; risks are not always predictable and cannot be eradicated. Any approach to risk management needs to accept that there will be uncertainty, so that people know they can ask for help, admit mistakes, and seek advice from trusted sources.

Key messages:

  • You will have to make the best decision based on the information available to you at the time. In hindsight, some decisions may be wrong
  • Information and expertise help to reduce uncertainty, but rarely to zero. Become comfortable with uncertainty
  • Cyber security incidents and mistakes will happen, so plan for this. Don’t seek blame - learn from them
  • Independent advice from trusted sources can help build confidence

5.2 Make everyone part of your delivery team

Security is often given as the reason why something can’t be done. Security-focussed staff, like everyone else, must be committed to the overall success of the objectives, as defined by the business and user needs. All parties need to work together to understand and agree these goals.

Key messages:

  • Ensure everyone understands what the business is trying to achieve
  • The team must have shared goals if it is going to be effective and successful
  • Team activities need to be transparent so that everyone feels included

5.3 Ensure the business understands the risks it is taking

Unless your team can communicate using the same language as the business, the interpretation of risks can differ. Describing risks in plain English will save time, help the business to understand them, and identify what’s important.

Key messages:

  • Support the business to communicate its technology requirements through needs analysis
  • Assist the business with receiving and understanding the security implications of technology
  • Describe risks in a language that is understood by the business; hiding meaning or uncertainty behind technical or security terms will not help
  • Ask the business to articulate where it is comfortable taking risk and where it isn’t

5.4 Trust competent people to make decisions

Decision-makers will often claim to trust their teams, but fail to demonstrate this through their actions. Without trust, delegation and empowerment are difficult, and decisions made without trust will often be questioned. Engender trust by allowing people to feel comfortable admitting that they don’t know something, or acknowledging their mistakes. If your team doesn’t have enough knowledge to make an informed decision, seek specialist help. This is not a sign of weakness.

Key messages:

  • To work effectively, people need to be empowered to make decisions
  • People need to know what risks they are allowed to take
  • Recognise when you need specialist input, identify where to get it, facilitate its access, and realise its value
  • Trust is built on honesty, evidence and experience

5.5 Security is part of every technology decision

Security is often seen by the business as an expensive add-on, running independently and interfering with successful delivery. Security needs to be valued by the business alongside other technology factors such as user experience and value for money.

Key messages:

  • Security allows the business to obtain value from its technology choices
  • Risk management needs to support business processes, not run alongside them
  • Risk management is a continuous activity; one-off risk assessments are not effective

5.6 User experience should be fantastic - security should be good enough

Unusable systems encourage users to find workarounds, resulting in systems that are unproductive and insecure. Well-designed systems are both enjoyable to use, and more secure as a result.

Key messages:

  • Good solutions support user needs whilst maintaining sufficient security
  • Make the right choice the easy choice for the user

5.7 Demonstrate why you made the decisions - and no more

Occasionally you will need to convince others that the decisions you took were sensible, and leave a historical trail that others can understand. Produce only what is required to demonstrate how you reached important decisions; documentation in itself makes you no more secure. Independent assessment activities can help to validate decisions, especially when they are challenging.

Key messages:

  • Transparency in the decision making process invites peer review and helps others to learn from your actions
  • Consider what is really needed in terms of documentation, committees, and governance
  • Use business context to help explain why decisions were made
  • Independent design reviews, compliance activities, and evaluation schemes can help to validate decisions and establish consistency

5.8 Understand that decisions affect each other

Throughout the lifecycle of your technology you need to be able to respond to change. A security risk which was accepted previously may not be sensible now. As decisions are made they open or close options in other areas, so it is important not to consider decisions in isolation. The interconnected nature of decisions can have an impact on security, so it’s important to be able to see the big picture when it comes to risk.

Key messages:

  • Accepting or avoiding risk in one area will change your options elsewhere
  • Consider the big picture when making decisions
  • Decisions need reviewing as things change