The Abuse of IT Security Risk
- Olu Osunkiyesi

- Jun 2, 2024
- 10 min read
Updated: Jun 27, 2024
Organisations are always looking for ways to achieve their objectives in the most cost-effective manner, and securing their critical assets from various threats, especially in today’s challenging landscape, is one of those objectives. It is a known fact that implementing security can be very expensive; this is where IT security risk management comes in.
IT security risk management is a critical component of an organisation’s decision-making process because it helps them to identify, assess, and prioritise the vulnerabilities in their assets and the potential threats that could impact those assets, and consequently their operations and strategic objectives. It enables them to make informed decisions on which security efforts to invest in that will bring the most all-round benefit to the organisation.

How Risk Management Aids IT Security
Here are some ways in which risk management aids IT security decision making:
1. Identifying and Prioritising Security Threats: Risk management helps identify potential security threats and vulnerabilities within the IT environment. By understanding the likelihood and impact of these threats, security teams can prioritise their efforts on the most critical issues.
2. Allocating Resources Efficiently: With a clear understanding of the risk landscape, organisations can allocate their security resources more efficiently. This ensures that limited budgets and personnel are focused on mitigating the most significant risks.
3. Improving Incident Response and Recovery: Risk management involves preparing for potential security incidents by developing and testing incident response and recovery plans. This ensures that the organisation can respond quickly and effectively to mitigate the impact of security breaches.
4. Supporting Compliance and Regulatory Requirements: Effective risk management ensures that IT security practices align with legal and regulatory requirements. This reduces the risk of non-compliance, which can lead to fines, legal action, and reputational damage.
5. Balanced Decision-Making: Risk management provides valuable insights into the potential impacts of different security decisions, allowing decision-makers to weigh the pros and cons of various options. This leads to more informed and balanced security decisions.
IT Security Risk Abuse Primers
So we might ask: how, then, does the abuse of risk come into the picture? Before we can answer that question we need to visit a few primers:
The Risk Family Dynamics - BRAIL-TAV:
The relationship among the business, risk, asset, impact, likelihood, threat, threat actor, and vulnerability is integral to understanding and effectively managing risk abuse.
1. Business: The business is the organisation that owns and relies on the assets to achieve its objectives. The business’ success and continuity depend on effectively managing risks to its assets.
2. Risk: Risk is the potential for loss or damage to an asset due to a threat exploiting a vulnerability. Businesses assess risk to prioritise their security efforts and resource allocation. It is a combination of the likelihood of a threat occurring and the impact it would have on the asset.
3. Asset: An asset is anything of value to the business, such as data, intellectual property, application, infrastructure, and brand reputation. Protecting these assets is crucial for the continuity and success of the business.
4. Impact: Impact measures the severity of consequences if a vulnerability is exploited and a threat materialises. For a business, this can mean financial losses, regulatory fines, operational disruption, and damage to reputation. High-impact incidents can have long-lasting effects on the business’s market position and customer trust.
5. Likelihood: Likelihood is the probability that a threat will successfully exploit a vulnerability. It is influenced by factors such as the sophistication of threat actors, the attractiveness of the asset, and the effectiveness of existing security controls.
6. Threat: A threat is any potential cause of an unwanted incident that could harm an asset. Threats can be intentional (e.g., cyber attacks, insider threats) or unintentional (e.g., natural disasters, system failures). Understanding the nature of threats helps businesses prepare and defend against them.
7. Threat Actor: A threat actor is the entity behind the threat. This could be hackers, malicious insiders, competitors, or nation-states. Identifying threat actors helps in understanding their motives, capabilities, and tactics, which is essential for effective defence.
8. Vulnerability: A vulnerability is a weakness or gap in security that can be exploited by a threat actor. Vulnerabilities can exist in software, hardware, human factors, or organisational processes. Addressing vulnerabilities is critical to reducing the risk to the business. The decisions taken during the different phases of an asset lifecycle can contribute to the vulnerability of the asset. The vulnerability of an asset is not static; the vulnerability evolves as the asset moves through its lifecycle.
In summary, assets have vulnerabilities; threats can potentially exploit those vulnerabilities; risk assessment determines the likelihood of a threat exploiting those vulnerabilities and the associated impact; a risk rating is given to the business; and the business uses the risk rating to make an informed decision on how to treat the risk (whether it is worth removing the vulnerability or mitigating the threat, or avoiding, transferring or accepting the risk). Figure 2 summarises the relationship.

The ‘A Stitch in Time’ Principle
Addressing vulnerabilities early in the asset lifecycle is significantly more cost-effective than fixing them later. This principle is well-supported by numerous studies and industry experts.
For instance, the Systems Sciences Institute at IBM found that fixing a vulnerability during the implementation phase costs about six times more than fixing it during the design phase. The cost can escalate dramatically if the vulnerability is found later, such as during testing or after the asset is in production, potentially costing up to 100 times more than if it had been addressed during the design phase. See figure 3.

The ‘Secure by Design’ Principle
The Secure by Design principle emphasises building security intrinsically into the asset, so that security is not a separate activity. This proactive approach ensures that security is a fundamental aspect of the activities involved in the development of an asset, significantly reducing the risks associated with vulnerabilities and potential threats. It enforces good security hygiene so that basic security is implemented: unnecessary vulnerabilities are designed out, and threats to the vulnerabilities that cannot be designed out are well thought through and mitigations implemented.
By incorporating security early, organisations can prevent many security issues before they become critical problems. As a result, systems are more robust and resilient, and the costs and challenges of addressing security issues later in the lifecycle are minimised. Ultimately, Secure by Design leads to more secure, reliable assets and protects the business from potential security breaches and their associated impacts.
What is IT Security Risk Abuse - The Abuse of IT Security Risk Management Practice
So then the question is: what exactly is risk abuse?
Risk abuse, the abuse of the IT security risk management practice, is when vulnerabilities that should have been designed out by good security hygiene, or threats to vulnerabilities that cannot be designed out but should have been mitigated by standard good security practices, have been overlooked, missed or ignored and have now become a serious security problem - a significant security risk. This typically manifests in the later phases of an asset lifecycle, at which point it warrants risk management (I call this type of risk illegitimate risk or unnecessary risk).
A good, common and simple example is building APIs without proper protection mechanisms such as authentication and authorisation, or without any at all.
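The API example above, as an added illustration that is not part of the original post: the same endpoint first with no protection at all, then with authentication and authorisation designed in. All account ids, owners and tokens are constructed sample data.

```python
# Added example, not from the original post: the same API handler without any
# protection, then with authentication AND authorisation designed in.
# All account ids, owners and tokens below are constructed sample data.
import hmac
from dataclasses import dataclass, field

ACCOUNTS = {"acc-1": {"owner": "alice", "balance": 120},
            "acc-2": {"owner": "bob", "balance": 75}}
# token -> (principal, role); in a real service these come from an identity store
TOKENS = {"tok-alice-1": ("alice", "user"),
          "tok-bob-1": ("bob", "user"),
          "tok-ops-1": ("ops", "admin")}

@dataclass
class Request:
    path: str                      # e.g. "/accounts/acc-1"
    headers: dict = field(default_factory=dict)

def handle_unprotected(req):
    """GET /accounts/<id> with no protection: any caller reads any record."""
    acc_id = req.path.rsplit("/", 1)[-1]
    if acc_id not in ACCOUNTS:
        return 404, {"error": "not found"}
    return 200, ACCOUNTS[acc_id]

def authenticate(req):
    """Authentication: map a bearer token to (principal, role), else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    for token, principal in TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):  # constant-time
            return principal
    return None

def handle_protected(req):
    """Same endpoint with both checks: who are you, and may you see this?"""
    principal = authenticate(req)
    if principal is None:
        return 401, {"error": "authentication required"}
    user, role = principal
    acc_id = req.path.rsplit("/", 1)[-1]
    if acc_id not in ACCOUNTS:
        return 404, {"error": "not found"}
    # Authorisation at object level: owners see their own record, admins any.
    if role != "admin" and ACCOUNTS[acc_id]["owner"] != user:
        return 403, {"error": "forbidden"}
    return 200, ACCOUNTS[acc_id]
```

The unprotected handler returns any account to any caller; the protected one separates the two questions (authentication: 401 without a valid token; authorisation: 403 for another user's record) that are cheap to design in and expensive to retrofit.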
What usually happens is that it is always too late in the lifecycle of the asset when the chickens of those behaviours come home to roost, such that it is either very costly to retrofit security into the asset or even nearly impossible, depending on the size, age or complexity of the architecture that makes up the asset in question.
This is where the abuse of IT security risk raises its ugly head and these risks find their way into the organisation's risk register.
If the risk registers of many organisations are looked at critically, it will be discovered that most of the items on those registers are candidates of IT security risk abuse; they should not be in the register at all if good secure by design practice had been followed.
These IT security risk abuse candidates are usually discovered by audits, by a regulatory requirement that comes into effect or, in the very worst case, by a security breach, and fixing them usually involves a very expensive, lengthy and resource-intensive project or activity.
To summarise, the characteristics of IT security risk abuse are as follows:
1. During the design phase, vulnerabilities that could easily and cheaply have been designed out of an asset were not.
2. During the design phase, threats to vulnerabilities that could not be designed out, but for which mitigations could easily and cheaply have been designed in, were not mitigated.
3. The vulnerabilities and threats have now become a significant risk issue in the operation phase.
4. In the operation phase, the only appropriate risk treatment is mitigation (not acceptance, avoidance or transfer).
5. Risk treatment is now complex, costly and resource intensive.
Figure 4 summarises this.

Factors Contributing to the Abuse of IT Security Risk Management
As we have already established, risk management is a crucial tool for security in the hands of the business, but when risk is abused it can lead to the exact opposite of the benefits it is meant to provide. Of course it is not as straightforward as it always seems; there are many reasons why this happens. Some of the factors that lead to the abuse of IT security risk include:
1. Lack of security best practice: Failure to adopt secure by design principles and standard security hygiene, especially in the early phases of an asset lifecycle.
2. Subject matter expertise: Teams may lack the necessary security expertise or training to identify vulnerabilities and mitigate threats to vulnerabilities effectively.
3. Resources: Limited time, budget, or tools dedicated to security can hinder thorough vulnerability assessment and mitigation efforts.
4. Cultural constraints: Over-reliance on previous security measures, tribalism and a belief that existing controls are sufficient can lead to missed vulnerabilities.
5. The way an architecture has evolved over time: Some organisations have evolved over time, as a result of mergers, acquisitions, organisational restructuring, or simply because the organisation has been around for several years. This has consequently shaped the way their IT architecture has evolved, which in turn has resulted in the maintenance of the architecture lagging behind the security demands of present times, or in complexity in the architecture due to the many changes and updates that have occurred over that period. This can introduce new vulnerabilities that were not present during the initial development stages.
6. Outright abuse: Because of the way organisation structures are set up, sometimes the perpetrator of the abuse of IT security risk is not the entity that ends up owning the risk; knowledge of this fact encourages certain entities to perpetuate risk abuse.
Impact of the Abuse of IT Security Risk Management
The impacts of the abuse of IT security risk management on the business can be substantial and far-reaching:
1. Financial Losses: Unmitigated vulnerabilities can lead to data breaches, theft of intellectual property, or financial fraud, resulting in significant monetary losses. The costs associated with breach recovery, legal fees, regulatory fines, and compensation can be substantial. Risk abuse is a money pit for organisations and one of the sources of invisible costs.
2. Reputational Damage: A security breach can severely damage an organisation's reputation, eroding customer trust and loyalty. Negative publicity and loss of customer confidence can lead to a decline in market share and long-term brand damage, which can be difficult to recover from.
3. Operational Disruptions: Security incidents can disrupt an organisation’s operations, leading to downtime and loss of productivity. This can impact the ability to deliver services, meet customer expectations, and maintain competitive advantage.
4. Regulatory Penalties: Non-compliance with industry regulations and standards due to missed vulnerabilities can result in hefty fines and legal consequences. Regulations like GDPR, HIPAA, and others impose strict data protection requirements, and breaches can lead to significant penalties.
5. Increased Remediation Costs: Addressing vulnerabilities after they have been exploited is often much more expensive than mitigating them early in the lifecycle. Post-breach remediation involves not only fixing the vulnerability but also conducting forensic investigations, enhancing security measures, and managing public relations.
6. Legal Consequences: Security breaches can lead to legal action from affected customers, partners, or stakeholders. Lawsuits and settlements can result in additional financial strain and further damage to the business's reputation.
7. Loss of Competitive Advantage: Proprietary information and trade secrets stolen during a breach can fall into the hands of competitors, diminishing a business's competitive edge. This can impact innovation, product development, and market positioning.
Steps to Prevent the Abuse of IT Security Risk Management
To prevent or reduce the abuse of IT security risk management, a multifaceted approach is necessary. This includes identifying and acknowledging the issue, implementing a solid secure by design framework, a robust assurance and governance framework, continuous training and awareness programmes, and active involvement from senior stakeholders. Here are the key steps:
1. Identification and Acknowledgement: The first step is identifying and acknowledging this phenomenon as a key cause of invisible costs, and developing a solid plan and commitment to mitigate its occurrence.
2. Solid Secure by Design Framework: Ensure security is intrinsically part of the asset lifecycle. Integrating security early in the asset lifecycle, and adopting and enforcing good security hygiene, will ensure those unnecessary vulnerabilities and threats are captured early and treated.
3. Robust Assurance and Governance Framework: Establish comprehensive governance policies that mandate regular security assessments, compliance checks, and adherence to organisational and industry policies and standards, regulations and best practices. Implement a robust risk management process that includes regular risk assessments and the development of mitigation strategies to address identified vulnerabilities and threats. Leverage the audit framework to conduct regular internal and external audits to ensure compliance with security policies and regulatory requirements. Address any identified gaps promptly.
4. Training and Awareness: Provide continuous security training for all employees, with specialised training for developers, IT staff, and security teams. This ensures they are aware of the latest threats and best practices, and that they also appreciate the significance of imbibing secure by design principles.
5. Senior Stakeholder Involvement: Ensure senior stakeholder buy-in and that they actively support and sponsor a secure by design culture. Their involvement is crucial for securing the necessary resources and driving a security-by-default culture.
Conclusion
Risk abuse is a money pit for organisations and a major source of invisible cost. Identifying it and taking steps to mitigate it will involve a collective effort from the whole organisation, and it must be driven from the very top. By integrating these steps, businesses can achieve a cleaner and leaner IT security risk profile that ensures that the IT security risks that end up on the risk registers are legitimate risks and not candidates of risk abuse.
