Why we manage vulnerability, not risk or threat
Someone asked us the other day why we say we manage vulnerability, not risk. Why are we vulnerability managers, not risk managers? To understand this, it is important to remember that risk is derived as the product of other factors. It is not itself an underlying characteristic that can be controlled.
Risk is calculated as:
Risk = probability × impact
Probability = threat × vulnerability
So that risk becomes:
Risk = threat × vulnerability × impact
Now, we cannot generally control a threat. That is to say, we do not, either as individuals or corporations, have a whole lot of control over whether someone wants our information. We know that most of us work for companies that have competitive intelligence departments because our companies want information on our competitors. And we know that they have competitive intelligence departments, too, and that there isn’t any reason to assume that their staff is significantly less competent than is ours. We also know that foreign competitors, and sometimes even foreign governments, want our information. Even worse, we know that some of these adversaries willingly commit illegal acts to get what they want. There is not a lot we can do to reduce this threat.
In terms of impact we are equally powerless: It is what it is. If a competitor takes our marketing plans or the production figures for our top sales people or our trade secrets, there will be an impact. We will be able to assess the damage, but the result of the assessment is pretty much out of our control.
This leaves vulnerability, the one factor over which we do have some control, in three ways: we can manage it, we can transfer it, and we can accept it.
Managing vulnerabilities means we can find ways to identify and reduce the vulnerabilities. In the case of information, we can try to make it more difficult to steal. As an example, if you are a U.S. citizen you probably wouldn’t want your tax returns made public. Neither would Uncle Sam. So the people in India who process your returns are not allowed to bring in cameras or notebooks, or, hopefully, anything else that would allow your information to be copied.
If you have trade secrets, you might put them on particularly eye-catching paper, lock them in a special place, require two trusted staff members to be present to get access to them, and allow them to be viewed only in a room next to where they are stored.
You might figure out which of your adversaries is willing to go the extra mile to get your information, what exactly they need, how (or through whom) they are planning to get the information they need, and put in countermeasures to reduce the likelihood of their success.
Through insurance, you can transfer the cost of damages caused by adversaries and competitors exploiting your vulnerabilities. If you suffer a loss of information, some of your loss is repaid.
You may decide, either deliberately or because you haven’t thought about it, that your vulnerability is sufficiently low that the ensuing risk doesn’t bother you, and take no defensive actions.
But here’s the rub: Accepting the risk that is attached to your vulnerability is generally a decision that is not actually made. Rather, it is often something that simply happens because nobody has given it any thought. Thus, even companies that have established competitive intelligence departments are unlikely to have anyone responsible for combating espionage, and therefore nobody is responsible for the identification of vulnerabilities – the only piece of the puzzle that can be managed.
So when you bring us in to help you assess your risk, what you are really looking for is help in determining the threats against you, determining the impact if these threats are fulfilled, and managing your vulnerabilities to help minimize your risk.