The Arithmetic of Risk

Institutions today are facing a rapidly growing challenge involving risk identification and risk management across multiple areas. A briefing published by the Association of Governing Boards lists four areas of risk that institutions must confront: traditional operational risk (e.g. weather disaster); legal and regulatory risk (e.g. litigation and compliance); financial risk (sudden decline in revenue); and political and reputational risk. Since this is a column dealing with emerging technologies, I will mention my constant concern with cybersecurity risks. But the reality is that this in itself points to the extraordinarily complex nature of risk management.

Of enormous concern is ensuring the privacy and security of our networks, systems, data and users’ identities. The challenge is in understanding the risks surrounding privacy and security, and how to operationalize a reasonable response. Hypothetically, the only way to eliminate those risks entirely would be to eliminate existence and action. By definition, that would be to eliminate actions taken to pursue the institution’s mission and goals, and the ability to capitalize on them — things such as educating students and conducting research. Logically, this would mean that the vast majority of institutions would cease to exist.

Managing Risk

So how do we go about the business of risk management? The reality is that managing risk, including security, compliance and all its other aspects, is a balancing act. Further, this balancing act is as much informed by judgment and intuition as it is by actual data. Moving the needle in a way that could theoretically increase security and simultaneously lower risk takes resources — lots of resources.

Because nearly all of us work at institutions where resources are limited, we are required to find a point of reasonableness. The question is how much to spend on preventive measures and how much to spend on recoverability, should a risk manifest into an actual incident. This is a difficult proposition, which occurs in the context of imperfect data and a highly dynamic external environment. Concerning cybersecurity, the hard reality is that building a hardened, secure, bulletproof environment is unachievable. If the experiences of numerous disastrous breaches over the past few years have taught us anything, it is this: Even the best can be beaten on any given day, and we are all subject to becoming a potential target.

This is a challenge we are all dealing with, and increasingly in a collaborative way across sectors including business, government, healthcare and higher education. In this spirit of collaboration, I would offer several important considerations.

Steps to Take

First, ensure you have solid professionals at the controls of your cyber defenses. This is not a role for amateurs, and no place to try and save a few salary dollars. Second, invest in reasonable cybersecurity technology. Make your environment a difficult target to penetrate by implementing effective countermeasures. They aren’t cheap, but in the scheme of things they are certainly justified. Even hackers deal with the cost-benefit question of which targets to spend their time on.

EDUCAUSE (2014) cites a crucial consideration that represents the third recommendation: communication and end-user management. Humans, including students, employees and contractors, are among the most problematic challenges for cybersecurity. Take steps to ensure they understand and accept the responsibilities of living and working in a networked world.

Fourth, monitor, manage, monitor. Simply putting countermeasures in place is ineffective. Attacks occur constantly. It is reported that half a million attacks occur in cyberspace every minute. Awareness of the types of attacks, appropriate management and updating of technology, and quickly responding to incidents such as spear phishing are among the essential ongoing activities required. Fifth, proactively engage partners to evaluate your security posture through penetration testing and other means. Better to be hacked by a friend than an enemy.

Sixth, plan for recoverability. Current wisdom is that it is not whether an organization gets hacked; it is only a matter of when. News reports would support this. Cyber liability insurance, validated and secured data backups, and business continuity capabilities should all be in place for what will be for some the inevitable attack that succeeds.

As noted in a Harvard Business Review (2012) article, risk is difficult to talk about and many leaders don’t want to spend money on risk mitigation “when the sun is shining.” Our lot in higher education is made more difficult because “the arithmetic of risk” doesn’t operate as favorably as it would in many sectors. But risk identification, risk management and planned recoverability are essential requirements for the world in which we live and work.

You could ask those who didn’t take this seriously enough, but some may no longer be around to answer.

This article originally appeared in the issue of .

About the Author

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or [email protected].
