Why Managing Risk in IT Security and IGA Isn’t Enough
When we started talking about the cost of the human factor, i.e. Costidity, people began asking me, “Why are we creating another dimension for assessing governance elements, like business policies and processes? Everybody is doing risk management. And risk already includes the human factor, in particular, the ability to lose the information by emailing it to the wrong person.”
We have researched this topic and reached the following conclusion: risk management accounts for the part of Costidity that relates to the users for whom a policy is written, i.e. the policy constituents, but completely ignores the other part, which relates to the policy makers and the policy enforcers.
The reason is simple. Risk is defined in terms of the protected asset, so risk analysis is concerned with the probabilities of what could go wrong when that asset is accessed. Since policy makers and enforcers do not access the asset themselves, they are not part of the risk equation.
Costidity, on the other hand, focuses on the human beings involved, no matter which role they play in the process of asset governance. This is why risk and Costidity need to be managed independently, as two equally important characteristics of governance element maturity.
The classical definition of risk management comes from the ISACA manual: “Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.”
Risk management is about lowering the chances of losing control of assets and the data stored in them. Costidity management is about lowering the chances of people subverting the existing governance elements. Management’s goal with both is to make the company more secure and prevent potential losses, but they represent two different dimensions.
We recommend balancing risk and Costidity by creating more granular access levels for different types of assets, data, and targets. For example, if a file share contains both regulated and non-regulated documents, instead of writing an access policy around the whole share, split the share in two by separating the documents, and then write the policy around the sub-share that holds only regulated documents. This reduces risk and lowers Costidity at the same time: there is less curiosity, fewer business interruptions when someone needs a non-regulated document, and the chance of people reading regulated documents while accessing non-regulated ones is very small. The benefit depends on the split being maintained, so a regulated document misfiled into the non-regulated sub-share falls outside the policy, which makes periodic classification checks part of the control.