Information risk is often managed independently of other types of business risk due to generally dissimilar oversight and reporting requirements;[123] however, it is generally in the best interest of an organization to manage all business risk holistically as part of a broader ERM program, as this will help ‘min-max’ its return on investment and reduce strategic, reputational, operational, compliance, and financial risk.[124] While some of these risks have no clear ‘bright line’ between them (reputational risk, for example, can also be viewed as a strategic risk), this categorization allows risk managers to think about risk across the enterprise more holistically than they otherwise might.

HITRUST subsequently views information risk through the lens of these other risks as shown below.

Figure 21. The Relationship of Information and Organizational Risk

Organizations should ensure they identify, evaluate, and communicate information risk in the same way other business risks are communicated to senior decision-makers. Further, by integrating information risk into enterprise-level business risk management processes, organizations can help increase the likelihood their information protection programs receive the attention, resources, and dollars necessary for successful implementation.

To do so, organizations should track information risks in one or more information risk registers, which in turn should be integrated with other risk registers (e.g., financial and regulatory compliance) to create an Enterprise Risk Register (ERR). The ERR should then be used to create an enterprise risk profile to help senior decision-makers determine which risks should be addressed, to whom responsibilities should be assigned, and how resources should be allocated. Note the risk profile should be updated whenever the underlying cybersecurity risk registers are updated, e.g., after a risk assessment or when risk responses are completed.

In addition to integrating information risk into enterprise risk management (ERM), we can further classify information risk by its operational consequence as either directly or indirectly attributable to a threat event, as shown in the figure above.

Although some frameworks include legal and regulatory/compliance risks, along with write-downs, loss of recourse, restitution, and loss or damage of assets, in their definition of direct operational risk,[125] the ERM model we use gives them their own category of risk. We also classify them as indirect, since such losses result from a decision made by another stakeholder. And, of the two types of operational losses that could be classified as indirect—near-miss and latent losses—the former means losses were successfully avoided and the latter means losses are unrealized, i.e., asset values could potentially recover, so we discount them as well.

We subsequently classify operational risk, in general, as direct risk and the other forms of enterprise risk, in general, as indirect risk. Information risk can be represented as any of these.
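The register-integration workflow described above (per-domain registers merged into an Enterprise Risk Register, a ranked risk profile derived from it, and the profile rebuilt after a risk response is completed), together with the direct/indirect attribution of operational versus other enterprise risk, is illustrated in the following added example. It is not HITRUST code or part of this document; the 1–5 likelihood and impact scales, the sample risk entries, and the function names are constructed for illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum


class RiskCategory(Enum):
    OPERATIONAL = "operational"
    STRATEGIC = "strategic"
    REPUTATIONAL = "reputational"
    COMPLIANCE = "compliance"
    FINANCIAL = "financial"


def attribution(category: RiskCategory) -> str:
    """Operational risk is treated as direct; the other enterprise risk
    categories are treated as indirect, following the text's classification."""
    return "direct" if category is RiskCategory.OPERATIONAL else "indirect"


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    category: RiskCategory
    likelihood: int  # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int      # 1 (negligible) .. 5 (severe); constructed scale
    owner: str
    register: str = ""  # filled in when the entry is merged into the ERR

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def build_enterprise_register(registers: dict) -> list:
    """Merge per-domain registers (information, financial, compliance, ...)
    into one ERR. A risk ID appearing in two registers is rejected so the
    same risk is never counted twice in the enterprise view."""
    seen = set()
    err = []
    for name, entries in registers.items():
        for entry in entries:
            if entry.risk_id in seen:
                raise ValueError(f"duplicate risk id {entry.risk_id!r} in register {name!r}")
            seen.add(entry.risk_id)
            err.append(replace(entry, register=name))
    return err


def build_risk_profile(err: list) -> list:
    """Derive the enterprise risk profile: ERR entries ranked by score
    (highest first), each tagged with its direct/indirect attribution and
    owner, which is what senior decision-makers need to prioritise
    treatment and assign responsibility."""
    ranked = sorted(err, key=lambda e: (-e.score, e.risk_id))
    return [
        {"risk_id": e.risk_id, "register": e.register,
         "category": e.category.value, "attribution": attribution(e.category),
         "score": e.score, "owner": e.owner}
        for e in ranked
    ]


def apply_risk_response(err: list, risk_id: str, *, likelihood=None, impact=None) -> list:
    """Record a completed risk response by re-rating one entry and returning
    the updated ERR; the caller must rebuild the profile afterwards so the
    profile never drifts from the underlying registers."""
    updated, found = [], False
    for e in err:
        if e.risk_id == risk_id:
            found = True
            e = replace(e,
                        likelihood=e.likelihood if likelihood is None else likelihood,
                        impact=e.impact if impact is None else impact)
        updated.append(e)
    if not found:
        raise KeyError(risk_id)
    return updated


# Constructed sample registers; no real organisation's data.
SAMPLE_REGISTERS = {
    "information": [
        RiskEntry("IR-1", "Ransomware renders clinical systems unavailable",
                  RiskCategory.OPERATIONAL, 3, 5, "CISO"),
        RiskEntry("IR-2", "PHI disclosure via misconfigured cloud storage",
                  RiskCategory.COMPLIANCE, 2, 5, "Privacy Officer"),
    ],
    "financial": [
        RiskEntry("FR-1", "Cash-flow shortfall from delayed reimbursements",
                  RiskCategory.FINANCIAL, 3, 3, "CFO"),
    ],
    "compliance": [
        RiskEntry("CR-1", "Missed regulatory filing deadline",
                  RiskCategory.COMPLIANCE, 2, 3, "Compliance Lead"),
    ],
}


def demo():
    """Profile before and after a risk response on IR-1 (e.g. offline
    backups and network segmentation completed lower its likelihood)."""
    err = build_enterprise_register(SAMPLE_REGISTERS)
    before = build_risk_profile(err)
    err = apply_risk_response(err, "IR-1", likelihood=1)
    after = build_risk_profile(err)
    return before, after
```

Keeping the profile as a pure function of the ERR, rather than a separately maintained document, is what makes the "update the profile whenever the registers change" requirement cheap to meet: the information risk register is just one input, and the ranking shows an information risk (IR-1, direct/operational) alongside financial and compliance risks on the same scale.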

[123] Stine, K., Quinn, S., Witte, G., and Gardner, R. (2020, Oct). Integrating Cybersecurity and Enterprise Risk Management (ERM) (NISTIR 8286). Gaithersburg, MD: NIST, p. 2.

[124] Ibid., pp. 4, 42–43.

[125] Banking and Financial Services BA (2012, May 10). Basel II – Direct vs. Indirect Operational Loss (Blog).