The Cost of Ignoring Low-Level Risks

By Roddy

The British Library’s report on the cyber attack which it suffered in October 2023 contains some insightful points on early lessons. No 7 is:

“The Library’s risk management processes appropriately escalated out-of-appetite security risks for remediation, but were less effective in modelling the amount of low-level risks being carried in aggregate.”

“LEARNING LESSONS FROM THE CYBER-ATTACK: British Library cyber incident review” 6 March 2024

How might this lesson, drawn from the very serious effects of a significant incident, affect other organisations’ risk management practice? I think that there is one direct and one indirect point here.

The direct point is to consider the multiplication effect of several lower-level risks being instantiated at the same time. If none of them has been assessed as exceeding the organisation’s risk appetite (based on potential financial cost, or any other measure) the standard procedure would be to accept them. But if two or more of these risks take effect together, the impact may exceed the risk appetite. That seems logical but what should we do about this? Should we assess the risk associated with every combination of the risk set? That could be a lot of work. I don’t have a simple answer yet, but my next point may give us some guidance.

I think that the indirect point is to consider why such risks could occur together. An obvious answer is coincidence and we can use the likelihood scores (subjective though they may be) for each risk to determine the multiplied likelihood. This is going to be a low probability. However, as we know, a low probability for a potential event does not mean that it won’t happen: there is a possibility of error in the calculations and, even if that is not the case, sometimes the odds are against you. So, consideration of simple coincidence doesn’t provide very strong guidance. I think that all we can do is:

  1. set a threshold for the number of coincident risks (probably two) that you can plan for,
  2. set your risk management software (there’s no shame if it’s just a spreadsheet) to work out the multiplied cost of every combination within the threshold (e.g., of every pair of risks) and
  3. consider the response to any results which exceed the risk tolerance.
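The three steps above, worked through in code as an added example (not from the British Library report or the author): a constructed risk register of individually accepted risks, a coincidence threshold of two, and a pass over every pair to find combinations whose combined impact exceeds the tolerance. It assumes risks are independent (joint likelihood is the product) and impacts are additive; both are simplifications you may want to replace with your own model.

```python
from itertools import combinations

# Constructed sample risk register: each risk was individually accepted
# because its impact (in £k, illustrative) sits below the appetite.
RISKS = [
    {"name": "Unpatched legacy server", "likelihood": 0.30, "impact": 40},
    {"name": "Shared admin credentials", "likelihood": 0.20, "impact": 35},
    {"name": "Backups untested", "likelihood": 0.25, "impact": 20},
    {"name": "No MFA on remote access", "likelihood": 0.15, "impact": 15},
]

RISK_APPETITE = 50  # £k; any single risk above this would already be escalated


def aggregate_exposure(risks, threshold=2, appetite=RISK_APPETITE):
    """Step 2: evaluate every combination of 2..threshold risks and keep
    those whose combined impact exceeds the appetite (step 3 input).

    Assumptions (not from the post): independence, so the joint
    likelihood is the product of the individual likelihoods, and
    additive impact, so the combined cost is the sum.
    """
    findings = []
    for size in range(2, threshold + 1):
        for combo in combinations(risks, size):
            impact = sum(r["impact"] for r in combo)
            joint = 1.0
            for r in combo:
                joint *= r["likelihood"]
            if impact > appetite:
                findings.append({
                    "risks": tuple(r["name"] for r in combo),
                    "combined_impact": impact,
                    "joint_likelihood": round(joint, 4),
                })
    # Rank by expected loss so the review in step 3 starts with the worst.
    findings.sort(key=lambda f: f["joint_likelihood"] * f["combined_impact"],
                  reverse=True)
    return findings


if __name__ == "__main__":
    for f in aggregate_exposure(RISKS, threshold=2):
        print(f"{' + '.join(f['risks'])}: impact {f['combined_impact']}k, "
              f"joint likelihood {f['joint_likelihood']}")
```

Raising `threshold` to 3 adds every triple; the number of combinations grows quickly, which is the "lot of work" the post warns about, so keep the threshold small and let the tool do the enumeration.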

The more interesting answer to the question (of why multiple risks might occur together) is to look in detail at the risk factors. Are there more ways that each risk could occur than we have so far identified? Could the same factor trigger multiple low-level risks, causing a larger impact than we have so far calculated? Could one risk’s instantiation trigger another? Could one risk increase the likelihood of another, for example, by making it easier for an attacker to get in?

Again, this could be a lot of work but it may be very important and so worth the effort. It all comes down to your overall risk appetite.