Classic IT risk management involves categorizing potential threats and risks, assessing their likelihood of occurrence, and estimating the damage that would result if they are not mitigated. The cost of potential remedial actions and controls is weighed against the potential damage. Remedial measures are worth taking when they cost less, and can be implemented more reliably, than the damage the risks and threats would otherwise cause.
The probabilities of events have always been more of a sometimes vague estimate than a clear mathematical formula. Even with a systematic approach, is the probability of an attack in a given year more like 20 percent or 60 percent? A difficult question, and numerically it can make a huge difference in an evaluation. In addition, the following perhaps somewhat uncomfortable questions, topics and consequences of measures often go unmentioned:
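To show how much the probability estimate drives the classic "expected loss versus control cost" comparison, here is an added example (not from the original article) that computes the annual loss expectancy for a constructed ransomware scenario and finds the break-even probability at which a control starts to pay for itself. The loss and cost figures are assumptions chosen to match the 20 percent versus 60 percent question above.

```python
"""Sensitivity of a classic risk calculation to the probability estimate.

Added example; all figures are constructed assumptions, not data from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # estimated probability of at least one occurrence per year
    single_loss: float         # estimated damage (in currency units) per occurrence


def annual_loss_expectancy(risk: Risk) -> float:
    """Classic ALE: probability of the event in a year times the loss it causes."""
    if not 0.0 <= risk.annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    return risk.annual_probability * risk.single_loss


def control_is_worthwhile(risk: Risk, annual_control_cost: float) -> bool:
    """The control is justified when it costs less than the expected annual loss."""
    return annual_control_cost < annual_loss_expectancy(risk)


def break_even_probability(single_loss: float, annual_control_cost: float) -> float:
    """Probability at which expected loss equals control cost.

    Above this value the control pays for itself; below it the numbers say 'do nothing'.
    """
    if single_loss <= 0:
        raise ValueError("single_loss must be positive")
    return annual_control_cost / single_loss


def sensitivity(name: str, single_loss: float, annual_control_cost: float,
                probabilities: list[float]) -> dict[float, bool]:
    """Decision for each candidate probability estimate, to show how unstable it is."""
    return {
        p: control_is_worthwhile(Risk(name, p, single_loss), annual_control_cost)
        for p in probabilities
    }


if __name__ == "__main__":
    # Constructed scenario: a ransomware incident assumed to cost 500,000 per
    # occurrence, and a control (offline backups plus restore testing) assumed
    # to cost 150,000 per year.
    loss, cost = 500_000.0, 150_000.0
    print("break-even probability:", break_even_probability(loss, cost))
    for p, decision in sensitivity("ransomware", loss, cost, [0.2, 0.4, 0.6]).items():
        print(f"p={p:.0%}: ALE={annual_loss_expectancy(Risk('ransomware', p, loss)):,.0f} "
              f"-> control worthwhile: {decision}")
```

With these assumptions the break-even point sits at 30 percent: an analyst who estimates 20 percent concludes the control is a waste of money, one who estimates 60 percent concludes it is clearly justified, and nothing in the method itself says which estimate is right.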
Proactive security policy
Any risk assessment is a contest between what could happen and doing nothing, especially if it has never happened before. As a result, quite a few people believe that doing nothing is the better choice, and those who wish to be proactive can be viewed as wasting money. If you only want to preserve the status quo, you will usually have hardly any problems, because the previous course appears to have been successful. Anticipating problems, especially when large amounts are involved, is far more difficult than simply waiting for the damage to occur and then fixing it.
Carry out and complete actions
Many process stakeholders know that most of the controls and remedial actions that are considered resolved are often not entirely resolved. This applies in particular to patches and backups. Many companies believe they are 99 percent to 100 percent patched. Practice teaches, however, that there are hardly any companies where the patch status reaches these values.
The same applies to backups. Again, practice teaches that most companies don’t do their backups very thoroughly. Although most companies always claim that critical backups are performed and regularly tested, one large ransomware attack is enough to show the reality.
For a test run to ensure that a backup and restore actually works, a test restore of many different systems would have to be performed at once in a separate environment. But this in turn requires a high level of resources, which many IT security teams hardly have at their disposal.
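The article's point is that a backup only counts once a restore of it has actually been checked. As an added illustration (not code from the article), the following Python script builds a hash manifest of a source tree and then verifies a restored copy against it, reporting files that are missing, corrupt, or unexpected. The directory names and file contents are constructed for the demo; in a real test restore the manifest would be built at backup time and the verification run against the restored systems in the separate environment the text describes.

```python
"""Verify that a restore reproduces the backed-up files.

Added example with constructed sample data; not the article's own tooling.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    # 'extra' files do not fail the restore, but they are worth reporting.
    return {"ok": not missing and not corrupt,
            "missing": missing, "corrupt": corrupt, "extra": extra}


def demo() -> tuple[dict, dict]:
    """Constructed scenario: one faithful restore and one silently broken restore."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "etc").mkdir(parents=True)
        (source / "etc" / "app.conf").write_text("listen=443\n")
        (source / "data.db").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(source)

        good = Path(tmp) / "restore_good"
        shutil.copytree(source, good)

        # Broken restore: a config file never came back and the database was truncated.
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(source, bad)
        (bad / "etc" / "app.conf").unlink()
        (bad / "data.db").write_bytes(b"\x00" * 512)

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("good restore:", good_result)
    print("bad restore: ", bad_result)
```

The truncated database is the interesting case: the file exists and a check that only counts files or compares sizes loosely would pass it, while the hash comparison reports it as corrupt. That is the difference between "we have backups" and "we have restored from them".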
Don’t give up old habits
It’s hard to argue against the saying “we’ve always done it this way”, even when attacks on certain vulnerabilities have been going on for years. An example is the regular assignment of new and secure passwords. Instead, some companies still tolerate weak passwords that are hardly ever changed.
Tolerating risks of business interruption
Remedial measures against weak points in the network or security controls that the IT security team implements or carries out could disrupt operational processes or, in the worst case, even interrupt operations for a short time. If it were that easy to mitigate IT risk without incurring business interruption risks, everyone would be doing it.
Always one step behind
Companies are almost always fighting a risk that has already happened to others. However, some organizations prefer to wait and see what new tricks hackers have up their sleeves, and then begin remediation and controls to combat these new risks. When companies wait for the hackers’ next move, there is a time lag between discovering the new threat and evaluating the new technology, developing new control measures, and implementing them. One thing is then guaranteed: in a game of waiting, these companies are always behind.
Weighing the risk of employee dissatisfaction
Basically, no IT security manager wants to annoy the employees of his company. However, with a maximum of control, such as monitoring or blocking certain Internet access or restricting what the employee is allowed to do on his computer, he will certainly manage to do just that.
As of 10/30/2020
This request is no coincidence, because it is precisely the users who are responsible for around 70 to 90 percent of all malicious data breaches – through phishing and social engineering. But even the mere mention of restrictions on employees is met with rejection. Good skilled workers are in great demand on the labor market. Therefore, every company fights for qualified employees who do not want to be told what they can and cannot do on “their computer”.
Proactive IT security measures can also lead to a so-called political risk. Every time someone advocates proactive measures against an incident that has never happened, the protagonists lose a little of their political capital. In principle, they only win if the emergency they campaigned against ultimately occurs. If they are successful and convince the company to put controls and remedial measures in place so that the bad never happens, then it never happens, and nobody sees what was prevented.