This quick look will provide a high level review of The Duty of Care Risk Analysis Approach, as it applies to ensuring your security program is legally defensible by defining a clear line of acceptable risk.
1. What is Duty of Care?
Duty of Care has been foundational for assessing liability in our legal system since 1842, and has been recognized and advocated by state Attorneys General as the test for whether controls were legally "reasonable" at the time of a breach.
Implementing (and operating) Duty of Care demonstrates your program is legally defensible.
2. Background on DoCRA
For background, DoCRA donated a version of its Risk Assessment Methodology to the Center for Internet Security.
Note that Duty of Care Risk Analysis can be utilized with any control set.
3. DoCRA vs Other Standards
When you compare Duty of Care Risk Analysis against other risk analysis methods, only Duty of Care estimates the magnitude of harm to others, which is what satisfies the balance test used to assess legal liability.
4. Common Language
So, how does Duty of Care create a Common Language between Cybersecurity and the Business?
It starts by including the traditional cybersecurity language of risks and costs, and then Duty of Care adds the missing components: the impacts to what you do for your customers, to your business goals, and to your third-party obligations. Now cybersecurity and the business are speaking the same language, with Duty of Care acting as a universal translator.
5. Acceptable Risk Line
This is the impact definition table from which acceptable risk is calculated, showing what is acceptable. The top portion defines your mission, objectives, and obligations, and levels 1 through 5 describe the impact a risk would have on your organization. For example, a level 2 impact would be acceptable: somewhat impactful, but business as usual. However, if we knew that a level 3 impact would happen tomorrow, we would invest to prevent it. Impact levels 4 and 5 are incrementally worse than level 3.
6. Likelihood
Likelihood levels are defined to be meaningful to your organization.
Often organizations choose a level of 'Foreseeable, Expected' as the likelihood at which they wish to remediate.
7. Defining the line of acceptable risk
By defining the impact level and the likelihood level at which we must take action, we are defining our risk appetite, which is the line at which we remediate. In this example, a business impact that is Unacceptable combined with a likelihood that is Foreseeable is when we must remediate. Therefore, 8 is our line of acceptable risk, and a risk score of 9 or greater is when we will remediate.
8. The line of acceptability
We then view our risks sorted by risk score, showing which risks we will remediate and which risks fall below the line and can be accepted.
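The scoring described in sections 5 through 8, worked through as an added example (not DoCRA's or CIS's own code). It assumes a 1-5 scale for both impact and likelihood with "Unacceptable" and "Foreseeable, Expected" both at level 3, that the risk score is impact multiplied by likelihood (which is how the page's line of 8 and remediation threshold of 9 arise), and that the highest of the mission, objectives and obligations impacts drives the score; the sample risk register is constructed.

```python
from dataclasses import dataclass

# Thresholds at which the page says we must act. Assumption: both labels
# sit at level 3 on a 1-5 scale; the page gives the labels, not the numbers.
IMPACT_UNACCEPTABLE = 3          # "Unacceptable" business impact
LIKELIHOOD_FORESEEABLE = 3       # "Foreseeable, Expected" likelihood
# Assumption: score = impact x likelihood, so the line of acceptable risk is
# (3 x 3) - 1 = 8 and a score of 9 or greater must be remediated.
ACCEPTABLE_RISK_LINE = IMPACT_UNACCEPTABLE * LIKELIHOOD_FORESEEABLE - 1


@dataclass
class Risk:
    name: str
    likelihood: int      # 1-5
    mission: int         # impact to what you do for your customers
    objectives: int      # impact to your business goals
    obligations: int     # impact to others / third-party obligations

    def impact(self) -> int:
        # Assumption: the worst of the three dimensions drives the score,
        # so harm to others alone can push a risk over the line.
        return max(self.mission, self.objectives, self.obligations)

    def score(self) -> int:
        return self.impact() * self.likelihood


def must_remediate(risk: Risk) -> bool:
    """True when the risk sits above the line of acceptable risk (9 or more)."""
    return risk.score() > ACCEPTABLE_RISK_LINE


def rank(risks):
    """Sort by risk score, highest first, as in the line-of-acceptability view."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed sample register; the names and levels are illustrative only.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing VPN", likelihood=4, mission=2, objectives=2, obligations=3),
    Risk("Lost unencrypted laptop", likelihood=3, mission=1, objectives=2, obligations=3),
    Risk("Stale test account on intranet wiki", likelihood=4, mission=2, objectives=1, obligations=2),
    Risk("Single-region backup storage", likelihood=1, mission=4, objectives=4, obligations=2),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        verdict = "REMEDIATE" if must_remediate(r) else "accept"
        print(f"{r.score():>2}  {verdict:9}  {r.name}")
```

The wiki account scores exactly 8 and is accepted, while the laptop scores 9 (Unacceptable harm to others at a Foreseeable likelihood) and is remediated, which is the boundary the page describes.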
This quick look provided a high level review of The Duty of Care Risk Analysis Approach, as it applies to ensuring your security program is legally defensible by defining a clear line of acceptable risk.