Positive risk within cybersecurity - AWS Prescriptive Guidance

Positive risk within cybersecurity

Greg Bell, Amazon Web Services (AWS)

May 2022

Most people think of risk from the negative perspective, such as exposure to loss or managing an adverse event. However, the International Organization for Standardization (ISO) definition of risk is the “effect of uncertainty on objectives.” In this case, the effect might be positive or negative.

Actual risks might vary between industries, but this standard definition applies to all, and each industry has both negative and positive risks. In the cybersecurity industry, negative risk refers to potential loss, and positive risk refers to potential gain of assets, knowledge, improvements, or data.

Project management and IT domains have adopted the strategy of evaluating positive risks in business reports and business decisions. However, the cybersecurity industry hasn’t yet adopted this as a common practice, and many risk-management methodologies continue to focus on negative risks. If they discuss positive risk at all, it’s only briefly.

Traditionally, cybersecurity views risk exclusively through a negative lens. The following are the two common types of negative risk in cybersecurity:

  • Downside risk – Exposure to loss from external factors, such as a threat. For example, cybercriminals might introduce or increase the likelihood of a security incident.

  • Upside risk – Exposure to loss while in pursuit of a gain, such as a vulnerability that results from change. For example, when implementing an IT strategy, you might inadvertently increase the potential for a security incident. Upside risk isn’t the same as positive risk. Even though it occurs while in pursuit of a gain, upside risk is focused on the potential for loss.

Until recently, cybersecurity has considered only negative risk, and the definition of risk has focused on a potential negative outcome. Positive risks focus on the potential positive outcome at the beginning of risk identification. The exclusion of positive risk results in failure to recognize the positive outcomes in cybersecurity. Because of the focus on negative risk, executive leadership commonly perceives cybersecurity to be reactive rather than proactive and underestimates cybersecurity’s contribution to positive business outcomes.

This document defines positive risk for the cybersecurity industry and discusses the benefits and importance of including positive risks within your cybersecurity strategy.