Desired Security Posture
The ultimate goal of an ARA for the security of any system is to bring that system to a desired security posture. The operative term is “desired” or “intended.” Because “100% secure” is unattainable (the world is full of unknowns), and because merely connecting systems together and interacting through automation exposes them to cyber risk and to attacks against vulnerable software, a certain level of defense is almost always called for. But what is that “level of defense”?
There is no easy prescription or recipe to determine the desired risk posture. One can turn to the organization’s security policy and standards as a starting point. In organizations whose cyber-security function is relatively mature, there may exist standards that point the way to the controls that must be implemented.
Experienced practitioners may have a good “gut feeling” for what level of risk is acceptable and what is not. A mature GRC (governance, risk, and compliance) function may have conducted research into the organization’s risk tolerance and concerns. Desired posture may be calculated as a percentage of system cost or expected revenue. Or any combination of the foregoing may provide sufficient clues from which to derive a security posture.
In the absence of any of the above, it may come down to conducting interviews and listening to what is acceptable or not among the decision makers. In any event, understanding what the organization seeks from risk assessments, how much security needs to be implemented, and what risk can be tolerated helps mitigate the influence of one’s personal risk tolerance on the assessment.