The table towards the bottom shows the top 25 lists of business risks as given by two different groups. The first list comes from the Lloyd's Risk Index 2011 featuring content from the Economist Intelligence Unit (EIU). The second is slightly older and is taken from the Ernst & Young Business Risk Report 2010.
These show the risks that business leaders are worried about.
What are the risks that can be leveraged to try and improve investment in Application Security programs? There's little point in saying "
Compliance and Reputation would seem to be the two main arguments that we can put forward.
Both surveys feature "changing legislation" or "regulation and compliance" towards the top of the risks that business leaders are concerned about. In our field, this would include such topics as PCI DSS, Data Protection legislation, HIPAA etc. Our first argument would go along the lines :
- "We need to improve our application security program in order to comply with XYZ"
The other main risk which we can use seems to be Reputation. The Lloyd's Risk index has Reputational Risk at number 3 while the E&Y Business Risk Report has it at number 19. I presented the E&Y table at a recent OWASP Switzerland chapter meeting. The general concensus at that event was that companies are worried about reputation and so the Lloyd's Risk Index placement at 3 is more accurate.
The argument here is:
- "We need to improve our application security program in order to protect our reputation. Look at what happened to SONY, Stratfor, etc...."
The Lloyd's Risk index mentions malicious cyber attacks as risk number 12 and cyber-risks (non malicious) at 19, whereas the E&Y report does not mention them specifically.
|Lloyd's Risk Index 2011||The Ernst & Young Business Risk Report 2010|
|1||Loss of customers/Cancelled orders||Regulation and compliance|
|2||Talent and skills shortages||Access to credit|
|3||Reputational risk||Slow recovery or double-dip recession|
|4||Currency fluctuation||Managing talent|
|5||Changing legislation||Emerging markets|
|6||Cost and availability of credit||Cost cutting|
|7||Price of material inputs||Non-traditional entrants|
|9||Corporate liability||Social acceptance risk: corporate social responsibility|
|10||Excessively strict regulation||Executing alliances and transactions|
|11||Rapid technological changes||Inability to innovate|
|12||Cyber attacks (malicious)||Maintaining infrastructure|
|13||High taxation||Emerging technologies|
|14||Failed investment||Taxation risk|
|15||Major asset price volatility||Pricing pressures|
|16||Theft of assets/Intellectual Property||Resource scarcity|
|17||Fraud and corruption||Consumer demand shifts|
|18||Interest rate change||Global (re)alignment|
|19||Cyber risks (non-malicious)||Reputation risks|
|20||Poor/Incomplete regulation||Energy shocks|
|21||Critical infrastructure failure||Supply chain and "extraprise"|
|22||Government spending cuts||Managing new business models|
|23||Supply chain failure||Capital allocation|
|24||Pollution/Environmental liability||Intermediary power|
|25||Sovereign debt||Shifting demographics|
Compliance and reputation risks are probably the two main risks to leverage when you are trying to convince management to invest in application security. This type of approach might seem a bit underhand - but all is fair in love and war.
Links to surveys(PDF):