Security Risk Management: Should You Take A Reactive or Proactive Approach?

M. Eric Johnson | September 18, 2013

In a world of evolving threats, executives face the challenge of deciding whether to allocate scarce security resources to proactive investments that may prevent attacks or to reactive investments made in response to security failures. Some researchers have argued that the most effective security investments are those based on lessons from past attacks, particularly when defending against similar incidents.

They suggest that proactive strategies require large upfront investments and that it is difficult to know where to invest because the threats are constantly evolving. Rather than proactively preparing for every possible threat, they advise first observing attacks and then allocating security resources to closing the holes those attacks expose. By focusing on quickly fighting attacks, the reactive crowd hopes to maximize the impact of security spending by avoiding investment in phantom threats.

On the other hand, advocates of prevention argue that proactive organizations build a deeper understanding of both their weaknesses and the threats they face. The research literature provides some support for this notion: studies in related areas, such as product recalls, have found that proactive investments are particularly effective because they stimulate organizational learning. Rather than simply reacting to failures, proactive initiatives involve identifying and quantifying risks, then investing in mitigating the largest ones (ranked by probability of occurrence and likely impact).

In a study appearing later this fall, my colleague Dr. Juhee Kwon and I provide evidence that proactive strategies are more effective in managing security risk. Examining the security investment decisions and breach history of 2,386 organizations in the healthcare sector over a five-year period, we found that proactive investments were associated with lower security failure rates than investments made in reaction to breaches. Once the organizational costs of breach disclosure and remediation are taken into account, we also found that proactive investments are more cost-effective than reactive ones.

A data-driven evaluation of overall security posture is the first step in any proactive approach. Following the evidence to learn the weak points and the related risks provides clues on where best to invest. Such an evaluation should look beyond internal systems to include risks presented by business partners. Too often, ecosystem risk is ignored, yet a scan of recent headlines shows that major security failures often occur in the partner firms that form the extended enterprise. An active vendor risk assessment program can provide early warning on trouble spots and guide negotiations with partners that hold sensitive data. Proactive organizations manage risk by continuously evaluating current risks rather than focusing on the past.
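To make the prioritization described above concrete, here is an added example (not code from the original post or from the study it describes) of a minimal quantitative risk register. Each risk is scored as estimated annual probability of occurrence times likely impact, candidate proactive controls are ranked by expected loss avoided per dollar of annual cost, and a fixed budget is allocated in that order. The register deliberately includes an ecosystem risk held by a business partner next to the internal ones. Every figure, risk, control and the partner name "Acme Billing" is constructed for illustration and is not data from the healthcare study.

```python
# Added example, not code from the original post or its authors.
# A small quantitative risk register: risk = annual probability x impact,
# controls ranked by expected loss avoided per dollar, greedy budget allocation.
# All names and figures below are constructed for illustration only.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str                  # "internal", or the partner that holds the data
    annual_probability: float   # estimated chance of at least one occurrence per year
    impact: float               # estimated loss per occurrence (disclosure + remediation)

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # risk name -> fraction of that risk's expected annual loss the control removes
    mitigates: dict = field(default_factory=dict)


def expected_loss_avoided(control: Control, risks_by_name: dict) -> float:
    """Expected annual loss removed by one control, summed over the risks it touches."""
    return sum(
        risks_by_name[risk_name].expected_annual_loss() * fraction
        for risk_name, fraction in control.mitigates.items()
    )


def rank_controls(controls, risks):
    """Return [(control name, loss avoided per year, loss avoided per dollar)], best first."""
    by_name = {r.name: r for r in risks}
    scored = []
    for c in controls:
        avoided = expected_loss_avoided(c, by_name)
        scored.append((c.name, avoided, avoided / c.annual_cost))
    return sorted(scored, key=lambda row: row[2], reverse=True)


def allocate_budget(controls, risks, budget):
    """Greedy allocation in rank order: (chosen names, total loss avoided, unspent budget).

    Picking by return-per-dollar is a heuristic, not the knapsack optimum, but it
    is transparent enough for a risk committee to follow and challenge."""
    cost_of = {c.name: c.annual_cost for c in controls}
    chosen, total_avoided, remaining = [], 0.0, budget
    for name, avoided, _ in rank_controls(controls, risks):
        if cost_of[name] <= remaining:
            chosen.append(name)
            total_avoided += avoided
            remaining -= cost_of[name]
    return chosen, total_avoided, remaining


# Constructed sample register for a small healthcare organization (illustrative only).
RISKS = [
    Risk("phishing credential theft", "internal", 0.40, 250_000),
    Risk("unpatched internet-facing server", "internal", 0.20, 800_000),
    Risk("lost unencrypted laptop", "internal", 0.30, 100_000),
    # ecosystem risk: a hypothetical partner that holds patient records
    Risk("billing vendor breach of patient records", "Acme Billing", 0.10, 2_000_000),
]

CONTROLS = [
    Control("MFA on all remote access", 60_000, {"phishing credential theft": 0.8}),
    Control("patch SLA and vulnerability scanning", 120_000,
            {"unpatched internet-facing server": 0.7}),
    Control("full-disk encryption on laptops", 25_000, {"lost unencrypted laptop": 0.9}),
    Control("vendor risk assessment with contractual encryption requirement", 40_000,
            {"billing vendor breach of patient records": 0.5}),
]

if __name__ == "__main__":
    for name, avoided, per_dollar in rank_controls(CONTROLS, RISKS):
        print(f"{name:<65} avoids ${avoided:>10,.0f}/yr  ({per_dollar:.2f} per $1)")
    print(allocate_budget(CONTROLS, RISKS, budget=150_000))
```

With these constructed numbers the vendor assessment ranks first even though it is cheap, because the partner holds the largest concentration of sensitive data; the expensive patching program ranks last and is the one that falls outside a $150,000 budget. The point of the exercise is not the specific figures but that the ranking comes from current probability and impact estimates rather than from whichever incident happened most recently.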
