Understanding your AIW vs your MTO – risk management and business terminologies simplified

We spend our time in cyber living in acronyms – EDR, DLP, IPS, MFA… and trying to keep up to date with them all. Is APT an Advanced Persistent Threat or Automated Penetration Testing? When we received that email about IAM, was it Identity & Access Management or were they discussing Incident & Asset Management?

Cyber-specific acronyms aren’t the end of it either! When discussing business risk, we see a lot of clients who do not have a full understanding of the risk management lifecycle, or of the supporting acronyms that go with it.

When working through these, we are trying to understand the risk appetite for an organisation.

| Term | Meaning | Example |
|---|---|---|
| Risk appetite | The amount of risk that an organisation is willing to accept in pursuit of its business objectives. | Tech startups – high risk appetite (willing to take significant risks to achieve growth). Healthcare – low risk appetite (risks may affect human lives, so the consequences are more tangible). |

This is usually set at a leadership or board level for the organisation – allowing the teams to understand what boundaries are in place when making decisions. In pursuit of our business objectives, we usually must perform a BIA (Business Impact Analysis) on our systems, allowing us to build our IR (Incident Response) & our DR (Disaster Recovery) plans – usually supporting our overarching BCP (Business Continuity Plan).

| Term | Meaning | Example |
|---|---|---|
| BIA | Business Impact Analysis – identifying the critical business functions and how their loss would affect the essential operation of the business. | Function: online ecommerce system. Processing card transactions for an online retailer is likely classed as critical – its outage would result in large revenue loss and reputational damage. Function: internal newsletter. Internal communication is important, but clients would not be affected and business could continue as usual. |
| IR | Incident Response – the approach taken to manage a security incident. | Preparing for, identifying, containing, eradicating, recovering from and learning from a security incident such as ransomware. |
| DR | Disaster Recovery – the approach taken to restore business operations in the event of a ‘disaster’. | A datacentre failure causes the business to shut down temporarily. Following the DR plan allows the team to restore services at a failover datacentre, bringing operations back online. |
| BCP | Business Continuity Plan – the overarching plan to ensure that the organisation can continue to operate during a disruption. | A power outage affects operations – the BCP contains the BIA, the DR plan and the procedures necessary for working in a disrupted environment until recovery is complete. |

When building our BCP, we often use the BIA process to understand what our AIW (Acceptable Interruption Window) is for each function, and how that would affect the MTO (Maximum Tolerable Outage) for the organisation. These levels are set by the business and will impact the cost of recovery – setting our RTO (Recovery Time Objective) & our RPO (Recovery Point Objective).

| Term | Meaning | Example |
|---|---|---|
| AIW | Acceptable Interruption Window – the maximum allowable downtime before it starts to have an impact on business functions. | Our sales platform can be down for 30 minutes without significantly affecting client trust or causing reputational damage. |
| MTO | Maximum Tolerable Outage – the maximum outage window. If this is breached, the organisation is likely to experience financial and operational difficulties that it may not recover from. | If our sales platform is offline with no new orders for 24 hours, clients will likely go elsewhere. Coupled with difficult cashflow in the business, this would likely put us out of business. |
| RTO | Recovery Time Objective – the acceptable duration of a downtime. How quickly does a system need to be restored? | The business declares that the sales platform must be online within 4 hours – so systems must be designed to be restorable within this time from tape, disk or cloud. |
| RPO | Recovery Point Objective – how much data are we willing to lose? What point in time can we recover from? | The business will not accept customer data from more than 15 minutes ago being lost – meaning that continual snapshots, transaction logs or other methods would be required to protect the data. |

These business defined terms set the boundaries – but these come at a cost. When would we look to invoke the DR plan? What is our MSL (Minimum Service Level)? More importantly, is the business willing to pay to achieve the RPO and RTO they are asking for? We can take the cost of implementing these back to the leadership team – matching the technology and processes that we design to the business objectives and risk level.

We don’t usually want to be invoking our BCP. When we do, it usually means that our IR or DR plans are not far behind! We can anticipate and pre-empt these situations by tracking risk and performance through our KRIs (Key Risk Indicators) and KPIs (Key Performance Indicators).

| Term | Meaning | Example |
|---|---|---|
| MSL | Minimum Service Level – the lowest acceptable level of service we can deliver. Used both pre- and post-event. | If our sales platform can process 10,000 orders per minute, we may decide that our MSL is 5,000 orders per minute. This ensures that we don’t invoke our full DR plan for minor outages or disruptions, and also serves as a good indicator that recovery is allowing the business to operate. |
| KRI | Key Risk Indicator – a pre-emptive metric allowing us to predict that an incident could be about to happen. | In cyber, we look for common attacks in similar industries, an uptick in external attack attempts, or dark web chatter. |
| KPI | Key Performance Indicator – a measure defining how well we are achieving a set target. | When defining how many sales orders per minute we expect, we are setting our KPI to 10,000. We can monitor against this and many other measures. |
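To show how the AIW, MTO, RTO and RPO figures above, together with the MSL question of when to invoke DR, can be checked against each other and against a recovery drill, here is an added Python example (not part of the original post); the class and function names, and the "below MSL for longer than the AIW" invocation policy, are assumptions of the example, while the numbers are the post's own:

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class ResilienceTargets:
    """Business-defined targets for one function; field names follow the post's acronyms."""
    function: str
    aiw: timedelta            # Acceptable Interruption Window
    mto: timedelta            # Maximum Tolerable Outage
    rto: timedelta            # Recovery Time Objective
    rpo: timedelta            # Recovery Point Objective
    kpi_orders_per_min: int   # performance target
    msl_orders_per_min: int   # Minimum Service Level


def validate_targets(t: ResilienceTargets) -> list[str]:
    """Consistency checks worth taking back to leadership before designing any recovery technology."""
    issues = []
    if t.aiw > t.mto:
        issues.append("AIW exceeds MTO: impact would only begin after the business could no longer recover")
    if t.rto > t.mto:
        issues.append("RTO exceeds MTO: the plan restores service slower than the business can survive")
    if t.msl_orders_per_min > t.kpi_orders_per_min:
        issues.append("MSL exceeds KPI: the minimum acceptable service is above the performance target")
    return issues


def rpo_met_by_schedule(t: ResilienceTargets, snapshot_interval: timedelta) -> bool:
    """Worst-case data loss is one full gap between snapshots; that gap must fit inside the RPO."""
    return snapshot_interval <= t.rpo


def should_invoke_dr(t: ResilienceTargets, observed_orders_per_min: int, degraded_for: timedelta) -> bool:
    """Policy assumed by this example: invoke full DR only when service is below the MSL
    and the degradation has already outlasted the AIW (shorter blips stay with incident response)."""
    return observed_orders_per_min < t.msl_orders_per_min and degraded_for > t.aiw


def assess_drill(t: ResilienceTargets, restore_time: timedelta, data_lost: timedelta) -> dict[str, bool]:
    """Score a DR test: did recovery land inside the RTO, the RPO and, as the last line, the MTO?"""
    return {
        "rto_met": restore_time <= t.rto,
        "rpo_met": data_lost <= t.rpo,
        "within_mto": restore_time <= t.mto,
    }


# Constructed sample using the post's own figures for the online sales platform.
SALES = ResilienceTargets("Online sales platform", timedelta(minutes=30), timedelta(hours=24),
                          timedelta(hours=4), timedelta(minutes=15), 10_000, 5_000)
```

Running `validate_targets` on targets gathered in a BIA workshop is a cheap way to surface a business that has asked for an RTO it could not survive, before any money is spent on the technology to meet it.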

When we can see the full picture of how business risk shapes and influences our operational resilience, our recovery expectations and how our processes can weather a disruption, it highlights how important reducing the impact of security incidents and breaches is.

For years we’ve said it isn’t a case of IF these incidents happen, but WHEN. Ensuring that cyber security, information technology and business operations are aligned in their expectations underpins this operational resilience – limit the impact and recover quickly.

To learn more about the security services offered by Longwall, get in touch.

If you are trying to establish the cyber security posture of your organisation, you can take our free instant assessment to receive a report with recommendations.
