The world loves assessments. Be it the endless Top 10 lists on Facebook, from the Forbes 500 to the FT 1000 and more. Smaller assessments include a person’s annual physical, car inspections, report cards from school, and more. In the world of information security, a risk assessment is an invaluable method for an organisation to determine its information security posture. There is a lot at stake when an organisation performs a cybersecurity risk assessment, so it’s imperative that it be done right.
Want to learn how to do it right? Keep reading.
Just what is a cyber security risk assessment?
The NIST Cybersecurity Framework defines a risk assessment as when “the organisation understands the cybersecurity risk to organisational operations (including mission, functions, image, or reputation), organisational assets, and individuals”.
Risk assessments are used to identify, estimate and prioritise the many risks to organisational operations and assets resulting from IT operations. Some of the key reviews in the assessment include (but are far from limited to):
- Asset vulnerabilities are identified and documented
- Cyber threat intelligence is received from information-sharing forums and sources
- Threats, both internal and external, are identified and documented
- Potential business impacts and likelihoods are identified
- Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
- Risk responses are identified and prioritised
Mike Chapple and Pete Lindstrom of IDC write in Digital Trust: Assessing True Risk in a Partnered World that approximately 66% of enterprises believe their security program is stronger than that of their partners, 27% believe their program is on par with that of their partners, and 7% believe their security program is less rigorous than that of their partners. That makes performing a risk assessment critical in order to truly understand the assessed level of security.
Risk is a function of the likelihood and impact that some unwanted outcome or set of unwanted outcomes will occur. Some of the unwanted outcomes involve breaches of confidentiality, integrity, availability, productivity, and/or propriety that create some set of increased costs and/or reduced revenue opportunities.
An effective risk assessment looks not just at the technology but takes a holistic approach to various aspects, including people, processes, data and more. It requires the group performing the assessment to think about how the business operates, how employees and assets affect the profitability of the business, what the potential monetary losses are, what risks can create the largest financial losses to the organisation, and more.
Why is a cyber security risk assessment needed?
Legendary management consultant Peter Drucker observed that you can't manage what you can't measure. And it is a robust risk assessment that is required for any organisation that wants to manage information security properly.
A risk assessment is a great way to demonstrate that the board has carried out effective due diligence, ownership and effective management of their cyber security risk.
As enterprise networks become more complex and distributed, the level of technical controls to secure them becomes more important.
The objective of a cyber security risk assessment is relatively simple – organisations want to understand how their applications, systems and environments are used, to identify the cyber security risks via analysis of the data collected.
Why perform a cyber security risk assessment?
There are many compelling reasons to perform a risk assessment. First off are legal and regulatory reasons. The Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, General Data Protection Regulation (GDPR), HIPAA (Health Insurance Portability and Accountability Act) and more require an entity to assess their risk.
An assessment can help ensure that the greatest risks that an organisation faces are identified and addressed on a continuing basis. For example, if someone pays for expensive hurricane insurance coverage, but lives in a geographic area where there are never hurricanes, they are throwing money down the drain. They are likely not cognizant of the real environmental risks they are facing.
For those contemplating cyber security insurance, a risk assessment can often be used to negotiate lower premiums and deductibles.
Other reasons for a cyber security assessment include:
- Determine the impact of new vulnerabilities, or interpret the results of a recent vulnerability assessment
- Periodic re-evaluation of critical business systems in order to assess any impacts of changes to the threat environment
- Determine disaster recovery and business continuity planning requirements
- Asses risks associated with new technologies or services
- Asses risks associated with outsourcing, network connections and/or data-sharing agreements with business partners
- Determine if budgets are being used in the most judicious manner. It can provide management with justification for its cyber security investments.
How do you perform a cyber security risk assessment?
A basic risk assessment will take into consideration three factors: the importance of the assets, how critical the threat is, and how vulnerable the system is to that threat. Using those factors, you can assess the risk, which is the likelihood of a monetary loss by your organisation.
The fundamental equation that is generally used is that:
risk = asset value x threat rating x vulnerability rating
There is no shortage of cyber security risk assessment templates available on Google. With that, all risk assessment methodologies have a set of basic steps:
1. Data gathering
Gather the required data and technical information required to perform the risk assessment. Some of the data inputs include previous risk assessments, threat assessment data, vulnerability assessments, vendor reports, and the like. Other sources include interviews with various IT and technology staff members, internal questionnaires, and the like.
Try to gather as much data from relevant assets as possible. Truth be told, a large company can have countless assets. Part of the risk assessment is to determine which are the most valuable. The ones to be concerned about are the assets (people, hardware, software, data, etc.) that can create a monetary loss or legal risk.
Some of the many assets include:
- hardware
- software
- data (break the data into various classifications and types)
- client information
- websites
- documentation
- trade secrets
- databases
2. Process of performing the actual risk assessment
This is the heart of the project. This is where you are calculating the risks from the information gathered during the previous step. This phase can take the form of quantitative, mathematical calculation or modelling, or qualitative analysis.
The advantage of the qualitative approach is that it is a quick and easy method and has the capability to provide a significant amount of data. The output is also easier for non-security or risk management staff to understand. Its disadvantage is that given its nature, it can provide but a limited ability to perform an effective cost-benefit analysis.
The quantitative approach, it enables a much more numerical aggregation of the risk data. It is also much easier to do various cost/benefit scenarios. Its disadvantage is that it is much more time-consuming and costly than the quantitative approach.
Think about the potential business and financial losses your organisation would face if any of the assets from the previous step were made unavailable or damaged. Some of the many outcomes include:
- System downtime
- Facility unavailability
- Lawsuits and other legal consequences
- Data loss
Consider the many threats your organisation faces. There are countless, some of which include:
- Malicious insiders
- System failures
- Nation-state attacks
- Natural disasters
- Accidents
- Employee strikes
- 3rd-party unavailability
This is a particularly important area as many organisations don’t have an understanding of who their adversaries are.
The following table details at a high level some attackers that an average organisation will face. This is just a sample and once an organisation performs their assessment, it will likely find many more attack vectors
|
Attacker |
Target |
Motive |
Impact |
|
Insider |
|
|
|
|
Hacktivist |
|
|
|
|
Nation-state |
|
|
|
|
Organised crime |
|
|
|
3. Reporting and interpreting the output of the assessment
The output of the assessment is where the risk is communicated. There are various ways to communicate risk, whether it be can be qualitative or quantitative, or other. But the purpose is to express the risks in a manner than can be understood by the reader of the report. The output will give the reader area where improvement may be needed and the mechanism in which to do to deal with the risk.
A risk register is often created, which is the calculation listed in the risk assessment process. This register is used to list the risks currently facing the organisationirm’s assets, to record treatment decisions, and to track the treatment activities.
4. Create a risk management plan
Based on the previous step, a detailed plan in which to manage the many risks should be created. The following is a basic sample:
|
Threat |
Vulnerability |
Assets / Consequence |
Risk |
Solution |
|
System failure HIGH |
Old HVAC system in data center HIGH |
Firewalls, routers, switches, servers, email, websites, etc. HIGH |
Potential loss of $1M per day. HIGH |
Replace HVAC system. |
|
Malicious attack – DDoS HIGH |
Properly configured firewall with effective DDoS protection LOW |
Websites. Website unavailability HIGH |
Potential loss of $10k p/h of downtime. MODERATE |
Implement better monitoring and auditing of firewall and other critical security hardware. |
|
Natural disasters (hurricane, tornado, flooding, etc.) MODERATE |
Server on a high flood about water level. VERY LOW |
Servers. Servers will be unavailable. HIGH |
VERY LOW |
No action needed. |
|
Non-malicious person (accident, human error, etc.) HIGH |
Correct file permissions, IT audit software in active use, regular backups done. LOW |
Entire set of files on various file shares. Critical data could potentially be lost, but high change they could be restored via backup. MODERATE |
LOW |
Continue monitoring permission changes, ensure privileged users are monitors and tracked, encore backups are properly done. |
Risk treatment options
As the above table indicates, not all risks are created equal. There are literally thousands of risks that a large organisation faces. The goal is to put most of the efforts into the ones that can create the greatest risk to the organisation.
Risk control is the process by which an organisation reduces the likelihood of a risk event occurring or mitigates the effects of that risk should it occur. After the risks have been assessed and identified, there are generally 4 ways in which an organisation can deal with the risks. This is often known as the 4 T’s process:
- Tolerate – There is where no action is needed to mitigate or reduce risk, as it is below the organisation’s risk appetite. This may be due to the cost of instituting risk reduction or mitigation activity is not cost-effective or the risks of impact are at so low that they are deemed acceptable.
- Treat – where the risk is above the organisation’s risk appetite, but treatment is proportionate; or where the treatment is so simple and cost-effective that it is proportionate to treat the risk even though it falls below the organisation’s risk appetite.
- Transfer – where the risk can’t be brought below the organisation’s risk appetite with proportionate treatment, but a cost-effective option is available to transfer the risk to a third party. This can be done via cyber insurance.
- Terminate – where the risk can’t be brought below the organisation’s risk appetite with proportionate efforts or resources. And there are no cost-effective transfer mechanisms available.
Use cases
Now that you know all this about cyber security risk assessments, one last thing to consider is use cases. Just as one organisation would not use the same logo as another organisation, so too an approach to information risk must be customised.
Cybersecurity is far too complex for there to be a single approach or method that works for all organisations. The benefit of using customised use cases is that it provides a method to use fundamental risk assessment practices and concurrently use it to create a customised risk mediation program.
There are literally thousands (if not more) of potential use cases in a large enterprise operation. With limited staff and budget, the key is to find the most common ones that will best address and minimise risk within the organisation.
Some common use case examples include assessing the cyber security risks:
- security budgets
- disaster recovery and business continuity planning
- to determine the impact of zero-day thread, new vulnerabilities
- to determine the results of a recent vulnerability scan
- for a new application, technology, operating system, etc.
- associated with a new outsourced provider, third-party or new business partner
- scenario-planning exercises
- impact of a new law, regulation or standard.
Risk assessment methodologies
There are a number of risk assessment methodologies in use. Each has its advantages and disadvantages, and it is the responsibility of an organisation to determine which is the most appropriate methodology for their organisation. Some of the more popular risk management methodologies include:
COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. COBIT provides an implementable "set of controls over information technology and organises them around a logical framework of IT-related processes and enablers”.
ISO/IEC 27005:2018 is part of the ISO/IEC 2700x set of information security management system (ISMS) standards and is a reference point for organisations looking to attain ISO 27001 certification. While 27005 does not provide any specific method for information security risk management, it provides guidelines for information security risk management in an organisation. It is up to the organisation to define its approach to risk management, depending for example on the scope of an ISMS, context of risk management, or industry sector.
FAIR (Factor Analysis of Information Risk is an excellent value-at-risk (VaR) framework for cybersecurity and operational risk. Created by the FAIR Institute, it’s an open standard for measuring and managing information risk. The benefit of FAIR is that it provides information risk, cybersecurity and business professionals with a common language to measure, manage and report on information risk from the business perspective.
For those looking for an excellent technical introduction to the methodology, Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones is an invaluable resource.
NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritised, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.
Caveats
Some caveats around risk are worth considering before we complete this:
- Just as different organisations have different risk tolerance levels, so do different people within your organisation. Your chief legal counsel is likely much more risk-averse than the head of network operations. With that, it’s important to realise that when dealing with different business process owners within your own organisation.
- Irrespective when selective either the quantitative or qualitative model is to appreciate that risk is not an objective science. Even with advanced tools, there is still a lot of intuition that goes into the risk calculations.
- Combining multiple risks into a single risk indicator is difficult. Often an executive will want to know the total risk. But risk aggregation is not something that is easily done.
- Realise that risk changes over time. As different people, processes and technologies come into play in your organisation, so too with the risks associated with the change. Organisations also change their direction, business objectives, etc. It is important to keep that in mind when performing a cyber security risk assessment.
Conclusions
Cyber security risk assessments are an integral part of any information security risk initiative. Cybersecurity is now an issue that every member of a board of directors is concerned with. Managing cyber security risks is now a board issue. They are becoming more preemptive in evaluating cybersecurity risk exposure as an enterprise-wide risk management issue, and a key way to do that is via a cybersecurity risk assessment.
About Nettitude
Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats. Our experts use an award-winning Threat Intelligence led approach that incorporates real-time data, ensuring that your company is protected at every stage of its journey.
Nettitude will help you make sense of all this information in pragmatic workshops and training sessions. We will help you to implement an active and relevant risk methodology.
