Nettitude Blog

The Ultimate Guide To Cyber Security Risk Assessments

Posted by Ben Rothke on Aug 14, 2018 5:43:32 PM

The world loves assessments. Be it the endless Top 10 lists on Facebook, from the Forbes 500 to the FT 1000 and more. Smaller assessments include a person’s annual physical, car inspections, report cards from school, and more. In the world of information security, a risk assessment is an invaluable method for a firm to determine their information security posture. There is a lot at stake when a firm performs a cyber security risk assessment, so it’s imperative that it be done right.

Want to learn how to do it right? Keep reading.

 

Cyber Security Risk Assessments - the ultimate guide

 

 

Just what is a cyber security risk assessment?

The NIST Cybersecurity Framework defines a risk assessment as when “the organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals”.

Risk assessments are used to identify, estimate and prioritize the many risks to organizational operations and assets resulting from IT operations. Some of the key reviews in the assessment include (but are far from limited to):

  • Asset vulnerabilities are identified and documented
  • Cyber threat intelligence is received from information sharing forums and sources
  • Threats, both internal and external, are identified and documented
  • Potential business impacts and likelihoods are identified
  • Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • Risk responses are identified and prioritized

Mike Chapple and Pete Lindstrom of IDC write in Digital Trust: Assessing True Risk in a Partnered World that approximately 66% of enterprises believe their security program is stronger than that of their partners, 27% believe their program is on par with that of their partners, and 7% believe their security program is less rigorous than that of their partners. That makes performing a risk assessment critical in order to truly understand the assessed level of security.

Risk is a function of the likelihood and impact that some unwanted outcome or set of unwanted outcomes will occur. Some of the unwanted outcomes involve breaches of confidentiality, integrity, availability, productivity, and/or propriety that create some set of increased costs and/or reduced revenue opportunities.

An effective risk assessment looks not just at the technology, but takes a holistic approach to various aspects, including people, processes, data and more. It requires the group performing the assessment to think about how the business operates, how employees and assets affect the profitability of the business, what the potential monetary losses are, what risks can create the largest financial losses to organization, and more.

Why is a cyber security risk assessment needed?

Legendary management consultant Peter Drucker observed that you can't manage what you can't measure. And it is a robust risk assessment that is required for any firm that wants to manage information security properly.

A risk assessment is a great way to demonstrate that the board has carried out effective due diligence, ownership and effective management of their cyber security risk.

As enterprise networks become more complex and distributed, the level of technical controls to secure them becomes more important.

The objective of a cyber security risk assessment is relatively simple – firms want to understand how their applications, systems and environments are used, to identify the cyber security risks via analysis of the data collected.

Why perform a cyber security risk assessment?

There are many compelling reasons to perform a risk assessment. First off are legal and regulatory reasons. The Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, General Data Protection Regulation (GDPR), HIPAA (Health Insurance Portability and Accountability Act) and more require an entity to assess their risk.

An assessment can help ensure that the greatest risks that an organization faces are identified and addressed on a continuing basis. For example, if someone pays for expensive hurricane insurance coverage, but lives in a geographic area where there are never hurricanes, they are throwing money down the drain. They are likely not cognizant of the real environmental risks they are facing.

For those contemplating cyber security insurance, a risk assessment can often be used to negotiate lower premiums and deductibles.

Other reasons for a cyber security assessment include:

  • Determine the impact of new vulnerabilities, or to interpret the results of a recent vulnerability assessment
  • Periodic re-evaluation of critical business systems in order to assess any impacts of changes to the threat environment
  • Determine disaster recovery and business continuity planning requirements
  • Asses risks associated with new technologies or services
  • Asses risks associated with outsourcing, network connections and/or data sharing agreements with business partners
  • Determine if budgets are being used in the most judicious manner. It can provide management with justification for its cyber security investments.

How do you perform a cyber security risk assessment?

A basic risk assessment will take into consideration three factors: the importance of the assets, how critical the threat is, and how vulnerable the system is to that threat. Using those factors, you can assess the risk, which is the likelihood of a monetary loss by your organization.

The fundamental equation that is generally used is that:

risk = asset value x threat rating x vulnerability rating

There is no shortage of cyber security risk assessment templates available on Google. With that, all risk assessment methodologies have the set of basic steps:

1. Data gathering

Gather the required data and technical information required to perform the risk assessment. Some of the data inputs include previous risk assessments, threat assessment data, vulnerability assessment, vendor reports, and the like. Other sources include interviews with various IT and technology staff members, internal questionnaires, and the like.

Try to gather as much data from relevant assets as possible. The truth be told, a large company can have countless assets. Part of the risk assessment is to determine which are the most valuable. The ones to be concerned about are the assets (people, hardware, software, data, etc.) that can create a monetary loss or legal risk.

Some of the many assets include:

  • hardware
  • software
  • data (break the data into various classifications and types)
  • client information
  • websites
  • documentation
  • trade secrets
  • databases

2. Process of performing the actual risk assessment

This is the heart of the project. This is where you are calculating the risks from the information gathered during the previous step. This phase can take the form of quantitative, mathematical calculation or modeling, or qualitative analysis.

The advantage of the qualitative approach is that it is a quick and easy method and has the capability to provide a significant amount of data. The output is also easier for non-security or risk management staff to understand.  Its disadvantage is that given its nature, it can provides but a limited ability to perform effective cost-benefit analysis.

As to the quantitative approach, it enables a much more numerical aggregation of the risk data. It is also much easier to do various cost/benefit scenarios. Its disadvantage is that it is much more time consuming and costly than the quantitative approach.

Think about the potential business and financial losses your organization would face is any of the assets from the previous step was made unavailable or damaged. Some of the many outcomes include:

  • System downtime
  • Facility unavailability
  • Lawsuits and other legal consequences
  • Data loss

Consider the many threats your organization faces. There are countless, some of which include:

  • Malicious insiders
  • System failures
  • Nation state attacks
  • Natural disasters
  • Accidents
  • Employee strikes
  • 3rd-party unavailability

This is a particular important area as many firms don’t have an understanding who their adversaries are.

The following table details at a high level some attackers than an average organization will face. This is just a sample and once an organization performs their assessment, they will likely find many more attack vectors

 

Attacker

Target

Motive

Impact

Insider

  • Critical infrastructure Trade secrets
  • Confidential data
  • R&D
 
  • Economic
  • Political
  • Military
  • Business cessation
  • Data break
  • Loss of intellectual property
  • Critical infrastructure disruption
  • Regulatory penalties

Hactivist

  • M&A activity
  • Corporate emails
  • Executive information / communiques
  • Financial information to be announced
  • Business partner information
  • Bragging rights
  • Political influence
  • Disruption of business activities
  • Brand reputation impact
  • Loss of consumer trust
  • Regulatory penalties

Nation state

  • Confidential business information
  • Patent information
  • Trade secrets
  • R&D info
  • Critical infrastructure
  • Military data
  • Political disruption
  • Economic interference
  • Military information or disruption
  • Data breach
  • Disruption to critical infrastructure
  • Regulatory penalties

Organized crime

  • Payment systems
  • Financial infrastructure
  • CHD / PII
  • Health records
  • Financial gain
  • Data gathering
  • Regulatory penalties
  • Consumer and shareholder lawsuits
  • Loss of consumer confidence

 

3. Reporting and interpreting the output of the assessment 

The output of the assessment is where the risk is communicated. There are various ways to communicate risk, it be can be qualitative or quantitative, or other. But the purpose is to express the risks in a manner than can be understood by the reader of the report. The output will give the reader area where improvement may be needed and the mechanism in which to do that to deal with the risk.

A risk register is often created, which is the calculations listed in the risk assessment process. This register is used to list the risks currently facing the firm’s assets, to record treatment decisions, and to track the treatment activities.

4. Create a risk management plan

Based on the previous step, a detailed plan in which to manage the many risks should be created. The following is a basic sample:

Threat

Vulnerability

Assets / Consequence

Risk

Solution

 

System failure

HIGH

 

Old HVAC system in data center

HIGH

 

Firewalls, routers, switches, servers, email, websites, etc.

HIGH

 

Potential loss of $1M per day. 

HIGH

 

Replace HVAC system.

 

Malicious attack – DDoS

HIGH

 

Properly configured firewall with effective DDoS protection

LOW

 

Websites. 

Website unavailability 

HIGH

 

Potential loss of $10k p/h of downtime.

MODERATE

 

Implement better monitoring and auditing of firewall and other critical security hardware.

 

Natural disasters

(hurricane, tornado, flooding, etc.) 

MODERATE

 

Server on a high flood about water level.

VERY LOW

 

Servers. 

Servers will be unavailable. 

HIGH

 

 

VERY LOW

 

No action needed.

 

Non-malicious person (accident, human error, etc.)

HIGH

 

Correct file permissions, IT audit software in active use, regular backups done.

LOW

 

Entire set of files on various file shares.

Critical data could potentially be lost, but high change they could be restored via backup.

MODERATE

 

 

 

LOW

 

Continue monitoring permission changes, ensure privileged users are monitors and tracked, encore backups are properly done.

 

Risk treatment options

As the above table indicates, not all risks are created equal. There are literally thousands of risks that a large organization faces. The goal is to put most of the efforts into the ones that can create the greatest risk to the organization.

Risk control is the process by which a firms reduces the likelihood of a risk event occurring or mitigates the effects that risk should it occur. After the risks have been assessed and identified, there are generally 4 ways in which an organization can deal with the risks. This is often knows as the 4 T’s process:

  1. Tolerate – There is where no action is needed to mitigate or reduce a risk, as it is below the firm’s risk appetite. This may be due to the cost of instituting risk reduction or mitigation activity is not cost-effective or the risks of impact are at so low that they are deemed acceptable.
  2. Treat – where the risk is above the firm’s risk appetite, but treatment is proportionate; or where the treatment is so simple and cost effective that it is proportionate to treat the risk even though it falls below the firm’s risk appetite.
  3. Transfer – where the risk can’t be brought below the firm’s risk appetite with proportionate treatment, but a cost-effective option is available to transfer the risk to a third-party. This can be done via cyber-insurance.
  4. Terminate – where the risk can’t be brought below the firm’s risk appetite with proportionate efforts or resources. And there are no cost-effective transfer mechanisms available.

Use cases

Now that you know all this about cyber security risk assessments, one last thing to consider are use cases.  Just as one firm would not use the same logo as another firm, so too an approach to information risk must be customized.

Cyber security is far too complex for there to be a single approach or method that works for all firms. The benefit of using customized use-cases is that it provides a method to use fundamental risk assessment practices and concurrently use it to create a customized risk mediation program.

There are literally thousands (if not more) of potential uses cases in a large enterprise operation.  With limited staff and budget, the key is to find the most common ones that will best address and minimize risk within the organization.

Some common use case examples include assessing the cyber security risks:

  • security budgets
  • disaster recovery and business continuity planning
  • to determine the impact of zero day thread, new vulnerabilities
  • to determine the results of a recent vulnerability scan
  • for a new application, technology, operating system, etc.
  • associated with a new outsourced provider, third-party or new business partner
  • scenario-planning exercises
  • impact of a new law, regulation or standard.

Risk assessment methodologies

There are a number of risk assessment methodologies in use.  Each has its advantages and disadvantages, and it is the responsibility of a firm to determine which is the most appropriate methodology for their organization.  Some of the more popular risk management methodologies include:

COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. COBIT provides an implementable "set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers”.

ISO/IEC 27005:2018 is part of the ISO/IEC 2700x set of information security management system (ISMS) standards, and is a reference point for firms looking to attain ISO 27001 certification.  While 27005 does not provide any specific method for information security risk management, it provides guidelines for information security risk management in an organization. It is up to the organization to define their approach to risk management, depending for example on the scope of an ISMS, context of risk management, or industry sector.

FAIR (Factor Analysis of Information Risk is an excellent value at risk (VaR) framework for cybersecurity and operational risk. Created by the FAIR Institute, it’s an open standard for measuring and managing information risk. The benefit of FAIR is that it provides information risk, cybersecurity and business professionals with a common language to measure, manage and report on information risk from the business perspective.

For those looking for an excellent technical introduction to the methodology, Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones is an invaluable resource.

NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

Caveats

Some caveats around risk are worth considering before we complete this:

  • Just as different firms have different risk tolerance levels, so do different people within your organization. Your chief legal counsel is likely much more risk adverse than the head of network operations. With that, it’s important to realize that when dealing with different business process owners within your own organization.
  • Irrespective when selective either the quantitative or qualitative model is to appreciate that risk is not an objective science. Even with advanced tools, there is still a lot of intuition that goes into the risk calculations.
  • Combining multiple risks into a single risk indicator is difficult. Often an executive will want to know the total risk. But risk aggregation is not something that is easily done.
  • Realize that risk changes over time. As different people, processes and technologies come into play into your organization, so too with the risks associated with them change.  Firms also changes their direction, business objectives, etc. It is important to keep that in mind when performing a cyber security risk assessment.

Conclusions

Cyber security risk assessments are an integral part of any information security risk initiative. Cyber security is now an issue that every member of a board of directors is concerned with. Managing cyber security risks is now a board issue. They are becoming more preemptive in evaluating cybersecurity risk exposure as an enterprise-wide risk management issue, and a key way to do that is via a cyber security risk assessment.

 


 

About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats. Our experts use an award winning Threat Intelligence led approach that incorporates real-time data, ensuring that your company is protected at every stage of its journey.

Nettitude will help you make sense of all this information in pragmatic workshops and training sessions. We will help you to implement an active and relevant risk methodology.

Topics: Cyber Security, risk assessment

About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

Our experts use an award winning Threat Intelligence led approach that incorporates real-time data, ensuring that your company is protected at every stage of its journey.

Receive an update when we post!

Recent Posts