A cyber security risk assessment is about understanding, managing, controlling and mitigating cyber risk. Cyber risk is defined as exposure to harm or loss resulting from data breaches or cyber attacks on information systems, information technology and information security. However, this definition must be broadened. A better, more encompassing definition is the risk of financial loss, disruption or reputational damage due to the failure of an organization's cybersecurity strategy. Cyber risk management doesn't end with your organization. Many organizations fail to take into account their supply chain and service providers when measuring cybersecurity risk. Enterprise risk must take into account third-party risk and fourth-party risk. It is a crucial part of any organization's risk management strategy and data protection efforts.
Risk assessments are very important and crucial and whether you like it or not, if you work in information security, you are in the risk management business. As organizations rely more on information technology and information systems to do business, the inherent risks involved increase, risks that didn't exist prior.
What is risk?
Risk is the likelihood of reputational or financial loss and can be measure from zero, low, medium, to high. The three factors that feed into a risk vulnerability assessment are:
What is the threat?
How vulnerable is the system?
What is the reputational or financial damage if breached or made unavailable?
This gives us a of cyber risk as: Cyber risk = Threat x Vulnerability x Information Value
Imagine you were to assess the risk associated with a cyber attack compromising a particular operating system. This operating system has a known backdoor in version 1.7 of its software that is easily exploitable via physical means and stores information of high value on it. If your office has no physical security, your risk would be high. However, if you have good IT staff who can identify vulnerabilities and they update the operating system to version 1.8, your vulnerability is low, even though the information value is still high because the backdoor was patched in version 1.8.
A few things to keep in mind is, there are very few things with zero risk to a business process or information system, and risk implies uncertainty. If something is guaranteed to happen, it's not a risk. It's part of general business operations.
What is a cyber risk assessment?
Cyber risk assessments are defined by NIST as risks assessments are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
The primary purpose of a cyber risk assessment is to help inform decision-makers and support proper risk responses. They also provide an executive summary to help executives and directors make informed decisions about security. The information security risk assessment process is concerned with answering the following questions:
What are our organization's most important information technology assets?
What data breach would have a major impact on our business whether from malware, cyber attack or human error? Think customer information.
What are the relevant threats and the threat sources to our organization?
What are the internal and external vulnerabilities?
What is the impact if those vulnerabilities are exploited?
What is the likelihood of exploitation?
What cyber attacks, cyber threats, or security incidents could impact affect the ability of the business to function?
What is the level of risk my organization is comfortable taking?
If you can answer those questions, you will be able to make a determination of what to protect. This means that Cyber Quotient® can help you develop IT security controls and data security strategies to mitigate risk. Before you can do that though, you need to answer the following questions:
What is the risk I am reducing?
Is this the highest priority security risk?
Am I reducing the risk in the most cost-effective way?
This will help you understand the information value of the data you are trying to protect and allow you to better understand your information risk management process in the scope of protecting business needs.
Why perform a cyber risk assessment?
There are a number of reasons you want to perform a cyber risk assessment and a few reasons you need to. Let's walk through them:
Reduction of long-term costs: identifying potential threats and vulnerabilities, then working on mitigating them has the potential to prevent or reduce security incidents which saves your organization money and/or reputational damage in the long-term
Provides a cyber security risk assessment template for future assessments: Cyber risk assessments aren't one of processes, you need to continually update them, doing a good first turn will ensure repeatable processes even with staff turnover
Better organizational knowledge: Knowing organizational vulnerabilities gives you a clear idea of where your organization needs to improve
Avoid data breaches, Data Breaches can have a huge financial and reputational impact on any organization
Avoid regulatory issues: Customer data that is stolen because you failed to comply with industry guidelines, Cyber Security Guidelines.**
Avoid application downtime: Internal or customer facing systems need to be available and functioning for staff and customers to do their jobs
Data loss: theft of trade secrets, code, or other key information assets could mean you lose business to competitors
Beyond that, cyber risk assessments are integral to information risk management and any organization's wider risk management strategy.
Cyber risk assessment with Cyber Quotient® ?
We'll start with a high level overview and drill down into each step in the next sections. Before you do anything to start assessing and mitigating risk, you need to understand what data you have, what infrastructure you have, and the value of the data you are trying to protect.We will start by auditing your data to answer the following questions:
What data do you collect?
How and where are you storing this data?
How do you protect and document the data?
How long do youkeep data?
Who has access internally and externally to the data?
Is the place we are storing the data properly secured? Many breaches come from poorly configured storage servers.
Next, we will define the parameters of your assessment.
What is the purpose of the assessment?
What is the scope of the assessment?
Are there any priorities or constraints we should be aware of that could affect the assessment?
Who do we need access to in the organization to get all the information I need?
What risk model does the organization use for risk analysis?
A lot of these questions are self-explanatory. What we really want to know is what you'll be analyzing, who has the expertise required to properly assess, and are there any regulatory requirements or budget constraints you need to be aware of.
Now let's look at what steps need to be taken to complete a thorough cyber risk assessment - Cyber Quotient®, providing you with a risk assessment template.
Step 1: Determine information value
Most organizations don't have an unlimited budget for information risk management so it's best to limit your scope to the most business-critical assets.
To save time and money later, spend some time defining a standard for determining the important of an asset. Most organizations include asset value, legal standing and business importance. Once the standard is formally incorporated into the organization's information risk management policy, use it to classify each asset as critical, major or minor.
There are many questions you can ask to determine value:
Are there financial or legal penalties associated with exposing or losing this information?
How valuable is this information to a competitor?
Could we recreate this information from scratch? How long would it take and what would be the associated costs?
Would losing this information have an impact on revenue or profitability?
Would losing this data impact day-to-day business operations? Could our staff work without it?
What would be the reputational damage of this data being leaked?
Step 2: Identify and prioritize assets
The first step is to identify assets to evaluate and determine the scope of the assessment. This will allow us to prioritize which assets to assess. You may not want to perform an assessment on every building, employee, electronic data, trade secret, vehicle, and piece of office equipment. Remember, not all assets have the same value.
You need to work with business users and management to create a list of all valuable assets. For each asset, gather the following information where applicable:
Software
Hardware
Data
Interface
End-users
Support personal
Purpose
Criticality
Functional requirements
IT security policies
IT security architecture
Network topology
Information storage protection
Information flow
Technical security controls
Physical security controls
Environmental security
Step 3: Identify threats
A threat is any vulnerability that could be exploited to breach security to cause harm or steal data from your organization. While hackers, malware, and other IT security risks leap to mind, there are many other threats:
Natural disasters: Floods, hurricanes, earthquakes, lightning and fire can destroy as much as any cyber attacker. You can not only lose data but servers too. When deciding between on-premise and cloud-based servers, think about the chance of natural disasters.
System failure: Are your most critical systems running on high-quality equipment? Do they have good support?
Human error: Are your data servers properly secured. Does your organization have proper education around malware, phishing and social engineering? Anyone can accidentally click a malware link or enter their credentials into a phishing scam. You need to have strong IT security controls including regular data backups, password managers, etc.
Adversarial threats: third party vendors, insiders, trusted insiders, privileged insiders, established hacker collectives, ad hoc groups, corporate espionage, suppliers, nation-states
Some common threats that affect every organization include:
Unauthorized access: both from attackers, malware, employee error
Misuse of information by authorized users: typically an insider threat where data is altered, deleted or used without approval
Data leaks: Personally identifiable information (PII) and other sensitive data, by attackers or via poor configuration of cloud services or data servers.
Loss of data: organization loses or accidentally deleted data as part of poor backup or replication
Service disruption: loss of revenue or reputational damage due to downtime
After you've identified the threats facing your organization, we will need to assess their impact.
Step 4: Identify vulnerabilities
Now it's time to move from what "could" happen to what has a chance of happening. A vulnerability is a weakness that a threat can exploit to breach security, harm your organization, or steal sensitive data. Vulnerabilities are found through vulnerability analysis, audit reports, the National Institute for Standards and Technology (NIST) vulnerability database, vendor data, incident response teams, and software security analysis.
You can reduce organizational software-based vulnerabilities with proper patch management via automatic forced updates. But don't forget physical vulnerabilities, the chance of someone gaining access to an organization's computing system is reduced by having keycard access.
Step 5: Analyze controls and implement new controls
Analyze controls that are in place to minimize or eliminate the probability of a threat or vulnerability. Controls can be implemented through technical means, such as hardware or software, encryption, intrusion detection mechanisms, two-factor authentication, automatic updates, continuous data leak detection or through nontechnical means like security policies and physical mechanisms like locks or keycard access.
Controls should be classified as as preventative or detective controls. Preventative controls attempt to stop attacks like encryption, antivirus or continuous security monitoring, detective controls try to discover when an attack has occurred like continuous data exposure detection.
Step 6: Calculate the likelihood and impact of various scenarios on a per-year basis
Now you know the information value, threats, vulnerabilities and controls, the next step is to identify how likely these cyber risks are to occur and their impact if they happen. It's not just whether you might face one of these events at some point, but what it's potential for success could be. You can then use these inputs to determine how much to spend to mitigate each of your identified cyber risks.
Imagine you have a database that store all your company's most sensitive information and that information is valued at RM or $100 million based on your estimates.You estimate that in the event of a breach, at least half of your data would be exposed before it could be contained. This results in an estimated loss of $50 million. But you expect that this is unlikely to occur, say a one in fifty year occurrence. Resulting in an estimated loss of $50m every 50 years or in annual terms, $1 million every year. Arguably justifying a $1 million budget each year to be prevented.
Step 7: Prioritize risks based on the cost of prevention vs information value
Use risk level as a basis and determine actions for senior management or other responsible individuals to mitigate the risk. Here are some general guidelines:
High - corrective measures to be developed as soon as possible
Medium - correct measures developed within a reasonable period of time
Low - decide whether to accept the risk or mitigate
Remember, we have now determined the value of the asset and how much you could spend to protect it. The next step is crucial if it costs more to protect the asset than it's worth, it may not make sense to use a preventative control to protect it. That said, remember there could be reputational impact not just financial impact so it is important to factor that in too.
Also consider:
Organizational policies
Reputational damage
Feasibility
Regulations eg. PDPR, GDPR
Effectiveness of controls
Safety
Reliability
Organizational attitude towards risk
Tolerance for uncertainty regarding risk factors
Organizational weighting of risk factors
Step 8: Document results in risk assessment report
The final step is to develop a risk assessment report to support management in making decision on budget, policies and procedures. For each threat, the report should describe the risk, vulnerabilities and value. Along with the impact and likelihood of occurrence and control recommendations.
Aswe work through this process, we will understand what infrastructure your company operates, what your most valuable data is, and how you can better operate and secure your business. We can then create a risk assessment policy that defines what your organization must do periodically to monitor its security posture, how risks are addressed and mitigated, and how you will carry out the next risk assessment process.
Whether you are a small business or multinational enterprise information risk management is at the heart of cybersecurity. These processes help establish rules and guidelines that provide answers to what threats and vulnerabilities can cause financial and reputational damage to your business and how they are mitigated.
Ideally, as your security implementations improve and you react to the contents of your current assessment, your cybersecurity score should improve.
