Cyber Risk Management and a 5 Step Cyber Risk Assessment
What Is Cyber Risk Management?
Ineffective cybersecurity protection poses risks to any business operation. The threat landscape is constantly changing; new vulnerabilities are discovered on a daily basis, and potentially vulnerable devices are frequently added to networks, increasing the attack surface. This is particularly true with the growth in mobile work, the cloud, and the Internet of Things (IoT).
After an initial vulnerability risk assessment identifies all of an organization's digital assets and reviews existing security measures, ongoing cybersecurity risk management is required as the organization and its external threat landscape evolve. Cyber risk management ensures that the cybersecurity controls in place are sufficient to effectively address these threats.
This is part of a series of articles about cyber crime.
Why Is Cybersecurity Risk Management Important?
Every business should have a cybersecurity strategy, and this strategy should be incorporated into a general risk management plan that considers all possible business risks.
When considering cybersecurity and associated risks, businesses must identify their key cybersecurity risks and develop cybersecurity programs and controls that can prevent data breaches.
Cybercrimes are often, but not always, financially motivated. Cybercriminals often want to cause some form of financial loss, or to cause damage for the challenge, for fame, or for social causes (hacktivism). Regardless of the cybercriminal's motives, a business can face financial burdens from a successful cyberattack, so it needs to plan how to prevent and respond to cybercrimes.
Developing a robust cybersecurity risk management program for your business can help identify the most important cybersecurity risks and the potential business impact of these risks; understand the company’s vulnerabilities and security gaps; develop a strategy to better protect the business and address the gaps; mitigate risks through risk transfer; and verify that cybersecurity measures are reducing the incidence and impact of cyberattacks.
What Is a Cyber Security Risk Management Framework?
Enterprise risk management frameworks are designed to manage unexpected impacts to the business. Cybersecurity risk management frameworks are similar—they enable cost-effective risk management and efficient use of limited resources.
Cybersecurity risk management helps prevent incidents or minimize their harmful effects, by identifying risks early and taking appropriate actions. This allows an organization to make informed business decisions and achieve business goals.
A cybersecurity risk management framework simplifies the risk management process by providing templates that guide organizations through risk assessment, analysis, implementation of security strategies, and cybersecurity maturity assessment. The most commonly used cyber risk management frameworks today are ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS), and the NIST Cyber Security Framework.
How to Perform Cybersecurity Risk Assessments in 5 Steps
1. Determine the Scope of the Risk Assessment
A risk assessment begins by identifying what is within its scope. It can be organization-wide, but will usually cover a specific location, business unit, or business aspect, such as a payment processing system or web application.
All activities within the scope must be fully supported by stakeholders. To support resource-intensive operations, you may need a third party that specializes in risk assessment.
All parties should be familiar with the terms used in risk assessment, such as “likelihood” and “impact”, so that they share an understanding of how risk is structured. Before conducting any risk assessment, it is recommended to review standards (e.g., ISO/IEC 27001) and frameworks (e.g., NIST SP 800-37). This helps organizations evaluate cybersecurity risks in a structured way and ensure that mitigation controls are in place.
Several laws and standards, including the PCI DSS, HIPAA, and Sarbanes-Oxley, require organizations to perform formal risk assessments, and provide guidance and advice on completing these assessments. However, meeting compliance requirements does not mean that your organization is not at risk, so you should avoid a compliance-focused checklist approach when conducting an assessment.
2. Threat and Vulnerability Identification
A threat can be any event that compromises an organization's assets or processes. Threats can be internal or external, malicious or accidental. Many threats are unique to organizations, and many occur across industries. Therefore, all potential threats must be thoroughly blocked.
A vulnerability is a security flaw that can cause damage to an organization. Vulnerabilities can be identified using analytics, audit reports, NIST vulnerability databases, vendor data, information security testing and assessment (ST&E) methodologies, penetration testing, and automated vulnerability scanning techniques.
Do not limit your analysis to technical glitches. There are also physical and human flaws. For example, placing data rooms in basements makes them more vulnerable to flooding. And if you don't educate your employees about the risks of phishing attacks, you're more vulnerable to social engineering.
3. Analyze Risks and Determine Potential Impact
Determine the likelihood that the risk scenarios described in the previous step will actually occur, and their impact on the business. In cybersecurity risk assessment, risk probability (the likelihood that a particular threat can exploit a particular vulnerability) is not measured by past events, but rather by:
4. Determine and Prioritize Risks
A risk matrix can be used to classify each risk scenario. Organizations should prioritize scenarios that exceed the acceptable risk tolerance level. The three ways to do this are:
Avoid—if the risks outweigh the benefits, avoiding the activity may be your best option.
Transfer—by taking out cyber insurance or outsourcing certain tasks to third parties, you can share the risk and security responsibility.
Mitigate—implement security measures and controls to minimize the level of likelihood, impact and risk.
No environment or system is 100% secure - there will always be some risk involved, known as residual risk. Senior stakeholders must formally accept this risk as part of an organization's security strategy.
5. Document All Risks
It is important to record all the risk scenarios identified in a “risk register”. This should be reviewed and updated regularly to keep management informed of the latest cybersecurity risks. It should include:
Date of identification
Current security measures
Current risk level
Planned actions and schedules to keep risk within the agreed risk tolerance level
Progress in implementing the planned actions.
Residual risk—level of risk after implementation of the treatment plan.
Risk owners—the person or group of people responsible for maintaining the residual risk at an acceptable level.
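An added example, not part of the original article: a minimal risk register in Python that scores each scenario on a risk matrix, orders the scenarios above tolerance, and flags entries a register review should raise. The 5x5 scale, the bands, the tolerance value, the field names and the sample scenarios are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed scale: likelihood and impact each rated 1 (lowest) to 5 (highest).
# Bands and tolerance are illustrative values, not taken from any standard.
BANDS = [(15, "high"), (8, "medium"), (1, "low")]
TOLERANCE = 7  # highest score accepted without treatment

def score(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be between 1 and 5")
    return likelihood * impact

def band(value: int) -> str:
    return next(name for floor, name in BANDS if value >= floor)

@dataclass
class RiskEntry:
    scenario: str
    identified: date
    current_measures: list
    current: tuple          # (likelihood, impact) with current measures
    planned_actions: list   # actions and their due dates
    progress: str
    residual: tuple         # (likelihood, impact) expected after treatment
    owner: str

def prioritize(register):
    """Scenarios above tolerance, highest current score first."""
    over = [e for e in register if score(*e.current) > TOLERANCE]
    return sorted(over, key=lambda e: score(*e.current), reverse=True)

def review(register):
    """Return (scenario, problem) pairs a register review should raise."""
    findings = []
    for e in register:
        if not e.owner:
            findings.append((e.scenario, "no risk owner"))
        if score(*e.current) > TOLERANCE and not e.planned_actions:
            findings.append((e.scenario, "above tolerance, no planned actions"))
        if score(*e.residual) > TOLERANCE:
            findings.append((e.scenario, "residual risk above tolerance"))
    return findings

# Constructed sample register (scenarios and ratings are invented).
REGISTER = [
    RiskEntry("Lost unencrypted laptop", date(2024, 2, 1), ["asset inventory"], (2, 3), ["disk encryption by 2024-05-31"], "not started", (1, 3), "Service desk"),
    RiskEntry("Data room flooding", date(2024, 1, 20), [], (2, 5), [], "not started", (2, 5), ""),
    RiskEntry("Phishing leads to credential theft", date(2024, 1, 15), ["spam filter"], (4, 4), ["MFA rollout by 2024-06-30"], "in progress", (2, 4), "IT security lead"),
]
```

A "residual risk above tolerance" finding means the entry needs either further treatment or formal acceptance by senior stakeholders, as described in step 4.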
Cybersecurity risk assessment is an ongoing and complex task, so you need to free up time and resources to improve your organization's future security. It must be repeated as new threats emerge and new activities and systems are introduced. However, over time it can have significant benefits, by reducing the impact of cyberattacks on business objectives, and providing repeatable processes and templates for future risk assessments.