Consider the fact that we, as humans, assess risk daily. We assess risk before walking across the street, catching a train, driving our car, or even eating spicy foods, so why have we been reluctant to consider cybersecurity risk assessments as the foundational approach to security and assurance?
Let us first discuss business risk. These risks have traditionally been the focus of the CEO, CFO, or COO, and are handled as such. When we think of business risk, we consider things like new competitors entering the market, decreasing market share, rising interest rates, and financial risks such as profit & loss, cash flow, M&A, and credit risk. Market risk may include rising interest rates, foreign exchange, equity, and stock market holdings. Then there’s Liquidity risk and Operational risk. I think you get the point.
When we think of cybersecurity risk, we may think of environmental issues affecting data center operations, like climate control failure, a broken water pipe, data center fire, or smoke.
The CISO may be tasked with calculating the probability of risk involving acts of nature such as lightning strikes, floods, tornados, earthquakes, tsunamis, hurricanes, or volcanoes. All are heavily dependent upon the organization’s geographic location.
There are regulatory risks, in that, if your organization is breached and found non-compliant, you may be subject to fines and/or rejected insurance claims, or a rise in interest rates. This may lead to reputational damage, loss of customers, or loss of market share. Lastly, we may store intellectual property, such as engineering diagrams, new product releases, software code, etc., so we must consider the risk of it being leaked to a competitor or sold on the dark web.
Based on the information covered in the previous few paragraphs, can we not conclude that all are in some way linked to overall business risk? And if we can agree on that, can’t we agree that Cybersecurity Risk is a Business Problem?
Cyber Risk Defined
There are many definitions of cybersecurity risk out there. If you’ve studied for your CISSP, you may have seen risk = threats × vulnerabilities, or risk = probability of harm × severity of harm, which translates to likelihood + impact. If you’ve studied the CRISC curriculum, you may have read the definition of Risk as the possibility of harm that can come to an asset or an organization.
Through my studies, and my knowledge of NIST SP 800-30 ‘Conducting a Risk Assessment’, I have defined Risk as the Probability/Likelihood that a Threat Actor/Threat Source initiates a Threat Event (Tactics, Techniques, and Procedures, or TTPs) that exploits a Vulnerability and causes an adverse Impact to the organization.
See the figure for a graphical representation.
Why a Risk Assessment?
We’ve acknowledged that risk is a business problem and discussed business and cybersecurity risks that may be of concern to your organization, but I’m going to list out a few reasons why a risk assessment may be an integral part of your security program:
- Compliance Mandates
- Determine Vulnerability Posture
- Understand Potential Threats
- Increased Awareness
- Mitigating Future Risk
- Cyber Insurance
- Allocation of Funds
- Prioritizing Control Selection
Risk Assessment Approaches
We’ve established a few compelling reasons for performing a risk assessment. Now you may be asking: what are my options? This question is difficult to answer because it depends on several factors. First, senior leadership’s definition and perspective of risk, and its risk tolerance and/or appetite. Second, the expected timeline for the risk assessment. Third, if it is performed by a third party, the budget allocated for the risk assessment. Lastly, are you assessing an entire organization or a sample set? These questions need to be analyzed and are unique to each organization. That being said, let’s discuss the options.
Qualitative – Most of you reading this are probably familiar with a red/yellow/green or 5×5 risk matrix based on likelihood and impact. It may look something like this:
Semi-Quantitative – This type of assessment associates a numerical value with High, Medium, and Low, or, if you’re following NIST SP 800-30, Very Low, Low, Moderate, High, and Very High. These are considered Qualitative Values, but if we take Very High, for instance, it may be associated with a range of 96-100 or simply the value 10. The diagram below illustrates this with more clarity.
Quantitative – This method is more complex and time-intensive. It requires calculating probabilities based on upper- and lower-bound estimates and confidence coefficients. Some use the Factor Analysis of Information Risk (FAIR) model, while others use Monte Carlo simulation models or Bayesian probability.
The Process According to NIST 800-30
Step 1: Preparing for the Assessment – Define organizational risk, risk tolerance, and the assessment method; determine purpose and scope. What potential constraints may be associated with the assessment?
Step 2: Conducting the Assessment – Identify threat sources, their characteristics, and threat events. This step is where you may review ISACs, Threat Intelligence feeds, the DBIR, or the Ponemon Institute’s ‘Cost of a Data Breach’ report to determine industry-specific financial impacts, then apply this intelligence to your organization. I like this aspect of NIST’s Risk Framework because it reduces a bit of the subjectivity that exists with a strictly Qualitative or Semi-Quantitative assessment and provides clarity and justification to the board members who may be reviewing the assessment.
Identify Vulnerabilities and Predisposing Conditions – Gather software, hardware, physical, or logical vulnerabilities, and the residual risk left over from a prior engagement.
Determine the Likelihood of Occurrence – Also an artifact of your intelligence gathering, this is the assessment and ranking of each threat event on the likelihood scale.
Determine the Magnitude of Impact – Potential regulatory or legal fines, loss of business, insurance premium increases, degradation of production time.
Determine Risk – The culmination of the above, based on all data gathered and the likelihood and impact levels selected.
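As an added example (not from the original post), here is a small Python implementation of the NIST SP 800-30 semi-quantitative approach described above: the Very Low to Very High scale with its 0-100 values, the likelihood-by-impact combination used in the Determine Risk step, and the ranking of a constructed risk register for control prioritization. The scale ranges and the combination table are reproduced from my reading of the Appendix I tables and should be checked against the published revision; the threat events are constructed sample data.

```python
from dataclasses import dataclass

# Semi-quantitative scale: level -> ((low, high) range on 0-100, single point value).
# Reproduced from my reading of NIST SP 800-30 Rev.1 Appendix I; verify before use.
SCALE = {
    "Very Low":  ((0, 4), 0),
    "Low":       ((5, 20), 2),
    "Moderate":  ((21, 79), 5),
    "High":      ((80, 95), 8),
    "Very High": ((96, 100), 10),
}
LEVELS = list(SCALE)  # ordered Very Low .. Very High

# Level of risk: rows are likelihood, columns are impact (both Very Low .. Very High).
# Assumed to match the Appendix I "combination of likelihood and impact" table.
RISK_TABLE = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",  "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",  "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High", "Very High"],
}

def level_from_score(score: int) -> str:
    """Map a 0-100 semi-quantitative value (e.g. 97) back to its qualitative level."""
    for level, ((lo, hi), _) in SCALE.items():
        if lo <= score <= hi:
            return level
    raise ValueError(f"score out of range: {score}")

def risk_level(likelihood, impact) -> str:
    """Combine likelihood and impact; each may be a level name or a 0-100 score."""
    if isinstance(likelihood, int):
        likelihood = level_from_score(likelihood)
    if isinstance(impact, int):
        impact = level_from_score(impact)
    return RISK_TABLE[likelihood][LEVELS.index(impact)]

@dataclass
class ThreatEvent:
    name: str
    likelihood: object  # level name or 0-100 score
    impact: object      # level name or 0-100 score

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

def prioritize(events):
    """Rank a risk register highest risk first, as input to control selection."""
    return sorted(events, key=lambda e: SCALE[e.risk][1], reverse=True)

# Constructed sample register (hypothetical values, not from any real assessment).
SAMPLE_REGISTER = [
    ThreatEvent("Data center flood", "Very Low", "Very High"),
    ThreatEvent("Phishing leads to credential theft", "High", "Moderate"),
    ThreatEvent("Ransomware on file servers", 85, 97),
    ThreatEvent("Unpatched web app exploited", "Moderate", "High"),
]
```

Running `prioritize(SAMPLE_REGISTER)` puts the ransomware event (High likelihood, Very High impact) first and the flood (Very Low likelihood despite Very High impact) last, which is the point of combining both axes rather than ranking on impact alone.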
Step 3: Communicating Results – In a prior post, ‘The Modern CISO: From Data Closet to Boardroom’, I mention the delivery of cybersecurity information and assessment results to different audiences. If you’re presenting it to the board of directors or the CEO, you must present the information in a way that they understand, which may be in terms of financial impact. If you’re presenting to the CIO, it may be in terms of loss due to downtime, resilience, or data loss.
Step 4: Maintain Assessment – A risk assessment is not a one-and-done. It should involve continuous improvement and follow-up risk assessments.
To conclude, we’ll discuss risk treatment. Depending on the level or severity of the risk and the asset, segment, or location being assessed, we determine the overall risk to the business. The treatment decision will normally be made by the executive team and/or board of directors, and the choices normally consist of the following:
Mitigate – The determination was made to mitigate the risk, either by applying a patch or by purchasing a security solution, reducing the risk to an acceptable level.
Accept – It was determined that the risk was either too costly to mitigate or the threat event was too unlikely to manifest, so the decision was made to accept the risk.
Transfer – The decision has been made to purchase insurance or to outsource the risk to a third party by offloading it to an MSSP. Remember, you are still responsible for your customers’ data, so be sure to assess your supply chain and/or third-party partners.
Avoid – This option suggests the elimination of the solution, process, or technology that produced the risk.
RISK – We can’t avoid it, and we can’t eliminate it, so we should assess it, measure it, and determine the best course of action to reduce it to an acceptable level.
By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA