A cyber security risk assessment is about understanding, managing, controlling and mitigating cyber risk across your organization. It is a crucial part of any organization's risk management strategy and data protection efforts.
Risk assessments are nothing new and, whether you like it or not, if you work in information security you are in the risk management business. As organizations rely more on information technology and information systems to do business, the inherent risks increase, including risks that didn't exist before.
The National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework to provide a base for best practice.
Table of contents
- What is risk?
- What is a cyber risk assessment?
- Why perform a cyber risk assessment?
- Who should perform a cyber risk assessment?
- How to perform a cyber risk assessment
- Step 1: Determine information value
- Step 2: Identify and prioritize assets
- Step 3: Identify threats
- Step 4: Identify vulnerabilities
- Step 5: Analyze controls and implement new controls
- Step 6: Calculate the likelihood and impact of various scenarios on a per-year basis
- Step 7: Prioritize risks based on the cost of prevention vs information value
- Step 8: Document results in risk assessment report
- Improve your cybersecurity score, automate third-party risk assessment and prevent breaches
Risk is the likelihood of reputational or financial loss and can be measured on a scale from zero through low and medium to high. The three factors that feed into a risk vulnerability assessment are:
- What is the threat?
- How vulnerable is the system?
- What is the reputational or financial damage if breached or made unavailable?
This gives us a formula for cyber risk: Cyber risk = Threat x Vulnerability x Information Value
Imagine you were to assess the risk associated with a cyber attack compromising a particular operating system. This operating system has a known backdoor in version 1.7 of its software that is easily exploitable via physical means, and the machine stores information of high value. If your office has no physical security, your risk would be high.
However, if you have good IT staff who can identify vulnerabilities and they update the operating system to version 1.8, your vulnerability is low, even though the information value is still high because the backdoor was patched in version 1.8.
A few things to keep in mind: there are very few things with zero risk to a business process or information system, and risk implies uncertainty. If something is guaranteed to happen, it's not a risk; it's part of general business operations.
NIST defines cyber risk assessments as follows: risk assessments are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
The primary purpose of a cyber risk assessment is to help inform decision-makers and support proper risk responses. They also provide an executive summary to help executives and directors make informed decisions about security. The information security risk assessment process is concerned with answering the following questions:
- What are our organization's most important information technology assets?
- What data breach would have a major impact on our business whether from malware, cyber attack or human error? Think customer information.
- What are the relevant threats and the threat sources to our organization?
- What are the internal and external vulnerabilities?
- What is the impact if those vulnerabilities are exploited?
- What is the likelihood of exploitation?
- What cyber attacks, cyber threats, or security incidents could affect the ability of the business to function?
- What is the level of risk my organization is comfortable taking?
If you can answer those questions, you will be able to make a determination of what to protect. This means you can develop IT security controls and data security strategies to mitigate risk. Before you can do that though, you need to answer the following questions:
- What is the risk I am reducing?
- Is this the highest priority security risk?
- Am I reducing the risk in the most cost-effective way?
This will help you understand the information value of the data you are trying to protect and allow you to better understand your information risk management process in the scope of protecting business needs.
There are a number of reasons you want to perform a cyber risk assessment and a few reasons you need to. Let's walk through them:
- Reduction of long-term costs: identifying potential threats and vulnerabilities, then working on mitigating them, has the potential to prevent or reduce security incidents, which saves your organization money and/or reputational damage in the long term
- Provides a cyber security risk assessment template for future assessments: cyber risk assessments aren't one-off processes; you need to continually update them, and doing a good first turn will ensure repeatable processes even with staff turnover
- Better organizational knowledge: knowing organizational vulnerabilities gives you a clear idea of where your organization needs to improve
- Avoid data breaches: data breaches can have a huge financial and reputational impact on any organization
- Avoid regulatory issues: customer data that is stolen because you failed to comply with HIPAA, PCI DSS or APRA CPS 234 can lead to regulatory penalties
- Avoid application downtime: internal or customer-facing systems need to be available and functioning for staff and customers to do their jobs
- Avoid data loss: theft of trade secrets, code, or other key information assets could mean you lose business to competitors
Beyond that, cyber risk assessments are integral to information risk management and any organization's wider risk management strategy.
Ideally your organization has personnel in-house who can handle it. This means having IT staff with an understanding of how your digital and network infrastructure work, as well as executives who understand how information flows and any proprietary organizational knowledge that may be useful during assessment. Organizational transparency is key to a thorough cyber risk assessment.
Small businesses may not have the right people in-house to do a thorough job and will need to outsource the assessment to a third party. Organizations are also turning to cybersecurity software to monitor their cybersecurity score, prevent breaches, send security questionnaires and reduce third-party risk.
We'll start with a high-level overview and drill down into each step in the next sections. Before you do anything to start assessing and mitigating risk, you need to understand what data you have, what infrastructure you have, and the value of the data you are trying to protect. You may want to start by auditing your data to answer the following questions:
- What data do we collect?
- How and where are we storing this data?
- How do we protect and document the data?
- How long do we keep data?
- Who has access internally and externally to the data?
- Is the place we are storing the data properly secured? Many breaches come from poorly configured S3 buckets; check your S3 permissions or someone else will
Next, you'll want to define the parameters of your assessment. Here are a few good primer questions to get you started:
- What is the purpose of the assessment?
- What is the scope of the assessment?
- Are there any priorities or constraints I should be aware of that could affect the assessment?
- Who do I need access to in the organization to get all the information I need?
- What risk model does the organization use for risk analysis?
A lot of these questions are self-explanatory. What you really want to know is what you'll be analyzing, who has the expertise required to properly assess it, and whether there are any regulatory requirements or budget constraints you need to be aware of.
Now let's look at what steps need to be taken to complete a thorough cyber risk assessment, providing you with a risk assessment template.
Most organizations don't have an unlimited budget for information risk management so it's best to limit your scope to the most business-critical assets.
To save time and money later, spend some time defining a standard for determining the importance of an asset. Most organizations include asset value, legal standing and business importance. Once the standard is formally incorporated into the organization's information risk management policy, use it to classify each asset as critical, major or minor.
There are many questions you can ask to determine value:
- Are there financial or legal penalties associated with exposing or losing this information?
- How valuable is this information to a competitor?
- Could we recreate this information from scratch? How long would it take and what would be the associated costs?
- Would losing this information have an impact on revenue or profitability?
- Would losing this data impact day-to-day business operations? Could our staff work without it?
- What would be the reputational damage of this data being leaked?
The first step is to identify assets to evaluate and determine the scope of the assessment. This will allow you to prioritize which assets to assess. You may not want to perform an assessment on every building, employee, electronic data, trade secret, vehicle, and piece of office equipment. Remember, not all assets have the same value.
You need to work with business users and management to create a list of all valuable assets. For each asset, gather the following information where applicable:
- Support personnel
- Functional requirements
- IT security policies
- IT security architecture
- Network topology
- Information storage protection
- Information flow
- Technical security controls
- Physical security controls
- Environmental security
A threat is anything that could exploit a vulnerability to breach security, cause harm or steal data from your organization. While hackers, malware, and other IT security risks leap to mind, there are many other threats:
- Natural disasters: Floods, hurricanes, earthquakes, lightning and fire can destroy as much as any cyber attacker. You can not only lose data but servers too. When deciding between on-premise and cloud-based servers, think about the chance of natural disasters.
- System failure: Are your most critical systems running on high-quality equipment? Do they have good support?
- Human error: Are your S3 buckets holding sensitive information properly configured? Does your organization have proper education around malware, phishing and social engineering? Anyone can accidentally click a malware link or enter their credentials into a phishing scam. You need to have strong IT security controls including regular data backups, password managers, etc.
- Adversarial threats: third party vendors, insiders, trusted insiders, privileged insiders, established hacker collectives, ad hoc groups, corporate espionage, suppliers, nation-states
Some common threats that affect every organization include:
- Unauthorized access: from attackers, malware or employee error
- Misuse of information by authorized users: typically an insider threat where data is altered, deleted or used without approval
- Data leaks: Personally identifiable information (PII) and other sensitive data, by attackers or via poor configuration of cloud services
- Loss of data: the organization loses or accidentally deletes data as a result of poor backup or replication
- Service disruption: loss of revenue or reputational damage due to downtime
After you've identified the threats facing your organization, you'll need to assess their impact.
Now it's time to move from what "could" happen to what has a chance of happening. A vulnerability is a weakness that a threat can exploit to breach security, harm your organization, or steal sensitive data. Vulnerabilities are found through vulnerability analysis, audit reports, the National Institute of Standards and Technology (NIST) vulnerability database, vendor data, incident response teams, and software security analysis.
You can reduce organizational software-based vulnerabilities with proper patch management via automatic forced updates. But don't forget physical vulnerabilities: the chance of someone gaining access to an organization's computing system is reduced by having keycard access.
Analyze the controls that are in place to minimize or eliminate the probability of a threat or vulnerability. Controls can be implemented through technical means, such as hardware or software, encryption, intrusion detection mechanisms, two-factor authentication, automatic updates and continuous data leak detection, or through nontechnical means such as security policies and physical mechanisms like locks or keycard access.
Controls should be classified as preventative or detective. Preventative controls, such as encryption, antivirus or continuous security monitoring, attempt to stop attacks; detective controls, such as continuous data exposure detection, try to discover when an attack has occurred.
Now that you know the information value, threats, vulnerabilities and controls, the next step is to identify how likely these cyber risks are to occur and their impact if they happen. It's not just whether you might face one of these events at some point, but what its potential for success could be. You can then use these inputs to determine how much to spend to mitigate each of your identified cyber risks.
Imagine you have a database that stores all your company's most sensitive information, and that information is valued at $100 million based on your estimates.
You estimate that in the event of a breach, at least half of your data would be exposed before it could be contained. This results in an estimated loss of $50 million. But you expect that this is unlikely to occur, say a one-in-fifty-year occurrence. That gives an estimated loss of $50 million every 50 years or, in annual terms, $1 million every year.
Arguably, this justifies a budget of up to $1 million each year to prevent it.
Use risk level as a basis and determine actions for senior management or other responsible individuals to mitigate the risk. Here are some general guidelines:
- High - corrective measures to be developed as soon as possible
- Medium - corrective measures developed within a reasonable period of time
- Low - decide whether to accept the risk or mitigate
Remember, you have now determined the value of the asset and how much you could spend to protect it. The next step is easy: if it costs more to protect the asset than it's worth, it may not make sense to use a preventative control to protect it. That said, remember there could be reputational impact, not just financial impact, so it is important to factor that in too. Other factors to consider include:
- Organizational policies
- Reputational damage
- Effectiveness of controls
- Organizational attitude towards risk
- Tolerance for uncertainty regarding risk factors
- Organizational weighting of risk factors
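The Step 6 and Step 7 arithmetic above, as an added example that is not part of the original article: it turns the $100 million database scenario into single loss expectancy, annualized rate of occurrence and annualized loss expectancy, then checks whether a proposed preventative control costs less than the yearly loss it avoids. The High/Medium/Low cut-offs, the control costs and the second asset are assumptions made for illustration.

```python
from dataclasses import dataclass

# Added example, not from the article. Quantifies the Step 6 and Step 7
# reasoning: SLE x ARO = ALE, and a control is worth buying only if its
# annual cost is below the annual loss it removes. Thresholds, control
# figures and the second asset are assumptions for illustration.

@dataclass
class Risk:
    asset: str
    asset_value: float           # estimated value of the information, in dollars
    exposure_factor: float       # fraction of the value lost in one incident
    years_between_events: float  # 50.0 means a one-in-fifty-year event
    control_cost: float          # annual cost of the proposed preventative control
    control_reduction: float     # fraction of the annual loss the control removes

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def aro(self) -> float:
        """Annualized rate of occurrence: expected incidents per year."""
        return 1.0 / self.years_between_events

    def ale(self) -> float:
        """Annualized loss expectancy: the yearly ceiling for prevention spend."""
        return self.sle() * self.aro()

    def control_is_justified(self) -> bool:
        """Step 7: spend on a control only if it costs less than the loss it avoids."""
        return self.control_cost <= self.ale() * self.control_reduction


def risk_level(ale: float, high: float = 500_000, medium: float = 50_000) -> str:
    """Map ALE to the High/Medium/Low bands; the cut-offs are assumed."""
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"


def example_register() -> list:
    """Constructed register: the article's $100M database plus an assumed web site."""
    return [
        Risk("customer database", 100_000_000, 0.5, 50, 800_000, 1.0),
        Risk("marketing web site", 2_000_000, 0.25, 5, 150_000, 0.9),
    ]


def rank_by_ale(risks: list) -> list:
    """Order the register so the largest expected annual loss is handled first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


if __name__ == "__main__":
    for r in rank_by_ale(example_register()):
        print(f"{r.asset}: ALE ${r.ale():,.0f} ({risk_level(r.ale())}), "
              f"control justified: {r.control_is_justified()}")
```

The database lands at an ALE of $1 million, so an $800,000 control that removes the risk is justified, while a $150,000 control on the web site costs more than the $90,000 of annual loss it would remove.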
The final step is to develop a risk assessment report to support management in making decisions on budget, policies and procedures. For each threat, the report should describe the risk, vulnerabilities and value, along with the impact and likelihood of occurrence and control recommendations.
As you work through this process, you'll understand what infrastructure your company operates, what your most valuable data is, and how you can better operate and secure your business. You can then create a risk assessment policy that defines what your organization must do periodically to monitor its security posture, how risks are addressed and mitigated, and how you will carry out the next risk assessment process.
Whether you are a small business or a multinational enterprise, information risk management is at the heart of cybersecurity. These processes help establish rules and guidelines that answer which threats and vulnerabilities can cause financial and reputational damage to your business and how they are mitigated.
Ideally, as your security implementations improve and you react to the contents of your current assessment, your cybersecurity score should improve.
We can help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and improve your security posture.
To prevent breaches, avoid regulatory fines and protect your customers' trust, use UpGuard BreachSight's cyber security ratings and continuous exposure detection.