5 Step Guide: How to Perform a Cyber Risk Analysis in 2021

Edward Kost
updated Sep 10, 2021

No organization is impervious to cyberattacks. But what separates resilient businesses from data breach victims is superior risk management. 

Resilience is achieved through the meticulous calculation of all potential risks and the application of necessary control measures to mitigate them.

In this post, we present a 4-step framework for a reliable risk management plan.

What is a Cyber Risk?

In cybersecurity, risk is the potential for damage to sensitive data, critical assets, finances, or reputation, measured by combining how likely a damaging event is with how severe its consequences would be. These damages usually result from cyberattacks or data breaches.

Not all risks are equal: some have greater criticality than others.

For example, the level of risk associated with a website only displaying static information is lower than the risk associated with a web application accessing sensitive customer data.

Cyber risk is calculated by considering the identified security threat, the degree of vulnerability to it, and the likelihood and impact of exploitation.

At a high level, this can be quantified as follows:

Cyber risk = Threat x Vulnerability x Information Value

Here, threat is how likely a threat source (an attacker, malware, an insider) is to act against the asset, vulnerability is how likely that action succeeds given the asset's weaknesses, and information value is the damage if it does. The product is a relative score for ranking risks against each other, not an absolute loss figure.

The terms cyber risk, cyber threat, and security threat are often used interchangeably, but they are not the same thing: a threat is a source of potential harm, a vulnerability is a weakness that threat could exploit, and a risk is the combination of the two with the impact that would follow.

Some examples of cyber risks include:

How to Mitigate Cyber Risks

The process of mitigating cyber risks begins by collecting data about the target ecosystem. This is achieved through risk assessments of both the internal network and the third-party vendor network.

In order for these risk assessments to collect the most valuable data, they need to align with business objectives.

Cyber risks should also be considered for short-term project objectives. Cyber risks can impede project plans, so a cyber risk assessment process should be a vital component of project risk management.

The results of a cybersecurity risk assessment should identify all the risks associated with exposed assets.

This is then followed by either a qualitative risk analysis or a quantitative risk analysis in light of a defined risk appetite. The results will establish the specifications of all necessary risk responses.

Qualitative risk analysis is the more common choice: it assigns each risk to a category (such as low, medium, high, critical) rather than a specific dollar value, and risks are faster to triage by referencing their level of criticality. Quantitative analysis (for example, estimating annualized loss) is more precise but depends on loss and frequency data that many organizations do not have.

Step 1: Specify Acceptable Levels of Risk

Addressing all security risks is an inefficient use of security resources and in many cases unnecessary.

A more sustainable approach is to define a risk appetite and use it to sort risks into four response categories:

  • Avoid - Reduce or eliminate the risk by changing program or design requirements so the exposure no longer exists
  • Accept - Acknowledge the risk without implementing controls to address it
  • Control - Deploy measures that reduce the impact and probability of the risk
  • Monitor - Track the risk for any change in likelihood or severity

Defining the appetite up front also ensures the most critical threats are addressed first, keeping security posture as strong as possible during digital transformation, the period in which an organization is most exposed.

Risk appetite defines the threshold of risk management

Learn how to calculate risk appetite and residual risk.

Risk thresholds differ between assets, so every exposed asset must be identified before a threshold appropriate to its sensitivity can be assigned to it.

Digital footprint mapping will help you identify all relevant assets and their potential risks.

Learn how to create a digital footprint.

Step 2: Choose a Risk Assessment

Risk assessments have two primary objectives: 

  1. To identify all risks in a target environment.
  2. To keep stakeholders and decision-making project team members informed of the security process.

There are many risk assessment standards and frameworks to choose from. The list below also includes laws and regulations that mandate assessments in highly regulated sectors to ensure resilience against industry-specific risks.

Here's a list of popular assessment standards and regulations:

  • NIST (National Institute of Standards and Technology) frameworks, such as the Cybersecurity Framework and SP 800-53
  • CIS Controls (Center for Internet Security Controls)
  • ISO/IEC 27001 (International Organization for Standardization)
  • HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule
  • PCI DSS (The Payment Card Industry Data Security Standard)
  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • AICPA (American Institute of Certified Public Accountants) SOC 2 / Trust Services Criteria
  • SOX (Sarbanes-Oxley Act)
  • COBIT (Control Objectives for Information and Related Technologies)
  • GLBA (Gramm-Leach-Bliley Act)
  • FISMA (Federal Information Security Modernization Act of 2014)
  • FedRAMP (The Federal Risk and Authorization Management Program)
  • FERPA (The Family Educational Rights and Privacy Act of 1974)
  • ITAR (International Traffic in Arms Regulations)
  • COPPA (Children's Online Privacy Protection Act)
  • NERC CIP Standards (NERC Critical Infrastructure Protection Standards)

Each of these assessments can be created manually from an assessment template. For a high-level vendor assessment, this checklist can be used.

If your requirements do not align with any of the above standards, you can design your own assessment with a custom questionnaire builder.

To speed up the risk analysis process, a security risk management tool such as UpGuard can be used. 

UpGuard manages the creation and distribution of all risk assessments, as well as any required response efforts for identified risks.

The following questionnaires are available on the UpGuard platform:

  1. CyberRisk Questionnaire
  2. ISO 27001 Questionnaire
  3. Short Form Questionnaire
  4. NIST Cybersecurity Framework Questionnaire
  5. PCI DSS Questionnaire
  6. California Consumer Privacy Act (CCPA) Questionnaire
  7. Modern Slavery Questionnaire
  8. Pandemic Questionnaire
  9. Security and Privacy Program Questionnaire
  10. Web Application Security Questionnaire
  11. Infrastructure Security Questionnaire
  12. Physical and Data Centre Security Questionnaire
  13. COBIT 5 Security Standard Questionnaire
  14. ISA 62443-2-1:2009 Security Standard Questionnaire
  15. ISA 62443-3-3:2013 Security Standard Questionnaire
  16. GDPR Security Standard Questionnaire
  17. CIS Controls 7.1 Security Standard Questionnaire
  18. NIST SP 800-53 Rev. 4 Security Standard Questionnaire
  19. SolarWinds Questionnaire
  20. Kaseya Questionnaire

To see how these assessments are managed in the UpGuard platform, click here for a free trial.

Step 3: Prioritize Risks

All unacceptable risks should be further ranked by level of criticality. This can be achieved with a risk matrix, which plots the likelihood that a risk materialises against the impact on sensitive resources if it does.

Risk Matrix example

All of the risks identified through security questionnaires and risk assessments should then be placed on such a risk matrix and assigned a corresponding risk score.

This separates high-scoring risks from those with lower likelihood or impact, setting the foundation for a more efficient remediation program.

For more information about designing an efficient remediation program, read this risk remediation planning whitepaper from UpGuard.

A variation of this classification strategy can also be applied to third-party risks to optimize vendor risk management, a process known as vendor tiering.
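The following is an added example, not code from the original post or from UpGuard. It ties together the risk formula from the "What is a Cyber Risk?" section, the four response categories from Step 1 and the risk matrix from Step 3: each risk is scored on a 5x5 likelihood x impact matrix (likelihood folds together the post's threat and vulnerability terms, impact stands in for information value), ranked, and sorted into Avoid / Control / Monitor / Accept against a risk appetite. The five-point scales, the band edges, the appetite thresholds and the sample risks are all constructed for illustration; real programs calibrate them to their own loss data and tolerance.

```python
"""Added example (not from the original post): score risks on a 5x5
likelihood x impact matrix, rank them, and sort them into the post's four
response categories against a risk appetite. All scales, thresholds and the
sample risks below are constructed for illustration."""
from dataclasses import dataclass, replace
from math import ceil


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    threat: int         # 1-5: how active and capable the threat source is
    vulnerability: int  # 1-5: how exposed / exploitable the asset is
    impact: int         # 1-5: information value, i.e. damage if it happens


@dataclass(frozen=True)
class RiskAppetite:
    """Score thresholds (constructed) that express how much risk we tolerate."""
    accept_below: int   # below this: accept, no controls
    control_from: int   # at or above this: deploy controls
    avoid_from: int     # at or above this: change the design, not just controls
    # scores in [accept_below, control_from) are monitored for change


def likelihood(r: Risk) -> int:
    """Fold threat x vulnerability (1..25) back onto the 1..5 likelihood axis.
    A capable attacker facing a well-patched asset is not 'very high'."""
    return ceil(r.threat * r.vulnerability / 5)


def score(r: Risk) -> int:
    """Risk score = likelihood x impact: one cell of the 5x5 matrix (1..25)."""
    return likelihood(r) * r.impact


def rating(s: int) -> str:
    """Qualitative band for a matrix cell (band edges are constructed)."""
    if s >= 15:
        return "critical"
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def response(r: Risk, appetite: RiskAppetite) -> str:
    """Map a risk to Avoid / Control / Monitor / Accept by the appetite."""
    s = score(r)
    if s >= appetite.avoid_from:
        return "Avoid"
    if s >= appetite.control_from:
        return "Control"
    if s >= appetite.accept_below:
        return "Monitor"
    return "Accept"


def residual(r: Risk, **changes: int) -> Risk:
    """Residual risk after a control lowers vulnerability and/or impact."""
    return replace(r, **changes)


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact, so a rare but
    catastrophic risk outranks a frequent but trivial one."""
    return sorted(risks, key=lambda r: (score(r), r.impact), reverse=True)


def register(risks: list[Risk], appetite: RiskAppetite) -> list[tuple[str, int, str, str]]:
    """Prioritised (name, score, rating, response) rows for a risk register."""
    return [(r.name, score(r), rating(score(r)), response(r, appetite))
            for r in prioritise(risks)]


# Constructed sample risks, echoing the post's static-site vs web-app contrast.
SAMPLE_RISKS = [
    Risk("Static marketing site defacement", "brochure site", 3, 2, 1),
    Risk("Unauthenticated admin endpoint", "customer web app", 5, 5, 5),
    Risk("Phishing against finance staff", "payment process", 5, 3, 4),
    Risk("Vendor SFTP with expired TLS certificate", "payroll vendor", 2, 3, 3),
]
APPETITE = RiskAppetite(accept_below=4, control_from=10, avoid_from=20)

if __name__ == "__main__":
    for name, s, band, action in register(SAMPLE_RISKS, APPETITE):
        print(f"{s:>2} {band:<8} {action:<7} {name}")
    # Residual risk: after awareness training and MFA cut the phishing
    # exposure from 3 to 1, re-score and re-classify the same risk.
    after = residual(SAMPLE_RISKS[2], vulnerability=1)
    print("residual:", score(after), rating(score(after)), response(after, APPETITE))
```

Two design points worth noting. Likelihood is the product of threat and vulnerability pulled back onto the matrix axis, so a highly capable adversary against a well-hardened asset lands in the middle rather than the top corner, which is what the formula in the post implies but a naive three-way product would hide. And re-scoring after a control is what turns the Step 4 security-score drop into a decision: the phishing risk falls from Control to Monitor once the exposure is reduced, so it stays on the register instead of silently disappearing.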

Step 4: Implement Security Controls

With risk identification and prioritization complete, security controls can be implemented for every risk whose response category requires management.

The effectiveness of each risk management process should be monitored with security scores, which evaluate security posture across multiple attack vectors.

A drop in a security score could indicate new risks, which should then be fed back through steps 3 and 4 of this framework: prioritize them against the risk appetite, then control them.

Mitigate Cyber Risks with UpGuard

UpGuard's attack surface monitoring engine discovers security risks both internally and throughout the vendor network. This risk management solution also manages the remediation process for all discovered risks, helping organizations address vulnerabilities before attackers find them.

Click here for a free 7 day trial of UpGuard
