Risk assessments are nothing new, and whether you like it or not, if you work in information security, you are in the risk management business. As organizations rely more on information technology and information systems to do business, the digital risk threat landscape expands, exposing ecosystems to new critical vulnerabilities.
The National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework to provide a base for risk assessment practices.
What is Cyber Risk?
Cyber risk is the likelihood of suffering negative disruptions to sensitive data, finances, or business operations online. Cyber risks are commonly associated with events that could result in a data breach.
Cyber risks are sometimes referred to as security threats. Examples of cyber risks include:
There are practical strategies that you can take to reduce your cybersecurity risk.
Though commonly used interchangeably, cyber risks and vulnerabilities are not the same. A vulnerability is a weakness that, when exploited, results in unauthorized access; a cyber risk is the probability of a vulnerability being exploited.
Cyber risks are categorized as zero, low, medium, or high risk. Three factors feed into this rating:
- What is the threat?
- How vulnerable is the system?
- What is the reputational or financial damage if breached or made unavailable?
Using this simple methodology, a high-level calculation of cyber risk in an IT infrastructure can be developed:
Cyber risk = Threat x Vulnerability x Information Value
Imagine you were to assess the risk associated with a cyber attack compromising a particular operating system. This operating system has a known backdoor in version 1.7 of its software that is easily exploitable via physical means and stores information of high value on it. If your office has no physical security, your risk would be high.
However, if you have good IT staff who can identify vulnerabilities and they update the operating system to version 1.8, your vulnerability is low, even though the information value is still high because the backdoor was patched in version 1.8.
A few things to keep in mind: very few things carry zero risk to a business process or information system, and risk implies uncertainty. If something is guaranteed to happen, it's not a risk; it's part of general business operations.
The process of quantifying cyber risks is a function of potential risks, risk tolerance, your specific cybersecurity threats, and other risk mitigation factors. To learn more about this process, refer to this post.
What is a Cyber Risk Assessment?
NIST defines cyber risk assessments as risk assessments used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
The primary purpose of a cyber risk assessment is to keep stakeholders informed and support proper responses to identified risks. They also provide an executive summary to help executives and directors make informed security decisions.
The information security risk assessment process is concerned with answering the following questions:
- What are our organization's most important information technology assets?
- What type of data breach would have a significant impact on our business, whether from malware, cyber attack, or human error? Think customer information.
- Can all threat sources be identified?
- What is the level of the potential impact of each identified threat?
- What are the internal and external vulnerabilities?
- What is the impact if those vulnerabilities are exploited?
- What is the likelihood of exploitation?
- What cyber attacks, cyber threats, or security incidents could affect the business's ability to function?
- What is the level of risk my organization is comfortable taking?
If you can answer those questions, you can decide what is important to protect. This means you can develop IT security controls and data security strategies for risk remediation. Before you can do that, though, you need to answer the following questions:
- What is the risk I am reducing?
- Is this the highest priority security risk?
- Am I reducing the risk most cost-effectively?
This will help you understand the information value of the data you are trying to protect and better understand your information risk management process in the scope of safeguarding business needs.
There are several risk management frameworks available. Your choice depends on your industry, your risk appetite, and any applicable regulations - like the GDPR. If you’re unsure which security assessment framework to choose, the NIST Cybersecurity Framework is popular for most general cybersecurity program requirements.
Why Perform a Cyber Risk Assessment?
There are several reasons you want to perform a cyber risk assessment and a few reasons you need to. Let's walk through them:
- Reduction of Long-Term Costs - Identifying potential threats and vulnerabilities and then mitigating them can prevent or reduce security incidents, saving your organization money and/or reputational damage in the long term.
- Provides a Cybersecurity Risk Assessment Template for Future Assessments - Cyber risk assessments aren't one-off processes; you need to update them continually, and doing a good first pass establishes a repeatable process that survives staff turnover.
- Better Organizational Knowledge - Knowing organizational vulnerabilities gives you a clear idea of where your organization needs to improve.
- Avoid Data Breaches - Data breaches can have a huge financial and reputational impact on any organization.
- Avoid Regulatory Issues - Customer data stolen because you failed to comply with HIPAA, PCI DSS, or APRA CPS 234 exposes you to regulatory penalties.
- Avoid Application Downtime - Internal or customer-facing systems must be available and functioning for staff and customers to do their jobs.
- Data Loss - Theft of trade secrets, code, or other critical information assets could mean you lose business to competitors.
Beyond that, cyber risk assessments are integral to information risk management and any organization's broader risk management strategy.
Who Should Perform a Cyber Risk Assessment?
Ideally, organizations should have dedicated in-house teams processing risk assessments. This means having IT staff with an understanding of how your digital and network infrastructure works, executives who understand how information flows, and any proprietary organizational knowledge that may be useful during the assessment.
Organizational transparency is key to a thorough cyber risk assessment.
Small businesses may not have the right people in-house to do a thorough job and must outsource assessment to a third party. Organizations are also turning to cybersecurity software to monitor their cybersecurity score, prevent breaches, send security questionnaires, and reduce third-party risk.
How to Perform a Cyber Risk Assessment
We'll start with a high-level overview and drill down into each step in the following sections. Before you start assessing and mitigating risks, you must understand your data, infrastructure, and the value of the data you are trying to protect.
You may want to start by auditing your data to answer the following questions:
- What data do we collect?
- How and where are we storing this data?
- How do we protect and document the data?
- How long do we keep data?
- Who has access internally and externally to the data?
- Is the place we are storing the data properly secured? Many breaches come from poorly configured S3 buckets; check your S3 permissions, or someone else will.
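The data-storage question above, and the S3 misconfiguration point the article returns to under human error, can be checked mechanically. The block below is an added example, not code from the original article or from UpGuard: an offline check of the bucket-policy pattern behind most accidental S3 exposures. Given a bucket policy document (the JSON that `aws s3api get-bucket-policy` returns), it flags every statement that grants S3 actions to everyone: Effect "Allow", an anonymous Principal ("*" or {"AWS": "*"}), and no Condition narrowing the caller. The three policies, the bucket name, the account id and the VPC endpoint id are constructed samples.

```python
"""Added example, not code from the original article or from UpGuard:
flag bucket-policy statements that grant S3 actions to an anonymous
principal.  All policy documents below are constructed samples."""
import json


# Constructed sample: every object in the bucket is world-readable and listable.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the hardened form, scoped to one IAM role (made-up account id).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: anonymous principal, but fenced by a Condition
# (a made-up VPC endpoint id).  Not public, but still worth a review.
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when the Principal element matches everyone, anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return one finding per Allow statement that grants S3 actions to everyone."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action"))
                   if a == "*" or a.lower().startswith("s3:")]
        if not actions:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            # A Condition (source VPC, IP range, ...) limits who the wildcard
            # reaches; it lowers severity, but the statement still needs review.
            "conditional": bool(stmt.get("Condition")),
        })
    return findings


def severity(findings):
    """Collapse findings into a rating for the risk register: none, medium, or high."""
    if not findings:
        return "none"
    if any(not f["conditional"] for f in findings):
        return "high"
    return "medium"


if __name__ == "__main__":
    for label, doc in [("public", PUBLIC_READ_POLICY),
                       ("scoped", SCOPED_POLICY),
                       ("vpc-only", VPC_ONLY_POLICY)]:
        found = find_public_statements(doc)
        print(f"{label:9s} severity={severity(found)} "
              f"statements={[f['sid'] for f in found]}")
```

The checker looks only at the bucket policy; bucket ACLs, the account-level Block Public Access settings, and the NotPrincipal / NotAction / explicit Deny forms of the policy language are deliberately out of scope, so a "none" result means this one document grants nothing to the world, not that the bucket is private.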
Next, you'll want to define the parameters of your assessment. Here are a few good primer questions to get you started:
- What is the purpose of the assessment?
- What is the scope of the assessment?
- Are there any priorities or constraints I should know about that could affect the assessment?
- Who do I need access to in the organization to get all the information I need?
- What risk model does the organization use for risk analysis?
A lot of these questions are self-explanatory. What you want to know is what you'll be analyzing, who has the expertise to assess them appropriately, and whether there are any regulatory requirements or budget constraints you need to be aware of.
Now let's look at what steps need to be taken to complete a thorough cyber risk assessment, providing you with a risk assessment template.
Step 1: Determine Informational Value
Most organizations don't have an unlimited budget for information risk management, so limiting your scope to the most business-critical assets is best.
To save time and money later, spend some time defining a standard for determining the importance of an asset. Most organizations include asset value, legal standing, and business importance. Once the standard is formally incorporated into the organization's information risk management policy, use it to classify each asset as critical, major, or minor.
There are many questions you can ask to determine value:
- Are there financial or legal penalties associated with exposing or losing this information?
- How valuable is this information to a competitor?
- Could we recreate this information from scratch? How long would it take, and what would be the associated costs?
- Would losing this information have an impact on revenue or profitability?
- Would losing this data impact day-to-day business operations? Could our staff work without it?
- What would be the reputational damage of this data being leaked?
Step 2: Identify and Prioritize Assets
The first step is to identify assets to evaluate and determine the scope of the assessment. This will allow you to prioritize which assets to assess. You may only want to assess some buildings, employees, electronic data, trade secrets, vehicles, and office equipment. Remember, not all assets have the same value.
You need to work with business users and management to create a list of all valuable assets. For each asset, gather the following information where applicable:
- Support personnel
- Functional requirements
- IT security policies
- IT security architecture
- Network topology
- Information storage protection
- Information flow
- Technical security controls
- Physical security controls
- Environmental security
Asset prioritization is simplified with a risk matrix indicating critical risks most likely to negatively impact your security posture. A risk matrix can also summarize your risk exposure at a third-party vendor level.
Here’s an example of a risk matrix representing the distribution of critical third-party vendors requiring greater cybersecurity attention.
Step 3: Identify Cyber Threats
A cyber threat is anything that could exploit a vulnerability to breach security, cause harm, or steal data from your organization. While hackers, malware, and other IT security risks leap to mind, there are many other threats:
- Natural disasters: Floods, hurricanes, earthquakes, lightning, and fire can destroy as much as any cyber attacker. You can lose not only your data but your servers too. When deciding between on-premise and cloud-based servers, consider the potential impacts of natural disasters.
- System failure: Are your most critical systems running on high-quality equipment? Do they have good support?
- Human error: Are your S3 buckets holding sensitive information properly configured? Does your organization have proper education policies covering common cybercriminal tactics, like malware, phishing, and social engineering?
- Adversarial threats: Third-party vendors, insiders, trusted insiders, privileged insiders, established hacker collectives, ad hoc groups, corporate espionage, suppliers, and nation-states
Some common threats that affect every organization include:
- Unauthorized access: from attackers, malware, or employee error
- Misuse of information by authorized users: typically an insider threat where data is altered, deleted, or used without approval
- Data leaks: exposure of personally identifiable information (PII) and other sensitive data by attackers or through poor configuration of cloud services
- Loss of data: the organization loses or accidentally deletes data because of poor backup or replication practices
- Service disruption: loss of revenue or reputational damage due to downtime
After identifying your organization's threats, you'll need to assess their impact. To ensure your security teams will respond to cyber threats promptly, ensure you have a well-designed and regularly tested Incident Response Plan.
Step 4: Identify Vulnerabilities
Now it's time to move from what "could" happen to what has a chance of happening. A vulnerability is a weakness that a threat can exploit to breach security, harm your organization, or steal sensitive data. Vulnerabilities are found through vulnerability analysis, audit reports, the National Institute of Standards and Technology (NIST) vulnerability database, vendor data, incident response teams, and software security analysis.
You can reduce organizational software-based vulnerabilities with proper patch management via automatic forced updates. But don't forget physical vulnerabilities: the chance of someone gaining access to an organization's computing systems is reduced by keycard access.
Identifying vulnerabilities in your ecosystem is significantly simplified with an Attack Surface Monitoring solution. Attack Surface Management is an effective strategy for minimizing the number of attack vectors in your digital footprint to reduce your risk of suffering data breaches.
For an introduction to Attack Surface Management, watch this video.
Step 5: Analyze Controls and Implement New Controls
Analyze controls that are in place to minimize or eliminate the probability of a threat or vulnerability. Controls can be implemented through technical means, such as hardware or software, encryption, intrusion detection mechanisms, two-factor authentication, automatic updates, continuous data leak detection, or through nontechnical means like security policies and physical mechanisms like locks or keycard access.
Controls should be classified as preventative or detective controls. Preventive controls attempt to stop attacks through encryption, firewalls, antivirus, or continuous security monitoring; detective controls try to discover when an attack has occurred, like continuous data exposure detection.
Step 6: Calculate the Likelihood and Impact of Various Scenarios on a Per-Year Basis
Now you know the information value, threats, vulnerabilities, and controls; the next step is to identify how likely these cyber risks are to occur and their impact if they happen.
Change your mindset from "if I get impacted" to "what are my chances of success when I get impacted."
Imagine you have a database that stores all your company's most sensitive information, and that information is valued at $100 million based on your estimates. You estimate that in the event of a breach, at least half of your data would be exposed before it could be contained, resulting in an estimated loss of $50 million.
But you expect this to be unlikely, say a one-in-fifty-year occurrence. That is equivalent to an estimated loss of $50 million every 50 years or, in annual terms, $1 million per year. For that scenario, it would make sense to project an annual budget of $1 million for a data breach prevention program.
Step 7: Prioritize Risks Based on the Cost of Prevention Vs. Information Value
Use risk level as a basis and determine actions for senior management or other responsible individuals to mitigate the risk. Here are some general guidelines:
- High - corrective measures to be developed as soon as possible
- Medium - corrective measures to be developed within a reasonable period
- Low - decide whether to accept the risk or mitigate it
Remember, you have now determined the asset's value and how much you could spend to protect it. The next step is easy: if it costs more to protect the asset than it's worth, it may not make sense to use preventative control to protect it. That said, remember there could be a reputational impact, not just a financial impact, so it’s essential to factor that in too.
Also, consider the following:
- Organizational policies
- Reputational damage
- Effectiveness of controls
- Organizational attitude toward risk
- Tolerance for uncertainty regarding risk factors
- The organizational weighting of risk factors
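Steps 6 and 7, together with the Threat x Vulnerability x Information Value formula from the start of the article, can be carried out as a small risk register. The block below is an added example, not code from the original article or from UpGuard. For each scenario it computes the single loss expectancy (asset value times the fraction exposed per incident), the annual loss expectancy (that figure times the expected incidents per year), the article's risk score, and whether a proposed control costs less per year than the loss it is expected to remove. The first scenario is the article's own $100 million database; the other two scenarios, the 0-3 rating scales, the dollar-to-value bands and the score-to-level bands are assumptions made for this example.

```python
"""Added example, not code from the original article or from UpGuard: a
risk register that works the article's Step 6 and Step 7 numbers.  Rating
bands and the scenario data are assumptions made for this example."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    asset_value: float        # dollars at risk, from Step 1
    exposure_factor: float    # fraction of that value lost per incident, 0..1
    annual_rate: float        # expected incidents per year (ARO)
    threat: int               # 0-3 rating from Step 3 (assumed scale)
    vulnerability: int        # 0-3 rating from Step 4, given current controls
    control_cost: float       # annual cost of the proposed control
    control_reduction: float  # fraction of the ALE the control is expected to remove


def single_loss_expectancy(s):
    """SLE: what one incident costs."""
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s):
    """ALE: SLE spread over the expected incidents per year (Step 6)."""
    return single_loss_expectancy(s) * s.annual_rate


def value_rating(asset_value):
    """Assumed bands mapping dollar value onto a 0-3 'Information Value' factor."""
    if asset_value >= 10_000_000:
        return 3
    if asset_value >= 1_000_000:
        return 2
    return 1 if asset_value > 0 else 0


def risk_score(s):
    """The article's formula: Threat x Vulnerability x Information Value (0..27)."""
    return s.threat * s.vulnerability * value_rating(s.asset_value)


def risk_level(score):
    """Assumed bands onto the article's zero / low / medium / high categories."""
    if score == 0:
        return "zero"
    if score <= 6:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


ACTION = {  # the Step 7 guidelines from the article
    "high": "corrective measures as soon as possible",
    "medium": "corrective measures within a reasonable period",
    "low": "decide whether to accept or mitigate",
    "zero": "no action",
}


def control_is_worthwhile(s):
    """Step 7: spend on a control only if it costs less than the loss it removes."""
    return s.control_cost <= annual_loss_expectancy(s) * s.control_reduction


def prioritize(scenarios):
    """Rank scenarios by ALE (largest first) with rating, action and control verdict."""
    rows = []
    for s in scenarios:
        level = risk_level(risk_score(s))
        rows.append({
            "name": s.name,
            "sle": single_loss_expectancy(s),
            "ale": annual_loss_expectancy(s),
            "score": risk_score(s),
            "level": level,
            "action": ACTION[level],
            "control_worthwhile": control_is_worthwhile(s),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed scenarios.  The first is the article's worked example: a $100M
# database, half exposed per breach, one breach every 50 years -> $1M per year.
SCENARIOS = [
    Scenario("Sensitive database breach", 100_000_000, 0.5, 1 / 50, 3, 2, 800_000, 0.9),
    Scenario("File server ransomware", 2_000_000, 0.8, 0.1, 3, 3, 300_000, 0.8),
    Scenario("Marketing site defacement", 50_000, 1.0, 0.5, 2, 1, 5_000, 0.5),
]


if __name__ == "__main__":
    for r in prioritize(SCENARIOS):
        print(f"{r['name']:28s} ALE=${r['ale']:>12,.0f} score={r['score']:2d} "
              f"{r['level']:6s} control_worthwhile={r['control_worthwhile']}")
```

The ransomware row is the case the article warns about: the score puts it in the high category, yet the proposed $300,000 control costs more than the roughly $128,000 of annual loss it would remove, so on cost alone it does not justify itself and the reputational factors listed above have to decide.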
Step 8: Document Results from Risk Assessment Reports
The final step is to develop a risk assessment report to support management in deciding on budgets, policies, and procedures. The report should describe the risk, vulnerabilities, and value of each threat, along with the impact and likelihood of occurrence and control recommendations.
As you work through this process, you'll understand what infrastructure your company operates, what your most valuable data is, and how you can better operate and secure your business. You can then create a risk assessment policy that defines what your organization must do periodically to monitor its security posture, how risks are addressed and mitigated, and how you will conduct subsequent risk assessment processes.
Whether you are a small business or a multinational enterprise, information risk management is at the heart of cybersecurity. These processes help establish rules and guidelines that answer what threats and vulnerabilities can cause financial and reputational damage to your business and how they are mitigated.
Ideally, as your security implementations improve and you address the risks discovered in assessment responses, your cybersecurity posture should also improve. Cybersecurity risk assessments help organizations understand, control, and mitigate all forms of cyber risk. They are a critical component of risk management strategy and data protection efforts.
To learn how UpGuard can help you streamline your cybersecurity risk assessment workflows, watch this video.