In the previous blog post, we described how to define and set up risk management context and criteria. The next process in an information security risk management programme is risk assessment.
The purpose of an information security risk assessment process is to quantify or qualitatively describe the organisation’s risk. The risk assessment process should:
determine the value of the information asset;
identify the applicable threats and vulnerabilities related to the asset;
identify existing controls and their effect on the risk;
determine the potential consequences, and
rank them against the risk evaluation criteria defined in the context of the risk management programme.
The outcome helps the organisation’s leaders and managers prioritise tasks to address risks based on priority.
There are various approaches to building a cybersecurity risk assessment process, and different needs drive each. For example, the organisation can decide to use a high-level or detailed risk assessment with a qualitative or quantitative approach.
A high-level risk assessment allows risks to be addressed based on priorities. Often, implementing all controls simultaneously to address all risks is ineffective and requires more resources. Therefore, a high-level cybersecurity risk assessment process can help identify and prioritise critical risks first. Another reason to start with the high-level assessment is to synchronise risks with other business plans. When you have a bird’s eye view of the organisation’s risk profile, you can ask risk owners to provide feedback and align their response plans. For instance, it’s not sound to fully secure the local HR system if the organisation plans to migrate it to a SaaS solution.
Other benefits of implementing a high-level risk assessment include low demand on resources to implement it, easy deployment or integration with the company’s risk management processes, and building a strategic view of the organisation’s cybersecurity programme.
On the other hand, a detailed cybersecurity assessment process involves in-depth identifying and evaluating of assets and assessing threats and vulnerabilities. As a result, the consequences can be assessed using quantitative (e.g., monetary) and qualitative measures.
While it provides detailed information about each risk and the organisation’s risk profile, it also requires more resources (e.g., experience and time) and is not easy to roll out organisation-wide.
Let’s move on to the more practical part.
The cybersecurity risk assessment process should cover the following sub-processes:
Communication is an important process and should be used to inform stakeholders, asset owners, and other people at various stages of the risk management process. We will talk more about it below.
The purpose of the risk identification process is to identify assets and their vulnerabilities, threats, and existing controls, as well as the consequences, should the risk materialise.
Identification of assets
To begin the risk identification process, the risk assessor should identify the assets that fall within the scope.
Tip: The information risk management program context and scope document should specify the criteria to include information assets in the risk assessment process.
To simplify matters, we recommend starting with information systems (software), hardware, and processes related to information technology like software development, network management, and others. Since the level of information asset identification impacts the scale of the risk assessment, a good approach is to start with a small list and add new types of assets during subsequent reviews.
Tip: When developing the organisation’s information security policy, it’s important to include the information asset owners’ responsibilities, including regularly reviewing and updating the information assets they are responsible for. This helps to keep the organisation’s information asset list up to date.
Identification of threats
Next, define the source of the loss, i.e., identify threats and their source. Threats can be of various natures: they can be natural like a hurricane, or of human origin, and deliberate or accidental. They can also arise from outside or within the organisation. A good approach is to identify threats by types, such as unauthorised action, technical failure, or natural causes, and document them. Any individual threats can be further identified and categorised to ensure all threats are captured in the document.
Search for threats by type on the internet. Also, check with the asset owners or other experts in particular areas to identify threats and the likelihood of their occurrence.
Another source for finding threats is security incidents that occurred in the past. By analysing them, you can identify threats that are relevant to the organisation.
After defining the assets and related threats, determine the existing controls, vulnerabilities, and consequences. All this information will help the risk assessor to paint a complete picture of the organisational risk.
Identification of controls
Controls can be identified by reviewing documents containing controls like risk assessment results or risk treatment plans, making enquiries with staff and process managers, and conducting an on-site review.
Also, check for controls that have already been planned for implementation with the owners of the information assets or controls. Such controls have an impact on risk levels during the risk analysis and evaluation process.
Determining the relevance and effectiveness of controls is essential. It helps to evaluate the risk so that the controls can be changed if they do not address the risk.
To verify the relevance and effectiveness of controls, consider security incidents related to the asset and the results of information security audits. Such sources help to determine whether controls are effective or fail to secure the asset.
Identification of vulnerabilities
A vulnerability is a weakness in an asset (software, hardware, or process). However, without a threat that can exploit the vulnerability, it does not present any harm. That being said, vulnerabilities without an immediate threat may not require any action to remedy them, but they must be documented for future review. As the organisational environment changes, new threats may arise that exploit old vulnerabilities. Also, an incorrectly implemented or malfunctioning control can itself be a vulnerability. Another source of vulnerabilities may be in the properties of the hardware or application set up by the manufacturer. Furthermore, a lack of security awareness by staff, contractors, or external parties can create vulnerabilities within the organisation. Following the above approach, we recommend making a list of vulnerabilities by type. Again, the list can be searched for on the internet or derived from past incidents and audit reports.
Identification of consequences
The final step in the risk identification process is to define the potential consequences of a threat materialising. Given that we are aware of the threat, vulnerabilities, and existing controls, it will not be hard to define what could happen if a threat exploits a vulnerability and the consequences thereof.
Consequences may include loss of effectiveness, unacceptable operating conditions, lost opportunity or reputation, human injury, or loss of life.
Knowing the financial cost of information assets will help to determine the financial impact of the risk.
It’s crucial to identify the consequences, so use the list below for different scenarios:
time to investigate and restore;
the financial cost to investigate and recover, including the cost of skills;
lost working time;
health and safety of staff;
damage to reputation and brand.
As an outcome, you will have a list of incident scenarios with their consequences related to the information asset.
Risk analysis is a process by which the frequency and magnitude of cybersecurity risk scenarios are estimated. It includes analysing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. Risk analysis is a complex and essential process needed to provide the data necessary for risk response activities. There are two main methods for analysing risk: quantitative and qualitative. However, many organisations use a combination of these two methods, called the semiquantitative or hybrid method.
Quantitative risk assessment (objective)
Quantitative risk assessment is based on numerical calculations, such as monetary values. Its reliance on numbers makes it precise. It is particularly suitable for cost-benefit analysis because the risk mapped to monetary values can be quickly and directly compared to the costs of risk responses. On the other hand, the cost associated with a particular risk can be challenging to quantify, especially if it includes subjective elements such as reputation and employee morale.
Qualitative risk assessment (subjective)
Qualitative risk assessment assigns values on a comparative basis such as high, medium, and low, or a numerical scale (1-3 or 1-10). The assignment of qualitative values relies heavily on experience and expert knowledge, but such reliance does not make qualitative risk assessment any less effective than quantitative risk assessment. Some types of risk are challenging to calculate in purely numerical terms. Controlling for the unknown variables in a quantitative process can require many assumptions, rendering the precise results relatively unhelpful. In contrast, the relative values produced by a qualitative process can typically be used to order response actions in terms of perceived importance. When the perception is based on a broad enough sample of stakeholders, the resulting course of action is likely to be acceptable to those stakeholders.
Semiquantitative/Hybrid risk assessment
Semiquantitative risk assessment combines the value of qualitative and quantitative risk assessments. A hybrid approach has the realistic input of a qualitative assessment combined with the numerical scale used to determine the impact of a quantitative risk assessment. The goal is to provide a scale with a wide range to assess risk reasonably precisely. Semiquantitative risk assessment can be an effective solution when the impact is quantifiable, but the likelihood is not. Under such circumstances, applying a basic scale of high, medium, and low values may not offer sufficient precision to generate helpful risk ratings. In contrast, using a more granular range of likelihood values with quantified impact can support specific recommendations for risk response.
The next stage in the cybersecurity risk assessment process is identifying the likelihood of incident scenarios. Once the risk assessor has identified all incident scenarios, including information assets, threats, vulnerabilities, and existing controls, it’s necessary to assess the likelihood and impact of cybersecurity risks. The assessment focuses on how often a threat occurs and the degree of vulnerability that can be exploited.
When defining the likelihood, consideration should be given to:
the threat’s experience to exploit a vulnerability;
motivation and capabilities of the threat;
existing vulnerabilities in the information asset.
For example, let’s assume we have an HR system that was developed in-house. It has multiple medium- and high-level vulnerabilities. To exploit those vulnerabilities, the threat should have experience with the information system and specific software code language. Also, the threat should be connected to the internal network. The organisation has perimeter security tools that do not allow outbound connections, and the HR system does not have access to the internet. Taking all this information into account, we consider the risk of external threats exploiting vulnerabilities in the HR system is low. But the risk of an insider threat exploiting vulnerabilities in the HR system is high.
Risk rating determination
The organisation should use the risk assessment results to prioritise cybersecurity risks in an order that can be used to direct risk response efforts. The risk rating is derived from all components of risk, including the characteristics and capabilities of a threat source, the severity of a vulnerability, the likelihood of attack success when considering the effectiveness of controls, and the impact to the organisation of a successful attack. When these factors are combined, they indicate the level of risk associated with a threat.
The risk rating determination can be carried out using qualitative and quantitative methods. While there are different methods to determine a risk rating, the primary source is the organisation’s cybersecurity framework. The cybersecurity risk management framework describes how to calculate the risk rating and risk acceptance criteria.
Risk evaluation is the measurement of cybersecurity risk against the risk evaluation and risk acceptance criteria. The risk assessor should consider the cybersecurity risk environment when evaluating cybersecurity risks. The cybersecurity risk environment includes:
criticality and sensitivity of the system or process being reviewed;
dependencies of the system or process being reviewed;
operational procedures, configuration, and management of the system or technology;
effectiveness of controls and monitoring of the system or business process;
how data and system components are decommissioned;
training of users and administrators.
Risk communication and feedback
Communication during a cybersecurity risk assessment is crucial. It helps to keep involved parties up to date and increases the efficiency of the process. The risk assessor communicates the information about the risk and its assessment to parties such as the risk and control owner and key stakeholders. These individuals can provide feedback from a business perspective and influence the outcome of the risk assessment.
Also, informing security and IT personnel about the risk helps them react appropriately to related incidents.
The benefits of open communication on cybersecurity risks include:
more informed risk decisions by executive management;
greater awareness among all stakeholders of the importance and value of integrating risk management practices into their daily duties;
transparency to external stakeholders.
The consequences of poor communication on risk include:
false sense of confidence at all levels of the enterprise;
lack of direction or strategic planning to mandate risk management efforts;
the perception that the organisation is trying to hide risks from stakeholders.