Chap 8

A cyber security risk assessment identifies risks to an organization's information assets from cyber threats. It involves identifying assets, threats, vulnerabilities, existing controls, likelihood of incidents, potential impacts, and prioritizing risks. The process recommends controls and documents results to help organizations make informed security decisions. Conducting regular risk assessments helps comply with regulations, improve security, and increase customer trust.

Uploaded by nikhil

CHAP 8: RISK ASSESSMENT

WHAT IS A CYBER SECURITY RISK ASSESSMENT?
• A cyber security risk assessment is the process of identifying, analysing and evaluating risk. It helps to ensure that the cyber security controls you choose are appropriate to the risks your organisation faces.
• Without a risk assessment to inform your cyber security choices, you could waste time, effort and resources. There is little point implementing measures to defend against events that are unlikely to occur or won’t impact your organisation.
• Likewise, you might underestimate or overlook risks that could cause significant damage. This is why so many best-practice frameworks, standards and laws – including the GDPR (General Data Protection Regulation) – require risk assessments to be conducted.
EXAMPLES OF CYBER RISKS INCLUDE:

• Exfiltration of sensitive or important data
• Compromised credentials
• Phishing attacks
• Denial of service (DoS) attacks
• Supply chain attacks
• Misconfigured settings
• Hardware failures
• Natural disasters
• Human errors
HOW DO YOU CONDUCT A CYBER SECURITY RISK ASSESSMENT?
• A cyber security risk assessment identifies the information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property). It then identifies the risks that could affect those assets.
• A risk estimation and evaluation are usually performed, followed by the selection of controls to treat the identified risks.
• It is essential to continually monitor and review the risk environment to detect any changes in the context of the organisation, and to maintain an overview of the complete risk management process.
WHAT DOES A CYBER SECURITY RISK ASSESSMENT INCLUDE?

• A typical risk assessment involves identifying the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data, intellectual property, etc.), followed by identifying the various risks that could affect those assets. A risk estimation and evaluation is usually performed, followed by the selection of controls necessary to treat the identified risks. It is important to continually monitor and review the risk environment to detect any changes in the context of the organisation, and to maintain an overview of the complete risk management process.
BENEFITS OF SECURITY RISK ASSESSMENTS

• Insight into where your most valuable IT assets reside — Some data stores, machines and other IT assets are more important than others. Since what IT assets you have and their value can change over time, it’s important to repeat the risk assessment process regularly.
• Understanding of risk — By identifying and analyzing the potential threats to your business, you can focus first on the risks that have the highest potential impact and the highest probability.
• Vulnerability identification and remediation — A gap-focused IT risk assessment methodology can help you identify and close vulnerabilities that threat actors can take advantage of. Examples include unpatched software, overly permissive access policies and unencrypted data.
• Cost mitigation — Undertaking a security risk assessment not only safeguards your business from the high cost of a data breach, but it also enables prudent use of budget for security initiatives that deliver the most value.
• Regulatory compliance — Regular security risk assessments can help organizations comply with the data security requirements of mandates such as HIPAA, PCI DSS, SOX and GDPR, and thereby avoid costly fines and other penalties.
• Improved customer trust — Demonstrating a commitment to security can increase customer trust, which can lead to improved client retention.
• Informed decision making — The detailed insight provided by a cybersecurity risk assessment will facilitate better decision-making regarding security, infrastructure and personnel investments.
STEPS IN A SECURITY RISK ASSESSMENT

1. Identify and prioritize assets.
2. Identify threats.
3. Identify vulnerabilities.
4. Analyze existing controls.
5. Determine the likelihood of an incident.
6. Assess the impact a threat could have.
7. Prioritize the risks.
8. Recommend controls.
9. Document the assessment results.
STEP 1. IDENTIFY AND PRIORITIZE IT ASSETS
• IT assets include servers, printers, laptops and other devices, as well as data like client contact information, email messages and intellectual property. During this step, be sure to solicit input from all departments and business units; that approach helps ensure you get a complete understanding of the systems the organization uses and the data that it creates and collects.
• You also need to determine the importance of each cyber asset. Criteria that are commonly used include the asset’s monetary value, role in critical processes, and legal and compliance standing. You can then classify your assets into categories, such as critical, major or minor.
STEP 2. IDENTIFY THREATS

• A threat is anything that could cause harm to your organization. Examples include outside threat actors, malware, malicious acts by business users and mistakes by insufficiently trained administrators.
STEP 3. IDENTIFY VULNERABILITIES

• A vulnerability is a weakness that could enable a threat to harm your organization. Vulnerabilities can be identified using analysis, audit reports, the NIST vulnerability database, vendor data, information security test and evaluation (ST&E) procedures, penetration testing, and automated vulnerability scanning tools.
STEP 4. ANALYZE EXISTING CONTROLS

• Analyze the controls that are in place to reduce the probability that a threat will exploit a vulnerability. Examples of technical controls include encryption, intrusion detection systems, and multifactor authentication (MFA). Non-technical controls include security policies, administrative procedures, and physical or environmental protections.
• Both technical and non-technical controls can be subdivided into preventive or detective categories. Preventive controls, such as encryption and MFA, are designed to thwart attacks. Detective controls, like audit trails and intrusion detection systems, are utilized to identify threats that have either transpired or are currently unfolding.
STEP 5. DETERMINE THE LIKELIHOOD OF AN INCIDENT

• Assess the probability that each vulnerability might be exploited using factors such as the nature of the vulnerability, the capacity and intent of the threat source, and the presence and efficacy of your controls. Instead of a numeric score, many organizations use labels such as high, medium and low to denote the probability of a threat.
STEP 6. ASSESS THE IMPACT A THREAT COULD HAVE

• Assess the potential consequences of an incident in which an asset is lost or compromised. Key factors to consider include:
  • The role of the asset and any dependent processes
  • The asset’s value to the organization
  • The asset’s sensitivity
• For this step, start with a business impact analysis (BIA) or a mission impact analysis report. These documents use quantitative or qualitative measures to assess the repercussions of damage to the organization’s information assets, including impacts on their confidentiality, integrity and availability. The impact can be categorized qualitatively as high, medium or low.
STEP 7. PRIORITIZE THE RISKS
• For each threat/vulnerability pair, determine the level of risk to the IT system, based on the following:
  • The likelihood that the threat will exploit the vulnerability
  • The approximate cost of each of these occurrences
  • The adequacy of the existing or planned information system security controls for eliminating or reducing the risk
• A useful tool for estimating risk in this manner is a risk-level matrix. A high likelihood that the threat will occur is given a value of 1.0; a medium likelihood is assigned a value of 0.5; and a low likelihood of occurrence is given a rating of 0.1. Similarly, a high impact level is assigned a value of 100, a medium impact level 50 and a low impact level 10. Risk is calculated by multiplying the threat likelihood value by the impact value, and the risks are categorized as high, medium or low based on the result.
STEP 8. RECOMMEND CONTROLS

• Using the risk level as a basis, determine the actions needed to mitigate the risk. Here are some general guidelines for each level of risk:
  • High — A plan for corrective measures should be developed as soon as possible.
  • Medium — A plan for corrective measures should be developed within a reasonable time window.
  • Low — The team must decide whether to accept the risk or implement corrective actions.
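The Step 7 risk-level matrix and the Step 8 treatment guidance carried out in code, as an added example written for this page rather than taken from the slides. It uses the slides' likelihood and impact values as given; the thresholds that turn a score into a high/medium/low band are an assumption (the NIST SP 800-30 bands those values come from), and the asset register is constructed.

```python
from dataclasses import dataclass
# Likelihood and impact scales exactly as given on the Step 7 slide.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}

# Step 8 guidance from the slides, keyed by the resulting risk level.
ACTION = {
    "high": "develop a corrective-measures plan as soon as possible",
    "medium": "develop a corrective-measures plan within a reasonable time window",
    "low": "decide whether to accept the risk or implement corrective actions",
}

def risk_level(score: float) -> str:
    # Assumption: the slide gives no band boundaries; these are the
    # NIST SP 800-30 bands (above 50 high, above 10 medium, otherwise low).
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"

@dataclass(frozen=True)
class Pair:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # high / medium / low, rated in Step 5
    impact: str      # high / medium / low, rated in Step 6

def score(p: Pair) -> float:
    return LIKELIHOOD[p.likelihood] * IMPACT[p.impact]

def prioritize(pairs):
    """Return (pair, score, level, action) rows, highest risk first."""
    rows = [(p, score(p), risk_level(score(p))) for p in pairs]
    rows = [(p, s, lvl, ACTION[lvl]) for p, s, lvl in rows]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample register; the assets and findings are hypothetical.
SAMPLE = [
    Pair("customer database", "outside threat actor", "unpatched software", "high", "high"),
    Pair("finance laptop", "phishing", "no MFA on email account", "medium", "high"),
    Pair("print server", "malware", "overly permissive access policy", "medium", "low"),
    Pair("office printer", "hardware failure", "no spare unit", "low", "low"),
]

if __name__ == "__main__":
    for p, s, level, action in prioritize(SAMPLE):
        print(f"{s:6.1f} {level:6} {p.asset}: {p.threat} via {p.vulnerability} -> {action}")
```

Note the boundary case: a medium likelihood against a high-impact asset scores exactly 50, which the assumed bands classify as medium rather than high, so the band boundaries chosen in Step 7 directly decide how urgently Step 8 treats such a pair.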
STEP 9. DOCUMENT THE RESULTS

• The final step of the risk assessment process is to create a comprehensive report that aids management in making informed decisions on budget, policies, procedures and more. The report should delineate each threat, associated vulnerabilities, at-risk assets, potential impact on your IT infrastructure, probability of occurrence, and recommended control measures and cost. Often, a risk assessment report will identify key remediation steps that can mitigate multiple risks.
ISO 27001 AND CYBER RISKS
• The international standard ISO/IEC 27001:2013 (ISO 27001) provides the specifications for a best-practice ISMS (information security management system) – a risk-based approach to information security risk management that addresses people, processes and technology.

• Clause 6.1.2 of the Standard sets out the requirements of the information security risk assessment process. Organisations must:
  • Establish and maintain specific information security risk criteria;
  • Ensure that repeated risk assessments “produce consistent, valid and comparable results”;
  • Identify “risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system” and identify the owners of those risks; and
  • Analyse and evaluate information security risks, according to the criteria established earlier.

• It is essential that organisations “retain documented information about the information security risk assessment process” so that they can demonstrate that they comply with these requirements.

• They will also need to follow several steps – and create relevant documentation – as part of the information security risk treatment process.
IT GOVERNANCE CYBER RISK ASSESSMENT SERVICE
• Identifying the assets that require protection.
• Identifying relevant threats and weaknesses.
• Identifying exploitable vulnerabilities.
• Assessing the level of threat posed by threat agents.
• Determining the business impacts of risks being realised.
• Producing a security risk assessment.
• Advising on a risk acceptance threshold or level of acceptance.
• Advising on suitable control implementation.
WHO IS THE CYBER RISK ASSESSMENT SERVICE FOR?

• A risk assessment consultancy can be performed on organisations of any size – small, medium-sized and large enterprises – where the IT infrastructure includes a combination of complex legacy systems and newer operating systems whose interoperability is not always seamless.
• It is particularly useful to public-sector organisations that provide multiple services across different channels to diverse groups of users – the interchange of personal data across different platforms requires greater vigilance and methods of protection.