Cybersecurity Risk Assessment is critical because cyber risks are part and parcel of any technology-oriented business. Factors such as lax cybersecurity policies and technological solutions that have vulnerabilities expose an organization to security risks.
Failing to manage such risks provides cybercriminals with opportunities for launching massive cyberattacks. But fortunately a cybersecurity risk assessment allows a business to detect existing risks. A cybersecurity risk assessment also facilitates risk analysis and evaluation to identify vulnerabilities with higher damage potential. As a result, a business can identify suitable controls for addressing the risks.
A cybersecurity risk assessment has the following importance:
- Reduced long-term costs: Cybersecurity risk assessments enable an organization to detect and analyze existing risks. This way, it can adopt effective solutions to mitigate them. Mitigating risks prevent cyber-attacks and the resulting damages and financial implications.
- An organization achieves an improved self-awareness: Risk assessments identify weaknesses within an organization’s cyber defense. It also identifies vulnerable systems and ineffective cybersecurity policies. By doing so, a business can plan for areas requiring additional investments. It can further use the results of the assessments to create stronger cybersecurity programs leading to an improved security posture
- Enhanced visibility and communication: A cybersecurity risk assessment requires the input of all departments. Therefore it fosters communication between all departments and the IS department. Subsequently, IT staff realizes increased visibility of the available IT assets, data, and endpoint devices. The importance of such visibility cannot be underscored as it leads to closer monitoring and better risk management efforts
- Prevents cybersecurity incidences and data breaches: Identifying security risks before cybercriminals can exploit them prevents breaches. Risk assessment entails identifying risks with more severe impacts. This will pave the way for the implementation of adequate security controls.
- Legal requirements: Many regulations and international standards require businesses to carry out frequent risk assessments. This makes sure that they observe effective risk management programs to safeguard customer and employee data. Cybersecurity risk assessments allow organizations to meet their regulatory obligations.
Cybersecurity risk assessments have many other benefits, all aimed at bolstering organizational security. Cybersecurity risk assessments are critical for any company to harden its cybersecurity. Most importantly, they are the method for a company to identify the most suitable security controls needed to achieve an optimum cybersecurity approach.
Who is responsible for performing cybersecurity risk assessments?
This is the question every business must answer in order to conduct an effective cybersecurity risk assessment exercise. Normally, companies delegate the responsibility to in-house IT staff. In this scenario, the staff must possess adequate knowledge regarding the company’s operations. The staff must also have a deep understanding of the underlying IT infrastructure and network topologies.
That aside, a risk assessment team should include high-level executives with a clear understanding of the information flows within the organization. The executives must understand proprietary company data. This data affects the processes for conducting risk assessments. Including top executives and departmental heads in risk assessments increases visibility. High visibility is a critical element of effective cybersecurity risk assessments.
Alternatively, a business may lack the requisite in-house personnel required to do a risk assessment. These companies may outsources risk assessments to third-party companies. This often applies to small and medium-sized businesses. Outsourcing risk assessments should follow due process as it provides outsiders access to internal security controls, customer and employee data, and all IT infrastructures. There are plenty of individual consultants and companies capable of performing risk assessments competently. A business should consider the following guidelines before outsourcing:
- Seek recommendations: Recommendations from others can be a valuable way to find the best third-parties to outsource to. Alternatively, a company can obtain good referrals from organizations such as Better Business Bureau and Chamber of Commerce.
- Vet the selected assessor: Recommendations are not enough. A business must take the necessary steps to determine the assessor’s effectiveness. Among other ways, an organization can vet the assessor through past feedback and reviews from past clients.
- Always ask for a quoted price: Risk assessments cost consists of the critical factors that influence the decision of a risk assessor. Although quoted prices may fluctuate due to an organization’s scope and size, a quoted price provides a rough estimate of the assessment costs.
The process of a practical cybersecurity risk assessment
Now that we understand the importance of cybersecurity risk assessment and the people responsible for performing them, it is important to understand the process itself. Before commencing on a cybersecurity risk assessment, an organization should first audit the IT infrastructure and data it is securing. A data audit, for example, identifies the data a business handles and its value. The following questions can guide a data audit:
- What type of data does the business collect?
- The organization uses which options to store the data?
- What processes does the company use to secure the data and document it?
- What is the validity of the data?
Once the data audit and IT assets audit are complete, a business must define the parameters that will guide the risk assessments. The following guidelines can assist in defining appropriate parameters:
- Purpose of the risk assessment
- The scope of the cybersecurity risk assessment
- Particular constraints or priorities that can impact the risk assessment process
- The individuals responsible for providing the information needed to perform the risk assessment
- The risk model a business should use to assess risks
The parameters ensure that a cybersecurity risk assessment meets all the objectives. More importantly, they guide the process to ascertain the assessment of all critical assets. These can include information systems and data storage facilities.
The process cannot be complete without performing the risk assessment itself. National Institute of Standards and Technology (NIST) recommends a risk assessment model consisting of six main steps. They are as indicated below.
- Determine the sources of security threats
- Identify the risk events
- Identify the existing vulnerabilities and the conditions under which cybercriminals can exploit them
- Determine the likelihood that cyberattacks will occur and their success rates
- Determine the potential impacts
- Identify the risks posed
Determine the sources of security threats
There are two main sources of security threats to an organization’s data and IT assets. The threats can be caused by adversaries, or they can be as a result of non-adversarial causes such as security negligence or weak cybersecurity programs. Either way, they provide malicious cybercriminals with avenues for exploiting them. Examples of adversarial threats are:
- Organizations: suppliers, competitors executing corporate espionage, partners, etc.
- State-sponsored attacks
- Individuals: including insiders and third parties with access to internal controls
- Groups: such as established hacker groups
All the identified threats must then be assessed. After all, that is why we conduct risk assessments. For adversarial threats, the assessments should cover the intentions and capabilities of potential cyber attackers, including their potential targets. Each threat should be assigned a quantitative value such as very high, high, medium, etc. to be used during risk calculation.
Identify the risk events
Risk or threat events comprise of the actual attacks an attacker can execute against the organization. The threat sources with a potential of perpetrating cyber-attacks on the organization characterize the risk events. The description of each event must apply to the company’s cybersecurity posture. Otherwise, the wrong risk event description may cause poor risk assessments due to misinformation. The following table illustrates two examples of risk events and their descriptions, as recommended in NIST risk management publications.
|Conduct network scanning||Cybercriminals may use software programs for scanning a company’s network perimeters. This is to obtain a better understanding of the underlying IT infrastructure to successfully execute attacks|
|Phishing and social engineering tactics||Cyber adversary’s counterfeits information from trustworthy sources to dupe victims into divulging sensitive information. Such could include passwords and usernames. Perpetrated through all communication channels, including phone calls, instant messaging, emails, etc.|
Identify the existing vulnerabilities and the conditions under which cybercriminals can exploit them
The previous two steps are hypothetical, and they include a list of all potential security occurrences. In this step, the risk assessment processes measure the threats against the organization’s actual IT infrastructure and security implementations. This determines the severity levels of a particular vulnerability. Vulnerability severity refers to the process of assessing it in relation to the importance level of mitigating it. As such, the assessor must determine the vulnerabilities that coincide with the identified threats and at the same time, consider the available security controls for mitigating the event.
Determine the likelihood that cyberattacks will occur and their success rates
Now, since the threats and risks applicable to the organization’s cybersecurity posture are known, the risk assessor must determine the likelihood of subsequent cyberattacks occurring. This stage not only measures the likelihood, but it also determines the potential success rate should they occur. A risk assessment employs factors such as the attackers’ capabilities, their intentions, and their past targets. Normally, a company assesses risk likelihood through considering a set of vulnerabilities and the influencing conditions. For instance, for non-adversarial risk events, a business can consider the anticipated duration and severity as described in the event. The likelihoods are assigned qualitative values. Factor influencing the methods assessors use to determine likelihood include:
- The company’s attitude towards the risks
- Uncertainty tolerance in regards to specific risk factors
- The company’s weighting of its risk factors
Determine the potential impacts
Factors that influence the risk impacts are the location where a risk event occurs and whether a business manages to contain the event from spreading. Impact assessment involves determining potential targets or assets of the threat sources. These should include information resources that can be impacted by the threat sources and consists of applications, data repositories, and information systems. The impacts assessments should cover different categories like digital and physical assets to ensure a holistic cybersecurity risk assessment.
Identify the risks posed
To identify the cybersecurity risks to the organization, an assessor must obtain the confluence of the event’s likelihood occurrence and potential impacts. The likelihood values and potential impacts are factored against each other, and the results reflect the organizational risks.
Risk management framework
Since a cybersecurity risk assessment identifies existing risks, what then? How should an organization manage them to ensure it is secure from cyber-attacks? This calls for the adoption of a risk management framework.
A risk management framework (RMF) provides a series of steps for managing risks to organizational IT systems. According to the NIST SP 800-37 publication, a risk management framework should have six steps.
1. Categorize the information systems
An organization should assign new IT systems with security roles based on the business objectives and mission. The organization’s risk management strategy should guide the creation of the security role.
2. Identify security controls
A business must identify and select suitable security controls to mitigate cybersecurity risks. The organization’s leadership should approve the controls. Other controls specific to a particular system or risk can be used to supplement existing ones. The minimum IT assurance requirements as indicated during the risk assessment exercise, determines the controls to be used.
3. Implementing the security controls
This step involves enacting the controls identified in the previous step. Once a business completes this stage, it should demonstrate that it has implemented the minimum requirements needed for mitigating the identified risks. It should also demonstrate a clear understanding of using the controls to enhance security.
4. Assess the controls
An unbiased assessor must assess the controls to determine their effectiveness in mitigating risks and providing long-term security. An organization can be called upon to improve on weak controls.
The organization must authorize the controls to be incorporated as part of its cybersecurity strategy. The authorization package should include risk assessment results and the use of the implemented controls to mitigate them.
A business should continuously monitor the security controls so that they are updated whenever there are new technological changes.