Risk assessment 101

Hi there! If you are reading this article, then you already have some knowledge of cybersecurity management. Chances are, you're also aware that cybersecurity itself is not a goal but a process, aimed at achieving the Company's business goals and decreasing potential impact. But have you considered security risk assessment as the best way to prove the necessity of cybersecurity-related expenses to Company management?

Let’s introduce the term: according to ISO 31000, risk is the effect of uncertainty on objectives, whether positive or negative.

Cybersecurity risk is determined by the degree of possibility that threats will be realized via the exploitation of vulnerabilities, thus delivering impact to the Company. A sufficient task list for identifying cybersecurity risks therefore includes identifying threats, vulnerabilities and potential impact. We'll cover the nuances and the challenges of each of these tasks in the forthcoming articles.

In general, cybersecurity risk assessment comprises several important steps:

    1. Context establishment: identifying cybersecurity risk domains, external and internal factors
    2. Risk assessment, including: cybersecurity risk identification, cybersecurity risk analysis, comparative cybersecurity risk evaluation, residual cybersecurity risk assessment (if necessary)
    3. Cybersecurity risk mitigation (avoidance, reduction, sharing, retention)
    4. Cybersecurity risk monitoring and evaluation
    5. Documentation and reporting.

To make things easier let's consider a simplified real-life case which is not associated with cybersecurity directly, but definitely helps grasp the concept of the risk management process.

Meet Jack. Jack lives in Singapore, works as a project manager for a large IT company and he's at the office every working day.

Okay, that's the context being established.

One thing Jack knows about himself is that his immune system is somewhat weakened.

This definitely looks like a vulnerability.

And the highest risk for him is getting sick.

There! Risk identification complete!

One of the threats capable of impacting Jack's health enough to make him ill is getting soaked in the rain. So one day he goes to work wearing regular clothes and forgets his raincoat. That raincoat was, in fact, Jack's protection measure, though somewhat insufficient to protect him from the rain completely. After a brisk five-minute walk a thought crosses Jack's mind: "Hey, it's Singapore! Expect rain anytime!"

Just like that, Jack has assessed the threat that can increase the risk of him getting sick as high.

Suppose his next thought is: “If I get sick, I will fail to close that certain project before the deadline and I'll get fired”.

The risk has been associated with an impact and has been fully evaluated.

So now Jack is considering whether to continue on his way to the office or return home and get an umbrella or that raincoat.

This is what comparative security risk evaluation is: deciding to either do nothing (and accept the risk) or consider other risk mitigation options.

However, we're not done just yet. Let’s assume that Jack has opted to return home for the umbrella. He has dealt with the risk of getting sick, but there is a residual risk – he might be running late for work. Luckily for Jack, nobody would have paid any attention to the fact that he has arrived a few minutes later (Thank you, flexible working hours, you're awesome), so he accepts the residual risk like a boss and goes on to get his protective measures.

Jack has assessed and treated the risk and accepted residual risk. But let's not forget risk monitoring and evaluation. Tomorrow he might be flying to Oslo on a business trip and his risk of getting sick will depend on an entirely different set of factors.
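The five steps above, and Jack's walk through them, can be written down as a small risk register. The following Python is an added illustration, not code from the article or from UDV: the 1 to 5 likelihood and impact scales, the risk appetite threshold of 6, and the figures for how much the umbrella cuts the likelihood are all assumptions chosen for the example, not values taken from ISO 27005 or any of the methods compared below.

```python
"""Risk assessment loop from the article, worked on Jack's case.
Added example, not the article's own code. The 1-5 likelihood and impact
scales, the appetite threshold of 6 and the control effectiveness figures
are assumptions for illustration only."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Treatment(Enum):
    AVOID = "avoid"      # stop the activity that carries the risk
    REDUCE = "reduce"    # add a control that lowers likelihood or impact
    SHARE = "share"      # transfer part of it (insurance, a supplier)
    RETAIN = "retain"    # accept it knowingly


RISK_APPETITE = 6  # assumed: a likelihood x impact score above this must be treated


def level(value: int) -> int:
    """Validate a qualitative level on the assumed 1 (lowest) .. 5 (highest) scale."""
    if not 1 <= value <= 5:
        raise ValueError(f"level {value} outside the 1..5 scale")
    return value


@dataclass
class Risk:
    name: str
    vulnerability: str   # weakness that a threat can exploit
    threat: str          # event that exploits the vulnerability
    impact_desc: str     # what the company (or Jack) loses
    likelihood: int
    impact: int
    controls: List[Tuple[str, int]] = field(default_factory=list)  # (name, likelihood cut)

    def __post_init__(self) -> None:
        self.likelihood = level(self.likelihood)
        self.impact = level(self.impact)

    def inherent_score(self) -> int:
        """Risk analysis: score before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Residual risk: likelihood after each control's reduction, never below 1."""
        remaining = self.likelihood
        for _, cut in self.controls:
            remaining = max(1, remaining - cut)
        return remaining * self.impact


def evaluate(score: int) -> Treatment:
    """Comparative evaluation: retain within appetite, otherwise treat.
    REDUCE is returned because that is what Jack does; avoid and share are the
    other treatment options the article lists."""
    return Treatment.RETAIN if score <= RISK_APPETITE else Treatment.REDUCE


def reduce(risk: Risk, control: str, likelihood_cut: int) -> int:
    """Risk mitigation by reduction: record a control and return the residual score."""
    risk.controls.append((control, likelihood_cut))
    return risk.residual_score()


def run_jack_case() -> dict:
    # 1. Context: daily commute to a Singapore office; rain almost certain (assumed 5).
    # 2. Identification: vulnerability, threat and impact in one register entry.
    sick = Risk("Getting sick", "weakened immune system", "getting soaked in the rain",
                "miss the project deadline and get fired", likelihood=5, impact=4)
    inherent = sick.inherent_score()           # risk analysis
    decision = evaluate(inherent)              # comparative evaluation
    residual = inherent
    if decision is Treatment.REDUCE:
        # 3. Mitigation: go back for the umbrella (assumed to cut likelihood by 4)
        residual = reduce(sick, "umbrella", 4)
    # Treating one risk created another: being late. Scored low, so retained.
    late = Risk("Running late", "no time buffer", "detour home for the umbrella",
                "arrive a few minutes late", likelihood=3, impact=1)
    late_decision = evaluate(late.inherent_score())
    # 4. Monitoring: tomorrow's Oslo trip changes the context, so re-score the
    #    same risk (assumed: rain less likely there, 2; the umbrella still applies).
    oslo = Risk(sick.name, sick.vulnerability, sick.threat, sick.impact_desc,
                likelihood=2, impact=sick.impact, controls=list(sick.controls))
    # 5. Reporting: the figures management would see.
    return {
        "inherent": inherent,
        "treatment": decision.value,
        "residual": residual,
        "residual_within_appetite": evaluate(residual) is Treatment.RETAIN,
        "secondary_risk": late.inherent_score(),
        "secondary_treatment": late_decision.value,
        "oslo_inherent": oslo.inherent_score(),
        "oslo_residual": oslo.residual_score(),
    }


if __name__ == "__main__":
    for key, value in run_jack_case().items():
        print(f"{key:>25}: {value}")
```

The point of the register is step 5: the inherent score, the chosen treatment and the residual score are the rationale a manager sees when asked to pay for the umbrella. The Oslo re-scoring shows why step 4 is a loop rather than a one-off: the same entry gets a different likelihood once the context changes, and the question of whether the existing control is still worth carrying is asked again.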

So why is risk assessment important? The assessment provides company management with a rationale to facilitate making informed decisions on security risk mitigation procedures and the associated expenses.

Naturally cybersecurity risk assessment is quite a bit more complex than deciding whether one would need an umbrella. Here are a few of the numerous different risk assessment approaches available today.

| Criteria | ISO 27005 | FRAP | OCTAVE | FAIR |
|---|---|---|---|---|
| Company business nature (application sphere) | Applicable to companies of any size and industry | Applicable to companies of any size and industry | Applicable to companies of any size and industry | Applicable to companies of any size and industry |
| Application complexity | Requires significant expenses and highly qualified personnel | Requires moderate expenses, but the security personnel should be highly qualified | Requires moderate expenses but highly qualified personnel, because risk assessment is performed by the company without engaging third parties | Requires significant expenses and highly qualified personnel |
| Security risk assessment scales | Examples are available | Examples are available | Examples are available | Examples are available |
| Security risk mitigation methodology | Methodology examples are available | No risk mitigation methodology | No risk mitigation methodology | Methodology examples are available |
| Relation with adjacent methodologies (IT, general risks, economic risks etc.) | Is part of the ISO risk management standard series | No direct relation to adjacent methodologies, requires adaptation | OCTAVE comprises several risk assessment methodologies, for different company sizes and risk assessment goals | No direct relation to adjacent methodologies, requires adaptation |
| Commercial usage | Can be used for internal risk assessment after purchase | Can be used for internal risk assessment | Can be used for internal risk assessment | Publicly available, commercial usage is limited |

We're planning on publishing a few more articles to support you in choosing the most suitable approach for your company, so stay tuned.

And definitely get in touch with us if there are questions left unanswered. Do not hesitate to contact our experts if none of the described methods look relevant for your company or you're looking for help with assessing your security risks. And of course, our services remain available.

P.S. The table above includes methods that have limits on commercial usage (OCTAVE and FAIR). Provided the methods' authors give their consent, we'll cover them in detail later. However, in case of a negative answer, we will focus on other methods besides OCTAVE and FAIR. You can leave your suggestions regarding further cybersecurity risk assessment method reviews in the comments or e-mail them to info@udvtech.com.

Stay safe and secure!

© 2024 UDV MENA INFORMATION TECHNOLOGY SERVICES CO. L.L.C. All rights reserved.
