Cybersecurity Risk Management is often seen as a daunting task by many startups and SMEs. Viewed from a business practice standpoint, it is a way to prepare for the unknown and make your business more resilient.
In fact, Cybersecurity Risk Management actions are easy to split into basic tasks, each of which relates to a specific aspect of IT and Cybersecurity.
Risk management is at the core of the decision-making processes when it comes to determining cybersecurity protections for an IT infrastructure.
Risk and Risk Management
On the one hand, in simple terms, a risk is the possibility of something happening for better or for worse. Although this term was “only” coined several hundred years ago, the very nature of risks has been known to humankind since time immemorial. A risk involves uncertainty. It is generally considered a potential jeopardy, threat, loss, injury, damage or other unforeseen, adversarial, or undesirable circumstance. However, a risk may also entail significant rewards or major benefits.
On the other hand, in more complex terms, the concept of risk management encompasses the “identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities” [1].
For the purposes of managing the activities of a company, NIST Special Publication 800-39, entitled Managing Information Security Risk, divides the concept of risk into three distinct, interdependent levels: Tier 1: Organization View, Tier 2: Mission and Business Process View, and Tier 3: Information Systems View. We will focus on Tier 3 risks.
In a simplified view of cybersecurity, a risk refers to the probability that an IT vulnerability will be exploited by a threat agent, thereby harming an organization’s administrative processes or information systems. In other words, a cybersecurity risk is the likelihood that a cybersecurity incident could occur and the potential consequences it could have on the day-to-day management of an organization.
Why Manage Cybersecurity Risks?
The ultimate reason for undertaking Cybersecurity Risk Management is to ensure the resilience of your business. However, Cybersecurity Risk Management does much more than build the resiliency of a company’s activities. Firstly, it provides the organization with an understanding of its vulnerabilities and insight into the optimal investment needed to reduce cyber risk to a level the organization finds acceptable. Instead of hastily buying the latest cybersecurity tool, the organization can use Cybersecurity Risk Management to make an informed decision on the type of tools needed and the purchasing costs that will provide a return on its investment. Secondly, instead of only coping with or merely reacting to adversarial circumstances after the fact, with the inevitable delays, potential confusion and, most importantly, partial or total loss of capabilities, Cybersecurity Risk Management enables a company to hope for the best while proactively preparing for the worst.
Before going through the steps required in the management of risks, it is important to take a step back and understand which constituents of the company need to be safeguarded. What are the organization’s informational assets? What is the value of those assets? What would be the impact if one of those assets were compromised?
Managing cyber risks involves several essential anticipatory actions that, once combined, form a straightforward and effective Cybersecurity Risk Management process:
1) Cyber Risks Recognition
This is usually done by detecting cyber risk scenarios, for example, the possibility of someone clicking on an infected link within an email.
2) Cyber Risks Assessment
This is achieved by evaluating the probability and impact of cyber risk occurrences that could affect a company, its staff, customers, IT systems, etc. How likely is the organization to be confronted with the above-mentioned scenario? What would be the consequences for the organization? Organizations often use a scale of low, medium, and high to rate these variables.
3) Cyber Risks Action Plan Determination
If the cyber risk exceeds the cyber risk appetite, the organization needs to determine an action plan to mitigate the identified cyber risk. In the above infected email scenario, the action plan could include the training of employees and the installation of an email screening system.
4) Cyber Risks Scenario Review
This is performed by reassessing each cyber risk scenario and adding new ones in order to keep the company’s cyber risk register up to date. Why? Because some cyber risks might disappear or become negligible, and new risks might be identified.
Starting with simple, individual scenarios that happen once or in isolation, the above-mentioned preventive operation can gradually be made more complex to incorporate, for instance, multiple recurrences of a single cyber risk event. Such a preventive operation usually leads all business lines of an organization to investigate “what if this happened” across their various processes and assets.
Cyber risk scenarios generally comprise a direct impact, which can be material or immaterial, and they often incur indirect impacts as well.
Beyond the obvious benefit of ensuring resiliency, an organization will benefit from, and can be forced into, performing such Cyber Risk Management operations, by external parties like customers and/or insurance companies. Every now and then, an organization would also be required to conduct such operations when improving their cybersecurity maturity through the adoption of compliance frameworks such as ISO, SOC2, NIST, etc.
Cybersecurity Risk Management and Various Controls Frameworks
Congratulations, your organization has now embraced Cybersecurity Risk Management operations, and it is keeping an up-to-date Cyber Risk Register, with a set of clear cyber risk scenarios, each associated with its mitigation/remediation plan. Using the same example as previously described, a proper mitigation plan for the infected link could be simplified down to two main anticipatory actions.
The IT team will want to install a modern antivirus/endpoint protection solution on all workstations operated by collaborators within your organization, and also limit the administrative capabilities of local users on all such workstations, in order to minimize cyber risks like undesired deactivation of antivirus/protection solution and other operating systems security safeguards.
Your organization will likely establish at least two specific controls to govern such activities in a standardized manner, one for the antivirus, and the other one for the removal of administrative access for standard users.
As you may already know, controls can be classified into three groups: preventative, detective, corrective, and can be of three types – physical, technical, and administrative.
Implementation and effectiveness of those controls will be the core focus of most cyber risk treatment plans in order to reduce their associated cyber risk likelihood/impact. Residual cyber risks can be further mitigated with other controls, not necessarily dedicated to that particular cyber risk scenario. An example would be to have a set of controls governing how often and which training is provided to the workforce with regards to Information Security & Awareness, getting staff to read and agree to a set of policies implemented within your organization, etc.
All those controls are generally standardized and included in all Information Security Frameworks.
Cyber Risk Appetite: Level of cyber risk that an organization is willing to take while pursuing its business objectives, before having to act on a given cyber risk scenario and address the related cyber risk.
Cyber Risk Scenario: Description of a specific cyber risk, usually affecting a particular asset (or group of assets).
Cyber Risk Rating: Cyber risk scenarios are ranked on both their probability and impact, the overall rating being a combination of both.
For example, if using numeric values, likelihood could be defined on a scale from 1 to 5, with 1 being the lowest (maybe once every 5 years) and 5 being the highest (maybe once a month).
The impact could be defined on a scale from 1 to 5, with 1 being the lowest (no disruption/material/financial impact) and 5 being a major disruption of the entire business, with a significant financial impact threatening the organization’s future.
An example of a cyber risk rating formula could be:
Likelihood x (Impact * 10), such that a [Likelihood 1 – Impact 3] cyber risk is rated 30, but a [Likelihood 3 – Impact 1] cyber risk is only rated 3.
The overall cyber risk rating of all cyber risk scenarios will be used to prioritize cyber risk treatment plans.
Cyber Risk Acceptance: The organization decides to accept the cyber risk as it is and does not implement any mitigating measures.
Cyber Risk Avoidance: The organization takes steps to avoid or prevent a particular cyber risk from happening.
Cyber Risk Reduction or Mitigation: The organization defines and implements a cyber risk treatment plan meant to reduce a specific risk to acceptable levels (the remaining cyber risk factor will be again assessed and can be accepted/transferred/mitigated).
Cyber Risk Transference: The organization decides to shift the cyber risk to another entity, such as, for example, an insurance company.
Single Loss Expectancy: This is the monetary value loss expected from the occurrence of a cyber risk against an asset.
Cyber Threat: A Cyber Threat is the potential to exploit an Information Technology vulnerability within an organization. This can include various types of malicious actors, such as hackers, malware, insider threats, and more.
Cyber Vulnerability: A Cyber Vulnerability is a cyber weakness or cyber flaw inside an IT system, application, or process that could be exploited by a cyber threat to compromise the confidentiality, integrity, or availability of data or resources.
Cyber Impact: Cyber Impact refers to the potential negative outcomes that can occur if a cyber threat successfully exploits a cyber vulnerability. Cyber impacts can include data breaches, financial loss, operational disruption, reputational damage, legal and regulatory consequences, and more.
Cyber Risk Management Relationship to Various Frameworks
All major standardization organizations have defined a Cyber Risk Management Framework aligned with their standardized framework for defending the security of information technologies. Of these standards, we concisely describe the following three:
The International Organization for Standardization publishes the ISO/IEC 27005:2011 Information Security Risk Management Standard, which fulfills the requirement of the ISO 27001 Framework concerning the actions to address cybersecurity risks. It covers the Information Security Risks Management operations, such as Information Security Risks Assessment and Treatment.
NIST SP 800-39
The National Institute for Science and Technology – Special Publication 800-39 produced by the U.S. Department of Commerce describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. It provides a structured and flexible process for managing cybersecurity and privacy cyber risk (including information cybersecurity categorization; control selection, implementation, and assessment; IT systems and common control authorizations; and continuous monitoring).
While AICPA SOC2 itself does not describe any specific cyber risk management “standard,” it requires the service organization to undergo regular cyber risk assessment activities and maintain a cyber risk register. Each identified cyber risk must be rated (likelihood/probability of occurrence and impact), each management decision (accept, avoid, reduce/mitigate, or transfer) must be acknowledged, and a cyber risk treatment plan must be defined, implemented, and tracked.
Cybersecurity Risk Management helps companies become more resilient and prepared for antagonistic events, specifically in the IT realm. While it is an integral part of many Information Cybersecurity Frameworks, organizations should not wait until they are preparing for an audit or certification; they should start as early as possible with a simple spreadsheet containing a list of defined cyber risks vs. assets, likelihood/impact scores, the decision taken by the company on how to address each scenario, and who is assigned the responsibility of managing such cyber risks.
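The spreadsheet described above can be checked mechanically. The following is an added example, not part of the original article: a small risk register that applies the article's example rating formula, compares each rating to a risk appetite, and reports entries that still lack a decision, treatment plan or owner. The field names, the appetite value of 60 and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass

DECISIONS = {"accept", "avoid", "reduce", "transfer"}  # the four decisions named in the article
@dataclass
class Risk:
    scenario: str
    asset: str
    likelihood: int      # 1 (about once every 5 years) .. 5 (about once a month)
    impact: int          # 1 (no disruption) .. 5 (threatens the organization's future)
    decision: str = ""   # one of DECISIONS; empty until management decides
    owner: str = ""
    plan: str = ""       # treatment plan, expected when the decision is "reduce"

    def rating(self) -> int:
        # Article's example formula; it equals 10 x Likelihood x Impact, so it is symmetric.
        return self.likelihood * (self.impact * 10)

def findings(risk, appetite):
    """Return the gaps that keep one register entry from being complete."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        return ["likelihood/impact outside the 1-5 scale"]
    if risk.rating() <= appetite:
        return []        # within appetite: no action required
    out = []
    if risk.decision not in DECISIONS:
        out.append("exceeds appetite but has no management decision")
    if risk.decision == "reduce" and not risk.plan:
        out.append("decision is reduce but no treatment plan is recorded")
    if not risk.owner:
        out.append("no owner assigned")
    return out

def review(register, appetite):
    """Rank entries by rating (ties broken by impact, an assumption) and attach findings."""
    ranked = sorted(register, key=lambda r: (r.rating(), r.impact), reverse=True)
    return [(r.rating(), r.scenario, findings(r, appetite)) for r in ranked]

# Constructed sample register; scenarios, owners and plans are illustrative only.
REGISTER = [
    Risk("Employee clicks infected link in email", "Workstations", 4, 3,
         "reduce", "IT lead", "Awareness training + email screening"),
    Risk("Local admin disables antivirus", "Workstations", 2, 4, "reduce", "IT lead"),
    Risk("Laptop stolen from office", "Laptops", 1, 3),
    Risk("Ransomware encrypts file server", "File server", 2, 5, "", "CTO"),
]

if __name__ == "__main__":
    for rating, scenario, gaps in review(REGISTER, appetite=60):
        print(f"{rating:>4}  {scenario}: {'; '.join(gaps) or 'ok'}")
```

Rerunning the review after each reassessment supports the scenario review step: entries whose rating drops below the appetite stop producing findings, and newly added scenarios are ranked alongside the existing ones.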