At the end of the day, cybersecurity is all about finding and dealing with risk. Many organizations are hesitant to spend on cybersecurity because there is no immediate visible return from it. However, there is a way to see the major benefits of a good cybersecurity program, and that is in the form of continuous risk assessment. A risk assessment identifies risks in your organization’s cybersecurity, assesses the impact they may have if exploited, and outlines the strategies for addressing and hopefully eliminating them. Conducting a risk assessment is an integral part of any organization’s cybersecurity program, and many find it to be one of the more complex elements of such a program. However, by following this guide, you should be able to get a good grasp on the ins and outs of cybersecurity risk assessment and management.

There are a few crucial terms that need to be defined to properly conduct a risk assessment.

A threat is a potential danger that could affect your organization. This could be a new ransomware campaign, an employee with nefarious intentions, or a natural disaster forming near your facilities.

A vulnerability is a weakness in your organization’s assets that the threat could take advantage of. If you have computers still running Windows 7 connected to the internet, then that is a vulnerability.

A risk is the likelihood that a threat will exploit a vulnerability, resulting in an impact on your organization.

Risk can be difficult to quantify, which is why risk assessment/management is such an in-depth field that could warrant a framework of its own. But generally, the following equation is used to calculate risk:

Risk = Probability * Impact

By reading the previous information, you can probably think of a few major risks to your organization off the top of your head. Even if you think that your organization is risk-free, it almost certainly is not, which is why a risk assessment is needed. To begin conducting your own cybersecurity risk assessment, follow these steps:


Determine Scope: Risk assessments can and will be conducted at various times and in various places. A risk assessment can be conducted on everything from the entire organization to a single process or system. This documentation assumes that you will be conducting a full, first-time risk assessment on your organization’s entire technology surface. However, you can and should conduct more continuous and in-depth risk assessments on different aspects of your organization moving forward. A standard rule of thumb for a great cybersecurity program is to conduct a risk assessment after a cyber incident occurs and after a new system or process has been implemented. Besides defining the physical and logical scope of your assessment, you should prepare all employees and stakeholders by clearly communicating with them and establishing channels for keeping them informed throughout the assessment.


Identify & Prioritize Assets: In previous documentation for this framework, I have outlined steps for conducting hardware and software asset inventories, logical and physical network and site maps, data classifications, and third-party access audits. All of those documents feed into this step of the risk assessment process. Before you can understand risks, you need to have a holistic view of your digital assets. This step of the process comprises all of those audits and inventories. If you haven’t already done them, now is the time. Once you have conducted all of the audits/inventories, gather them into a centralized location and prioritize your assets according to their value. The total value of an asset considers both its financial value and its necessity for proper business operations. By determining and prioritizing assets according to their value, you have prepared yourself for actually identifying and quantifying risks to your organization.


Identify Threats & Vulnerabilities: After identifying your assets, you can begin identifying threats and vulnerabilities. It is unlikely that you will identify all of them on the first try, which is why threat and vulnerability identification is a continuous process. Do your best to take into consideration all of the major threats and vulnerabilities that may impact your organization. To be as accurate as possible, research recent cybersecurity news, especially news involving your industry, to find the most prevalent emerging cyber threats. You can also use the most recent vulnerability scan of your network infrastructure to further narrow down the threats most relevant to your organization specifically. But beyond just old-fashioned hacking and malware infections, you also have to account for internal threats such as system failures and human threats, both accidental and malicious. Also assess your area's proximity to major natural disasters that could physically harm or destroy your assets. Don’t worry about how messy your list looks. What is important is that you study your assets closely and list all the associated vulnerabilities and threats you can find.


Assess & Analyze Risk: Once you have uncovered as many different vulnerabilities and threats as you can, you are ready to begin quantifying risks. In stage 2 you were instructed to rank your digital assets according to their value. In your threat and vulnerability research, you undoubtedly gained an idea of how likely it is for each vulnerability to be exploited by a threat. This step of the risk assessment is where you combine this intelligence with the ranked value of your assets to prioritize risks for remediation. This stage may be difficult for some to tackle. Luckily, there are tools that can help at this stage.


Calculate Probability & Impact of Risks: The previous step spills right into this one, and you can easily accomplish both of them as one master task. After you have documented discovered risks and begun analyzing them, you can start digging for more in-depth information to help with prioritization. The most important factors to consider here are the probability that each risk will occur and the associated impact it would cause your organization. This will entail analyzing an array of quantitative and qualitative data regarding factors such as possible monetary losses, recovery costs, reputational damage, fines, etc. It is easy to get overwhelmed trying to define these values, which is why, as mentioned, tools exist to help you out.

Probably the most common tool used in this process is the risk matrix, a visual chart that denotes likelihood on one axis and impact on the other. As you uncover risks, you place them on the chart according to their likelihood rank and impact rank, and use the resulting intersection for prioritization.

The Likelihood axis typically looks like this:

1: Highly Unlikely

2: Unlikely

3: Possible

4: Likely

5: Highly Likely

The Impact axis will then look like this:

1: Negligible

2: Minor

3: Moderate

4: Significant

5: Severe

This will produce a risk matrix looking something like this:

You should now have an idea of how to plot uncovered risks. In addition to the risk matrix, it is advised to create a risk register, which is a spreadsheet that serves as an organized list of all identified risks, along with information about each risk's priority, the decided mitigations, and the employees who are assigned to manage the risk. For optimal risk organization in your organization, share your risk register with your cybersecurity team and all appropriate employees to keep everyone aware of risks and to enable collaboration on addressing them. Feel free to use the risk register template provided below.



Prioritize Risks: You should now be in the early stages of prioritizing risks to address. The combination of risk likelihood and impact results in a “risk level”. If you are using a risk matrix, this is the point where likelihood and impact intersect. By doing a simple ranking of risks from highest risk level to lowest, you can create a to-do list of which risks to address in which order.
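As an added illustration of the risk matrix, the risk register and the prioritization step above (example code, not part of the original guide or its template), the following scores constructed sample risks with the guide's Risk = Probability * Impact formula on the 1–5 scales, builds the 5×5 matrix, and sorts the register into a to-do list. The severity bands and the sample entries are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the risk register: asset, threat/vulnerability pair, scores, owner."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 Highly Unlikely .. 5 Highly Likely
    impact: int      # 1 Negligible .. 5 Severe
    owner: str
    mitigation: str = "TBD"

    def level(self) -> int:
        # Risk = Probability * Impact, using the 1-5 ranks from the matrix axes.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be ranked 1-5")
        return self.likelihood * self.impact


def band(level: int) -> str:
    # Severity thresholds are an assumption for this example; tune to your matrix.
    if level >= 15:
        return "Critical"
    if level >= 8:
        return "High"
    if level >= 4:
        return "Medium"
    return "Low"


def risk_matrix() -> list[list[int]]:
    # Rows are likelihood 5..1 (top to bottom), columns impact 1..5; each cell is the level.
    return [[lik * imp for imp in range(1, 6)] for lik in range(5, 0, -1)]


def prioritize(register: list[Risk]) -> list[Risk]:
    # Highest level first; ties broken by impact so a rare-but-severe risk outranks
    # a frequent-but-minor one with the same product.
    return sorted(register, key=lambda r: (r.level(), r.impact), reverse=True)


# Constructed sample register (hypothetical entries, not from the guide).
REGISTER = [
    Risk("Public web server", "Opportunistic scanning", "Unnecessary open ports", 4, 3, "J. Doe", "Close all but required ports"),
    Risk("Finance workstations", "Ransomware campaign", "Windows 7, internet-connected", 4, 5, "IT lead", "Upgrade OS and segment"),
    Risk("Data center", "Regional flooding", "Single site, no offsite backup", 1, 5, "Ops", "Add offsite backups"),
    Risk("Guest Wi-Fi", "Curious visitor", "Flat network shared with IoT", 3, 2, "Net admin", "Isolate IoT in a hardened VLAN"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.level():2d} {band(r.level()):8s} {r.asset}: {r.mitigation} (owner: {r.owner})")
```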


Implement Security Controls: It may take several iterations of the previous steps before you have a comprehensive list of risks to address. This is perfectly acceptable, and it is important to remember that your goal is to uncover as many cybersecurity risks to your organization as possible, regardless of how long or messy the process is. Once you have a solid list of risks, you can begin implementing security controls to address them. These security controls can be any of the ones highlighted in the future stages of this framework, as well as any outside this framework’s documentation. The important thing is that they effectively address the risks. If this is your first time implementing any cybersecurity controls in your organization, it is acceptable at this point to shift gears to the next stages of this framework, as this is where you will find guides on implementing controls. Just make sure that when you finish implementing controls, you return to this documentation to finalize your risk assessment.

The controls and methods you implement to address risks will usually fall under one of the following strategies:

Risk Avoidance: Take all measures possible to prevent the risk. For example, isolating IoT devices in a hardened VLAN to prevent potential intruders from pivoting off of them to critical systems.

Risk Acceptance: If a risk is low probability and low impact, you may decide that it is easier to accept the chance of it happening rather than waste effort trying to address it.

Risk Reduction: Even if the risk cannot be fully eliminated, you can implement controls to reduce the likelihood of it occurring. Many cybersecurity risks fall under this umbrella. You usually can never 100% eliminate them, but you can significantly reduce the attack surface. For example, you can close all ports on a public web server except the necessary ones to reduce the chances of attackers exploiting it.

Risk Transfer: Sometimes you may decide it is difficult for your organization to try and address every risk, and that it is in your best interest to give the responsibility to somebody else. This may entail purchasing cyber insurance or hiring a Managed Security Service Provider (MSSP).


Monitor & Document Results: Once you have implemented the necessary security controls, you must monitor them to determine their effectiveness. No matter how thorough you think your risk assessment and subsequent control implementation are, there is always the possibility that they will be ineffective and exploits will still slip through. This is why risk assessment is a continuous process; there will always be controls that can be tailored or replaced for better security. And even if you have successfully addressed all of the risks in your first assessment, there are bound to be new ones that emerged as a result of the changes made to your environment in the previous step.


By now you should have a rough understanding of the stages that make up a risk assessment. Once again, it is essential to understand that this is not a one-and-done task like many other pieces of this framework are. Risk assessments need to be conducted frequently to ensure your organization’s cybersecurity stays continually hardened.


Example Risk Assessment