Six Steps to a Cybersecurity Risk Assessment

August 03, 2020 by Becky Metivier


Organizations face risk every day. It’s a part of getting business done, especially in our digital world. Managing risk is critical, and that process starts with a risk assessment. If you don’t assess your risks, you cannot manage them properly, and your business is left exposed to threats. A successful risk assessment process should align with your business goals and help you reduce risk cost-effectively.

Risk assessments can be performed on any application, function, or process within your organization. But no organization can realistically perform a risk assessment on everything. That’s why the first step is to develop an operational framework that fits the size, scope, and complexity of your organization. This involves identifying internal and external systems that are critical to your operations and/or that process, store, or transmit legally protected or sensitive data (such as financial, healthcare, or credit card data). Then you can create a risk assessment schedule based on criticality and information sensitivity. The result is a practical (and cost-effective) plan to protect assets while still maintaining a balance of productivity and operational effectiveness.

Once you determine your framework, you’re ready to embark on your individual risk assessments. When going through the process it’s important to keep in mind there are different categories of risk that may affect your organization. Here’s what these are:

  • Strategic risk is related to adverse business decisions, or the failure to implement appropriate business decisions in a manner consistent with the institution’s strategic goals.
  • Reputational risk is related to negative public opinion.
  • Operational risk is related to loss resulting from inadequate or failed internal processes, people, and systems or from external events.
  • Transactional risk is related to problems with service or product delivery.
  • Compliance risk is related to violations of laws, rules, or regulations or from noncompliance with internal policies or procedures or business standards.

Now let’s look at the basic steps of a risk assessment.

1. Characterize the System (Process, Function, or Application)

Characterizing the system will help you determine the viable threats. This should include (among other factors):

  1. What is it?
  2. What kind of data does it use?
  3. Who is the vendor?
  4. What are the internal and external interfaces that may be present?
  5. Who uses the system?
  6. What is the data flow?
  7. Where does the information go?

2. Identify Threats

There are some basic threats that are going to be in every risk assessment; however, depending on the system, additional threats could be included. Common threat types include:

  1. Unauthorized access (malicious or accidental) – This could be from a direct hacking attack/compromise, malware infection, or internal threat.
  2. Misuse of information (or privilege) by an authorized user – This could be the result of an unapproved use of data or changes made without approval.
  3. Data leakage or unintentional exposure of information – This includes permitting the use of unencrypted USB and/or CD-ROM without restriction; deficient paper retention and destruction practices; transmitting non-public personal information (NPPI) over unsecured channels; or accidentally sending sensitive information to the wrong recipient.
  4. Loss of data – This can be the result of poor replication and back-up processes.
  5. Disruption of service or productivity

3. Determine Inherent Risk & Impact

This step is done without considering your control environment. Factoring in how you characterized the system, you determine the impact to your organization if the threat were exercised against it. Examples of impact ratings are:

  • High – Impact could be substantial.
  • Medium – Impact would be damaging, but recoverable, and/or is inconvenient.
  • Low – Impact would be minimal or non-existent.

4. Analyze the Control Environment

You typically need to look at several categories of information to adequately assess your control environment. Ultimately, you want to identify threat prevention, mitigation, detection, or compensating controls and their relationship to identified threats. A few examples include:

  • Organizational risk management controls
  • User provisioning controls
  • Administration controls
  • User authentication controls
  • Infrastructure data protection controls
  • Data center physical & environmental security controls
  • Continuity of operations controls

Control assessment categories may be defined as:

  • Satisfactory – Meets control objective criteria, policy, or regulatory requirement.
  • Satisfactory with recommendations – Meets control objective criteria, policy, or regulatory requirement with observations for additional enhancements to existing policies, procedures, or documentation.
  • Needs improvement – Partially meets control objective criteria, policy, or regulatory requirement.
  • Inadequate – Does not meet control objective criteria, policy, or regulatory requirement.

5. Determine a Likelihood Rating

Now you need to determine the likelihood that each identified threat is actually exercised, taking into account the control environment your organization has in place. Examples of likelihood ratings are:

  • High – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
  • Medium – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
  • Low – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

6. Calculate Your Risk Rating

Even though there is a ton of information and work that goes into determining your risk rating, it all comes down to a simple equation:

Impact (if exploited) * Likelihood (of exploit in the assessed control environment) = Risk Rating

Some examples of risk ratings are:

  • Severe – A significant and urgent threat to the organization exists and risk reduction remediation should be immediate.
  • Elevated – A viable threat to the organization exists, and risk reduction remediation should be completed in a reasonable period of time.
  • Low – Threats are normal and generally acceptable but may still have some impact to the organization. Implementing additional security enhancements may provide further defense against potential or currently unforeseen threats.

Using the impact and likelihood values from NIST Special Publication 800-30 (impact High = 100, Medium = 50, Low = 10; likelihood High = 1.0, Medium = 0.5, Low = 0.1), here’s what a completed residual risk rating assessment could look like. It is residual risk because the likelihood column already reflects the controls assessed in Step 4.

Identified Threat                                             Impact       Likelihood    Calculation     Risk Rating
Unauthorized Access (Malicious or Accidental)                 High [100]   High [1.0]    100*1.0=100     Severe
Misuse of Information by Authorized Users                     High [100]   Medium [.5]   100*.5=50       Elevated
Data Leakage/Unintentional Exposure of Customer Information   High [100]   Medium [.5]   100*.5=50       Elevated
Failed Processes                                              High [100]   Low [.1]      100*.1=10       Low (Normal)
Loss of Data                                                  High [100]   Low [.1]      100*.1=10       Low (Normal)
Disruption of Service or Productivity                         High [100]   Low [.1]      100*.1=10       Low (Normal)
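The calculation above is simple enough to script, which is worth doing once your register holds more than a handful of threats: scoring, banding, and ordering by remediation priority then stay consistent across assessments. The following is an added example written for this page, not code from the original article. The impact and likelihood values (100/50/10 and 1.0/0.5/0.1) and the rating bands (Low 1 to 10, Medium above 10 to 50, High above 50 to 100) follow the NIST SP 800-30 risk-level matrix, relabelled with the article’s Severe/Elevated/Low (Normal) names; the threat register is constructed sample data mirroring the table above, and the `with_control` helper is an assumed convenience for re-scoring a threat after a control change.

```python
"""Risk-rating calculator for Steps 3, 5 and 6 of the assessment.

Added example, not from the original article. Values and bands follow
the NIST SP 800-30 risk-level matrix; the register below is constructed
sample data that mirrors the article's example table.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Step 3: inherent impact, rated without regard to controls.
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
# Step 5: likelihood, rated with the assessed control environment in place.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}


def rate(score: float) -> str:
    """Map a numeric score to the article's rating names.

    Bands are the NIST SP 800-30 matrix: >50 High, >10..50 Medium,
    1..10 Low, which the article calls Severe, Elevated and Low (Normal).
    """
    if score > 50:
        return "Severe"
    if score > 10:
        return "Elevated"
    return "Low (Normal)"


@dataclass(frozen=True)
class Threat:
    name: str
    impact: str      # "High" | "Medium" | "Low"
    likelihood: str  # "High" | "Medium" | "Low"

    def score(self) -> float:
        """Step 6: Impact * Likelihood, rejecting ratings outside the scale."""
        try:
            product = IMPACT[self.impact] * LIKELIHOOD[self.likelihood]
        except KeyError as exc:
            raise ValueError(f"unknown rating {exc} for {self.name!r}") from None
        return round(product, 2)  # keep 100*0.1 at exactly 10.0

    def rating(self) -> str:
        return rate(self.score())


def with_control(threat: Threat, new_likelihood: str) -> Threat:
    """Assumed helper: re-score a threat after a control changes its likelihood.

    Impact stays fixed because it is inherent (Step 3); only Step 5 moves.
    """
    return replace(threat, likelihood=new_likelihood)


def assess(register: List[Threat]) -> List[Tuple[str, float, str]]:
    """Return (threat, score, rating) rows ordered worst-first for remediation."""
    rows = [(t.name, t.score(), t.rating()) for t in register]
    # sorted() is stable, so threats with equal scores keep register order.
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register, mirroring the article's example table.
SAMPLE_REGISTER = [
    Threat("Unauthorized Access (Malicious or Accidental)", "High", "High"),
    Threat("Misuse of Information by Authorized Users", "High", "Medium"),
    Threat("Data Leakage/Unintentional Exposure of Customer Information", "High", "Medium"),
    Threat("Failed Processes", "High", "Low"),
    Threat("Loss of Data", "High", "Low"),
    Threat("Disruption of Service or Productivity", "High", "Low"),
]


def format_table(register: List[Threat]) -> str:
    """Render the assessed register as a plain-text table."""
    lines = [f"{'Identified Threat':<62}{'Score':>6}  Risk Rating"]
    for name, score, rating in assess(register):
        lines.append(f"{name:<62}{score:>6.0f}  {rating}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(SAMPLE_REGISTER))
    # Re-score the top threat after, say, MFA moves its likelihood to Low.
    mitigated = with_control(SAMPLE_REGISTER[0], "Low")
    print(f"\nAfter control: {mitigated.name} -> {mitigated.score()} ({mitigated.rating()})")
```

Note that `score()` refuses ratings outside the three-point scale rather than silently scoring them as zero; a typo such as "Hgh" in a spreadsheet-fed register would otherwise drop a Severe threat off the remediation list.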


Regular risk assessments are a fundamental part of any risk management process because they help you arrive at an acceptable level of risk while drawing attention to any required control measures. The risk assessment process is continual and should be reviewed regularly to ensure your findings are still relevant.
