A great cybersecurity program starts with a risk assessment process. A proper cybersecurity risk assessment clarifies the cyber risks to the business so that cyber initiatives and a road map can be put together to address those risks.

Challenges:

When the risk assessment gets skipped or short-circuited, the program becomes reactive and spends time and money on efforts that do not provide the greatest reduction of risk for the investment. I like to call this Return on Risk Investment (RoRI).

Many cybersecurity roles have not been trained on how to conduct a proper cybersecurity risk assessment. In addition, many of the academic methods are long and tedious, and require too much time and investment from too many roles. The sad truth is that most never get completed. Most of these cybersecurity risk assessments are designed for enterprise-sized companies and lack applicability for a small or mid-sized business.

Goal:

This article will attempt to break down the process and provide guidance on the system I use to accurately and confidently identify the top risks and cybersecurity initiatives to reduce cyber risks.

Process:

In cybersecurity we use a lot of terms. One term at the core of cybersecurity is ‘risk’. We often have to decide how we qualify risk. Are we going to use a quantitative methodology, or a qualitative methodology? More important, I believe, is how you decide to define risk. Currently there is no certified, authoritative risk formula. You are free to develop your own way of defining risk.

Here is my equation to calculate cybersecurity risk:

Data (asset value) x Threat x Vulnerability = Risk


This definition has worked very well for me and my clients. It attempts to keep it simple and provide clarity over each step of this risk equation. It is understandable, approachable, and repeatable.

Let’s break down each of the three components that we need to qualify to define risk.

  • Data (asset value): This can be measured by the sensitivity of the data and the volume of the data. This is about qualifying which data are a business's crown jewels. For example, if a company only has data they consider ‘public’, then your risk equation will almost always equal zero, or no risk. That is because no matter how many threats are trying to steal your data, and no matter how many vulnerabilities you have open and available for exploitation, the worst case is that the attacker gets a bunch of public data. Risk accepted.

Qualifying data and asset values is most commonly done by performing a data classification exercise in which business stakeholders are interviewed with the goal of learning and defining what data is public versus sensitive or restricted. These can be any data classification labels you choose. The result is a Data Classification Policy that lists all the data types or elements that need to be considered restricted. Once complete, this can act as a source to qualify how much of that data exists, and where.

  • Vulnerabilities: This data is pretty easily collected when a vulnerability scanning tool is in place, or can be put in place temporarily. There are two main types of scanning, credentialed and non-credentialed. I’m sure that makes sense, but the more important thing to note is that a credentialed scan will provide much greater visibility into the true vulnerability status. The other important principle is to scan everything listed in your IP inventory, not just your Microsoft Windows machines. We need to scan anything a threat can have access to.

Qualifying vulnerabilities is pretty quick and easy. All you need is a scanner like Qualys, Tenable, or Rapid7. The challenge is more often avoiding feeling overwhelmed by the results and trying to fix everything right away. The first goal should be to prepare a simple report (I recommend an Excel pivot chart) that shows how many critical, high, and medium vulnerabilities were identified across the environment. (You can skip the low and informational findings for now.)

  • Threats: Now you have two of the three values to calculate in your risk equation. The last one is identifying threats. There have been several methodologies for reviewing threats and, in my opinion, they have all been overly complicated to the point of preventing a threat exercise from ever completing. Here is the process I recommend:

Scope:

My first recommendation is scoping the threats. I recommend scoping the cybersecurity threats to focus on confidentiality. I understand that availability is important, but when we include it in a risk exercise we open the scope of qualified threats to volcanoes, tornados, and airplane crashes – it becomes ridiculous. Instead, recommend that the business leaders prepare a business continuity plan that addresses the availability risks. For this exercise, focus only on threats via a digital vector.

List:

Use a list of the top ten to twenty-five threats. You need to start somewhere, and an approach like this is a quick catalyst to get a first draft completed successfully. A completed threat exercise based on the top ten threats is better than a threat exercise that never gets completed. I have a list I created and maintain by continually updating it based on threat intelligence.

Impact & Likelihood:

Plot the threats on a page that helps visually indicate the impact and likelihood. Lay it out in four quadrants with impact on the vertical axis and likelihood on the horizontal axis. This will help reveal the threats that are most concerning.


Bringing it all together:

The final step in a cybersecurity risk assessment is part science and part art. The goal is to overlay the threats with the vulnerability data and qualify whether there is a vulnerability in the systems that an applicable, qualified threat can take advantage of.

With the list of applicable threats and vulnerabilities that qualify for review, overlay them with the systems that contain restricted data (crown jewels) and qualify whether a threat actor exploiting a vulnerability would lead to gaining access to restricted data.

One thing to consider is that people can be a vulnerability. For example, when looking at one of the top cybersecurity threats, Business Email Compromise (BEC), you might review vulnerability data for your email platform and find you don’t have any vulnerabilities. Before feeling too confident and removing this from your risk equation, consider that this is often a social type of attack and the vulnerability is the person receiving the fraudulent emails.
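The following Python script is an added illustration of the Data x Threat x Vulnerability equation and of the overlay step described above; it is not the author's tool or spreadsheet. Every asset name, scanner finding, threat score, and numeric weight in it is constructed for the example: the article names the classification labels and the severity buckets but assigns no numbers to them, so the weights here are assumptions. The script summarizes a scanner export into the critical/high/medium pivot, places each threat on the impact/likelihood quadrant chart, and then ranks assets by risk, treating the person receiving fraudulent email as the vulnerability in the BEC case so that a clean scan does not zero out that risk.

```python
from collections import Counter
from dataclasses import dataclass

# Data (asset value): labels come from the data-classification exercise.
# The numeric weights are an assumption made for this example.
DATA_VALUE = {"public": 0, "sensitive": 2, "restricted": 3}

# Vulnerability weights: critical/high/medium only; low and informational
# findings are skipped, as the article recommends for the first report.
SEVERITY_WEIGHT = {"critical": 3, "high": 2, "medium": 1}

# Constructed scanner export: (host, severity, finding title).
SCAN_FINDINGS = [
    ("erp-db01", "critical", "Unauthenticated RCE in database service"),
    ("erp-db01", "high", "Missing OS security patches"),
    ("web-kiosk", "high", "Outdated browser"),
    ("web-kiosk", "low", "ICMP timestamp disclosure"),
    ("fileshare", "medium", "SMB signing not required"),
    ("mail-gw01", "low", "Server banner disclosure"),
]


@dataclass(frozen=True)
class Threat:
    name: str
    impact: int      # 1 (low) .. 5 (high): vertical axis of the quadrant chart
    likelihood: int  # 1 (low) .. 5 (high): horizontal axis


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str         # label from the Data Classification Policy
    threats: tuple              # names of threats that apply to this asset
    human_vector: bool = False  # people are the vulnerability (the BEC case)


# Constructed top-threat list; impact and likelihood scores are assumed.
THREATS = [
    Threat("Business Email Compromise", impact=4, likelihood=5),
    Threat("Ransomware", impact=5, likelihood=4),
    Threat("Credential theft", impact=3, likelihood=4),
    Threat("Insider data theft", impact=4, likelihood=2),
]

# Constructed asset inventory with classification from the crown-jewel exercise.
ASSETS = [
    Asset("erp-db01", "restricted", ("Ransomware", "Credential theft")),
    Asset("mail-gw01", "restricted", ("Business Email Compromise",), human_vector=True),
    Asset("fileshare", "sensitive", ("Ransomware", "Insider data theft")),
    Asset("web-kiosk", "public", ("Ransomware",)),
]


def severity_summary(findings):
    """The pivot-chart step: counts of critical/high/medium per host; low skipped."""
    summary = {}
    for host, severity, _title in findings:
        if severity in SEVERITY_WEIGHT:
            summary.setdefault(host, Counter())[severity] += 1
    return summary


def vulnerability_score(host, findings):
    """Weighted sum of counted findings for one host (0 if the host scans clean)."""
    return sum(SEVERITY_WEIGHT[s] for h, s, _ in findings
               if h == host and s in SEVERITY_WEIGHT)


def quadrant(threat):
    """Place a threat on the impact (vertical) x likelihood (horizontal) chart."""
    impact = "high" if threat.impact >= 3 else "low"
    likelihood = "high" if threat.likelihood >= 3 else "low"
    return f"{impact}-impact/{likelihood}-likelihood"


def threat_score(asset, threats):
    """Strongest threat applicable to the asset, scored as impact x likelihood."""
    return max((t.impact * t.likelihood for t in threats if t.name in asset.threats),
               default=0)


def asset_risk(asset, threats, findings):
    """Data (asset value) x Threat x Vulnerability for one asset."""
    data = DATA_VALUE[asset.classification]
    vuln = vulnerability_score(asset.name, findings)
    if asset.human_vector:
        # A clean scan does not remove a social-engineering threat: the person
        # receiving the fraudulent email is the vulnerability, so floor it at 1.
        vuln = max(vuln, 1)
    return data * threat_score(asset, threats) * vuln


def risk_register(assets=ASSETS, threats=THREATS, findings=SCAN_FINDINGS):
    """Assets ranked by risk, highest first; public-data assets always score zero."""
    return sorted(((asset_risk(a, threats, findings), a.name) for a in assets),
                  reverse=True)


if __name__ == "__main__":
    for host, counts in severity_summary(SCAN_FINDINGS).items():
        print(f"{host}: {dict(counts)}")
    for t in THREATS:
        print(f"{t.name}: {quadrant(t)}")
    for score, name in risk_register():
        print(f"{name}: risk {score}")
```

Run as a script, the register ranks erp-db01 first (restricted data, a critical and a high finding, ransomware applicable), the mail gateway second even though its scan shows nothing above low, the sensitive fileshare third, and the public kiosk last at zero regardless of its findings, which is the article's "risk accepted" case.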


Review:

Review your findings with leadership. There are two goals in doing this. The first is to show leadership you have a best-practice process for qualifying risk. It is repeatable, and you performed the process to do it right. Most leaders will have no idea how to complete a cybersecurity risk assessment, so when talking to you their goal will not be to correct your data and findings, but instead to understand how you conducted it and whether that process makes sense. Your goal is to show them that you have a process, and that it makes sense.

The second goal of the leadership review is to share the risk. The primary goal of the cybersecurity role is to identify risks and provide visibility of those risks to the business leadership. Only when leadership has reviewed the risks and approved risk treatment measures can the cybersecurity role proceed with helping reduce the cyber risk to the business.


Summary:

A cybersecurity risk assessment is the foundation of a good cybersecurity program. All investment in personnel, tools, and processes should come from the objectives identified in a risk assessment.

Symptoms that this is not happening are when the cyber role is responding to leadership's concerns about what they are reading in the news, or what’s happened to the company their colleague works at. This is reactive.

Proactive cybersecurity starts by identifying and prioritizing the risks, reviewing them with leadership, and getting approval (including budget) to reduce these risks through risk treatment steps, including remediation, mitigation, transfer, or acceptance.


Offer:

If you have any questions about how to improve your risk assessment process, or tips or tricks I can use to improve my process, please follow up. I’m happy to help you improve your process (free of charge).

If you’d like a professional cybersecurity risk assessment conducted for you, I offer a Rapid Risk Assessment. Our Rapid Risk Plan identifies your crown jewels, assesses your vulnerabilities, and reviews the threats against your organization to clarify your cybersecurity risks. We then build an annual road map and prioritized objective list to help give you traction on the people, processes, and technology you need to achieve your cybersecurity goals. Contact me and mention this article.

Schedule a call with me by clicking ‘Schedule a Call’ in the upper right. Or you can email me at tony@ashersecurity.com, or feel free to call me directly at 952-228-6173 (expect to leave a voicemail – I get a lot of spam calls).
