The SEC’s cybersecurity disclosure rules, which require public companies to report on their risk management programs, have left companies questioning how risk assessments fit into those programs.
Many organizations perform cyber assessments by:
- Leveraging a proven controls framework
- Analyzing implemented controls against the framework
- Identifying gaps
- Documenting gap-related risks in a risk register
Unfortunately, this process omits several key cybersecurity risk factors and is more correctly termed a cybersecurity controls assessment.
In contrast, a cybersecurity risk assessment considers an organization’s:
- Inherent cybersecurity risk profile
- Risk tolerance levels or risk appetite
- Common cybersecurity risks
- Controls in place to mitigate cybersecurity risk
- Residual cybersecurity risk after treatment
This assessment approach helps organizations with smaller IT teams, or no IT or security team, manage their security program to prioritize cybersecurity risks.
Below is an in-depth look at key elements of the cybersecurity risk assessment methodology that can help your team create a customized security program that meets the organization’s inherent cybersecurity risk profile and better protects digital assets.
Cybersecurity Risk Profile
A cybersecurity risk profile provides an understanding of the organization’s operational environment and its attractiveness to threat actors. Questions to ask that help determine risk profile include:
- What kind of data and resources are used? How much does the organization manage? Is financial data involved? If so, how much? Is health care data involved? If so, how much?
- Is data being held for customers? Is it confidential? Are there contractual or regulatory obligations to provide certain protections?
- What’s the organization’s public profile? Is it a well-known name? Is the organization easily found online?
- Has the organization been a victim of attacks in the past? Are attacks recurring? Has a ransom been paid?
These types of considerations impact the organization’s risk level and can affect the likelihood or impact of a cybersecurity incident.
Scoring Common Security Risks
Once a risk profile is created, it can be used to augment a list of common security risks in several ways:
- The risk profile can add an impact or likelihood modifier to establish an accurate risk ranking.
- Risk tolerance levels can inform which risks are prioritized, and which are backlogged.
The result is a tailored list of risks and their inherent risk score that represents the threat each risk poses to the organization without any remediation efforts.
Determining Risk Tolerance
Not all digital risks will apply to any one organization. Understanding an organization’s purpose, mission, and processes can help determine its risk tolerance levels.
According to the cybersecurity CIA triad, any well-formed security program has three goals:
- Confidentiality
- Integrity
- Availability
All controls can be aligned to one or more of these key goals to help an organization meet its cybersecurity needs. Failures in a control might lead to:
- Loss of confidentiality, resulting in disclosure
- Loss of integrity, resulting in alteration
- Loss of availability, resulting in destruction
Aligning the CIA triad with organizational processes can help an organization determine the impact a risk might have along with the organization’s tolerance for the risk.
For example, an organization offering search engine results may not prioritize data confidentiality but does prioritize resource integrity and availability. Meanwhile, an organization with non-critical systems may assign a high tolerance to risks involving availability, while its internal data may consist of PII that must remain confidential.
Assessing Cyber Controls
A risk assessment can resemble a controls assessment; the key difference is that the common control framework is scoped to the controls that mitigate risks exceeding the organization’s risk tolerance levels.
Additionally, the control assessment can be targeted toward the organization’s key resources. A typical control mitigates risk by reducing either its likelihood or its impact. However, no control or collection of controls can reduce a risk score to zero. There will always be residual risk that needs to be identified, evaluated against tolerance, and either accepted or further mitigated.
Identifying Residual Risk
Following the control assessment, a clear picture of existing gaps for specific risks will emerge. Implementing controls can help reduce the likelihood or impact of a given risk, thus reducing the organization’s overall risk for that threat.
If the residual risk exceeds the organization’s risk tolerance, additional controls can be considered to lower the risk to acceptable tolerance levels. Controls can include further policy, processes, protections, detections, or recovery methods. Treatment can also include transference to insurance or an external service provider, or—in the extreme—abandonment of risky processes, functions, and resources.
Prioritizing Risk Mitigation
Mitigation efforts need to be prioritized for risks exceeding acceptable risk tolerance levels. Prioritization can be accomplished by adding scaled criticality levels to residual risk scores. Timelines should be set based on criticality levels. Mitigation efforts should be reported to management and executives, including the board of directors as appropriate.
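To make the scoring steps above concrete (profile modifiers on inherent risk, controls reducing likelihood or impact, residual risk compared against per-goal tolerance, and criticality-driven timelines), the following Python model is an added illustration and is not code from Moss Adams or from any regulator. The 1–5 scales, the profile modifiers, the control reductions, the criticality thresholds and deadlines, and the sample organization and its risks are all constructed assumptions; an actual program would calibrate each of these to its own environment.

```python
"""Constructed risk-register model: inherent score -> controls -> residual -> prioritization."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1-5 scales for likelihood and impact


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points a control removes from likelihood
    impact_reduction: int = 0       # points a control removes from impact


@dataclass
class Risk:
    name: str
    goal: str                       # CIA goal the risk threatens
    likelihood: int                 # base likelihood, 1-5
    impact: int                     # base impact, 1-5
    controls: List[Control] = field(default_factory=list)


def clamp(value: int) -> int:
    """Keep a factor on the scale; the floor of 1 is why residual risk never reaches zero."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


def inherent_score(risk: Risk, profile: Dict[str, int]) -> int:
    """Score before any treatment, adjusted by the organization's risk-profile modifiers."""
    likelihood = clamp(risk.likelihood + profile.get("likelihood_modifier", 0))
    impact = clamp(risk.impact + profile.get("impact_modifier", 0))
    return likelihood * impact


def residual_score(risk: Risk, profile: Dict[str, int]) -> int:
    """Score after controls reduce likelihood and/or impact (each factor floored at 1)."""
    likelihood = clamp(risk.likelihood + profile.get("likelihood_modifier", 0)
                       - sum(c.likelihood_reduction for c in risk.controls))
    impact = clamp(risk.impact + profile.get("impact_modifier", 0)
                   - sum(c.impact_reduction for c in risk.controls))
    return likelihood * impact


def criticality(residual: int, tolerance: int) -> Tuple[str, Optional[int]]:
    """Map the excess of residual risk over tolerance to a level and a remediation deadline (days)."""
    excess = residual - tolerance
    if excess <= 0:
        return "within tolerance", None
    if excess >= 10:
        return "critical", 30
    if excess >= 4:
        return "high", 90
    return "moderate", 180


def prioritize(risks: List[Risk], profile: Dict[str, int],
               tolerances: Dict[str, int]) -> List[dict]:
    """Build the register rows and order them by how far each exceeds its tolerance."""
    rows = []
    for risk in risks:
        residual = residual_score(risk, profile)
        tolerance = tolerances[risk.goal]
        level, days = criticality(residual, tolerance)
        rows.append({"risk": risk.name, "goal": risk.goal,
                     "inherent": inherent_score(risk, profile),
                     "residual": residual, "tolerance": tolerance,
                     "criticality": level, "deadline_days": days})
    rows.sort(key=lambda r: r["residual"] - r["tolerance"], reverse=True)
    return rows


# Constructed sample organization: well-known name with prior incidents (+1 likelihood),
# holds regulated health data (+1 impact).
PROFILE = {"likelihood_modifier": 1, "impact_modifier": 1}

# Constructed tolerance per CIA goal: a lower number means less tolerance for that goal.
TOLERANCES = {"confidentiality": 6, "integrity": 6, "availability": 8}

# Constructed register entries; control reductions are illustrative values only.
RISKS = [
    Risk("Ransomware encrypts file servers", "availability", 3, 4,
         [Control("Offline backups", impact_reduction=2),
          Control("Email attachment filtering", likelihood_reduction=1)]),
    Risk("Patient records exposed by misconfigured storage", "confidentiality", 3, 5),
    Risk("Unauthorized change to billing data", "integrity", 2, 4,
         [Control("Change approval workflow", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for row in prioritize(RISKS, PROFILE, TOLERANCES):
        print(row)
```

Running the script prints the register ordered for reporting: the uncontrolled confidentiality gap lands first as critical with a 30-day deadline, the integrity risk is high, and the ransomware risk, although its inherent score is the same as the confidentiality gap, drops to moderate once its controls are applied while still never scoring zero.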
We’re Here to Help
To learn how cybersecurity risk assessments can benefit your business or for help customizing yours, contact your Moss Adams professional.