It is easy to find news reports of incidents where an organization’s security has been compromised: for example, a laptop was lost or stolen, or a private server was accessed. These incidents are noteworthy because confidential data might have been exposed. Modern society depends on the trusted storage, transmission, and consumption of information. Information is a valuable asset that is expected to be protected.
Information security is often considered to consist of confidentiality, integrity, availability, and accountability (Blakley, McDermott, and Geer, 2002). Confidentiality is the protection of information against theft and eavesdropping. Integrity is the protection of information against unauthorized modification and masquerade. Availability refers to dependable access of users to authorized information, particularly in light of attacks such as denial of service against information systems.
Accountability is the assignment of responsibilities and traceability of actions to all involved parties. Naturally, any organization has limited resources to dedicate to information security. An organization’s limited resources must be balanced against the value of its information assets and the possible threats against them. It is often said that information security is essentially a problem of risk management (Schneider, 2000). It is unreasonable to believe that all valuable information can be kept perfectly safe against all attacks (Decker, 2001). An attacker with unlimited determination and resources can accomplish anything. Given any defences, there will always exist a possibility of successful compromise. Instead of eliminating all risks, a more practical approach is to strategically craft security defences to mitigate or minimize risks to acceptable levels. In order to accomplish this goal, it is necessary to perform a methodical risk analysis. This chapter gives an overview of the risk management process.
Risk analysis is the process of reviewing the risks that come with a particular asset or event. It is a crucial security process for any type of organization. Risk analysis includes identifying the assets most vulnerable to cyberattack, which may include equipment, customer data, intellectual property, and so on. Risk estimation and evaluation follow, after which measures are taken to control the risk. The process should be monitored continuously so that suspicious activity is detected in time.
Cyber risk analysis is for every company; size and industry do not matter. Any company operating with technology and consumers needs to perform it. Public sector undertakings (PSUs) in particular benefit from the greater vigilance and methods of protection it brings.
The cyber risk assessment should be carried out by in-house teams of trained professionals. IT staff and executives should be on this team, since they understand the digital and network infrastructure and hold proprietary organizational knowledge. The main element here is to maintain organizational transparency. For smaller companies, relying on cybersecurity software and services may be the most economical option.
- Step-1: Create a Risk management team
A cross-departmental team is crucial to identifying cyber threats and mitigating the risks to your IT systems and data. The risk management team can also communicate the risk to employees and conduct incident response more effectively.
At minimum, your team should include:
- Senior management, to provide oversight
- The chief information security officer, to review network architecture
- A privacy officer, to locate personally identifiable information and track obligations such as those under the EU General Data Protection Regulation (GDPR)
- Someone from the marketing team, to discuss the information collected and stored
- Someone from the product management team, to assure product security throughout the development cycle
- Human resources, to give insight into employee personally identifiable information
- A manager from each major business line, to cover all data across the enterprise
The risk-based approach starts with understanding and aligning business objectives to information security goals. Therefore, you need cross-functional input.
- Step-2: Identify and Map your systems and assets
Document every device and IT asset on the network, including computers, tablets, routers, printers, servers, and phones. In addition, you must identify how they are used and interconnect with one another. The assets that your third-party vendors use should be included in your list. Third-party vendors remain a significant data breach risk.
Catalogue the software-as-a-service, platform-as-a-service, and infrastructure-as-a-service used by every department. Specify which departments and vendors have access to which services. Include types of data and categorize sensitive data separately. Note how information travels through the network and among stakeholders, and what components it touches along its journey.
- Step-3: Identify vulnerabilities and potential threats
Your risk management team will need to identify threats and vulnerabilities from all parts of your organization. Vulnerability scanners make it easier to locate vulnerable equipment. Still, it is up to your team’s expertise to find flawed security policies, physical vulnerabilities, and other cyber threats hidden within your network and systems.
Does your business use digitally connected “internet of things” (IoT) devices? How susceptible are employees to “phishing” emails that could allow malware onto your systems?
Potential threats include:
- Unauthorized access to your network
- Misuse of information or data leaks
- Ransomware attacks
- Human error or negligence
- Process failures
- Data loss
- Sensitive data breaches
- Disruption of services
Tools for risk identification:
- Mind maps
- Documentation review
- Checklist analysis
- SWOT Analysis
- Step-4: Analyse and prioritize risks
Risk analysis assigns priority to the risks you’ve listed. For each risk, assign a score based on:
- Probability: The likelihood of a cybercriminal’s obtaining access to the asset, or more generally of the threat materializing
- Impact: The financial, operational, and reputational impact that a security event might have on your organization
- Step-5: Set Security Controls
Next, you need to define and implement security controls. Security controls help you manage potential risks so that they are eliminated, or the chance of them happening is reduced to an acceptable level.
Controls are important for every potential risk. They require the entire organization to make an effort at both implementing them and assuring that those controls are continuously carried out.
Examples of controls include:
- Network segregation
- At-rest and in-transit encryption
- Anti-malware, anti-ransomware, and anti-phishing software
- Firewall configuration
- Password protocols
- Multi-factor authentication
- Workforce training
- Vendor risk management program
- Step-6: Monitor and review effectiveness
For many years, organizations relied on penetration testing and periodic audits to establish and assure their IT security.
But as malicious actors keep changing their methodologies to thwart security controls, your organization needs to adjust its security policies and maintain a risk management program that continuously monitors your IT environment for new threats.
Your risk analysis needs to be flexible, too. For example, as part of the risk mitigation process, you need to think about your response mechanisms so that you can maintain a robust cybersecurity profile.
Types of Cyber Security Risk Analysis:
· Qualitative Risk Analysis:
This method uses probability and impact ratings rather than numerical measurements. Probability is the chance of the risk occurring, and impact is the significance of the risk if it does. Each risk is identified individually and then ranked according to priority, which lets the team understand the probability of each risk and filter the risks accordingly to determine risk exposure.
Ø Qualitative analysis of risk serves 3 functions:
I. Prioritise risks according to probability & impact:
One of the primary goals for qualitative risk analysis is to prioritize risks based on their probability and impact. This allows project managers to focus on devising treatments for the most significant risks.
II. Identify the main areas of risk exposure:
Using this method also gives project managers a better idea of the main areas of risk exposure. You can achieve this by categorising risks by their source. This is important when it comes to prioritizing risk areas and treatment schedules.
III. Improve understanding of project risks:
Qualitative risk analysis can also improve a project manager’s understanding of risks. This helps in devising more effective risk treatments and contingency budgeting for future projects. Project managers discover much more than risk probability and consequences. They also discover trigger conditions, assumptions and affected project elements. All of this helps build up a better picture for future projects.
Ø Benefits of Qualitative Risk Analysis:
A qualitative analysis of your risk environment will help give you the clarity to prioritise tasks quickly and cost-effectively.
I. Simple assessment methods:
The project team doesn't require training, as it doesn't rely on any complicated tools or software. The qualitative risk analysis doesn’t depend on the risk occurrence frequency. So, the team performing the analysis can save time by not predicting the frequency and the exact timing of each risk. Project teams can determine areas of greater risk in a short time and without expending cost.
II. Easy prioritisation & clear presentation options:
Qualitative risk analysis classifies risks according to their likelihood and impact. This makes it easy to determine which risks an organization should focus on – the ones falling into the highest likelihood and impact categories.
Ø Limitations of Qualitative Risk Analysis:
I. Subjective Evaluation:
A qualitative risk analysis produces no metrics; it depends on the perception of the people carrying out the study. To minimise subjectivity, a qualitative risk analysis should involve several people. The accuracy and detail of the analysis depend on the team’s previous experience: if the risk team has not experienced a project type, it might miss some risks or assess them inadequately.
II. Limited scope:
The qualitative risk analysis assesses each risk on a project but doesn't provide an assessment of the overall project risk exposure. The analysis also won't calculate how much risk management activities and risk treatment will cost.
III. Lack of differentiation:
Once several risks fall into the same category, for example, high likelihood and medium impact, there is no further way to differentiate between the severity of risks and no way to determine which risk should be dealt with first.
Ø Type of Analysis:
I. Probability/Consequence Matrix:
To many, this is the standard method of establishing risk severity. Risk matrices vary in size, but they all do essentially the same thing: they provide a practical way to rank the overall severity of a risk by multiplying the likelihood of the risk occurring by its impact should it occur.
By ranking risk probability against risk consequence, you can see the main driver of risk severity, whether that’s a probability or a consequence. This information helps identify suitable treatments to manage the risk, based on its prominent drivers.
II. Bow-Tie Analysis:
A bow-tie analysis is one of the most practical techniques for identifying risk mitigations. Bow-tie analysis starts by looking at a risk event and then projects it in two directions. On the left, you list all the potential causes of an event. On the right, you list all the potential consequences of the event.
Using this simple method, you can identify and apply treatments to each of the causes and consequences separately. This helps you tackle both sides of a risk by mitigating the probability of it occurring one side, while limiting the impact should the risk still occur.
III. Delphi Technique:
In the Delphi Technique, experts in a field respond to several rounds of questionnaires. The responses are aggregated and shared with the group after each round.
When applied to risk management, this technique can be applied to both identify risk, and subsequently to assess the likelihood and impact. The experts are asked to form an opinion on how likely the risk is to occur, and the consequence of its occurrence. These responses are aggregated and reviewed by the experts until a consensus is achieved.
IV. Swift Analysis:
Standing for “Structured What-If Technique”, SWIFT applies a team-based approach to risk analysis in a workshop environment. Teams investigate how deviations from an approved plan may affect a project through a series of “what if” questions. This technique is particularly useful in evaluating the viability of opportunity risks.
V. Pareto Principle:
Better known as the “80/20 Rule”, the Pareto Principle helps identify the risks whose treatment will be most effective. It is known as 80/20 because its thesis holds that 80% of the results come from 20% of the effort.
Risk managers use Pareto analysis as a tool for rapidly identifying the most critical 20% of risks that will effectively mitigate 80% of the impact.
The challenge for risk managers is knowing how to score each risk effectively. Large projects may require multi-attribute weightings for different business priorities, such as data security, operations, or compliance policies.
But once you understand where and what to look at, you can home in on the most important 20%. This offers a crucial leg up in managing the threats and vulnerabilities that have the potential for the largest impact.
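The scoring of Step-4, the probability/consequence matrix and the Pareto cut described above are easiest to see on a worked register. The following Python is an added example, not code from the original article; the 5-point scales, the severity bands, the tie-break rule and the sample risk register are all constructed assumptions rather than data from the text.

```python
"""Qualitative risk scoring: probability/consequence matrix, ranking,
exposure by source and a Pareto cut over a risk register.

Added example, not code from the original article. The scales, bands,
tie-break rule and sample register are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed 5-point ordinal scales (1 = lowest). The product of two ordinal
# ratings orders risks; it is not an expected loss in currency.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def severity(score: int) -> str:
    """Assumed severity bands over the 1..25 cells of a 5x5 matrix."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    name: str
    source: str      # cause category, used to group exposure
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def band(self) -> str:
        return severity(self.score)


def rank(risks):
    """Highest product first. Risks in the same matrix cell are ordered by
    impact, then likelihood, then name, so the output is deterministic and
    irreversible harm is treated before merely frequent harm (assumed policy)."""
    return sorted(
        risks,
        key=lambda r: (-r.score, -IMPACT[r.impact], -LIKELIHOOD[r.likelihood], r.name),
    )


def exposure_by_source(risks):
    """Sum of scores per cause category, largest first: the 'main areas of
    risk exposure' view."""
    totals = {}
    for r in risks:
        totals[r.source] = totals.get(r.source, 0) + r.score
    return dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))


def pareto_cut(risks, share=0.8):
    """Smallest top-ranked subset whose combined score reaches `share` of
    the register's total score."""
    ranked = rank(risks)
    total = sum(r.score for r in ranked)
    chosen, running = [], 0
    for r in ranked:
        chosen.append(r)
        running += r.score
        if running >= share * total:
            break
    return chosen


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", "people", "likely", "major"),
    Risk("Unpatched internet-facing server", "technology", "possible", "severe"),
    Risk("Ransomware on file shares", "technology", "possible", "severe"),
    Risk("Vendor mishandles customer data", "third party", "unlikely", "major"),
    Risk("Laptop lost with unencrypted disk", "people", "possible", "moderate"),
    Risk("Printer firmware out of date", "technology", "unlikely", "minor"),
    Risk("Misconfigured firewall rule", "process", "possible", "minor"),
    Risk("Flood damages server room", "environment", "rare", "severe"),
]


if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score:>2} {r.band:8s} {r.name}")
    print("exposure by source:", exposure_by_source(SAMPLE_REGISTER))
    print("treat first:", [r.name for r in pareto_cut(SAMPLE_REGISTER)])
```

Ranking by the product alone leaves risks in the same cell indistinguishable, which is the “lack of differentiation” limitation noted earlier; rank() breaks ties by impact first, on the assumption that irreversible harm should be treated before merely frequent harm. Note also that on a compressed 1-25 ordinal scale the 80% cut rarely isolates just 20% of the risks, so the Pareto principle should be read as a selection rule, not an arithmetic guarantee.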
· Quantitative Risk Analysis:
This type of risk analysis produces numerical estimates of a risk’s effect on project objectives. It is mainly useful for estimating the contingency reserve and identifying time and cost exposure. It is not compulsory for smaller projects but is effective for identifying overall project risk.
Ø Benefits: Individual risks are evaluated in the qualitative risk analysis. But the quantitative analysis allows us to evaluate the overall project risk from the individual risks plus other sources of risks.
I. Better business decision:
Business decisions are rarely made with all the information or data we desire. For more critical decisions, quantitative risk analysis provides more objective information and data than the qualitative analysis. Keep in mind: While the quantitative analysis is more objective, it is still an estimate. Wise project managers consider other factors in the decision-making process.
II. Better Estimates:
A project manager estimated a project's duration at eight months with a cost of $300,000. The project actually took twelve months and cost $380,000. What happened?
The project manager did a Work Breakdown Structure (WBS) and estimated the work. However, the project manager failed to consider the potential impact of the risks (good and bad) on the schedule and budget.
Ø Implementation: First, we identify risks. Then we can evaluate the risks qualitatively and quantitatively.
Consider using Quantitative Risk Analysis for:
I. Projects that require a Contingency Reserve for the schedule and budget.
II. Large, complex projects that require Go/No Go decisions (the Go/No Go decision may occur multiple times in a project)
III. Projects where upper management wants more detail about the probability of completing the project on schedule and within budget.
Ø Tools & Techniques:
Quantitative Risk Analysis tools and techniques include but are not limited to:
I. Three Point Estimate: a technique that uses the optimistic, most likely, and pessimistic values to determine the best estimate.
II. Decision Tree Analysis: a diagram that shows the implications of choosing one alternative or another.
III. Expected Monetary Value (EMV): a method used to establish the contingency reserves for a project budget and schedule.
IV. Monte Carlo Analysis: a technique that draws many random samples from the optimistic, most likely, and pessimistic estimates to build a distribution of total project cost and completion date. For example, we could estimate the probability of completing a project at a cost of $20M; or, if a company wanted an 80% probability of achieving its cost objective, we could ask what budget is needed to reach 80%.
V. Sensitivity Analysis: a technique used to determine which risks have the greatest impact on a project.
VI. Fault Tree Analysis (FTA): the analysis of a structured diagram that identifies the elements and combinations of events that can cause system failure.
Let’s look at a simple Expected Monetary Value (EMV) example:
Keep in mind that risks include both threats and opportunities. Threats have adverse impacts on cost. Opportunities are benefits that reduce cost. Expected Monetary Value = Probability x Impact, so a threat with a 20% probability and a $50,000 impact carries an EMV of $10,000.
In the EMV table, the benefit of an opportunity is subtracted from the total rather than added. The total EMV represents the project risk exposure and the amount of our contingency reserve.
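A worked EMV table and the Monte Carlo “what budget gives 80% confidence” question from the tools list can be shown together. The following Python is an added example, not the article’s own table or code; the risk items, probabilities, cost figures and three-point estimates are constructed sample data, and the triangular distribution used for sampling is an assumption (a PERT beta distribution is the other common choice).

```python
"""Quantitative risk analysis: EMV contingency reserve, three-point
estimates and a Monte Carlo cost distribution.

Added example, not code from the original article. All figures below are
constructed sample data.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    name: str
    probability: float  # 0..1, chance the event occurs in the project
    impact: float       # cost effect if it occurs; negative = opportunity

    @property
    def emv(self) -> float:
        """Expected Monetary Value = Probability x Impact. An opportunity has
        a negative impact, so its benefit is subtracted from the total."""
        return self.probability * self.impact


def contingency_reserve(items) -> float:
    """Total EMV of the register: the expected risk exposure, which is the
    amount held as contingency reserve."""
    return sum(i.emv for i in items)


@dataclass(frozen=True)
class WorkPackage:
    name: str
    optimistic: float
    most_likely: float
    pessimistic: float

    def pert_estimate(self) -> float:
        """Three-point (PERT weighted) estimate: (O + 4M + P) / 6."""
        return (self.optimistic + 4 * self.most_likely + self.pessimistic) / 6


def simulate_total_cost(packages, items, runs=20_000, seed=1):
    """Monte Carlo: each run samples every package cost from a triangular
    distribution over its three-point estimate (an assumption; PERT beta is
    the other common choice) and rolls each risk as a yes/no event that adds
    its full impact when it occurs. Returns the list of simulated totals."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    for _ in range(runs):
        cost = sum(rng.triangular(p.optimistic, p.pessimistic, p.most_likely)
                   for p in packages)
        for item in items:
            if rng.random() < item.probability:
                cost += item.impact
        totals.append(cost)
    return totals


def cost_at_confidence(totals, confidence=0.8) -> float:
    """Budget needed for `confidence` probability of not overrunning,
    i.e. the empirical percentile of the simulated totals."""
    ordered = sorted(totals)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[index]


def probability_within(totals, budget) -> float:
    """Share of simulated runs that finish at or under `budget`."""
    return sum(1 for t in totals if t <= budget) / len(totals)


# Constructed sample register: two threats and one opportunity.
SAMPLE_RISKS = [
    RiskItem("Key vendor delivers late", 0.30, 50_000),
    RiskItem("Ransomware incident during migration", 0.10, 200_000),
    RiskItem("Reuse of existing licences (opportunity)", 0.50, -40_000),
]

# Constructed three-point estimates (optimistic, most likely, pessimistic).
SAMPLE_PACKAGES = [
    WorkPackage("Design", 40_000, 50_000, 80_000),
    WorkPackage("Build", 150_000, 200_000, 320_000),
    WorkPackage("Test and rollout", 60_000, 80_000, 150_000),
]


if __name__ == "__main__":
    for item in SAMPLE_RISKS:
        print(f"{item.name:45s} EMV {item.emv:>10,.0f}")
    reserve = contingency_reserve(SAMPLE_RISKS)
    print(f"Contingency reserve (total EMV): {reserve:,.0f}")
    base = sum(p.pert_estimate() for p in SAMPLE_PACKAGES)
    print(f"PERT base estimate: {base:,.0f}")
    totals = simulate_total_cost(SAMPLE_PACKAGES, SAMPLE_RISKS)
    print(f"Budget for 80% confidence: {cost_at_confidence(totals, 0.8):,.0f}")
    print(f"Chance of finishing within base + reserve: "
          f"{probability_within(totals, base + reserve):.0%}")
```

The EMV total answers the contingency-reserve question with a single number, but it is only an expectation: a 10% chance of a 200,000 ransomware cost contributes 20,000 to the reserve while the actual loss is either 0 or 200,000. The simulated distribution is what lets management ask for the budget at a chosen confidence level instead of the average, which is the point of the Monte Carlo step.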
Difference b/w Quantitative & Qualitative:
Benefits of Risk Analysis in Cyber Security:
I. Reduction in Costs:
Spending money on regular assessments to identify risks and vulnerabilities is cheaper than paying for breach response or ransoms later. This helps organizations save money and maintain secure management in the long term.
II. Provides Assessment Framework:
The analysis is not a uniform process and must be updated over time. But having a template in place even once gives the organization an efficient structure to reuse in the future.
III. Increases Organizational Knowledge:
Regular assessment lets a company understand where it is lacking as an entity, so it can understand the organization better and improve it accordingly.
IV. Avoid data breaches and Loss:
Every company handles data of some kind that is essential for it to function. Regular assessments help secure this data without hindering its use.
V. Avoid regulatory issues:
Government regulations keep changing, and companies must comply with them. Checking compliance on a regular basis makes the security assessments stronger and more reliable.
VI. Avoid Application Glitches:
Employees and consumers access the organization’s applications on a regular basis. Regular assessment and updating helps ensure that these applications remain usable and responsive without interruption.
Uses of Cyber Security Risk Assessment
- To anticipate adverse outcomes and minimize their effect
- To keep a plan ready for the resources that might be compromised
- To recognize potential risks in a project
- To identify what might go wrong and prepare for it
Steps in the risk analysis process:
I. Determine information value:
Budget planning for every company is done at the start of the financial year, and a limited budget is set aside for information risk management. This limitation forces the company to prioritize business-critical assets, which saves money and leads to a better-planned analysis.
A few things to consider when valuing information –
- Financial or legal penalties attached to the information
- Value of the information to a competitor
- Cost and time to recreate the information
- Value of the information in revenue or profitability
- Impact of the information on business operations
- Associated reputational damage
Information to gather and review as input to the assessment –
- IT security policies
- IT security architecture
- Network topology
- Information storage protection
- Information flow
- Technical security controls
- Physical security controls
- Environmental security
II. Identify cyber threats:
The assessment identifies the vulnerabilities of an organization, and looking at potential risks and previous breaches allows experts to anticipate future situations. Threats are not limited to hackers and malware; they include –
a. Natural disasters:
Management can assess these according to geographic location and climate.
b. System failure:
Sometimes the most important information is held on low-quality equipment, which can lead to its corruption or loss.
c. Human error:
Lack of employee training leads to frequent human errors and thus to loss of data. This can also happen through lack of attention and oversight.
d. Adversarial threats:
Insiders, external attackers, suppliers, and sometimes even clients can leak important information.
Some examples of cyber risks are –
- Data leaks
- Insider threats
Some common threats that affect every organization:
- Using different malware for unauthorized access
- Using information for personal gain by authorized users
- Leaking data for unethical reasons
- Losing data by some human error
III. Identify Vulnerabilities:
After knowing what kinds of threats you might face, identify the weaknesses that a threat could exploit. If the data suggests a high number of human errors in the past, strengthen your training. If there are software-based vulnerabilities, put proper patch management in place.
IV. Analyse Controls:
Having proper controls in place reduces the chance of a threat exploiting a vulnerability. Technical controls include encryption, detection mechanisms, authentication, automatic updates, and so on. Non-technical controls include security policies and physical mechanisms.
Controls are either preventive or detective. Preventive controls stop an attack by taking precautions in advance, while detective controls identify threats through continuous security monitoring.
V. Calculate the Impact:
After knowing what is at risk, the next step is to find out what will be the impact. If you are presuming a natural disaster, then you know that your physical equipment is at risk. This can help you identify the budget you will need to overcome the situation.
VI. Prioritize Risks based on costs and value:
Follow the data collected from information value and use risk level to mitigate the risk. If the risk is high, come up with measures as soon as possible. If the risk is medium then take a reasonable period of time. And in case of low risk, take a call to accept or mitigate.
Consider things like –
- Organizational policies
- Reputational damage
- Effectiveness of controls
- Organizational attitude
- Tolerance for uncertainty
VII. Make Assessment Reports:
The last and most important step is to produce a collective assessment report. This report becomes the basis for the team to take action and make decisions. It usually ends with control recommendations that the company can refer to. The entire process helps the organization understand itself better and see the scope for improvement.
I. Call Accounting risk assessment:
This risk analysis example considered a process that Campton College wanted to implement—a new call accounting system that both administrators and medical students could utilize for billing, tuition, and dorm expense payments; actually, every department of the medical school. Their antiquated system was from the 1990s and they felt it was time to move into the next generation.
In this risk assessment example, first a team was formed to determine which tech company could offer the best system without too much down time for the current system. The company chosen was a widely known call accounting provider – TACS. The challenge was to find a better way for data collection, database improvements, and purging information.
The risk assessment team was challenged with looking at vulnerabilities, threats, and risks and coming up with ways to avoid or minimize risk to the already-valuable assets contained within the current system—the private and secure records as well as accessibility of online interactions, payment histories, and account information.
Campton College was able to determine that over $2 million assets (information) could be at risk including data integrity, private information, access and down time, passwords, and liability costs to the college if private information was accessed.
Not happy with trusting these assets to a switchover right away, the team was able to work with TACS to find ways to mitigate risks such as using compatible software interchanges like Microsoft and an encrypted repository.
Finally, the risk assessment team was able to identify 14 risks, with solutions that lowered a previously forecasted 249% risk figure to 54.3%. By lowering the percentage of risk through secure processes, the college was able to introduce a newly updated system.
II. Passport security protocol:
A joint effort was used in this risk assessment example that included PPSLC, a Texas student loan provider, and Microsoft. The project at hand was to see if PPSLC could utilize Passport Security, which is a web-hosted protocol that gives users who are signed in access to many different merchants—here, the student loan merchant website.
The risk here, of course, was how severely would online fraud or attempts at fraud affect the clients of PPSLC?
In this joint effort both Microsoft engineers and PPSLC techs examined the true cost of damages if a student’s private information was stolen and at what amount per student. They also included the company’s liability if such fraud occurred and student (customer) trust in the system.
Once these risks or threats were defined, the joint teams worked together and also aligned with Passport Security to lower risks through mitigation, software solutions, firewalls, and other technological online advances that would indeed keep the student information safe and secure.
III. Networked medical devices:
In our final risk assessment example, a Microsoft-based network medical device that monitored patients throughout their stay at a hospital was looked at to see if the risks outweighed the cost of the device as well as if the device would be practical for use.
The three largest risks here were the device’s accessibility to all staff, network capabilities, and patient confidentiality. The risk analysis team talked to hardware and software people in order to first identify all threats to patient confidentiality. This was considered to be the most important risk; how would the network medical device be protected from hacks and potential attacks?
Next came the device’s accessibility as well as authorized use. What were the risks if non-authorized personnel had access to the device and in what ways would these situations be prevented? Last, the in-house network that accessed an outside server needed to be secure enough to face the challenge of hospital confidentiality and regulation rules on patient information.
These risks and threats to the new device were tackled via teams that tested defects, encryption protection, password safety, up and down times, and the use of binary formats. They also looked at single user stations and if USB devices were utilized—and how easily they could be infected.
Because the largest risk was patient confidentiality, countermeasures were designed to constantly scan for threats and to upgrade and improve the defences. A plan was developed for online or server attacks, and accessibility was agreed upon via a management team that would oversee and sponsor the use of the medical device.
Risk analysis supports the long-term growth of any company. It helps assure the smooth functioning of the business and a more secure work environment. Following these steps reduces a company’s exposure to multiple cyber threats, but only if the process is taken seriously and implemented at the right time.
The benefits of doing so are clear. Whatever the organization, having a risk analysis plan in place should be a priority.