Welcome dear Networkseclearners to this new tutorial on Cybersecurity Risk Management. If you remember my tutorial on Cybersecurity Threat Actors, you probably know that there are some “bad guys”, also known as threat actors, in the digital realm that can exploit the vulnerabilities in our systems in order to cause harm. As a reminder and in a nutshell, a vulnerability is any weakness in a system’s design, implementation, or security procedures that could be exploited by individuals in order to cause harm. And a threat actor is any individual or entity trying to exploit vulnerabilities in a system in order to cause harm. As you might guess, when there are vulnerabilities that can be exploited by threat actors, there is a risk of a successful cybersecurity breach that can have severe operational and financial consequences. Therefore, it is crucial to identify such risks and mitigate them in order to avoid those consequences. That’s why we need Cybersecurity Risk Management, which is basically the practice of identifying, evaluating, and prioritizing risks to an organization’s information systems and implementing strategies to mitigate or manage those risks. Also, some regulations and standards in the Cybersecurity domain require organizations to put risk management in place in order to be compliant. Examples of these regulations and standards are ISO/IEC 27001, NIST SP 800-53, NIST Cybersecurity Framework (CSF), GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard) and, for the automotive industry, ISO/SAE 21434 and UNECE WP.29 (R155).
After this article, which focuses on the generic principles of risk management, there will be a second article that focuses on risk management in the automotive industry, namely the TARA required by the standard ISO/SAE 21434 and the regulation UNECE WP.29 (R155). TARA stands for Threat Analysis and Risk Assessment. If you are interested in TARA and are impatient to learn everything about this topic, stop reading and go subscribe to my Newsletter to be notified as soon as the TARA article is released.
Also, I would like to inform you that if you are planning on taking the CompTIA Security+ exam, you are at the right place because, first, Risk Management is part of the exam and, secondly, this article comprehensively covers the associated Risk Management objectives of the exam. Indeed, Risk Management is part of Domain 5: Security Program Management and Oversight, Objective 5.2: Explain elements of the risk management process.
In the next sections, I would like to present an overview of the risk management process or lifecycle, risk assessment frequency and risk management strategies. I will then end with risk monitoring and reporting. Let’s get started dear networkseclearners.
1. Risk Management Process
The Risk Management Lifecycle is a systematic process for identifying, analyzing, treating, monitoring and reporting risks to an organization’s information assets and operations. Let’s discuss each step of the risk management process in more detail.
1.1 Risk Identification
The first step in the risk management process is risk identification. But, wait, how do we identify risk in the first place? I hope you will guess the answer, otherwise, I will kindly ask you to read the introduction section again! But, don’t worry, I will repeat the answer. Ah, I am kind, right? Haha
Well, from a Cybersecurity perspective, a risk exists when there is a vulnerability in our systems that can be exploited by some threat actor. When a vulnerability exists but there is no threat actor associated with it, there is no risk. And when there is a threat actor but no vulnerability, this also means there is no risk. So, as you might guess, identifying risk consists of identifying the potential threats and vulnerabilities that could impact the organization’s information assets. In order to achieve this, here are the steps that we shall implement :
- First, understand the context of the systems for which you want to identify risks, such as their goals and their operational environment.
- Identify all the cybersecurity assets (hardware, software, data, cryptographic keys, communication channels).
- Threat Identification : Identify potential sources of threats, such as cybercriminals, internal employees and technical failures.
- Vulnerability Assessment : Identify weaknesses or points of failure in the current security systems.
1.2 Risk analysis
Risk analysis is a critical component of cybersecurity risk management. It involves identifying, evaluating, and prioritizing risks to an organization’s information assets in order to support informed decision-making about treating these risks. There are 3 techniques when it comes to risk analysis: qualitative, quantitative and semi-quantitative risk analysis.
1.2.1 Qualitative Risk Analysis
Qualitative risk analysis is a primary method used in risk management to evaluate and prioritize risks based on their potential impact and likelihood. Unlike quantitative risk analysis, which relies on numerical and statistical data, qualitative risk analysis uses descriptive scales such as low, medium and high to assess risks.
The Likelihood/Probability refers to the chance that a risk occurs and is qualitatively expressed as low, medium, or high based on past experience or expert judgment.
The Impact refers to the potential consequences, such as damage to project or business objectives, if the risk occurs and is qualitatively rated as low, medium, or high.
1.2.2 Quantitative Risk Analysis
Quantitative risk analysis is a method that provides a numerical evaluation of risks. This approach is particularly useful for making financial, safety, and scheduling decisions because it quantifies the potential impact of risks in measurable terms.
Key Components of Quantitative Risk Analysis
- Single Loss Expectancy (SLE) : The expected monetary loss every time a risk event occurs.
  - Formula: SLE = Asset Value (AV) * Exposure Factor (EF).
  - Example: If a server worth 10,000€ is expected to lose 40% of its value due to a cyber attack, the SLE would be 4,000€.
- Exposure Factor (EF) : The percentage of loss a specific threat would have on an asset.
  - Example: An EF of 0.4 (or 40%) means that the asset would lose 40% of its value if the risk event occurs.
- Annualized Rate of Occurrence (ARO) : The estimated frequency at which a specific risk event is expected to occur in a year.
  - Example: If a risk event is expected to occur twice a year, the ARO is 2.
- Annualized Loss Expectancy (ALE) : The expected annual financial loss due to a specific risk.
  - Formula: ALE = SLE * ARO.
  - Example: If the SLE is 4,000€ and the ARO is 2, the ALE would be 8,000€.
1.2.3 Semi Quantitative Risk Analysis
In a nutshell, semi-quantitative risk analysis combines both qualitative and quantitative methods to assess risks. It uses predefined scales to assign scores to the likelihood and impact of risks.
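To make the three techniques concrete, here is an added worked example (my own illustration, not code from the original tutorial or from any standard) that scores a small constructed risk register in all three ways: qualitative low/medium/high levels, the quantitative SLE and ALE formulas above, and a semi-quantitative likelihood × impact score on an assumed 1 to 5 scale. The register entries, the 1 to 5 scale and the level cut-offs are assumptions; only the server example (10,000€, EF 0.4, ARO 2) comes from the text.

```python
"""Scoring a risk register with qualitative, quantitative and
semi-quantitative analysis. Added example; all data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in euros
    exposure_factor: float  # EF, fraction of AV lost per event (0.0 .. 1.0)
    aro: float              # Annualized Rate of Occurrence (events per year)
    likelihood: int         # semi-quantitative score 1..5 (assumed scale)
    impact: int             # semi-quantitative score 1..5 (assumed scale)

    def __post_init__(self):
        # Guard against a common spreadsheet mistake: EF entered as 40 instead of 0.4
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        for field in (self.likelihood, self.impact):
            if not 1 <= field <= 5:
                raise ValueError(f"{self.name}: scores must be in 1..5")


def sle(risk: Risk) -> float:
    """Single Loss Expectancy: AV * EF."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy: SLE * ARO."""
    return sle(risk) * risk.aro


def semi_quantitative_score(risk: Risk) -> int:
    """Predefined-scale score: likelihood * impact, range 1..25."""
    return risk.likelihood * risk.impact


def qualitative_level(risk: Risk) -> str:
    """Map the 1..25 score onto low/medium/high (assumed cut-offs: <=5, <=12, >12)."""
    score = semi_quantitative_score(risk)
    if score <= 5:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def rank_by_ale(register: list[Risk]) -> list[str]:
    """Quantitative prioritisation: highest expected annual loss first."""
    return [r.name for r in sorted(register, key=ale, reverse=True)]


def rank_by_score(register: list[Risk]) -> list[str]:
    """Semi-quantitative prioritisation: highest likelihood*impact first."""
    return [r.name for r in sorted(register, key=semi_quantitative_score, reverse=True)]


# Constructed register: the server line reproduces the tutorial's own numbers.
REGISTER = [
    Risk("server compromise", 10_000, 0.4, 2, likelihood=3, impact=4),
    Risk("laptop theft", 2_000, 1.0, 5, likelihood=5, impact=2),
    Risk("phishing of finance team", 50_000, 0.1, 1, likelihood=4, impact=4),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:26} SLE={sle(r):>8.0f}€ ALE={ale(r):>8.0f}€ "
              f"score={semi_quantitative_score(r):>2} level={qualitative_level(r)}")
    print("by ALE  :", rank_by_ale(REGISTER))
    print("by score:", rank_by_score(REGISTER))
```

Running it shows why analysts use more than one technique: the quantitative ranking puts laptop theft first (many cheap losses add up), while the semi-quantitative score puts phishing first. Both orderings are defensible inputs to the treatment decision; the point is to make the scale and cut-offs explicit so stakeholders can challenge them.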
Let’s continue this section with one more important component of risk analysis, which is the Business Impact Analysis.
1.2.4 Business Impact Analysis
Business Impact Analysis (BIA) is a systematic process used to identify and evaluate the potential effects of interruptions to business operations due to various risks, such as cyber attacks, natural disasters, or equipment failures. The goal of a BIA is to provide the necessary data to develop strategies for risk mitigation and recovery planning. The key metrics in BIA are :
- Recovery Time Objective (RTO) : The maximum acceptable length of time that a business function can be disrupted without severe impact. For example, the RTO for restoring email services might be 4 hours.
- Recovery Point Objective (RPO) : The maximum acceptable amount of data loss, measured in time. For example, the RPO for transaction data might be 1 hour.
- Mean Time To Repair (MTTR) : The average time it takes to fix a broken system or piece of equipment and get it back to working order. For example, if your computer system breaks down and it takes an average of 2 hours to repair it and make it functional again, the MTTR is 2 hours.
- Mean Time Between Failures (MTBF) : The average time that a system or piece of equipment operates without failing, which measures the reliability of a system. For instance, if a machine runs for 1000 hours before it breaks down, and this pattern repeats consistently, the MTBF is 1000 hours. This means that, on average, the machine operates for 1000 hours before experiencing a failure.
2. Risk Treatment
Risk treatment is a critical process in cybersecurity risk management. You might already have wondered what to do next once you have identified some risks. Well, you need to perform risk treatment, which involves deciding on the strategy to handle each risk.
2.1 Risk Transfer
This strategy involves transferring the risk to a third party, such as an insurance company, for example by purchasing cybersecurity insurance to cover financial losses from data breaches. The focus of this strategy is to assess and purchase appropriate insurance policies.
2.2 Risk Acceptance
As the name suggests, this strategy involves accepting the risk as it is, without any control. This happens when the cost of putting controls in place to mitigate the risk is higher than the potential loss caused by the risk. This strategy is also used when the impact of the risk is very low. An example of risk acceptance is accepting the risk of minor data breaches that do not significantly impact operations or finances.
2.3 Risk Avoidance
This risk strategy involves eliminating the risk by choosing not to engage in activities that would introduce a risk that is too high to accept or transfer. For instance, an organization might decide not to develop a new online service because the risks associated with securing user data are too high.
2.4 Risk Mitigation
This risk strategy involves reducing the impact or likelihood of a risk through various controls and safeguards, for instance implementing multi-factor authentication (MFA) to mitigate the risk of unauthorized access.
Before ending this section, I would like to introduce two key concepts to you: Risk Tolerance and Risk Appetite. Indeed, by understanding and defining risk tolerance and risk appetite, organizations can make informed decisions about which risks to accept, avoid, or mitigate, aligning their risk management strategies with their overall goals and objectives.
Risk Tolerance :
An organization’s or individual’s willingness to deal with uncertainty in pursuit of their goals, i.e. the maximum amount of risk they are willing to accept. It represents the level of risk an entity is prepared to accept without implementing countermeasures and reflects a pragmatic approach to handling potential threats while pursuing objectives.
Risk Appetite :
An organization’s willingness to pursue or retain risk. Determines the types and amount of risk an organization is willing to accept to achieve its strategic goals.
Types of Risk Appetite :
- Expansionary :
  - Willing to take higher risks for potential high rewards.
  - Common in startups or companies aiming for rapid growth.
- Conservative :
  - Prefers to take minimal risks to safeguard assets and ensure stability.
  - Typical for established businesses focused on maintaining market position.
- Neutral :
  - Balanced approach, considering both potential risks and rewards.
  - Often seen in companies that aim for steady growth without extreme risk-taking.
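The four treatment strategies and the notion of risk tolerance can be combined into a repeatable decision rule. The following is an added example of my own (not code from the original tutorial or from any standard) that chooses between accept, mitigate, transfer and avoid for one risk, given its current ALE, the organization’s risk tolerance expressed as the maximum ALE it will carry, and the candidate controls or insurance policies with their annual cost and the residual ALE they leave. The decision order, the "net annual benefit" calculation and all figures are assumptions made for the illustration.

```python
"""Choosing a risk treatment strategy from ALE, tolerance and candidate
options. Added example; the decision rule and all numbers are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TreatmentOption:
    strategy: str        # "mitigate" (a control) or "transfer" (insurance)
    annual_cost: float   # control operating cost or insurance premium, per year
    residual_ale: float  # expected annual loss that remains once applied


def net_annual_benefit(ale: float, option: TreatmentOption) -> float:
    """Loss avoided per year minus what the option costs per year."""
    return (ale - option.residual_ale) - option.annual_cost


def recommend(ale: float, tolerance: float, options: list[TreatmentOption]) -> tuple[str, float]:
    """Return (strategy, residual ALE) using an assumed decision order:
    1. Accept if the risk is already within tolerance.
    2. Otherwise pick the option with the best net benefit among those that are
       worth their cost AND bring the residual ALE within tolerance.
    3. If no option qualifies and every option costs at least as much as the
       loss it addresses, accept (controls cost more than the loss).
    4. Otherwise the risk is too high to accept or transfer: avoid the activity.
    """
    if ale <= tolerance:
        return ("accept", ale)

    candidates = [
        o for o in options
        if net_annual_benefit(ale, o) > 0 and o.residual_ale <= tolerance
    ]
    if candidates:
        best = max(candidates, key=lambda o: net_annual_benefit(ale, o))
        return (best.strategy, best.residual_ale)

    if options and all(o.annual_cost >= ale for o in options):
        return ("accept", ale)

    return ("avoid", 0.0)


# Constructed scenario: unauthorized access to an internal portal.
# ALE of 8,000€ per year; candidate treatments are MFA (mitigate) or a cyber
# insurance policy (transfer). Figures are invented for the example.
UNAUTHORIZED_ACCESS_ALE = 8_000.0
OPTIONS = [
    TreatmentOption("mitigate", annual_cost=1_500.0, residual_ale=800.0),   # MFA rollout
    TreatmentOption("transfer", annual_cost=3_000.0, residual_ale=1_000.0), # insurance
]

if __name__ == "__main__":
    for label, tolerance in (("expansionary", 10_000.0), ("conservative", 2_000.0)):
        strategy, residual = recommend(UNAUTHORIZED_ACCESS_ALE, tolerance, OPTIONS)
        print(f"tolerance {tolerance:>7.0f}€ ({label:12}) -> {strategy:8} residual ALE {residual:.0f}€")
```

Note how the same risk is accepted under a generous tolerance and mitigated under a strict one: the tolerance, not the ALE alone, drives the decision. The third rule encodes the acceptance criterion given above (controls costing more than the loss they prevent), and the final fallback is avoidance, which the decision tree reaches only when neither mitigation nor transfer can bring the residual risk within tolerance at an acceptable cost.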
3. Risk Assessment frequency
Risk assessment frequency is the frequency or periodicity with which risk assessments are performed. It is very important to mention here that this frequency depends on various factors like the organization’s size, industry, regulatory requirements, and risk profile. Here are the frequencies generally encountered :
3.1 Continuous Risk Assessments
Continuous risk assessment relies on continuous monitoring tools that provide real-time data feeding into dynamic risk assessments, allowing for immediate response to emerging threats.
3.2 One-Time Risk Assessments
A one-time risk assessment is a comprehensive evaluation conducted at a specific point in time to identify, analyze, and mitigate risks associated with information systems, data, and operations. Unlike regular assessments, one-time risk assessments are typically triggered by specific events or needs within an organization.
3.3 Recurring Risk Assessments
Recurring risk assessment consists of conducting the risk assessment at regular intervals, for instance annually, quarterly or monthly.
3.4 Ad-Hoc Risk Assessments
Ad-hoc risk assessments are unscheduled, spontaneous evaluations conducted in response to emerging threats, incidents, or changes within an organization. Unlike regular, periodic assessments, ad-hoc assessments are initiated by specific triggers that necessitate an immediate review of the organization’s security posture.
4. Risk Monitoring and Reporting
4.1 Risk Monitoring
Risk monitoring involves the continuous oversight of identified risks and of the effectiveness of implemented controls. This ongoing process helps organizations stay vigilant against emerging threats and adjust their security measures as needed. It therefore helps organizations determine Residual Risk and Control Risk.
Residual Risk is the risk that remains after all risk management efforts and controls have been applied. It acknowledges that no control or combination of controls can eliminate all risk completely. Residual risk is what organizations must accept or transfer after implementing mitigation measures. For example, if a company implements a firewall to protect against cyber attacks, the residual risk is the possibility that an attack might still bypass the firewall through unknown vulnerabilities or sophisticated methods.
Control Risk refers to the possibility that the security measures or controls in place will fail to detect or prevent a risk. It reflects the effectiveness of the controls in place and highlights the potential for gaps or weaknesses within the control mechanisms. For example, if an organization relies on manual processes to update antivirus software, the control risk is that these updates may be missed or delayed, leading to potential vulnerabilities.
4.2 Risk Reporting
Risk reporting involves communicating the status of risks and the effectiveness of risk management efforts to stakeholders. Effective reporting ensures transparency, accountability, and informed decision-making within the organization.
CONCLUSION
Thank you for following along with this tutorial on Cybersecurity Risk Management. We’ve covered the basics of identifying and mitigating risks that can arise from vulnerabilities in your systems. It’s crucial to understand that by managing these risks, you can prevent significant operational and financial damage.
Stay tuned for the next article, where we will dive into the specific risk management practices for the automotive industry, focusing on Threat Analysis and Risk Assessment (TARA) as outlined in ISO/SAE 21434 and UNECE WP.29 (R155). If you’re excited about learning more, don’t forget to subscribe to my newsletter for updates.
For those preparing for the CompTIA Security+ exam, remember that understanding risk management is crucial for success. This tutorial covers essential exam objectives and will help you grasp the necessary concepts.
Feel free to leave a comment below with your thoughts or any questions you might have. And if you found this tutorial helpful, please share it with others who might benefit from it.
Happy learning, my dear networkseclearners!