
The Art of Cybersecurity Risk Assessment: A Five-Step Dance

In the digital age, every organization is a potential target for cyber attacks. The key to managing this risk is a cybersecurity risk assessment, a process that identifies which assets are most exposed to the cyber threats an organization faces and what it would cost the business if those threats succeeded. This isn’t your run-of-the-mill risk assessment, though. We’re not talking about fires or floods here. We’re talking about cyber threats.

The Heart of a Cybersecurity Risk Assessment

A cybersecurity risk assessment is all about understanding your organization’s key business objectives and identifying the IT assets that are essential to achieving those objectives. It’s about identifying potential cyber attacks that could harm those assets, assessing the likelihood of those attacks, and understanding the potential impact. This gives stakeholders and security teams the information they need to make informed decisions about how and where to implement security controls to reduce the overall risk to a level the organization has agreed to tolerate.

The Five-Step Dance of a Cybersecurity Risk Assessment

A cybersecurity risk assessment can be broken down into five main steps: scoping, risk identification, risk analysis, risk evaluation, and documentation.

Step 1: Setting the Stage – Determining the Scope of the Risk Assessment

The first step in a risk assessment is deciding what is in scope. This could be the entire organization, but more often, it’s a specific business unit, location, or aspect of the business, like payment processing or a web application. It’s crucial to have the full support of all stakeholders whose activities are within the scope of the assessment. Their input is essential for understanding which assets and processes are the most important, identifying risks, assessing impacts, and defining risk tolerance levels.

Step 2: Identifying the Players – Cybersecurity Risks

2.1 Identifying Assets

The next task is to identify and create an inventory of all physical and logical assets within the scope of the risk assessment. This includes not only the organization’s crown jewels (the systems and data that directly support the business objectives identified in Step 1), but also assets attackers would want to control as a pivot point to expand an attack, such as an Active Directory server or a picture archiving and communication system (PACS) in a hospital network.

2.2 Identifying Threats

Threats are the tactics, techniques, and methods used by threat actors that have the potential to harm an organization’s assets. To help identify potential threats to each asset, use a threat library like the MITRE ATT&CK Knowledge Base and resources from the Cyber Threat Alliance. Additionally, consider using tools like the Webparanoid extension, which can provide valuable insights into potential threats and vulnerabilities.

2.3 Identifying What Could Go Wrong

This task involves writing down risk scenarios: for each in-scope asset, the consequences of an identified threat exploiting a vulnerability in it. A good scenario names the threat, the vulnerability, the asset, and the business consequence. For example, an attacker exploits an SQL injection flaw in an unpatched web application, customers’ private data is stolen from the database behind it, and the organization suffers regulatory fines and damage to its reputation.

Step 3: Analyzing the Choreography – Risks and Potential Impact

Now it’s time to determine the likelihood of the risk scenarios documented in Step 2 actually happening, and the impact on the organization if they did. In a cybersecurity risk assessment, risk likelihood should be determined primarily from the discoverability, exploitability, and reproducibility of the threats and vulnerabilities involved rather than from historical occurrences alone: most organizations have too little incident history for frequency to be a reliable guide, and an exposed weakness that is easy to exploit is likely to be attacked whether or not it has been attacked before. Impact should be rated against the business objectives identified in Step 1 (financial loss, regulatory exposure, operational disruption, reputational harm).

Step 4: Prioritizing the Moves – Determining and Prioritizing Risks

Using a risk matrix that combines likelihood with impact, each risk scenario can be classified. Our SQL injection example has a high impact (stolen customer data, regulatory fines, reputational damage), so if its likelihood were also considered “Likely” or “Highly Likely,” the scenario would be classified as “Very High.” Any scenario that is above the agreed-upon tolerance level should be prioritized for treatment (mitigate, transfer, avoid, or consciously accept) to bring it within the organization’s risk tolerance level, starting with the highest-rated scenarios.

Step 5: Documenting the Dance – Documenting All Risks

It’s important to document all identified risk scenarios in a risk register, including the ones that fall within tolerance and need no treatment. Each entry should record the asset, threat, vulnerability, consequence, likelihood and impact ratings, the resulting risk level, the treatment decision and its owner. The register should be regularly reviewed and updated to ensure that management always has an up-to-date account of its cybersecurity risks.
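Steps 3 to 5 as working code, added here as an illustration and not code from the original article. It assumes a 1-to-5 rating for each likelihood factor the article names (discoverability, exploitability, reproducibility), a 1-to-5 impact rating, and a 5x5 matrix whose bands are one common choice rather than a standard; the sample scenarios and their ratings are constructed for the example.

```python
"""Risk matrix and risk register for Steps 3 to 5 of a cybersecurity risk assessment.

Added illustration, not code from the original article. Assumptions:
each likelihood factor and the impact are rated 1 to 5, and the matrix
bands in classify() are one common choice, not a standard.
"""
from dataclasses import dataclass

LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Highly Likely"}
RISK_LEVELS = ["Low", "Medium", "High", "Very High"]  # ordered, lowest first


def _check_scale(name: str, value: int) -> int:
    """Reject ratings outside the assumed 1-to-5 scale instead of silently mis-scoring."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return value


def classify(likelihood: int, impact: int) -> str:
    """Map a likelihood band and an impact band to a risk level via a 5x5 matrix.

    The thresholds on the product are assumed; replace them with the
    organisation's own matrix. 'Likely' (4) or 'Highly Likely' (5) with
    impact 5 lands in 'Very High', as in the article's SQL injection example.
    """
    score = _check_scale("likelihood", likelihood) * _check_scale("impact", impact)
    if score >= 16:
        return "Very High"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Scenario:
    """One risk scenario from Step 2.3: threat, vulnerable asset, consequence, ratings."""
    asset: str
    threat: str
    consequence: str
    discoverability: int  # how easily an attacker finds the weakness
    exploitability: int   # how easily it is exploited once found
    reproducibility: int  # how reliably the attack works each time
    impact: int           # harm to business objectives if it succeeds

    def likelihood(self) -> int:
        """Likelihood band from the three factors, not from incident history (Step 3)."""
        factors = [_check_scale(n, getattr(self, n))
                   for n in ("discoverability", "exploitability", "reproducibility")]
        return round(sum(factors) / 3)

    def score(self) -> int:
        return self.likelihood() * _check_scale("impact", self.impact)

    def level(self) -> str:
        return classify(self.likelihood(), self.impact)


def prioritize(scenarios, tolerance: str):
    """Scenarios above the agreed tolerance level, highest score first (Step 4)."""
    limit = RISK_LEVELS.index(tolerance)
    above = [s for s in scenarios if RISK_LEVELS.index(s.level()) > limit]
    return sorted(above, key=lambda s: s.score(), reverse=True)


def risk_register(scenarios, tolerance: str):
    """Rows for the risk register (Step 5): every scenario, whether or not it needs treatment."""
    limit = RISK_LEVELS.index(tolerance)
    return [
        {"asset": s.asset, "threat": s.threat, "consequence": s.consequence,
         "likelihood": LIKELIHOOD_LABELS[s.likelihood()], "impact": s.impact,
         "level": s.level(), "treat": RISK_LEVELS.index(s.level()) > limit}
        for s in scenarios
    ]


# Constructed sample scenarios in the article's style; the ratings are illustrative guesses.
SAMPLE_SCENARIOS = [
    Scenario("customer web app", "SQL injection in unpatched web application",
             "customer data stolen; regulatory fines and reputational damage", 5, 4, 5, 5),
    Scenario("Active Directory", "phishing of a domain admin, then pivot across the estate",
             "attacker controls identity for the whole organisation", 4, 3, 4, 5),
    Scenario("PACS imaging server", "ransomware via exposed management interface",
             "imaging unavailable to clinicians", 3, 3, 2, 4),
    Scenario("staff laptop (full-disk encrypted)", "device lost in transit",
             "minimal disclosure; replacement cost", 2, 1, 2, 2),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_SCENARIOS, tolerance="Medium"):
        print(row)
    print("treat first:", [s.asset for s in prioritize(SAMPLE_SCENARIOS, "Medium")])
```

With tolerance set to “Medium”, the SQL injection scenario scores 25 (“Very High”), the Active Directory scenario 20 (“Very High”), the PACS scenario 12 (“High”), and the encrypted laptop 4 (“Low”), so the first three are queued for treatment in that order and the laptop stays in the register as an accepted risk. Replace the band thresholds with whatever matrix the stakeholders from Step 1 agreed to; the point is that the scoring rule is written down once and applied the same way to every scenario.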

A cybersecurity risk assessment is a large and ongoing undertaking, so time and resources need to be made available if it is going to improve the future security of the organization. It will need to be repeated as new cyber threats arise, and new systems or activities are introduced, but done well the first time around, it will provide a repeatable process and template for future assessments, while reducing the chances of a cyber attack adversely affecting business objectives.

Jason Davies

I am one of the editors here at I am a UK-based technology professional, with an interest in computer security and telecoms.
