by George Mutune
Cybersecurity Risk Assessment is critical because cyber risks are part and parcel of any technology-oriented business. Factors such as lax cybersecurity policies and technological solutions that have vulnerabilities expose an organization to security risks.
Failing to manage such risks gives cybercriminals opportunities to launch damaging attacks. A cybersecurity risk assessment lets a business identify the threats it actually faces, analyze and evaluate the associated risks, and single out the vulnerabilities with the highest damage potential. As a result, a company can identify suitable controls for addressing those risks.
Cybersecurity risk assessments have other benefits, all aimed at bolstering organizational security, and they are essential for any company that wants to harden its security stance. Most importantly, they are the method by which a company identifies the security controls that give it the most protection for the effort spent, rather than controls chosen by habit or vendor pressure.
Who should carry out the assessment is a question every business must answer before it can run an effective cybersecurity risk assessment. Typically, companies delegate the responsibility to in-house IT staff. In this scenario, the team must possess adequate knowledge of the company’s operations as well as a deep understanding of the underlying IT infrastructure and network topology.
That aside, a risk assessment team should include high-level executives with a clear understanding of the information flows within the organization. The executives must know which data is proprietary or otherwise sensitive, because that knowledge shapes how the assessment is scoped and how impacts are rated. Including top executives and departmental heads in risk assessments also increases visibility, and high visibility is a critical element of a valid cybersecurity risk assessment.
Alternatively, a business may lack the in-house personnel required to do a risk assessment. These companies, often small and medium-sized businesses, may outsource risk assessments to third-party companies. Outsourcing should follow due process, because it gives outsiders access to internal security controls, customer and employee data, and the whole IT infrastructure. There are plenty of individual consultants and companies capable of performing risk assessments competently. A business should consider the following guidelines before outsourcing:
Now that we understand the importance of cybersecurity risk assessments and who is responsible for performing them, it is crucial to understand the process itself. Before commencing a cybersecurity risk assessment, an organization should first audit the IT infrastructure and data it is securing. A data audit, for example, identifies the data a business handles and its value. The following questions can guide a data audit:
Once the data audit and IT asset audit are complete, a business must define the parameters that will guide the risk assessment. The following guidelines can assist in determining appropriate parameters:
The parameters ensure that a cybersecurity risk assessment meets all of its objectives. More importantly, they ensure that every critical asset, including information systems and data storage facilities, is actually evaluated rather than falling outside the scope.
The process cannot be complete without performing the risk assessment itself. The National Institute of Standards and Technology (NIST), in SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments), recommends a risk assessment model consisting of six main steps. They are as indicated below.
There are two primary sources of security threats to an organization’s data and IT assets. Threats can be caused by adversaries, or they can be non-adversarial: accidental (human error), structural (equipment or software failure) or environmental (natural disasters, power loss). Non-adversarial threats cause harm on their own, and they are also made more likely and more damaging by security negligence and weak cybersecurity programs, which in turn give cybercriminals avenues to exploit. Examples of adversarial threats are:
An assessment of all the identified threat sources must be completed; after all, that is why we conduct risk assessments. For adversarial threat sources, the assessment should cover the capabilities and intentions of potential attackers and the targets they are likely to pursue. Each threat source is assigned a qualitative rating such as very high, high, moderate, low or very low (or a semi-quantitative score on a fixed scale) for use during risk calculation; these ratings are ordinal labels, not measured probabilities.
Risk or threat events comprise the actual attacks or incidents that could occur against the organization. Each event is characterized by the threat sources with the potential to cause it. The description of each event must fit the company’s own environment and cybersecurity posture; a generic or inaccurate event description leads to an inadequate assessment because it is built on misinformation. The following table illustrates two examples of risk events and their descriptions, as recommended in NIST risk management publications.
The previous two steps are hypothetical: they produce a list of all potential security occurrences. In this step, the assessment measures those threats against the organization’s actual IT infrastructure and security implementation. Vulnerability severity expresses how much a weakness matters to the organization, and therefore how important it is to mitigate it, given the threats that could exploit it and the controls already in place. The assessor must therefore match each identified threat event with the vulnerabilities (and predisposing conditions) that would let it succeed, while taking into account the security controls available to mitigate the event.
Now, the risk assessor must determine the likelihood that each threat event will occur. This stage measures not only the probability that an event is initiated, but also the probability that it results in adverse impact if it does occur; the two are combined into an overall likelihood. For adversarial events, the assessment draws on factors such as the attackers’ capabilities, their intentions and their past targeting. For non-adversarial events, a business can consider the anticipated frequency, duration and severity described in the event. Likelihoods are assigned qualitative values in light of the relevant vulnerabilities and predisposing conditions. Factors influencing the methods assessors use to determine likelihood include:
Factors that influence the impact of a risk event include where in the organization it occurs and whether the business manages to contain it before it spreads. Impact assessment involves identifying the assets a threat source could affect, including information resources such as applications, data repositories and information systems. The impact assessment should cover different categories of asset, both digital and physical, to ensure a holistic cybersecurity risk assessment.
To determine the cybersecurity risk to the organization, the assessor combines each event’s overall likelihood with its potential impact. The likelihood and impact ratings are factored against each other, usually through a lookup matrix, and the results are the organization’s risks, ranked so that the events with the highest combined likelihood and impact are addressed first.
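The likelihood and risk-determination steps above are easiest to see as a small, repeatable calculation. The following Python script is an added example, not code from the original article or from NIST: it represents each threat event with a likelihood of occurrence, a likelihood of adverse impact given occurrence and an impact rating, combines the two likelihoods into an overall likelihood, looks up the resulting risk level in a matrix, and ranks the events. The lookup matrix, the combination rule (the weaker of the two likelihoods wins) and the sample events are all assumptions constructed for illustration; an organization should substitute the scales and table from its own risk assessment methodology.

```python
"""Qualitative likelihood x impact risk determination (added illustrative example).

The five-level scale, the combination rule and the lookup matrix below are
assumptions for this example; they are not copied from NIST SP 800-30.
"""
from dataclasses import dataclass

# Ordinal scale shared by likelihood, impact and risk ratings (assumed).
LEVELS = ("very low", "low", "moderate", "high", "very high")

# Assumed risk lookup: RISK_MATRIX[overall likelihood][impact rank] -> risk level.
# Rows are overall likelihood, columns run from "very low" to "very high" impact.
RISK_MATRIX = {
    "very high": ("very low", "low", "moderate", "high", "very high"),
    "high":      ("very low", "low", "moderate", "high", "very high"),
    "moderate":  ("very low", "low", "moderate", "moderate", "high"),
    "low":       ("very low", "low", "low", "low", "moderate"),
    "very low":  ("very low", "very low", "very low", "low", "low"),
}


def _rank(level: str) -> int:
    """Map a rating label to its position on the scale; reject unknown labels
    so a typo in an assessment spreadsheet fails loudly instead of silently."""
    if level not in LEVELS:
        raise ValueError(f"unknown rating {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    """Combine 'likelihood the event occurs' with 'likelihood it causes harm
    given that it occurs'. Assumed rule: take the weaker of the two, because an
    event that is rarely attempted, or rarely succeeds, is unlikely overall."""
    return LEVELS[min(_rank(initiation), _rank(adverse_impact))]


@dataclass(frozen=True)
class RiskEvent:
    name: str
    source: str       # adversarial, accidental, structural or environmental
    initiation: str   # likelihood the event occurs / is initiated
    success: str      # likelihood it results in adverse impact, given occurrence
    impact: str       # magnitude of harm if it succeeds


def determine_risk(event: RiskEvent) -> tuple[str, str]:
    """Return (overall likelihood, risk level) for one event."""
    likelihood = overall_likelihood(event.initiation, event.success)
    risk = RISK_MATRIX[likelihood][_rank(event.impact)]
    return likelihood, risk


def rank_events(events: list[RiskEvent]) -> list[dict]:
    """Score every event and return rows sorted highest risk first (stable sort
    keeps the input order among events with equal risk)."""
    rows = []
    for event in events:
        likelihood, risk = determine_risk(event)
        rows.append({"event": event.name, "source": event.source,
                     "likelihood": likelihood, "impact": event.impact, "risk": risk})
    return sorted(rows, key=lambda r: _rank(r["risk"]), reverse=True)


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    RiskEvent("Phishing steals finance-team credentials", "adversarial",
              initiation="very high", success="moderate", impact="high"),
    RiskEvent("Ransomware on unpatched file server", "adversarial",
              initiation="high", success="high", impact="very high"),
    RiskEvent("Admin exposes storage bucket to the public", "accidental",
              initiation="moderate", success="high", impact="high"),
    RiskEvent("Flooding of the server room", "environmental",
              initiation="very low", success="very high", impact="very high"),
    RiskEvent("Disk failure in backup array", "structural",
              initiation="low", success="moderate", impact="moderate"),
]

if __name__ == "__main__":
    for row in rank_events(SAMPLE_EVENTS):
        print(f"{row['risk']:>9} | {row['likelihood']:>9} x {row['impact']:>9} | "
              f"{row['source']:<13} | {row['event']}")
```

Running the script prints the ranked register; the ransomware event comes out as very high risk and the flood, despite its very high impact, as low risk because it is very unlikely to occur. Replacing the assumed matrix with the organization's own table changes only `RISK_MATRIX`, which is the point of keeping the combination rule, the lookup and the data separate.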
Since a cybersecurity risk assessment identifies existing risks, what then? How should an organization manage them to ensure it is secure from cyber-attacks? This calls for the adoption of a risk management framework.
A risk management framework (RMF) provides a series of steps for managing risks to organizational IT systems. According to NIST SP 800-37 Rev. 1, a risk management framework has six steps; the 2018 revision (SP 800-37 Rev. 2) adds a preceding Prepare step, bringing the count to seven, but the six below remain the core of the process.
An organization should first categorize each new IT system according to the impact that a loss of confidentiality, integrity or availability of its information would have on the business mission and objectives. The organization’s risk management strategy should guide this categorization, and the resulting category drives everything that follows.
A business must then select suitable security controls to mitigate its cybersecurity risks. The system’s security category determines the baseline control set; the organization tailors that baseline and supplements it with controls specific to a particular system or risk, using the results of the risk assessment. The organization’s leadership should approve the selected controls.
This step involves implementing the controls selected in the previous step. Once a business completes this stage, it should be able to show that it has implemented the minimum requirements needed to mitigate the identified risks and that it understands how each control contributes to security.
An independent assessor must assess the controls to determine whether they are implemented correctly, operate as intended and actually mitigate the risks they were selected for. Weak or missing controls are recorded as findings that the organization must remediate or track in a plan of action.
A senior official must then authorize the system to operate, formally accepting the residual risk. The authorization package should include the risk assessment results, the documentation of the implemented controls and the assessment findings, so that the decision is made on evidence of how the controls mitigate the identified risks.
Finally, a business should continuously monitor the security controls so that they are reassessed and updated whenever the system, the threat landscape or the underlying technology changes, and so that the authorization decision stays grounded in current information.
I am a cyber security professional with a passion for delivering proactive strategies for day to day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through inefficiency that plague today’s business environments.
18 Jan, 2021  0  Comments
© 2020 Just40days.com. All Rights Reserved. Developed by HariOm Technologies