Understanding Cybersecurity Risk Management
Date: 16 September 2020
The ultimate goal of any cybersecurity endeavour or cybersecurity training programme is to thwart an attack and emphasize on the need for training people and systems to recognise infiltration in time. A massive part of this endeavour is to properly evaluate organisational risk and implement a strategy to manage risk in the most optimal way possible.
In this blog, we cover:
1. Five major pillars that are needed for managing cybersecurity Risk
2. Risk acceptance criteria & criteria for performing information security risk assessments
3. Risk Identification
4. How to approach and treat risk in Risk Management
Many companies have made meaningful improvements in protecting their data. They have implemented better firewalls, procedures and regular cyber incident response training to reduce the likelihood of an attack. While these steps are essential, implementing a cyber-resilience programme focusses on how the enterprise can continue doing business during and in the wake of an attack.
All of us know it is not realistic to protect all our assets equally, despite having access to state-of-the-art solutions. Even in the best of scenarios, we usually have some real-life constraints (like time and cost), so we end up focussing our efforts on the most critical assets, both in terms of systems and data, without losing an overall perspective of the entire business.
The ISO 27001 defines five major pillars that are needed for managing Cybersecurity Risk and seven steps that must be followed in carrying out a Risk Assessment:
- Risk identification
- Vulnerability reduction
- Threat reduction
- Consequence mitigation
- Enable cybersecurity outcome
ISO 27001 requires the organisation (in Clause 6.1.2) to define the risk acceptance criteria and the criteria for performing information security risk assessments as follows:
- Identify risks associated with the loss of confidentiality, availability and integrity of information within the scope of the ISMS (6.1.2.c.1);
- Identify the risk owners (6.1.2.c.2);
- Assess the consequences that may result if an identified risk materialises (6.1.2.d.1);
- Assess the likelihood of that risk occurring (6.1.2.d.2);
- Determine the levels of risk (6.1.2.d.3);
- Compare the results of the analysis against the risk criteria (6.1.2.e.1);
- Prioritise the risks for treatment (6.1.2.e.2).
Organisations should consider implementing new cyber-defense solutions, extending beyond IT security and focussing on detecting social engineering & phishing, supply chain management, IoT security, as well as maintaining the “root of trust” of mission-critical elements within the network.
Risk is a potential event, expected or unanticipated, that may adversely affect the institution’s earnings, capital, or reputation. Risk is considered in terms of categories, one of which is operational risk.
Risk Management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Organisations use risk assessment, the first step in the risk management methodology, to determine the extent of the potential threat, vulnerabilities and the risk associated with the IT system.
Operational risk is the risk of failure or loss resulting from inadequate or failed processes, people, or systems. Internal and external events can affect operational risk. Internal events include human error, misconduct and insider attacks. External events affecting IT and the institution’s ability to meet its operating objectives include natural disasters, cyber-attacks, changes in market conditions, new competitors, new technologies, litigation and new laws or regulations. These events pose risks and opportunities and the institution should factor them into the risk identification process. Operational risk summarises the risks a company undertakes when it attempts to operate within a given field or industry. Operational risk is the risk not inherent in financial, systematic or market-wide risk. It is the risk remaining after determining financing and systematic risk and includes risks resulting from breakdowns in internal procedures, people and systems.
Operational risk can be summarised as human risk - it is the risk of business operations failing due to human error. It changes from case to case and is an important consideration to make when looking at potential investment decisions.
Accepting risk occurs when a business acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it. Also known as "risk retention," it is an aspect of risk management commonly found in the business or investment fields. It posits that small risks (ones that that do not have the ability to be catastrophic or otherwise too expensive) are worth accepting with the acknowledgement that any problems will be dealt with, if and when they arise. Such a trade-off is a valuable tool in the process of prioritisation and budgetting.
How to treat risks
In addition to accepting risk, there are a few ways to approach and treat risk in risk management. They include:
- Avoidance: This entails changing plans to eliminate a risk. This strategy is good for risks that could potentially have a significant impact on a business or project.
- Transfer: Applicable to projects with multiple parties. Not frequently used. Often includes insurance. Also known as "risk sharing."
- Mitigation: Limiting the impact of a risk so that if a problem occurs it will be easier to fix. This is the most common. Also known as "optimising risk" or "reduction."
- Exploitation: Some risks are good, such as if a product is so popular there are not enough staff to keep up with sales. In such a case, the risk can be exploited by adding more sales staff.
To be effective, an information security programme should have documented processes to identify threats and vulnerabilities continuously. Risk identification should produce groupings of threats, including significant cybersecurity threats. A taxonomy [i] for categorising threats, sources, and vulnerabilities can help support the risk identification process. Management should perform these risk identification activities to determine the institution’s information security risk profile, including cybersecurity risk.
A passionate information security professional who has made cybersecurity a priority in her career. With 15+ years of experience as a cybersecurity specialist and a deep understanding of intelligence processes, Oana is focussed on shifting the focus away from rules and policies to values and ethics & doing the right thing even if no one is looking.