Corporate information security, part 3 — Cyber risk assessment
Once you have identified your company's critical information systems and cyber threats, the next question needs to be: what's the risk? Spying on your trade secrets or being targeted by CEO fraud are not equally likely, nor is their impact equally grave. How can you assess the risks?
How to assess cyber risks
It is generally advised to record cyber risks in a register together with your company's other business risks and to review the assessment regularly, but how does one assess the probability and impact of cyber risks?
A rough but indicative measure of magnitude is: Risk = Probability x Severity. The problem with a qualitative analysis like this is that there are usually many different risk scenarios. Their probabilities range from highly unlikely to near-certain, and their effects from trivial to catastrophic. If either the probability estimate or the severity estimate is badly off, the product is meaningless.
That is why you should assess each scenario individually where needed. Keep in mind, too, that a qualitative risk assessment is never the final truth, only a prioritization tool for deciding which safeguards to implement first.
You can achieve more accurate risk assessments with quantitative analysis, for example Monte Carlo simulation over probability distributions for incident frequency and loss size. It can also be useful to combine qualitative and quantitative methods. For the sake of comparability, your company should use the same method for cyber risk assessments as for its other risks.
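As an added example of the quantitative approach just mentioned (this code is not from the original post), the script below runs a Monte Carlo simulation for a single risk scenario. It assumes incidents arrive at a fixed yearly rate (Poisson) and that the cost of one incident is lognormal, with the estimators giving only a 90% confidence range for that cost rather than a mean. The scenario figures (0.5 incidents per year, a per-incident cost between 20,000 and 500,000) are constructed for illustration. The function and variable names are the example's own. It uses only the Python standard library, so it runs offline.

```python
"""Monte Carlo estimate of annual loss for one cyber risk scenario.

Added example, not code from the original post. The scenario inputs
(incident frequency 0.5 per year, per-incident cost that estimators are
90% sure lies between 20,000 and 500,000) are constructed for illustration.
"""
import math
import random
import statistics
from typing import Dict, List, Tuple

Z_90 = 1.2815515655446004  # standard-normal quantile for a 90% two-sided interval


def sample_poisson(lam: float, rng: random.Random) -> int:
    """Draw the number of incidents in one year from Poisson(lam) (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_params(p10: float, p90: float) -> Tuple[float, float]:
    """Turn a 90% confidence range for one incident's cost into lognormal
    (mu, sigma). Eliciting a range from people is easier than eliciting a mean."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z_90)
    return mu, sigma


def analytic_expected_loss(freq_per_year: float, p10: float, p90: float) -> float:
    """Closed-form expected annual loss: frequency x mean of the lognormal cost."""
    mu, sigma = lognormal_params(p10, p90)
    return freq_per_year * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_loss(freq_per_year: float, p10: float, p90: float,
                         trials: int = 20000, seed: int = 1) -> List[float]:
    """One trial = one simulated year: draw how many incidents happen, then a
    cost for each, and add them up. Returns the list of simulated annual losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(p10, p90)
    losses = []
    for _ in range(trials):
        incidents = sample_poisson(freq_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Expected loss plus the tail figures a qualitative 'probability x severity'
    score cannot give: how often any loss occurs and how bad a bad year gets."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
        "median": pct(0.5),
        "p90": pct(0.9),
        "p99": pct(0.99),
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware via a phished employee, roughly one year
    # in two, costing 20k-500k per incident (90% confidence range).
    freq, low, high = 0.5, 20_000.0, 500_000.0
    stats = summarize(simulate_annual_loss(freq, low, high))
    print(f"analytic expected loss: {analytic_expected_loss(freq, low, high):,.0f}")
    for key, value in stats.items():
        print(f"{key:>22}: {value:,.2f}")
```

The point the output makes is the one the paragraph above makes in words: the expected annual loss is a single number (here roughly 110,000), but the median year loses nothing while the 99th-percentile year loses far more than the expectation. A qualitative score cannot show that shape, and it is the tail, not the average, that decides whether a safeguard is worth its price.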
Probability is a poor choice of words when it comes to cyber risk
Whether your risk assessment is based on a simple multiplication or a more refined model, one factor in the assessment of magnitude will be a probability or a probability distribution. However, probability is a somewhat misleading term when it comes to cyber risks. Will one of our employees accidentally download ransomware at least once in the next three years? Will our website have a vulnerability more than three times a year? What are the chances of someone targeting us with a denial-of-service attack? Questions like these are almost arbitrary.
Instead of time periods and probabilities, it could be more relevant to consider the matter in terms of ease of attack or threat realization. Would an attack require a high level of technical expertise and special tools or could any internet user do it? Will a threat be realized if someone simply clicks on the wrong link, or will several safeguards have to fail at the same time? Your system developers or information security specialists can help with assessing the knowledge and skills required for carrying out an attack.
You should also factor in the possible motivations for attacks or misuse. Is there a financial benefit to be obtained from your system? Perhaps it contains valuable information that makes it a preferred target in the eyes of cybercriminals. You should also not ignore the possibility of insider misuse, even if the subject can be awkward to discuss.
You could therefore use a likelihood scale like this:
- (Almost) certain: The attack can be carried out against an interface publicly available on the internet, with a device in a public space, or otherwise very easily. The attack would not require special skills, and a mistake is likely to cause an information security incident. The motivation to carry out the attack is high.
- High: The attack can be carried out against an interface that can be accessed remotely from outside the organization. There is a clear motivation for attack (e.g. financial gain), the probability of a mistake is quite high, or there are several possible methods of attack that are quite easy to implement.
- Medium: An attack would require a fair amount of motivation and skills, such as bypassing a reliable authentication method or insider misconduct. An average cybercriminal could repeat the attack with a tool created by a skilled attacker.
- Low: The attack surfaces are well protected: for example, access to the system is only allowed from specific locations or over a secure remote connection that has been tested for information security. An attack would require skills, high motivation, understanding of the target system or the simultaneous failure of several safeguards.
- Insignificant: No exploitable attack methods and no particular motivation for insider misconduct.
Up-to-date threat intelligence will also help you estimate the likelihood of an attack. Are groups of cybercriminals currently active, are zero-day vulnerabilities in a particular product being exploited right now, or are phishing and malware campaigns riding a current theme, such as coronavirus vaccines or shopping sprees like Black Friday?
Of course, if your company has historical data on past information security incidents or cases of misconduct, these can give an indication of both probability and impact.
Impact can be measured by the sensitivity of data, working hours or human lives
Impact is often a little easier to assess:
- How detrimental would the actions be that a potential attacker could take in the system?
- How sensitive is the information that attackers or other third parties could access?
- Would the confidentiality or integrity of the data be compromised slightly, moderately or completely?
- How many information systems or customers would the incident affect?
- If availability were affected, would the outage last minutes, hours, days, or weeks?
- How much money would it take to repair the damage?
- How much time would the corrective measures take?
If an attacker could access the system with administrator privileges, destroy all data, or access sensitive data, the impact would be catastrophic. If the exposed data were of secondary value or the system experienced only short disruptions, the impact could be classified as minor, although even minor incidents can have long-term implications.
Since even a small breach or incident can erode trust in the system, you may need to investigate how many systems or customers are affected by the problem. The cost of clearing up the incident should also be factored in along with lost valuable working hours when the systems are down.
You can use similar cases in the company's past to help estimate costs, but remember that indirect effects such as lost working hours are unlikely to have been logged under project "123456 Data Breach Investigation". Of course, you may have no prior information security incidents if your company is new or fortunate. That also raises the less flattering possibility that your company lacks a way of reporting information security incidents, or sweeps them under the rug.
As the same price tag can be peanuts to one company and a disaster to another, you should also consider the impact on your company's reputation. Would the incident be merely awkward, or would customers walk? Would the screaming headlines frighten away new customers and potential hires alike?
You could use an impact scale like this:
- Critical: The incident would let outsiders access the system with administrator privileges, give them access to highly sensitive information, or let them destroy data. The incident would affect all system users. The incident could entail significant direct or indirect costs and have severe implications for the company's reputation, for example causing you to lose several customers.
- Serious: The incident would allow access to sensitive information or enable a protracted denial of service and would affect administrators or the majority of users. The incident would have serious implications for the company's reputation.
- Medium: The incident would allow access to confidential material or enable a temporary denial of service. The incident would affect some users and the reputational damage would be minor.
- Low: Confidential information would not be compromised and any interruption in service would be short-lived. The incident would only affect individual users. The damage to your reputation would be minor or very short-lived.
- Insignificant: No damage; no impact on users, availability, or reputation.
Bear in mind that the impact scale will be entirely different if an information security incident could result in injury or health problems, as with safety systems, cranes or elevators: there, even the smallest injury is a serious matter, whatever the other figures say.
Once you have determined the magnitude of the risks, you can prioritize the implementation of safeguards to mitigate or eliminate them. However, are your safeguards good enough? We will talk about this in the next part of our blog series.
This blog post is part of a series on corporate information security and awareness. The previous instalment explored ways of finding out what kinds of cyber threats your company could face. In the next part, we will explain how you can test the functionality of your chosen safeguards.