Risk
The core duty of cybersecurity is to identify, mitigate and manage cyberrisk to an organization’s digital assets. While most people have an inherent understanding of risk in their day-to-day lives, it is important to understand risk in the context of cybersecurity, which means knowing how to determine, measure and reduce risk effectively.

Assessing risk is one of the most critical functions of a cybersecurity organization. Effective policies, security implementations, resource allocation and incident response preparedness all depend on understanding the risk and threats an organization faces. Using a risk-based approach to cybersecurity allows more informed decision-making to protect the organization and to apply limited budgets and resources effectively. If controls are not implemented based on awareness of actual risk, then valuable organizational assets will not be adequately protected while other assets will be wastefully overprotected.

Yet, too often, cybersecurity controls are implemented with little or no assessment of risk. ISACA’s recent worldwide survey of IT management, auditors and security managers consistently shows that over 80 percent of companies believe “information security risks are either not known or are only partially assessed” and that “IT risk illiteracy and lack of awareness” are major challenges in managing risk. Therefore, understanding risk and risk assessments is a critical requirement for any security practitioner.
Approaches to Cybersecurity
Generally, there are three different approaches to implementing cybersecurity. Each approach is described briefly below.
• Compliance-based—Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.
• Risk-based—Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs.
• Ad hoc—An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.
In reality, most organizations with mature security programs use a combination of risk-based and compliance-based approaches. In fact, most standards or regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or the US Health Insurance Portability and Accountability Act (HIPAA), require risk assessments to drive the particular implementation of the required controls.
Key Terms and Definitions
There are many potential definitions of risk—some general and others more technical. Additionally, it is important to distinguish between a risk and a threat. Although many people use the words threat and risk synonymously, they have two very different meanings. As with any key concept, there is some variation in definition from one organization to another. For the purposes of this guide, we will define terms as follows:
Risk—The combination of the probability of an event and its consequence (International Organization for Standardization/International Electrotechnical Commission [ISO/IEC] 73). Risk is mitigated through the use of controls or safeguards.
Threat—Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. ISO/IEC 13335 defines a threat broadly as a potential cause of an unwanted incident. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.
Asset—Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
Vulnerability—A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Although much of cybersecurity is focused on the design, implementation and management of controls to mitigate risk, it is critical for security practitioners to understand that risk can never be completely eliminated. Beyond the general definition of risk provided above, there are other, more specific types of risk that apply to cybersecurity.
Residual risk—Even after safeguards are in place, there will always be residual risk, defined as the remaining risk after management has implemented a risk response.
Inherent risk—The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls).
Likelihood and Impact
When assessing a threat, cybersecurity professionals often analyze the threat’s likelihood and impact in order to rank and prioritize it among other existing threats.

In some cases where clear, statistically sound data are available, likelihood can be a matter of mathematical probability. This is true with situations such as weather events or natural disasters. However, sometimes accurate data are simply not available, as is often the case when analyzing human threat agents in cybersecurity environments. There will also be factors that create situations where the likelihood of certain threats is more or less prevalent for a given organization. For example, a connection to the Internet will predispose a system to port scanning. Typically, qualitative rankings such as “High, Medium, Low” or “Certain, Very Likely, Unlikely, Impossible” can be used to rank and prioritize threats stemming from human activity. When using qualitative rankings, however, the most important step is to rigorously define the meaning of each category and use the definitions consistently throughout the assessment process.

For each identified threat, the impact or magnitude of harm expected to result should also be determined. The impact of a threat can take many forms, but it often has an operational consequence of some sort, whether financial, reputational or legal. Impacts can be described either qualitatively or quantitatively, but as with likelihoods, qualitative rankings are most often used in cybersecurity risk assessment. Likewise, each ranking should be well-defined and consistently used. In cybersecurity, impacts are also evaluated in terms of confidentiality, integrity and availability.
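The likelihood-and-impact ranking described above, as an added example that is not part of the ISACA text: a small Python risk register in which each qualitative category is defined once and applied consistently (an undefined category is rejected rather than scored), risk is scored as the combination of the likelihood and impact levels, and the residual risk remaining after safeguards is compared with a stated risk tolerance. The category definitions, threat entries, control effects and tolerance value are all constructed for illustration; nothing here is an ISACA-prescribed scale.

```python
"""Qualitative risk register with explicitly defined categories.

Added example (not from the ISACA text). Every category definition, threat,
control effect and tolerance value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

# Likelihood categories. The text in parentheses is the definition that must be
# written down and applied consistently for every threat in the assessment.
LIKELIHOOD = {
    "Unlikely":    (1, "No credible expectation within the assessment period"),
    "Possible":    (2, "Could plausibly occur once in the assessment period"),
    "Very Likely": (3, "Expected to occur repeatedly in the assessment period"),
    "Certain":     (4, "Already occurring or unavoidable, e.g. port scans of an Internet-facing host"),
}

# Impact categories, defined once and reused unchanged for every threat.
IMPACT = {
    "Low":    (1, "Contained disruption, no external reporting obligation"),
    "Medium": (2, "Measurable operational, financial or legal consequence"),
    "High":   (3, "Major loss: regulatory action, prolonged outage or reputational harm"),
}


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    likelihood: str             # key of LIKELIHOOD
    impact: str                 # key of IMPACT: worst case across C, I and A
    cia: tuple                  # which of confidentiality/integrity/availability is affected
    control_reduction: int = 0  # likelihood levels removed by safeguards already in place


def score(likelihood: str, impact: str) -> int:
    """Risk as the combination of probability and consequence: the product of the two levels.

    Undefined category names are rejected rather than silently scored, because an
    unlabelled "Medium-ish" entry is exactly the inconsistency the text warns against.
    """
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"undefined category: {likelihood!r} / {impact!r}")
    return LIKELIHOOD[likelihood][0] * IMPACT[impact][0]


def inherent_risk(t: Threat) -> int:
    """Exposure before any management action is taken into account."""
    return score(t.likelihood, t.impact)


def residual_likelihood(t: Threat) -> str:
    """Likelihood category after controls, clamped at the lowest defined level."""
    ordered = sorted(LIKELIHOOD, key=lambda k: LIKELIHOOD[k][0])
    idx = ordered.index(t.likelihood)
    return ordered[max(0, idx - t.control_reduction)]


def residual_risk(t: Threat) -> int:
    """Risk remaining after the implemented risk response (never zero here)."""
    return score(residual_likelihood(t), t.impact)


def rank(threats: Iterable[Threat], tolerance: int) -> list:
    """Rows of (name, inherent, residual, exceeds_tolerance), highest residual risk first."""
    rows = []
    for t in threats:
        inh, res = inherent_risk(t), residual_risk(t)
        rows.append((t.name, inh, res, res > tolerance))
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


# Constructed register for a hypothetical organization.
REGISTER = [
    Threat("Port scanning of Internet-facing web server", "web server",
           "Certain", "Low", ("C",)),
    Threat("Credential phishing of finance staff", "payment accounts",
           "Very Likely", "High", ("C", "I"), control_reduction=1),
    Threat("Ransomware on file shares", "file servers",
           "Possible", "High", ("I", "A")),
    Threat("Flooding of the data centre", "data centre",
           "Unlikely", "High", ("A",)),
]
RISK_TOLERANCE = 4  # constructed: highest residual score management will accept


if __name__ == "__main__":
    for name, inh, res, over in rank(REGISTER, RISK_TOLERANCE):
        flag = "EXCEEDS tolerance" if over else "within tolerance"
        print(f"{res:>2} (inherent {inh:>2})  {flag:<18} {name}")
```

Two design points carry the text's argument. First, the phishing entry keeps a high inherent score but drops to a lower residual score once the existing safeguard is credited, and the residual never reaches zero, matching the definitions of inherent and residual risk. Second, sorting by residual risk and flagging entries above the tolerance is what turns the register into a prioritized list, which is the purpose of the ranking in the first place.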
Approaches to Risk
There are a number of methodologies available to measure risk. Different industries and professions have adopted various tactics based upon the following criteria:
• Risk tolerance
• Size and scope of the environment in question
• Amount of data available
It is particularly important to understand an organization’s risk tolerance when considering how to measure risk. For example, a general approach to measuring risk is typically sufficient for risk-tolerant organizations such as academic institutions or small businesses. However, more rigorous and in-depth risk assessment is required for entities with a low tolerance for risk. This is especially relevant for any heavily regulated entity, like a financial institution or an airline reservation system, where any down time would have a significant operational impact.
Third-Party Risk
Cybersecurity can be more difficult to control when third parties are involved, especially when different entities have different security cultures and risk tolerances. No organization exists in a vacuum, and information must be shared with other individuals or organizations, often referred to as third parties. It is important to understand third-party risk, such as information sharing and network access, as it relates to cybersecurity.
SOURCE: ISACA Cyber Security Book