Cyber Security Risk Assessment in 10 Steps

At its core, a risk assessment is simply considering the likelihood of an event occurring and the negative impact upon occurrence.

Whether you know it or not, you assess risk every day. I do a risk assessment every time I reach my hand into the garbage disposal to get out a spoon. I realize that the negative impact of it turning on and grinding up my hand is substantial. Then I acknowledge that the likelihood of it spontaneously turning on is very low. Also, the likelihood of one of my children turning on the switch is also very low. I choose to accept that risk.

There, I just did a risk assessment! (pats self on back with fully intact hand)

Unfortunately, when talking about cyber security it does get a little bit more complicated than that, but the core concepts remain the same. I will describe the process in a moderate amount of detail and define the terms and concepts that are important to understand when conducting a risk assessment. Whether you read this process in whole, or reference specific sections, it will help you understand what you need to do.

If you need any help conducting a risk assessment or want to learn more about ISO 27001 requirements for risk assessments, Agler Security Consulting can provide virtual Chief Information Security Officer (vCISO) services to help you. If not, read on and use the explanations of these 10 steps to help you!

1. Determine the purpose

Why are you conducting the risk assessment?

Example reasons:

  • It is required for a compliance framework.
  • To understand risk exposure and prioritize risk management efforts.
  • To understand risk associated with a specific decision or project.

Note: A risk assessment should prompt action. Regardless of your reasons for conducting one, use it as a tool to help you more effectively apply security controls. You do not need to wait until the assessment is complete to start addressing its findings.

If the risk assessment is for a security compliance framework such as ISO 27001, review the applicable standard to determine specific requirements for the risk assessment.

2. Define the scope

The scope is the breadth and depth of your assessment. Questions to ask yourself when determining the scope:

Does this risk assessment need to be formal, or can it be informal?

A formal assessment follows a structured and repeatable process with the goal of producing consistent results. They take longer and require documentation. Informal assessments can take any form you want and are naturally part of our decision-making process already.

What assets will you assess?

If you are conducting a risk assessment as part of your project management process, you may only need to assess the assets that are affected by the project. Example: you have conducted a full risk assessment for your network in the past. Now you want to purchase a new file server to host sensitive data. You may only need to assess the risks to the new server and any other system that may be affected by the change. I call this a limited risk assessment.

If you have not conducted a risk assessment in the past, or if you are making major changes to your network or organization, conduct a full risk assessment of all your assets. You may categorize assets that have similar risks to simplify the process. Further, you may choose to include or exclude risks that are not specific to cyber security.

How many details should you consider?

This may be different for different assets, but determine how many threats and vulnerabilities you are going to assess for each asset. If you really wanted to, you could assess 100 different specific threats to every asset. However, it may be a better use of your time to choose the five to ten most realistic threats and then spend more time figuring out how to protect against them.

3. Set parameters

While scope determines the breadth and depth of your risk assessment, the parameters determine the consistent variables that will be used. Remember, a formal risk assessment seeks to produce consistent results.

Qualitative or Quantitative?

A qualitative risk assessment uses values like ‘low’, ‘moderate’, or ‘high’ to describe the likelihood that an event happens or the impact of that event.

Most people do a qualitative assessment or a semi-quantitative assessment. If you need to conduct a true quantitative assessment, read the next paragraph, if not, feel free to skip it.

A quantitative assessment uses numbers and data to quantify risk to assets. Example: you experience a power outage on average twice per year that shuts down your operations for four hours. Each time this occurs, it costs you $10,000. That is your Single Loss Expectancy (SLE). Your Annual Rate of Occurrence (ARO) is two because it happens twice per year. That makes your Annual Loss Expectancy (ALE) $20,000. That is the annual impact of the threat event. Now use this information to determine how much effort and money you are willing to put into protecting your operations from power outages. You can compare the ALE of different threat events to prioritize which to address first and determine how much time and money you are willing to spend to address them.

Semi-quantitative risk assessments use a mixture of these methods. You may have some data you want to use to quantify risks but not for everything. Further, you will likely be comparing threats with monetary impacts to threats that have other impacts such as reputational damage or employee safety. I give examples of semi-quantitative risk assessments in the section on assessing impact.

Whether your assessment is quantitative, qualitative, or a mixture, make sure a consistent method is used for each threat. The whole point is to be able to compare the risks and prioritize which ones should be mitigated now, which ones can wait, and which ones can be accepted.

What are your risk acceptance criteria?

Define the circumstances in which you will or may accept a risk.

Examples:

  • Risks assessed as low may be accepted.
  • Risks assessed as moderate may be accepted with approval from the Director of IT.
  • Risks assessed as high may be accepted with approval of the CEO.
  • Risks that require substantial resources to mitigate may be accepted.

4. Identify and list assets

If you follow good asset management practices, then this one is easy. If not, this can be a whole effort in itself.

Two common categories of assets in cyber security are systems and data. You can break it down from there however you choose. For the purposes of a risk assessment, assets can be grouped together that have common risks. Here are some examples to get you started.

System Examples: User Workstations, Firewall, Switches, Domain Controller, Web Application Server, Database Server, Backup Server, Industrial Control System.

Data Examples: Customer Data, Proprietary Data, Employee PII

If you are having a hard time
identifying all of your assets, ask yourself the following questions:

What is connected to our network?

What do our critical business processes depend on?

5. Identify and list threats

Now that you have a list of the assets you need to protect, brainstorm the threats to these assets. Threats aren’t just cyber attacks and cyber attacks don’t all look the same. The National Institute for Standards and Technology (NIST) Special Publication 800-30r1 is a great resource for ideas. It categorizes threats into four categories: adversarial, accidental, structural, and environmental.

Adversarial: What you usually think of when you think of a cyber threat. Anything from nation states stealing data to organized crime to script kiddies. Don’t forget the insider threat either.

Accidental: Not all threats are on purpose. Accidents do happen. Procedures are followed incorrectly or not followed at all. Coffee can be spilled on an IT equipment rack. Accounts can be provisioned incorrectly.

Structural: IT equipment failures, software failures, and air conditioning failures.

Environmental: Natural disasters, local power outages, internet outages, and more.

Use these categories to help you think of relevant threat events to your assets.

Here are some ideas to get you started.

  • Equipment overheat
  • Power outage
  • Power spike
  • HDD failure
  • Fire
  • Ransomware
  • Data exfiltration
  • Unauthorized data disclosure
  • Data interception
  • Malware introduction (through USB, phishing email, watering hole attack, software supply chain compromise)
  • Exploit vulnerabilities in software
  • Exploit misconfiguration of settings
  • Account privilege escalation
  • Denial of service
  • Wireless denial of service
  • Exploit wireless service to gain unauthorized access
  • Use compromised credentials for remote access through VPN
  • Use compromised credentials for remote access through Remote Desktop
  • Create unauthorized account
  • Grant unauthorized access during account creation

This list is not comprehensive. There are many more threat events that are possible and these can be broken down into more specific events depending on the scope of your assessment. This list is just intended to help you brainstorm. Other resources for this are NIST SP 800-30r1, MITRE ATT&CK, and any of the annual threat reports published by various organizations such as the Microsoft, Verizon, CrowdStrike, and more. If you do an internet search for “annual cyber threat report”, you will find several from various organizations and many will give information on which threats are the most relevant now.

6. Identify and list vulnerabilities

Now consider vulnerabilities (weaknesses in a system) that could be exploited to result in the threat event. For the example of data exfiltration from your file server some vulnerabilities could be

1) data at rest is not encrypted,

2) insufficient access controls on the server folders or files,

3) incorrect provisioning of security groups,

4) no data-loss-prevention monitoring solution on the server.

 

Again, you can get as specific as you need to. The more specific the threat events you are considering, the more specific the vulnerabilities will need to be.

There is another consideration to make at this stage in the process. Whether to consider actual vulnerabilities or potential/hypothetical vulnerabilities.

For example, if you have already encrypted data at rest on your file server, that is not an actual vulnerability. However, it may still be helpful because it allows you to identify the security requirement for encryption and weigh it against other security requirements.

I call this a baseline risk assessment. That is because you are creating a baseline of threat events and vulnerabilities to help you prioritize security actions whether they have already been implemented or not. When conducting a risk assessment for ISO 27001 compliance, you use the assessment to select a baseline of security controls so a baseline assessment is appropriate.

If you already have a baseline of security controls and are conducting a risk assessment to determine what to do next, they you should only consider actual vulnerabilities. This will require a vulnerability assessment of one or more types to identify all vulnerabilities.

7. Assess Likelihood

Here you are answering the question ‘how likely is it that the threat will successfully exploit the vulnerability resulting in an adverse impact?’

This is not an easy question to answer. If you have access to some good threat intelligence feeds, you may be able to better quantify the likelihood. If not, you can get good information from the annual threat reports mentioned earlier to see what some of the more common and likely threats are. For threats and vulnerabilities you cannot get data for, you can seek help from an experienced cyber security professional.

Be as consistent as possible when assessing the likelihood. Use the parameters you defined to categorize them such as ‘low’, ‘moderate’, or ‘high.’ Also compare threats as you complete this step to think about which are more likely than others. As long as they are consistent relative to each other, the results will be useful.

8. Assess IMpact

Now consider the negative impact of a threat event exploiting a vulnerability. This is something your organization has to determine for itself. Some considerations to make when thinking about the impact of an event.

Is there a monetary cost due to loss of intellectual property or damage to systems?

Will this event effect operational processes? (Can also be translated into a monetary cost)

Will this event affect our reputation/brand?

Does this event pose a risk to safety?

Here are some example Impact Assessment criteria. These will be different for every organization so use these to prompt your own definitions of what you consider a low, medium, or high impact. These definitions are considered risk assessment parameters and should be completed prior to this step. The explanation is included here for convenience of the reader to understand assessing impact.

Low Impact: A breach of confidentiality, integrity, or availability may result in minor financial cost. Minor is defined as a total replacement, repair cost including time required, or other costs in the range of $0 – $9,999.

Medium or Moderate Impact: A breach of confidentiality, integrity, or availability may result in major financial cost. Major is defined as a total replacement, repair cost including time required, or other cost in the range of $10,000 – $99,999.

High Impact: A breach of confidentiality, integrity, or availability may result in catastrophic financial cost. Catastrophic is defined as a total replacement, repair cost including time required, or other cost greater than $100,000.

Additionally, NIST SP 800-60r1 provides safety impact criteria examples.

Low Safety Impact: A breach of confidentiality, integrity, or availability may result in minor harm to individuals.

Medium Safety Impact: A breach of confidentiality, integrity, or availability may result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

High Safety Impact: A breach of confidentiality, integrity, or availability may result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Note: If your organization uses networked industrial machinery or other equipment that could pose a safety risk in the event of a cyber attack, seek legal and safety consultation for how to incorporate those risks into your assessment.

9. Determine risk

Determining risk should be easy once the likelihood and impact have been assessed. Risk should be determined consistently for all threat events.

If ‘low, med, high’ categories were chosen for both likelihood and impact, you can use a risk matrix such as the one shown here. Alternatively, you can use a numerical system such as 1=”low”, 2=”med”, etc and then use either multiplication or addition to determine overall risk. How this step is completed is not overly important. Just make sure it is consistent and repeatable.

9 1/2. Adjust parameters

This is a useful step, but if done incorrectly, it can compromise the integrity of the risk assessment.

When all of the final risks have been determined, if they seem off enough that the risk assessment is not particularly useful, the parameters can be adjusted.

For example, it is not helpful if two thirds of the risks are considered high. Also, if somehow website defacement is considered a high risk, but ransomware is only considered a medium risk, you may want to adjust how they are measured. Give the results a good sanity check to see if anything needs to be tweaked.

Be Careful! If there are particular security controls that you want to implement (or want to avoid), don’t adjust these results to favor what you already want. The whole point of the risk assessment is to get a better understanding of your risks and (as objectively as possible) prioritize how to manage those risks.

10. Prioritize for action

Now that the risks to each asset have been determined, they should be prioritized. This does not necessarily mean that all of the high risks should be managed first and the low risks should be ignored for now. There may be low and medium risks that can be managed easily and are considered the “low hanging fruit” or the quick wins to give your team some momentum. Similarly, there may be some high risks that are too difficult to mitigate at the present moment and require further assessment and planning.

If you are pursuing compliance with ISO 27001, this part leads into creating a risk treatment plan. Even if you are not, it is a good idea to make a plan to manage the risks you assessed in a prioritized manner.

Conclusion

Risk assessments are a useful tool for all organizations to use to help prioritize protective actions. They may not provide perfect results all of the time, but you should strive to set the parameters so that the results are as consistent and objective as possible.

You may have different requirements for your risk assessment if it needs to be more in depth, less in depth, or comply with other specific requirements. Either way, use these 10 steps to help you plan for your next risk assessment and adjust as necessary.

If you need help conducting a risk assessment, or planning for one, Agler Security Consulting can help!

SCHEDULE A FREE COSULTATION TO LEARN MORE!

Learn more about our services!

If you found this article helpful, please share!

Share on facebook
Share on twitter
Share on linkedin
Share on email

Follow Agler Security Consulting on LinkedIn!

1 thought on “Cyber Security Risk Assessment in 10 Steps”

  1. Pingback: Why You Need an Incident Response Plan (and what to put in it) – Agler Security Consulting

Comments are closed.

Scroll to Top
Scroll to Top