Cyber security risk concerns the technology systems and services on which individuals and organisations depend. The traditional threats are those to the confidentiality, integrity and availability of information assets, but the broader consequences must also be considered: disruption to system operations and availability, damage to reputation, breaches of legal and regulatory obligations, and financial loss.
Risk = Chance
To understand and assess cyber security risks, threat modelling or attack trees are helpful. Publicly available resources such as MITRE's Common Vulnerabilities and Exposures (CVE) list and its ATT&CK knowledge base help us understand known vulnerabilities and the techniques attackers actually use.
We then combine the likelihood estimate with the impact assessment to arrive at a risk level. Clear communication of each risk and how likely it is to occur is crucial; a simple likelihood-by-impact matrix rates and prioritises risks in a form decision-makers can act on.
The next step is to prioritise the risks for treatment and propose appropriate actions. This may mean implementing technical or non-technical cyber security controls to reduce a risk, avoiding the risky activity altogether, transferring the financial exposure through insurance, or accepting a risk while preparing for its consequences.
At this stage it also helps to eliminate duplicate risks, identify links between risks, and understand how they depend on one another.
Some Practical Advice
The above was the “wordy” description – here I have provided a couple of examples to get you going.
This table illustrates a prioritised list of risks:
PRIORITISED CYBER SECURITY RISKS
| Risk ID | Risk Description | Risk Level |
|---|---|---|
| R0001 | Risk of a ransomware attack, denying access to IT systems and impacting core services | High |
| R0002 | Risk of insider threat: copying and releasing sensitive information, causing financial and reputational damage | Medium |
Definitions (adapt and quantify for your organisation):
| Criterion | High (Red) | Medium (Amber) | Low (Green) |
|---|---|---|---|
| Likelihood | % likelihood | % likelihood | % likelihood |
| Time horizon | Short term | Medium term | Long term |
| IT systems | No access to IT systems | Reduced access to IT systems | Minimal impact on IT systems |
| Financial | Financial impact critical | Financial impact detrimental | Financial impact manageable |
Rate each risk against every criterion using the RAG (Red/Amber/Green) definitions, take the level that predominates across the criteria as the risk's overall weighting, and transfer that level to the Prioritised Cyber Security Risks table.
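The following is an added example, not code from the article or from CyberAwake, showing the two ratings described above in working form: a likelihood-by-impact matrix that yields a risk level, and the RAG roll-up that takes the predominant level across the definitions table's criteria and builds the prioritised table. The numeric thresholds (likelihood percentages, months, loss values, matrix bands), the risk R0003 and all sample scores are assumptions constructed for illustration; the article deliberately leaves them for you to quantify.

```python
"""Risk rating helpers: likelihood x impact matrix and RAG predominant-weighting roll-up.

Added example. All thresholds and sample scores below are constructed assumptions,
not values from the article; adapt them for your organisation.
"""
from collections import Counter
from dataclasses import dataclass

LEVELS = ("High", "Medium", "Low")                              # RAG: Red, Amber, Green
SEVERITY = {level: rank for rank, level in enumerate(LEVELS)}   # High=0 ... Low=2


def matrix_level(likelihood: int, impact: int) -> str:
    """Rate a risk on a 5x5 likelihood x impact matrix (1 = lowest, 5 = highest).

    The score bands (>=15 High, >=8 Medium, else Low) are an assumption for this example.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# The definitions table, quantified with assumed thresholds. Each criterion maps a
# measured value to High / Medium / Low.
def rate_likelihood(percent: float) -> str:
    return "High" if percent >= 50 else "Medium" if percent >= 20 else "Low"


def rate_horizon(months: int) -> str:          # short / medium / long term
    return "High" if months <= 3 else "Medium" if months <= 12 else "Low"


def rate_it_access(access: str) -> str:        # "none" / "reduced" / "minimal" access lost
    return {"none": "High", "reduced": "Medium", "minimal": "Low"}[access]


def rate_financial(loss_gbp: float) -> str:    # critical / detrimental / manageable
    return "High" if loss_gbp >= 500_000 else "Medium" if loss_gbp >= 50_000 else "Low"


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood_pct: float
    horizon_months: int
    it_access: str
    loss_gbp: float

    def criterion_levels(self) -> list:
        """RAG level for each of the four criteria in the definitions table."""
        return [
            rate_likelihood(self.likelihood_pct),
            rate_horizon(self.horizon_months),
            rate_it_access(self.it_access),
            rate_financial(self.loss_gbp),
        ]


def predominant_level(levels) -> str:
    """The RAG level that occurs most often across the criteria.

    Ties go to the more severe level, so a 2-2 split between High and Low is
    recorded as High rather than quietly downgraded.
    """
    counts = Counter(levels)
    return min(counts, key=lambda lvl: (-counts[lvl], SEVERITY[lvl]))


def prioritise(risks) -> list:
    """Rows of the Prioritised Cyber Security Risks table, most severe first, then by ID."""
    rows = [(r.risk_id, r.description, predominant_level(r.criterion_levels())) for r in risks]
    return sorted(rows, key=lambda row: (SEVERITY[row[2]], row[0]))


# Constructed sample scores; R0003 is an assumed extra risk showing the tie-break.
SAMPLE_RISKS = [
    Risk("R0001", "Ransomware attack denying access to IT systems and impacting core services",
         60, 3, "none", 2_000_000),
    Risk("R0002", "Insider copies and releases sensitive information",
         25, 12, "minimal", 300_000),
    Risk("R0003", "Lost unencrypted laptop (constructed example)",
         70, 2, "minimal", 10_000),
]

if __name__ == "__main__":
    for risk_id, description, level in prioritise(SAMPLE_RISKS):
        print(f"{risk_id} | {description} | {level}")
```

Running it prints R0001 and R0003 as High and R0002 as Medium. R0003 scores two High and two Low criteria; the tie-break in `predominant_level` is the check a practitioner should insist on, because a plain "most common" vote with an arbitrary tie order can silently record a High risk as Low.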
Risk and the Whiteboard
As Clive has often said, “the whiteboard is the best friend when it comes to working out your cyber security” (well, he should have said it!).
This is true when it comes to risk and your assets. Throw them up on the whiteboard and think about them. That is where you have to start.
Diana Catton MBA – by-line and other articles
Diana is a guest contributor to CyberAwake whilst Clive is on a Cyber Security and IT Audit.