Getting Started with Cyber Risk Management

9 min readDec 28, 2021

Gartner defines IT risk as “the potential for an unplanned, negative business outcome involving the failure or misuse of IT”. Negative business outcome can be any financial or reputational loss due to the resulting disruption.

IT Risk is basically any threat to your business data, critical systems and business processes, associated with the use, ownership, operation, involvement, influence and adoption of IT within an organisation. Cyber Risk not only encompasses IT risk, but virtually any external technology-based risks. Cyber risk spans a range of business-critical areas, including but not limited to:

Security — Compromised business data confidentiality or integrity due to unauthorized access or use
Availability — Inability or limited access your IT systems needed for business operations
Compliance — Failure to follow laws and regulations (e.g., data protection)

In this blog, I discuss a simple approach for quantifying risk, which can be adapted to suite the needs of your organization. An important aspect of risk management is applying it consistency. Whatever quantification and management approach you choose, you should publish it (internally), use it unformly across your organization, and continuously improve it.

Sections include:

Purpose

The purpose of risk management is to help stakeholders make informed business decisions. It provides a framework for evaluating and quantifying risk, and prioritizing the treatment thereof.

Quantifying Risk

The first step in risk management is identifying and quantifying potential risks, based on the probability of an incident and the resulting impact. The quantification provides a measure for evaluating and making informed risk-based decisions. Risk is defined as the probability of a loss event occurring in a given unit of time (Likelihood) multiplied by the expected magnitude of loss resulting from that loss event (Impact).

Probability is effectively how often a loss event occurs within a given time-frame (e.g., yearly). Impact is the probable magnitude of the loss. This includes primary losses such as financial as well as secondary losses which may be reputational or indirect financial losses.

The challenge is how to consistently and effectively estimate probability and impact.

Methodology

At its core, Risk is calculated as probability X impact. Probability is simply the likelihood that a threat (resulting in an incident) will occur. In this basic approach, a 1..5 scale is used for each:

Impact is measured across multiple dimensions (primary and secondary), including financial, reputational, operational, time, and data disclosure. The risk is calculated as probability X impact, resulting in a 5x5 matrix as seen to the left.

The colored shading indicates the risk level: low, medium, high, and critical. The treatment (course of action) should be based on the respective risk level.

Estimating Probability

Estimating probability has a degree of ‘gut’ feel, but should be based on experience within your organization and business sector, as well as:

Motivations and capabilities of the attacker
Exposure to possible attackers
Accidental sources: geographical, weather, etc.
Human errors and equipment malfunction
Individual and aggregated vulnerabilities
Effectiveness of existing controls
Visibility of existing systems (would you be able to quickly detect if zero-day ransomware is running?).
And so on…

The table below uses a scale of 1..5 to estimate probability (0 means that it cannot occur):

The above table can be adjusted to suit your own organization’s profile. Note that the FAIR Threat Event Frequency is only one of the factors that feeds into estimating the overall probability.

Estimating Impact

The magnitude of impact must be estimated across the applicable primary and secondary dimensions. A similar 1..5 scoring is used here:

Where multiple dimensions are considered, the highest score is typically chosen (i.e., if the financial loss is major (4), and the other dimensions are lower, then a score of 4 would usually be chosen).

Each organization should choose and publish a scoring system suitable to the size and function of their organization. For example, a $200,000 loss to a small company might be major, while such a loss may only be moderate for a large enterprise.

Risk Treatment

Once a risk score is calculated for a given threat and asset, the next step is determining how to treat the risk. The table below summarizes the 5 basic options:

An untreated risk is simply identified. Subsequently, a combination of treatments may be used to reduce the risk to an acceptable level (referred to as ‘residual risk’). Or the risk may simply be accepted as-is.

The course of action is typically (but not always) determined by the severity of the risk as well as the organization’s own risk appetite. The table below provides common courses of action, based on risk level:

The acceptance of a risk or residual risk after treament is done by the business and NOT the IT organization (unless the risk does not affect anything outside of IT). For example, a ransomware attack of critical servers would result in an IT outage affecting the business. Therefore, the business must be the party to accept any risk, with the most severe risk acceptances done by C-level executives.

Risk reduction can include a wide variety of actions, ranging from Cyber tooling to Cyber Insurance.

Risk Acceptance

Operating or providing a product or service with known vulnerabilities is always a risk-based business decision. The role of Enterprise Security (and product security) is primarily to help identify risks, drive risk reduction, and make (strong) recommendations about a product or service’s security profile and readiness for use. Ultimately (unless there is a regulatory concern), the risk acceptance decision rests with the respective business executive (such as the CIO or the Chief Product Officer). The higher the risk, the higher seniority of executive signoff required.

The CISO, Chief Data Officer (CDO), or Chief Product Security Officer (CPSO) may, at their discretion, require additional product risk signoff under certain circumstances (i.e., signoff by the legal team or even the CEO).

Risk Register

It is important to track and regularly review risks with senior management (i.e., monthly). The Risk Register provides a basic framework to achieve this.

You can construct a risk register using a SharePoint list (which, for this purpose, works surprisingly well, including associated forms), with a Spreadsheet (NOT great), or using a third party tool. A typical risk register includes the following fields:

The set of fields in the register can be adjusted to suit your business needs. For example, a product risk register would include the product name and affected version(s).

Example: Ransomware

Consider a ransomware attack risk. Let’s assume the probability of a successful attack is only moderate (3) for the organization but that the impact could be devastating (5) (i.e., a sustained business outage). This results in a risk score of 15 calculated as Probability=3 and Impact=5.

In estimating the risk, it would be irresponsible to assume that IT systems are fullproof from attack, or to underestimate the reach of an attack. Business-based ransomware rarely targets just a single asset. Rather, the attacker usually establishes a strong foothold within the organization before launching the ransomware attack so that the impact is severe and creates an urgency and impetus to pay the ransom. Of course, this implies that there are other risks such as system compromise leading up to this risk.

Mitigations for this risk may include increased security measures, segregated backups, cyber insurance, and so on. The cost of such mitigations (as a business decision) is justified by the resulting reduction in risk. Effective mitigations such as segregated secure backups could lower the impact score down to 3 or 2 (depending how long it takes to restore systems). The probability score might be lowered through detection improvements.

Frameworks

There are a number of risk management frameworks which provide excellence guidance and techniques for identifying, quantifying, and treating risk. The FAIR and NIST frameworks are relatively easy to work with, though the documentation can occasionally be pedantic due to the framework by committee effect.

FAIR

FAIR (Factor Analysis of Information Risk) is a practical framework for understanding, measuring, and analyzing cybersecurity and operational risk, and ultimately, enabling well-informed decision making. The FAIR Institute is a non-profit organization dedicated to advancing the discipline of measuring and managing information risk.

The FAIR framework builds upon the basic risk model by breaking down the probability and impact calculations into constituent parts under Loss Event Frequency (LEF) (probability) and Loss Magnitude (LM) (impact). The figure below illustrates the FAIR risk ontology:

Ken Nguyen provides a brief overview in Introduction to FAIR. The book Measuring and Managing Information Risk: A FAIR Approach can be purchased on Amazon for under $40 USD.

NIST RMF

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.

The NIST RMF 7 steps process includes:

Prepare — Essential activities to prepare the organization to manage security and privacy risks.
Categorize — Categorize the system and information processed, stored, and transmitted based on an impact analysis.
Select — Select the set of NIST SP 800–53 controls to protect the system based on risk assessment(s).
Implement — Implement the controls and document how controls are deployed.
Assess — Assess to determine if the controls are in place, operating as intended, and producing the desired results.
Authorize — Senior official makes a risk-based decision to authorize the system (to operate).
Monitor — Continuously monitor control implementation and risks to the system.

The figure below provides an excellent visual for the extended NIST Risk Management Framework:

NIST Risk Management Framework (credit unknown)

For further information, see:

ISF IRAM2

The Information Security Forum’s IRAM2 is a unique methodology for assessing and treating information risk. It includes guidance for risk practitioners to implement the six-phase process, consisting of Scoping, Business Impact Assessment, Threat Profiling, Vulnerability Assessment, Risk Evaluation, and Risk Treatment.

The model is straightforward and includes associated tools. You must be a member of the ISF to access the IRAM2 model.

ISO 31000:2018

ISO 31000, Risk Management — Guidelines, provides principles, a framework, and a process for managing risk. Although ISO 31000 cannot be used for certification purposes, it does provide guidance for internal or external audit programmes. The standard suite includes: (1) ISO 31000:2018 Risk Management Guidelines; (2) IEC 31010:2019 Risk Assessment Techniques; and (3) ISO GUIDE 73:2009 Risk Management Vocabulary.

The framework outlines a 5+1 step process (the +1 being reviewing, monitoring, and improvement):

The ISO series documents must be individually purchased.

Third Party Tools

Manually identifying and tracking risk is tedious at best. A surprising number of companies, however, track Cyber Risk using spreadsheets and SharePoint lists. This can work well for small businesses, but does not scale. In practice, there are thousands of potential threats, which vary for each IT asset. To get a true picture of the threat landscape, automation is required.

A small selection of IT Risk Management (ITRM) vendors may be found at: https://cloudadvisor.medium.com/third-party-risk-management-tools-168044b5078e

Additional Resources

Additional resources you may find useful: