Goals for building blocks for cyber security
2023
February 16, 2024
The first step in the risk management process is context establishment. The aim of this step is to collect the necessary external and internal information for the risk management process. Moreover, it ensures that the scope of the risk assessment is in line with the context of the organisation.
The step includes setting the scope and boundaries of the process and defining the objectives of the risk assessment.
There are several aspects to consider when establishing the context for the risk assessment, e.g., the scope of the assessment, the relevant stakeholders and the methodology. The tools presented summarise these aspects, while the sections below describe each of them in more detail with an example.
The overall process of context establishment is:
The context establishment is usually carried out as a workshop. It can be conducted as an independent workshop or as a part of the risk management workshop. It is recommended to involve a diverse range of participants in the process, including management and technical profiles. Set aside one hour to do the context establishment.
To conduct the workshop, you need a whiteboard or flip chart, markers, post-its and pens. You can print a copy of the context establishment tool as a working document to visualise your joint understanding of the context.
It is recommended to carry out the discussion on paper/whiteboard rather than on a computer, so that all participants have the opportunity to be involved.
Before starting the risk assessment, it is important to define the scope of work. Start by clarifying the purpose of the assessment and what you want to achieve. You may aim to identify possible vulnerabilities and threats to a product, to assess the operational reliability of a service, or to create a plan for managing and remedying risks. For this purpose, you can use the Basic requirements tool.
Basic requirements
Consider the following key points when scoping the assessment:
It is important to include the appropriate stakeholders in the process, as their input is essential in mapping assets and their threats, as well as assessing the risk.
Identify which stakeholders should be included in the process, whether they be internal stakeholders, e.g., employees, management, or external stakeholders, e.g., customers or investors. We recommend involving a diverse group, including management and technical profiles, which will ease the asset identification step later in the process, during which both business and technical assets will be mapped.
There might not be a need for all involved stakeholders to be part of the entire process. It is advisable to consider this in the beginning and identify which part of the process each stakeholder should contribute to. Furthermore, define the stakeholders’ responsibilities based on their role and knowledge.
Find further inspiration in the IoT door lock example below.
Now you have an overview of the system you want to assess for risk, why you are doing this, and who you need to involve in the next step of the process.
Another important step in the initial phase of the risk assessment is to define the risk assessment methodology, i.e., define the assessment approach, risk acceptance level, the consequence and likelihood of the risk, etc.
There are several approaches to assessing risk, such as an asset-based approach that evaluates the assets of the organisation, or a threat-based approach that evaluates the conditions that create risk. Each approach has strengths and weaknesses, and the choice will depend on what you need to achieve and on the nature of your organisation. Make sure that the chosen approach is aligned with the other approaches to managing risk in the organisation.
Methodology
Note that often there are already some mitigations in place, which might affect the consequence and likelihood. Decide how to take existing mitigations into account, e.g., by incorporating them during risk evaluation or risk treatment.
Find further inspiration in the IoT door lock example below.
Now you have an overview of the methodology of the risk assessment, which is a key element in context establishment before continuing the process.
Knowing your threat actors can help in identifying threats that are targeted towards your organisation in particular.
A threat actor can be an individual, a group or an entity that carries out malicious activities with the intent of causing harm to an organisation’s IT security and its data. One of the most common types of threat actor is the cybercriminal, whose aim is financial gain through the theft of data and/or sensitive information (such as credit card data or personal information). Cybercriminals can achieve their goal through, for example, phishing attacks, ransomware or malware. Another example is state-sponsored actors, who are backed by governments and conduct cyber espionage, sabotage or other offensive activities to advance their nation's interests.
See the illustration of the Threat actors tool below.
Threat actors
Find further inspiration in the IoT door lock example below.
We will use an IoT door lock system as a running example throughout the risk management process.
The example consists of an interconnected network of hardware, software, and communications systems, including the IoT door lock hardware with a communication module, a hub, a mobile application for remote access and a cloud infrastructure for data storage and processing.
One of the crucial steps in the risk management process is the context establishment. It provides an understanding and internal alignment of the scope, environment, and objectives of the process, which allows you to effectively carry out the subsequent steps.
You now have an internal alignment and a scope reference for proceeding with the next steps in the risk management process.
Risk assessment is a repeatable process and not just a one-time event. It is advisable to conduct it at least once every year or every other year. You should also consider conducting a risk assessment in connection with major changes or before introducing new processes, features, or activities. Moreover, define the lifecycle for managing risks, in particular for the risks that are not taken care of immediately.
Context establishment is the first step in the risk management process. The next step is to look into the system under analysis and map the assets that are important for the system and the business. This is described in more detail under Mapping of assets.
The contents described above have been developed in the project:
’CyPro – Cybersecure manufacturing in Denmark’ by Aarhus University, Alexandra Institut, DAMRC, UGLA Insights and FORCE Technology, funded by The Danish Industry Foundation. Material from the project is published under the CC BY-SA 4.0 licence.