Risk management - context establishment

The context establishment step, the first step in the risk management process, ensures that the scope of the risk assessment is in line with the context of the organisation.
IoT Cyber Security Learning Module

February 16, 2024

The module - in brief

The first step in the risk management process is context establishment. The aim of this step is to collect the necessary external and internal information for the risk management process. Moreover, it ensures that the scope of the risk assessment is in line with the context of the organisation.

Context establishment

Context establishment is the first step in the risk management process. The step includes setting the scope and boundaries of the process and defining the risk assessment objectives.

There are several aspects to consider when establishing the context for the risk assessment, e.g., the scope of the assessment, the relevant stakeholders, the methodology, etc. The tools presented summarise the main aspects of it, while the sections below describe each of the aspects in more detail with an example.

The overall process of context establishment is:

    1. Basic requirements
      Start by determining the scope of the risk management process. Here you identify which product you want to assess and what is the purpose of the assessment. Moreover, identify who should be involved in the process, considering both internal and external stakeholders.

    2. Methodology
      Next, choose the approach for assessing risk and define the scales for consequence and likelihood. Based on these two values, agree on the overall risk level that is considered acceptable for the organisation.

    3. Threat actors
      Finally, determine your key threat actors and discuss what harm they can cause to your organisation/system.

Practical information

The context establishment is usually carried out as a workshop. It can be conducted as an independent workshop or as a part of the risk management workshop. It is recommended to involve a diverse range of participants in the process, including management and technical profiles. Set aside one hour to do the context establishment.

To conduct a workshop, you need a whiteboard/flipboard, markers, post-its and pens. You can print a copy of the context establishment tool as a working document to visualise your joint understanding of the context.

It is recommended to carry out the discussion on paper/whiteboard rather than on a computer, so that all participants have the opportunity to be involved.

Basic requirements

Before starting the risk assessment, it is important to define the scope of work. Start by clarifying the purpose of the assessment and what you want to achieve. You may aim at identifying possible vulnerabilities and threats to a product, assessing the operational reliability of a service, or creating a plan to manage and remedy risks. For this purpose, you can use the Basic requirements tool.

"Basic requirements 1-2" by CyPro under licence CC BY-SA 4.0

Basic requirements: print-friendly version of the tool in large format.

Step-by-step guide

Consider the following key points when scoping the assessment:

    • Define the products and services to be covered by the assessment, as well as related components and users.
    • Identify the key business objectives of the organisation and determine how the assessment scope relates to them.
    • Identify the purpose of the assessment.
    • Identify the legal and regulatory requirements applicable to the scope, e.g., the EU General Data Protection Regulation (GDPR), NIS2, etc.
    • Identify the relevant stakeholders and get them on board.

It is important to include the appropriate stakeholders in the process, as their input is essential in mapping assets and their threats, as well as assessing the risk.  

Identify which stakeholders should be included in the process, whether they be internal stakeholders, e.g., employees, management, or external stakeholders, e.g., customers or investors. We recommend involving a diverse group, including management and technical profiles, which will ease the asset identification step later in the process, during which both business and technical assets will be mapped. 

There might not be a need for all involved stakeholders to be part of the entire process. It is advisable to consider this in the beginning and identify which part of the process each stakeholder should contribute to. Furthermore, define the stakeholders’ responsibilities based on their role and knowledge.

Find further inspiration in the IoT door lock example below.

Output

Now you have an overview of the system you want to assess for risk, why you are doing this, and who you need to involve in the next step of the process.

Methodology

Another important step in the initial phase of the risk assessment is to define the risk assessment methodology, i.e., the assessment approach, the risk acceptance level, the scales used for consequence and likelihood, etc.

There are several approaches to assessing risk, such as an asset-based approach that starts from the assets of the organisation, or a threat-based approach that starts from the conditions that create risk. Each approach has strengths and weaknesses, and the choice depends on what you need to achieve and the nature of your organisation. Make sure that the chosen approach is aligned with the other approaches for managing risk in the organisation, so that risk levels from this assessment can be compared with those from others.

"Methodology" by CyPro under licence CC BY-SA 4.0

Methodology: print-friendly version of the tool in large format.

Step-by-step guide

    • Start by defining the meaning of both consequence and likelihood, i.e., the levels on each scale and what each level means. If needed, add some notes referring to the chosen approach below your definition.
    • Next, define the risk acceptance level, i.e., the overall risk level that is considered acceptable for a given period. The risk acceptance level is used as a reference point to evaluate the outcome of the risk analysis, i.e., to determine whether a risk is acceptable or not. Moreover, it is used to determine the activities to be carried out during risk treatment and to check whether the proposed treatment is sufficient or further activities are needed.
    • The risk level of a threat is evaluated from its consequence and likelihood and then compared with the risk acceptance level. Consequence shows the impact on the organisation if the threat materialises, while likelihood shows the probability that the threat occurs. It is important to determine the levels of consequence and likelihood and discuss what each level means in the context of your organisation and business objectives, so that different participants score the same threat the same way.
    • Finally, determine the management activities of the risk owner.

Note that often there are already some mitigations in place, which might affect the consequence and likelihood. Decide how to take existing mitigations into account, e.g., by incorporating them during risk evaluation or risk treatment. 
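As an added worked example (not part of the CyPro module or its tools), the following Python code shows how the methodology choices above fit together: assumed 4-level likelihood and consequence scales, an assumed acceptance level expressed on the resulting risk matrix, and existing mitigations credited as reductions on those scales so that the inherent and residual risk level can be compared. The sample risks are constructed for the IoT door lock running example and are illustrative only; an organisation would replace the scales, the threshold and the register with the ones agreed in its own Methodology tool.

```python
"""Risk-level evaluation against an acceptance level (added example).

The 1-4 scales, the acceptance level of 6 and the sample register below are
assumptions for illustration, not values from the CyPro module.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    """Assumed 4-level likelihood scale; the workshop defines what each level means."""
    RARE = 1
    UNLIKELY = 2
    LIKELY = 3
    ALMOST_CERTAIN = 4


class Consequence(IntEnum):
    """Assumed 4-level consequence scale."""
    NEGLIGIBLE = 1
    MINOR = 2
    MAJOR = 3
    CRITICAL = 4


# Assumed risk acceptance level: a risk scoring at or below this product is accepted.
ACCEPTANCE_LEVEL = 6


@dataclass(frozen=True)
class Control:
    """An existing mitigation, expressed as the number of scale levels it removes."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    description: str
    likelihood: Likelihood
    consequence: Consequence
    existing_controls: list[Control] = field(default_factory=list)


def _clamp(value: int) -> int:
    """Keep a scale value inside the assumed 1-4 range."""
    return max(1, min(4, value))


def inherent_level(risk: Risk) -> int:
    """Risk level before any existing mitigation is credited."""
    return int(risk.likelihood) * int(risk.consequence)


def residual_level(risk: Risk) -> int:
    """Risk level after existing controls lower likelihood/consequence (never below 1)."""
    like = _clamp(risk.likelihood - sum(c.likelihood_reduction for c in risk.existing_controls))
    cons = _clamp(risk.consequence - sum(c.consequence_reduction for c in risk.existing_controls))
    return like * cons


def is_acceptable(risk: Risk, acceptance_level: int = ACCEPTANCE_LEVEL,
                  credit_existing_controls: bool = True) -> bool:
    """Compare the chosen risk level with the acceptance level agreed in the workshop."""
    level = residual_level(risk) if credit_existing_controls else inherent_level(risk)
    return level <= acceptance_level


def risk_matrix(acceptance_level: int = ACCEPTANCE_LEVEL) -> str:
    """Render the 4x4 matrix: A = acceptable, X = needs treatment. Columns are likelihood."""
    header = " " * 15 + " ".join(f"{like.value:>2}" for like in Likelihood)
    rows = []
    for cons in reversed(list(Consequence)):
        cells = ["A" if like * cons <= acceptance_level else "X" for like in Likelihood]
        rows.append(f"{cons.name:<15}" + " ".join(f"{c:>2}" for c in cells))
    return "\n".join([header] + rows)


# Constructed sample register for the IoT door lock running example (illustrative only).
SAMPLE_RISKS = [
    Risk("Captured unlock command replayed over the radio link",
         Likelihood.LIKELY, Consequence.CRITICAL,
         [Control("Per-message nonce rejects replayed commands", likelihood_reduction=2)]),
    Risk("Tampered hub firmware image accepted during update",
         Likelihood.LIKELY, Consequence.CRITICAL,
         [Control("Firmware signature check", likelihood_reduction=1)]),
    Risk("Lock usage logs read from cloud storage by an outsider",
         Likelihood.UNLIKELY, Consequence.MAJOR),
]


def evaluate_register(risks: list[Risk], acceptance_level: int = ACCEPTANCE_LEVEL):
    """Return (description, inherent, residual, acceptable) per risk for the treatment step."""
    return [(r.description, inherent_level(r), residual_level(r),
             is_acceptable(r, acceptance_level)) for r in risks]


if __name__ == "__main__":
    print(risk_matrix())
    for desc, inherent, residual, ok in evaluate_register(SAMPLE_RISKS):
        print(f"{'accept' if ok else 'TREAT '} inherent={inherent:2} residual={residual:2}  {desc}")
```

Running it prints the matrix with the acceptance boundary and, for each sample risk, both levels side by side. The first risk is unacceptable at its inherent level but acceptable once the existing control is credited, which is exactly the decision the note above asks the workshop to make: whether existing mitigations count during risk evaluation (credit_existing_controls=True) or only later during risk treatment.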

Find further inspiration in the IoT door lock example below.

Output

Now you have an overview of the methodology of the risk assessment, which is a key element in context establishment before continuing the process.

Threat actor

Knowing your threat actors can help in identifying threats that are targeted towards your organisation in particular. 

A threat actor is an individual, group or entity that carries out malicious activities with the intent of harming an organisation's IT security and its data. One of the most common types of threat actor is the cybercriminal, whose aim is financial gain by stealing data and/or sensitive information (such as credit card data or personal information), for example through phishing attacks, ransomware or malware. Another example is state-sponsored actors, who are backed by governments and conduct cyber espionage, sabotage or other offensive activities to advance their nation's interests.

See illustration of Threat actors tool below.

"Threat actors" by CyPro under licence CC BY-SA 4.0

Threat actors: print-friendly version of the tool in large format.

Step-by-step guide

    • List the key actors you see as posing a threat to the given application/system, and point out the concerns associated with each of them, i.e., what harm they could cause and which of your assets they would target.

Find further inspiration in the IoT door lock example below.

IoT door lock example

We will use an IoT door lock system as a running example throughout risk management.

Illustration: Key enabling technologies for IoT door lock solution

The example consists of an interconnected network of hardware, software, and communications systems, including the IoT door lock hardware with a communication module, a hub, a mobile application for remote access and a cloud infrastructure for data storage and processing.

"Example of IoT door lock Basic requirements 1/2" by CyPro under licence CC BY-SA 4.0

"Example of IoT door lock Basic requirements 2/2" by CyPro under licence CC BY-SA 4.0

"Example of IoT door lock Methodology" by CyPro under licence CC BY-SA 4.0

"Example of IoT door lock Threat actors" by CyPro under licence CC BY-SA 4.0

Output

One of the crucial steps in the risk management process is the context establishment. It provides an understanding and internal alignment of the scope, environment, and objectives of the process, which allows you to effectively carry out the subsequent steps.
You now have an internal alignment and a scope reference for proceeding with the next steps in the risk management process. 

Expert advice

Risk assessment is a repeatable process and not just a one-time event. It is advisable to conduct it at least once every year or every other year. You should also consider conducting a risk assessment in connection with major changes or before introducing new processes, features, or activities. Moreover, define the lifecycle for managing risks, in particular for the risks that are not taken care of immediately.

Next step

Context establishment is the first step in the risk management process. The next step is to look into the system under analysis and map the assets that are important for the system/business. It is described in more detail in the mapping of assets module.

The contents described above have been developed in the project:

'CyPro – Cybersecure manufacturing in Denmark' by Aarhus University, Alexandra Institut, DAMRC, UGLA Insights and FORCE Technology, funded by The Danish Industry Foundation. Material from the project is published under licence CC BY-SA 4.0.
