February 16, 2024
This learning module is part of the building block:
The first step in the risk management process is context establishment. The aim of this step is to collect the necessary external and internal information for the risk management process. Moreover, it ensures that the scope of the risk assessment is in line with the context of the organisation.
Context establishment is the first step in the risk management process. The step includes setting the scope and boundaries of the process and defining the risk assessment objectives.
There are several aspects to consider when establishing the context for the risk assessment, e.g., the scope of the assessment, the relevant stakeholders, the methodology, etc. The tools presented summarise the main aspects of it, while the sections below describe each of the aspects in more detail with an example.
The overall process of context establishment is:
The context establishment is usually carried out as a workshop. It can be conducted as an independent workshop or as a part of the risk management workshop. It is recommended to involve a diverse range of participants in the process, including management and technical profiles. Set aside one hour to do the context establishment.
It is recommended to carry out the discussion on paper/whiteboard rather than on a computer, so that all participants have the opportunity to be involved.
Before starting the risk assessment, it is important to define the scope and goal of the work to be carried out. Start by clarifying the purpose of the assessment and what you want to achieve. You may be doing the risk assessment for legal reasons, or you may aim to identify possible vulnerabilities and threats to a product, assess the operational reliability of a service, or create a plan to manage and remedy risks. For this purpose, you can use the tool "Basic requirements".
Basic requirements
Print-friendly version of the tool in large format.
Consider the following key points when scoping the assessment:
It is important to include the appropriate stakeholders in the process, as their input is essential in mapping assets and their threats, as well as assessing the risk.
Identify which stakeholders should be included in the process and how, whether they are internal stakeholders (e.g., employees, management) or external stakeholders (e.g., customers or investors). We recommend that the group of stakeholders performing the actual risk assessment includes both management and technical profiles. This will ease the following steps later in the process, during which both business and technical assets will be mapped and analysed.
There might not be a need for all stakeholders involved to be part of the entire process. It is advisable to consider this in the beginning and identify which part of the process each stakeholder should contribute to. Furthermore, define the stakeholders’ responsibilities based on their role and knowledge.
Find further inspiration in the IoT door lock example below.
Now, based on the 'Basic Requirements' tool you should have an overview of the system or product you want to assess for risk, why you are doing this, and who you need to involve in the next steps of the process.
Another important step in the initial phase of the risk assessment is to define the risk assessment methodology, i.e., define the assessment approach, risk acceptance level, the impact and likelihood of the risk, etc.
There are several approaches to assessing risk, such as an asset-based approach that evaluates the assets of the organisation, or a threat-based approach that evaluates the conditions that create risk. Each approach has strengths and weaknesses, and the choice will depend on what you need to achieve and the nature of your organisation. Make sure that the chosen approach is aligned with the other approaches for managing risk in the organisation.
Methodology
Print-friendly version of the tool in large format.
Note that often there are already some mitigations in place, which might affect the impact and likelihood. Decide how to take existing mitigations into account, e.g., by incorporating them during risk evaluation or risk treatment.
Find further inspiration in the IoT door lock example below.
Now you have an overview of the methodology of the risk assessment, which is a key element in context establishment before continuing the process.
Knowing your threat actors helps in identifying the threats that target your organisation in particular, and in assessing their likelihood.
A threat actor can be an individual, a group or an entity that carries out malicious activities with the intent of causing harm to an organisation's IT security and its data. One of the most common types of threat actor is cybercriminals. Their aim is financial gain by stealing or manipulating data and/or sensitive information (such as credit card data or personal information). They can achieve their goal through, for example, phishing attacks, ransomware, or malware. Another example is state-sponsored actors, who are backed by governments and conduct cyber espionage, sabotage, or other offensive activities to advance their nation's interests.
See the illustration of the Threat actors tool below.
Threat actors
Print-friendly version of the tool in large format.
Find further inspiration in the IoT door lock example below.
We will use an IoT door lock system as a running example throughout risk management.
We start by scoping the assessment and filling in the tool “Basic Requirements”.
First, we identify the system and application to be evaluated. For the system, we include the IoT door lock hardware, its wireless communication module, and the Zigbee-enabled hub, along with the cloud infrastructure used for data storage and processing. For the application, we focus on the mobile app, which facilitates remote access and monitoring of the IoT door lock. Additionally, we incorporate integration points such as building management systems and cloud APIs into the scope to provide a comprehensive view of the system’s ecosystem.
In the "Why Do We Do Risk Management?" section in the worksheet, we begin by addressing legal compliance requirements, including GDPR for handling personal data, the Radio Equipment Directive for wireless networks, and anticipated adherence to the coming Cyber Resilience Act. Business continuity and incident response plans are emphasized to ensure the system's resilience and readiness for rapid recovery in the event of incidents. Security requirements are outlined, focusing on encryption protocols, user authentication, and contractual obligations with suppliers and customers. We also document the existing security controls, including measures like access restrictions, and prior risk mitigation efforts.
Finally, under "Other Considerations" in the worksheet, we integrate operational reliability, alignment with business objectives, stakeholder perspectives, and the need for a holistic risk management strategy. This ensures that all aspects of the IoT door lock system are thoroughly addressed, creating a robust foundation for the assessment.
We establish a clear and structured methodology for assessing risks associated with the IoT door lock system. First, we define impact levels, where "very high" refers to a 5% turnover loss due to unauthorized entry leading to legal/regulatory claims, product recalls, or reputational damage, and "very low" refers to no measurable turnover loss due to minor system glitches that do not impact security.
Then, we determine likelihood levels, ranging from "very likely", where we consider attacks that have already occurred in the company, to "very unlikely", where we consider the more theoretical attacks that have never been reported in real-world IoT deployments. To ensure accuracy, we consider historical data and vulnerabilities in similar systems.
For risk management, we identify responsibilities based on management levels. The Board oversees risks with a score of 9 or above, while the CEO handles the remaining higher risks, with scores of up to 8. We assign a risk owner to ensure regulatory compliance, conduct regular assessments, and plan activities for identified risks. These activities include regular reviews of security protocols, implementing measures like encryption, and developing and testing incident response plans. By following this methodology, we ensure a comprehensive and proactive approach to addressing risks and safeguarding the system.
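To make the methodology concrete, the following added example (not code from the CyPro module) encodes the impact and likelihood levels as a 1 to 5 scale, accounts for existing mitigations during evaluation as the Methodology section suggests, and applies the Board/CEO escalation rule. The score formula (impact multiplied by likelihood), the intermediate level names, the one-level likelihood reduction for an existing mitigation, and the register entries are all assumptions made for illustration.

```python
# Added example, not part of the CyPro module. Assumptions: five-level impact and
# likelihood scales scored 1..5, risk score = impact x likelihood, and an existing
# mitigation is taken into account by lowering likelihood by one level.
from dataclasses import dataclass

IMPACT = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
LIKELIHOOD = {"very unlikely": 1, "unlikely": 2, "possible": 3, "likely": 4, "very likely": 5}


@dataclass
class Risk:
    name: str
    impact: str
    likelihood: str
    existing_mitigation: bool = False  # e.g. encryption already deployed


def risk_score(risk: Risk) -> int:
    """Score = impact x likelihood; an existing mitigation lowers likelihood one level."""
    impact = IMPACT[risk.impact]
    likelihood = LIKELIHOOD[risk.likelihood]
    if risk.existing_mitigation:
        likelihood = max(1, likelihood - 1)
    return impact * likelihood


def risk_owner(score: int) -> str:
    """Escalation rule from the methodology: Board for 9 or above, CEO for up to 8."""
    return "Board" if score >= 9 else "CEO"


# Constructed register entries for the IoT door lock example.
REGISTER = [
    Risk("Unauthorised entry via cloud API abuse", "very high", "likely"),
    Risk("Eavesdropping on Zigbee hub traffic", "high", "possible", existing_mitigation=True),
    Risk("Mobile app display glitch", "very low", "very likely"),
]


def build_register(risks=REGISTER):
    """Return (name, score, owner) for each risk so the workshop can assign responsibility."""
    return [(r.name, risk_score(r), risk_owner(risk_score(r))) for r in risks]


if __name__ == "__main__":
    for name, score, owner in build_register():
        print(f"{score:>2}  {owner:<5}  {name}")
```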
We identify potential threat actors and their concerns to better understand the risks associated with the IoT door lock system.
We first consider Nation States, which exploit system vulnerabilities for espionage or to gain strategic advantages, particularly in high-value targets. Next, Cyber Criminals pose a significant threat as they target IoT door locks for unauthorized access, theft, or ransomware attacks, endangering user data and security.
We also include Competitors, who engage in corporate espionage to steal intellectual property or disrupt the services provided by the IoT system. Lastly, we address Activists, who highlight security vulnerabilities as part of their protests against the reliance on IoT devices for security.
By mapping these threat actors and their motivations, we gain valuable insights into potential risks and implement targeted measures to mitigate them effectively.
Now you have an understanding and internal alignment of the scope, environment, and objectives of the process, as well as an overview of the potential threat actors that should be considered when assessing risk.
A risk assessment offers a snapshot view of the risks at the current point in time. As things change, it is advisable to conduct a risk assessment at least once every year or every other year. You should also consider conducting a risk assessment in connection with major changes or before introducing new processes, features, or activities.
Context establishment is the first step in the risk management process. The next step is to model the system under assessment, which is described in more detail in the system modelling module.
The contents described above have been developed in the project:
'CyPro – Cybersecure manufacturing in Denmark' by Aarhus University, Alexandra Institut, DAMRC, UGLA Insights and FORCE Technology, funded by The Danish Industry Foundation. Material from the project is published under licence CC BY-SA 4.0.