Risk management

Risk management is a valuable tool for better prioritising the company’s resources in addressing and mitigating security threats and vulnerabilities. The module introduces you to the essential elements of the risk management process and how to carry them out.


IoT Cyber Security Learning Module

August 17, 2023

The module - in brief

This module introduces you to the risk assessment process, which is an effective tool to identify the security threats and vulnerabilities that your systems, networks, and data are exposed to, as well as the consequences of a potential cyberattack. 

The module is intended for a reader without prerequisite knowledge of risk assessment for data security.

Risk management of cyberattacks

A cyberattack is an intentional and malicious attempt to gain access to a company’s or an individual’s systems. The hacker can have various motives such as information theft, financial gain, espionage, or sabotage. The threats to cybersecurity continue to grow and evolve in frequency, vector, and complexity. However, by acquiring knowledge of the potential risks, companies can identify the most significant threats and minimise the likelihood of these events occurring. Although the focus of this module is on risk management in the event of cyberattacks, the methods presented can also be applied to enhance the overall resilience of systems.

The purpose of risk assessment

Data security risk assessment is a process that involves identifying, analysing, and evaluating the risks associated with an organisation’s information systems and data. The objective of the assessment is to identify potential vulnerabilities and threats, and to develop a plan for managing and mitigating those risks to protect the organisation’s assets and data. This process is called risk management.

This module introduces you to a condensed version of risk assessment and aims to provide an overview of the entire process. A number of tools are presented but the module also refers to other modules and tools. 

These steps are part of the risk management process:

  1. Scoping
    Begin by identifying the system you want to assess, goals and objectives of the assessment, and who should be involved in the process.
  2. Mapping of assets
    Identify all assets that are relevant to the system you intend to assess.
  3. Identify vulnerabilities and threats
    Identify potential threats by considering where things could go wrong.
  4. Prioritise risks
    Assess the potential consequences the threat will have on your system and assess the likelihood of it happening. Threat + likelihood = risk.
  5. Plan mitigation
    Plan how you want to mitigate the risk.
  6. Implement mitigation
    Implement your risk mitigation.

Before starting a risk management process, it is important to understand some key definitions that are used throughout the process.

Key definitions 

  • Assets: An asset is any data, device or other component of an organisation’s systems that is valuable – often because it contains sensitive data or can be used to access such information.
  • Threats: A threat is any incident that could negatively affect an asset – for example if it’s lost, knocked offline or accessed by an unauthorised party.
  • Vulnerability: A vulnerability is a flaw/weakness that can be exploited to destroy, damage, or compromise an asset.
  • Risk management: Risk management describes the activity of figuring out how identified risks are to be addressed. It results in a mitigation plan.
  • Risk mitigation plan: A risk mitigation plan describes, for each risk, how it is going to be addressed.

Practical information

Allocate at least five hours for the identification, prioritisation, and mitigation of risks. It is recommended to involve a broad range of key personnel in the analysis. Typically, business understanding is essential for assessing consequences and identifying assets, while technical expertise is essential for assessing the likelihood of an incident occurring.

A risk assessment is usually conducted as a workshop. You will need a whiteboard/flipboard, markers, post-its, and pens.

It is recommended to conduct the assessment on paper/whiteboard rather than using a computer as this allows all attendees to actively participate.

Step by step guide

Before you start, you must define the scope of the risk assessment.

1. Scoping

  1. Begin by identifying the goals and objectives of the risk assessment, such as identifying potential vulnerabilities and threats of a product, assessing the operational risk level of a set of services, or developing a plan for managing and mitigating risks.
  2. Determine the specific components, products, and services to be covered by the risk assessment.
  3. Identify relevant stakeholders who should be involved in the risk assessment, such as employees, executives, and external partners.

Do not conduct the assessment alone, even if you have limited resources. Seek feedback from others on your scope before inviting everybody to a workshop. If you are new to risk management, it may be a good idea to start with a narrow scope where you focus on a small and well-defined system until you have gained more experience. 

"Scope of risk management" by CyPro under license CC BY-SA 4.0 

2. Mapping of assets

Once the scope of the analysis has been defined, the next step is to map and structure the assets that are to be covered by the assessment. In general terms, assets are components that create value in the system and are important for the system to function. The mapping can be done in different ways but usually involves some kind of brainstorming workshop. The threat modelling module describes how to conduct a workshop.

3. Identify vulnerabilities and threats

Once you have identified what creates value in the system (the assets), the next step is to focus on the threats and vulnerabilities that pose a risk to those assets. Threats can be identified in many ways – from brainstorming to threat catalogues. Threat catalogues are a simple way to get started, although it can be challenging to find a suitable threat catalogue that matches your working context. Often the threats described are either too generic, too detailed, or not sufficiently in line with your scope.

As there is no one perfect solution for everyone involved in conducting risk assessments, it is often necessary to adapt the threat catalogue.

As an alternative, you can conduct a structured brainstorming workshop. Similar to the asset mapping process, the Threat modelling module provides guidelines on how to identify vulnerabilities and threats by conducting a workshop.

4. Prioritise risks

The preceding activity often results in a quite lengthy list of potential threats that need to be addressed. Due to limited resources and budget, it is hardly feasible to mitigate all vulnerabilities. Therefore, it is often necessary to prioritise by focusing on a few selected threats first.

In general, there are two ways to prioritise threats: 1) prioritisation based on the risk matrix or 2) prioritisation based on rating. In both cases, we need to assess the risk for each threat, where we consider the harm that an attack on the system can cause (consequence) combined with the likelihood of the incident actually occurring (probability).

4.1 Prioritisation based on the risk matrix

Prioritising threats using a risk matrix is a structured, qualitative approach that yields more objective results. However, it can be a rather time-consuming process and is better suited for organisations with a higher level of maturity.

The goal of this method is to prioritise threats based on explicit risk factors such as likelihood and consequence. At this stage, the criticality and relevance of the threats are determined.

Follow these steps to prioritise the identified threats: 

  1. Assess the likelihood of each threat, i.e. how likely it is that a hacker can exploit the vulnerability. Consider the complexity of exploiting the vulnerability that would lead to the threat, and who might have an interest in doing so.
    Rate the likelihood on a scale from Very unlikely, Unlikely, Likely to Very likely.
  2. Assess the potential impact of each threat, i.e. what the consequence for the system or the business would be if the vulnerability were exploited. In the field of cybersecurity, the impact is often assessed based on three parameters: Confidentiality, Integrity, and Availability. Consider what could happen in the worst-case and best-case scenarios if the affected asset is no longer accessible, or if unauthorised individuals could read or modify it.
    Rate the consequence on a scale from Very low, Low, High to Very high. You can also write a numeric value next to each category indicating, for example, potential loss of revenue. Those with a technical background could for instance write a value for potential downtime or time to rebuild.
  3. Based on likelihood and consequence, you can now estimate the overall risk score using the matrix below. If the system already has built-in security controls that reduce the overall risk, they should be taken into account in the matrix.

"Risk Matrix" by CyPro under license CC BY-SA 4.0

The risk matrix shows the values for different combinations of consequence and likelihood, helping you prioritise which threats to address first. The higher the number, the higher the risk, and therefore it should be prioritised first. You do not necessarily have to calculate the overall risk score as ‘neatly’ as shown in the example. A consequence rated as ‘Very high’ combined with a likelihood rated as ‘Very unlikely’ can still have a devastating impact on a company. So be aware of existential threats and do not rely on the numbers only.

4.2 Prioritisation by voting

Since it can be quite resource-intensive to prepare a proper risk matrix, the threats can be roughly sorted using a voting method. This is an intuitive approach to prioritising threats and is generally suitable for organisations with limited background knowledge of threat modelling and risk management.

The goal is to prioritise threats based on a holistic, intuitive assessment of likelihood and consequence. At this stage, the criticality and relevance of the threats are determined.

If the system already has built-in security controls that may help reduce the overall risk, they should be taken into account when assigning votes. 

Before voting, each participant in the workshop is assigned a certain number of votes. The number depends on the total number of threats to be prioritised. The voting can be either confidential or open. Both approaches have their advantages and disadvantages.

Participants cannot give votes to the same threat more than once. The overall risk score for a threat is calculated by summing up the votes it has received.
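Both prioritisation methods from sections 4.1 and 4.2, as an added example that is not part of the CyPro module. The module's matrix values are in an image, so the scoring rule (likelihood rank times consequence rank) and the sample threats are assumptions; the `existential` flag implements the caveat that a ‘Very high’ consequence deserves attention even at a low score.

```python
# Added example (not from the CyPro module): risk scoring with a 4x4 matrix
# and vote tallying, using the module's likelihood/consequence scales.
from collections import defaultdict

LIKELIHOOD = ["Very unlikely", "Unlikely", "Likely", "Very likely"]
CONSEQUENCE = ["Very low", "Low", "High", "Very high"]


def risk_score(likelihood: str, consequence: str) -> int:
    """Score = likelihood rank x consequence rank (1..16). The module's matrix
    values live in an image, so this product rule is an assumption."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)


def prioritise_by_matrix(threats):
    """Sort (name, likelihood, consequence) tuples highest risk first, flagging
    'Very high' consequence threats so a low score does not hide them."""
    rows = [{"threat": name, "score": risk_score(like, cons), "existential": cons == "Very high"}
            for name, like, cons in threats]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def prioritise_by_votes(ballots, votes_per_person):
    """Sum votes per threat. A participant may vote for a threat only once and
    may not exceed the allotment; invalid ballots raise ValueError."""
    tally = defaultdict(int)
    for participant, chosen in ballots.items():
        if len(chosen) > votes_per_person:
            raise ValueError(f"{participant} cast more than {votes_per_person} votes")
        if len(set(chosen)) != len(chosen):
            raise ValueError(f"{participant} voted for the same threat twice")
        for threat in chosen:
            tally[threat] += 1
    return sorted(tally.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample threats for an IoT gateway (not taken from the module)
SAMPLE_THREATS = [
    ("Default admin password on gateway", "Very likely", "High"),
    ("Firmware update server compromised", "Very unlikely", "Very high"),
    ("Sensor telemetry read by outsider", "Likely", "Low"),
]

if __name__ == "__main__":
    for row in prioritise_by_matrix(SAMPLE_THREATS):
        print(row)
```

In the sample, the firmware-server threat scores lowest (1 x 4) yet carries the `existential` flag, which is exactly the case the module warns the numbers alone would hide.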

5. Plan mitigation

Once you have prioritised the risks, the next step is to discuss mitigating measures and how to manage the risks. Since risk mitigation can be an ongoing process, it is very important that management sets a clear goal for achieving sufficient security and an acceptable risk level. When implementing mitigating measures, there are generally four strategies. For each risk, discuss and decide which strategy to pursue – and why.

"Risk strategies" by CyPro under license CC BY-SA 4.0 

As a starting point, risk modification is a good strategy. Find out which security controls you are already using and whether you can utilise them to reduce the risk to a level that is acceptable to the team and the organisation. Generally, preventive measures reduce the likelihood of an incident, while detective measures can reduce the consequences. Avoiding risk is difficult as not doing anything is not a solution, but you can assess that the risk does not justify the potential gain. Risk sharing can be an option, especially in hosting scenarios, where companies often select a cloud provider to be responsible for operations.

Since many risks cannot be completely eliminated, it is common to end up with some kind of risk acceptance when the potential gain exceeds the risk by a certain margin. 

Also, remember to consider any derived risks (from the mitigation) in your risk acceptance criteria.

Residual risk is a term that refers to risks that remain after attempting to mitigate or address other risks. It's a bit like crossing a busy road: You look both ways before crossing and hold your parents' hands. Even with these precautions, there is still a small risk of a car passing by and hitting you. That's what is meant by residual risk.

6. Implement mitigation

Once the critical risks have been identified and suitable risk mitigation actions have been determined for each threat, the next and final step is to ensure implementation. This can be achieved in various ways, depending on the company's specific context and practices. The Development process module describes how the agile process can be managed, while the modules on Building blocks for cybersecurity describe how to anchor those actions across the organisation. In any case, it is essential to assign someone to be responsible for each mitigating measure to ensure successful implementation.

Reflection questions 

  • How easy is it for attackers to carry out an attack that threatens the information security of your company? 
  • How likely are your team and local experts to detect and mitigate the threats?
  • How critical are the systems that are most likely to be affected? 
  • How valuable and critical is the data that may be lost? 
  • What would be the financial or reputational impact of an attack?

Outcome

The output of a thorough risk assessment is that it helps you identify specific risks and controls to focus on at any given time. This knowledge is essential for making informed decisions and investments to protect your company. 

The assessment is therefore a useful tool that helps you in your efforts to enhance information security, prevent data breaches, and allocate sufficient resources. Last but not least, it enables you to protect your customers’ sensitive data, thus earning customer trust.

Expert advice

Risk assessment is not a one-time exercise but an ongoing process. Your systems constantly change, and so will your information security risks. Conducting regular risk assessments enables you to monitor the changing risk landscape over time and focus your efforts accordingly. Risk assessments should therefore be conducted on a regular basis (e.g. annually or quarterly) and when major changes occur within the organisation (e.g. new technology implementation, restructuring of key business processes, acquisition, merger, etc.).

Once you have conducted a risk assessment and become familiar with the process, you can expand the scope and conduct it on other products and services. Moreover, you can delve deeper into threat assessment and investigate the threat modelling process.

Next step

The processes of identifying both assets and vulnerabilities and threats are described in the module Threat modelling where some of the techniques that can facilitate the process are elaborated. 

Once you have identified and prioritised risks, it is equally important to ensure that the necessary mitigative measures are implemented. The module Development process describes how to manage the agile process. The modules Building blocks for cybersecurity describe how to anchor the initiatives across the company. Start with Building block for cybersecurity.

The contents described above have been developed in the project:

’CyPro – Cybersecure manufacturing in Denmark’ by Aarhus University, Alexandra Institut, DAMRC, UGLA Insights and FORCE Technology, funded by The Danish Industry Foundation. Material from the project is published under licence CC BY-SA 4.0.
