Risk management

Technical IoT Cyber Security

March 28, 2025

Before you start

The module in brief

This module introduces you to the risk management process, which is an effective tool to identify the security threats and vulnerabilities that your systems, networks, and data are exposed to, as well as the consequences of a potential cyberattack.

The module is intended for a reader without prerequisite knowledge of risk assessment for data security.

Risk management

A cyberattack is an intentional and malicious attempt to gain access to a company’s or an individual’s systems. The attacker can have various motives such as information theft, financial gain, espionage, or sabotage. Because attackers constantly adapt, the threats to cybersecurity continue to grow and evolve in frequency, vector, and complexity. However, by utilising the process of risk management, i.e., acquiring knowledge of the potential risks, companies can identify the most significant threats and minimise the likelihood and impact of these events occurring. Although the focus of this module is on risk management in the event of cyberattacks, the methods presented can also be applied to enhance the overall resilience of systems.

The purpose of risk management

Risk management is a process that involves identifying, analysing, and evaluating the risks associated with an organisation’s information systems and data. The objective of the assessment is to identify potential vulnerabilities and threats, and to develop a plan for managing and mitigating those risks to protect the organisation’s assets.  

This module introduces a condensed version of risk management and aims to provide an overview of the entire process. The module refers to other modules and tools where each step is further elaborated. 

These steps are part of the risk management process: 

  1. Context establishment
    • Begin by identifying the system you want to assess, the goals and objectives of the assessment, and who should be involved in the process.
  2. System modelling
    • Model the system you want to assess, identify the components of the system and their interactions. Identify where a trust relationship between the components exists.
  3. Asset identification
    • Identify all assets that are relevant to the system under assessment.
  4. Asset analysis
    • Analyse the impact that an incident affecting an asset has on the whole system.
  5. Threat identification
    • Identify potential threats by considering where an incident (e.g., a cyberattack) could occur.
  6. Threat analysis
    • Assess the potential impact the threat will have on your system (i.e., which assets are impacted) and assess the likelihood of it happening.
  7. Risk analysis
    • Given the identified assets and threats, compute the combined risk based on the impact and likelihood.
  8. Risk evaluation
    • Decide if the identified risk should be treated or accepted.
  9. Risk treatment
    • Implement suitable risk mitigations for the risks needing treatment.

Before starting a risk management process, it is important to understand some key definitions that are used throughout the process. 

Key definitions

  • Assets: An asset is any data, device or other component of an organisation’s systems that is valuable – often because it contains sensitive data or can be used to access such information. 

  • Threats: A threat is any potential incident that could negatively affect an asset – for example, if it is lost, disconnected, knocked offline or accessed by an unauthorised party.

  • Threat actor: A threat actor is an individual, group, or entity that carries out actions that can exploit vulnerabilities and cause harm to an asset. Threat actors may include cybercriminals, malicious insiders, nation-state actors, or opportunistic hackers. Their motivation can range from financial gain and espionage to disruption or sabotage.

  • Vulnerability: A vulnerability is a flaw/weakness in a system that can be exploited to destroy, damage, or compromise an asset.

  • Risk management: Risk management describes the activities to direct and control an organisation with regard to risk.

  • Risk mitigation plan: A risk mitigation plan describes, for each risk, how it is going to be addressed. 

Practical information

In general, it is recommended to involve a broad range of key personnel in the analysis. Typically, business understanding is essential for assessing impacts and identifying assets, while technical expertise is essential for assessing the likelihood of an incident occurring.

A risk assessment is usually conducted as a series of workshops. You will need a whiteboard/flipboard, markers, post-its, and pens. The duration of the workshops will vary depending on the complexity of the system being assessed. We suggest initially allocating 1 hour for each workshop; however, some results may require further investigation following the workshop. It is recommended to conduct the first steps of the assessment (system modelling, asset and threat identification) on paper/whiteboard rather than using a computer, as this allows all attendees to actively participate. The later analysis steps can be done digitally.

Step-by-step guide

  1. Context establishment
    • The first step in the risk management process is context establishment. During this step we establish the overall scope and objectives of the assessment and identify the relevant stakeholders. We define the risk assessment approach and discuss the overall acceptance level. This step is described in detail in the context establishment module.
  2. System modelling
    • After the context of the assessment is defined, the next step is to draw the system under assessment. We identify the components of the system and their interactions and discuss the data flow across the components. Existing architectural and data flow diagrams can be used. However, to ensure that all participants of the assessment have a shared understanding of the system, it is advisable to create a relatively abstract drawing from scratch. This step is described in detail in the system modelling module.
  3. Asset identification
    • After drawing the system diagram, the next step is to map and structure the assets that are to be covered by the assessment. In general terms, assets are anything that creates value in the system and is important for the system to function. The mapping can be done in different ways but usually involves some kind of brainstorming workshop. This step is described in detail in the asset identification module.
    1. Asset analysis
      • After mapping the assets, we assess how important the individual assets are. In this step we analyse the impact an incident affecting each asset would have on the system. This step is described in detail in the asset analysis module.
  4. Threat identification
    • In this step we focus on identifying the threats and vulnerabilities that pose a risk to those assets. Threats can be identified in many ways – from brainstorming to threat catalogues. This step is described in detail in the threat identification module.
    1. Threat analysis
      • After identifying the threats, we assess how likely it is that an attacker can exploit the threat (likelihood), what the violation type is, and which assets are impacted if the threat is exploited. This step is described in detail in the threat analysis module.
  5. Risk analysis
    • The preceding activities often result in a quite lengthy list of potential threats that could be addressed. Due to limited resources and budget, it is hardly feasible to mitigate all threats and vulnerabilities. By combining the information gained in the asset analysis and threat analysis, a combined risk can be calculated. The overall risk score takes into account both the potential impact of an incident and the likelihood that it would occur. This (and the following) step is described in more detail in the risk analysis and mitigation module.
  6. Risk evaluation
    • After calculating the risk scores, the next step is to evaluate which risks need to be addressed (the critical risks), how to do it, and which risks to accept. This ensures that all the threats are properly addressed and will be followed up on. A simple evaluation is to address all risks with a score higher than the acceptable risk level and accept all other risks. In some cases, exceptions to this rule are needed. This topic is further discussed in the risk analysis and mitigation module.
  7. Risk treatment
    • Once the critical risks have been identified, suitable risk mitigation actions should be determined for each threat, and the next and final step is to ensure they are implemented. This can be achieved in various ways, depending on the company's specific context and practices. The risk analysis and mitigation module describes how suitable mitigations can be determined, the development process module describes how the agile process can be managed, and the maturity dialogue module describes how to anchor those actions across the organisation. In any case, it is essential to assign someone to be responsible for each mitigating measure to ensure successful implementation.
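As an added worked example (not part of the CyPro material), the risk analysis and risk evaluation steps expressed as a small risk register in Python: asset impact and threat likelihood on assumed 1 to 5 scales are combined as impact × likelihood, and each score is compared with an assumed acceptable risk level of 9. The sensor-gateway assets and threats are constructed sample data, and the scoring rule is one common choice rather than the method prescribed by the modules referred to above.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    impact: int  # asset analysis result, assumed scale 1 (negligible) .. 5 (critical)


@dataclass
class Threat:
    name: str
    likelihood: int   # threat analysis result, assumed scale 1 (rare) .. 5 (almost certain)
    impacted: list    # names of the assets affected if the threat materialises
    violation: str    # violation type, e.g. confidentiality / integrity / availability


@dataclass
class Risk:
    threat: str
    impact: int
    likelihood: int
    score: int
    decision: str  # "treat" or "accept"


def analyse_risks(assets, threats, acceptable):
    """Risk analysis and evaluation: score = (max impact of the impacted assets) * likelihood.
    Scores above the acceptable level are marked for treatment, all others are accepted."""
    impact_of = {a.name: a.impact for a in assets}
    risks = []
    for t in threats:
        unknown = set(t.impacted) - impact_of.keys()
        if unknown:  # a threat pointing at an asset never analysed is a modelling gap, not a low risk
            raise ValueError(f"{t.name}: impacted assets not analysed: {sorted(unknown)}")
        impact = max(impact_of[a] for a in t.impacted)
        score = impact * t.likelihood
        risks.append(Risk(t.name, impact, t.likelihood, score, "treat" if score > acceptable else "accept"))
    return sorted(risks, key=lambda r: r.score, reverse=True)  # highest risk first


# Constructed sample register for a hypothetical sensor-gateway system
ASSETS = [Asset("customer telemetry", 5), Asset("gateway firmware", 4), Asset("dashboard UI", 2)]
THREATS = [
    Threat("default credentials on gateway", 4, ["gateway firmware", "customer telemetry"], "confidentiality"),
    Threat("unsigned firmware update", 2, ["gateway firmware"], "integrity"),
    Threat("dashboard outage", 3, ["dashboard UI"], "availability"),
]
ACCEPTABLE_RISK = 9  # assumed acceptance level agreed during context establishment

if __name__ == "__main__":
    for r in analyse_risks(ASSETS, THREATS, ACCEPTABLE_RISK):
        print(f"{r.score:>2} {r.decision:<6} {r.threat} (impact {r.impact}, likelihood {r.likelihood})")
```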

Outcome

The output of a thorough risk management process is that it helps you identify specific risks and controls to focus on at any given time. This knowledge is essential for making informed decisions and investments to protect your company. The assessment is therefore a useful tool that helps you in your efforts to enhance information security, prevent data breaches, and allocate sufficient resources. Last but not least, it enables you to protect your customers’ sensitive data, thus earning customer trust.

Expert advice

Risk management is not a one-time exercise but an ongoing process. Your systems constantly change, and so will your information security risks. Conducting regular risk assessments enables you to monitor the changing risk landscape over time and focus your efforts accordingly. Risk management should therefore ensure risk assessments are conducted on a regular basis (e.g., annually or quarterly) and when major changes occur within the organisation (e.g., new technology implementation, re-structuring of key business processes, acquisition, merger, etc.). 
 
Once you have implemented a risk management process and become familiar with the process, you can expand the scope and conduct it on other products and services. Moreover, you can delve deeper into threat assessment and investigate the threat modelling process. 

Next step

The first step in the risk management process is context establishment. It is described in more detail in the module Context establishment. Once you have identified and prioritised risks, it is equally important to ensure that the necessary mitigative measures are implemented. The development process module describes how to manage the agile process. The maturity dialogue module describes how to anchor the initiatives across the company.


The contents described above have been developed in the project:

’CyPro – Cybersecure manufacturing in Denmark’ by Aarhus University, Alexandra Institut, DAMRC, UGLA Insights and FORCE Technology, funded by The Danish Industry Foundation. Material from the project is published under licence CC BY-SA 4.0.
