
In our previous post about what makes a good risk assessment we discussed that risk refers to the possibility of a threat exploiting a vulnerability to cause harm to your organisation’s assets, systems or operations.
A risk register is a documented tool used to systematically identify, assess and manage risks, and is certainly a big step towards safeguarding your technology and data.
But is it really the best way to manage your risk?
Risk registers are often theoretical and abstract, using a bottom-up approach. They focus on long lists of individual negative events, identifying risks at a granular level and describing them in technical terms.
So, while your risk register might contain a high degree of detail, it is probably next to useless for communicating your risk profile to a broader audience, such as the key decision-makers on your board.
It’s true that a certain degree of technical knowledge is important when it comes to identifying vulnerabilities in your systems and the effectiveness of potential controls, but it is vital to balance this with clarity and usability.
Risk scenarios add context
In contrast to the risk register method, each risk scenario is a contextual description of a potential event that could lead to an adverse outcome. In every scenario, a source causes an event, resulting in a consequence.
Risk Scenario = Source + Event + Consequence
Importantly, the majority of cyber challenges an organisation will face can be summed up in eight to 12 high-level, comprehensive scenarios, avoiding the overwhelming complexity of the risk register approach.
Scenarios outline the circumstances, threats and vulnerabilities involved, helping us understand how security events can occur and providing a basis for quantifying and mitigating their impact.
This top-down style of assessment provides a holistic view of risk across your organisation. One key difference between a risk scenario and a risk register entry is the terminology used. Where a risk register might get bogged down in jargon, risk scenarios are written in non-technical language so they are easy for all stakeholders to engage with, including non-technical audiences such as your executive leadership and board, leading to more informed decision-making.
Because each scenario is a form of narrative, they are automatically grounded in the context of your business environment. After all, each business is a unique ecosystem, facing a specific set of challenges.
This is the beauty of risk scenarios: they are relatable, they bring risks – and their potential financial impacts to your business – to life.
This method enables leaders to rank risks based on their overall significance to the business, rather than getting tangled up in technical details.
When transitioning from a risk register into scenarios, similar risks can be aggregated into broader categories, with technical detail translated into business language.
At Cydea, we prioritise risk scenarios based on potential impact and frequency, focusing on those that could have the greatest financial consequences for the organisation.
Writing good risk scenarios
So, how do you write a good risk scenario?
Your risk scenario journey begins with understanding the strategic objectives and goals of your organisation, and the “crown jewels” you are protecting.
Next, you need to identify key risks that could have a material impact on your organisation’s ability to achieve its objectives, or that threaten the security of your crown jewels. These may be financial, operational, regulatory or reputational risks.
It’s important to also consider any external factors that could influence the risk landscape, such as regulatory changes, technological advancements, known vulnerabilities and geopolitical change.
Each scenario involves:
- A source
- Creating an event
- Causing certain consequences
For example, a typical risk scenario could look like this:
- Source:
- Cyber criminals – Attack carried out by individual hackers or organised criminal groups.
- Event:
- Ransomware – Once introduced, the ransomware encrypts files, making them inaccessible. A ransom note is then delivered or displayed including a payment demand in return for a decryption key.
- Consequences:
- Operational disruption – Loss of productivity due to loss of access to data, and systems being taken offline for remediation.
- Financial loss – Direct costs include the ransom payment (if paid), recovery costs and fines for data breaches.
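As an added illustration (not Cydea's method, platform or code), the Python sketch below rolls granular register entries up into Source + Event + Consequence scenarios and ranks them by a simple frequency × impact expected annual loss; the register entries, scenario wording and all figures are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RegisterEntry:
    """A granular, technically worded risk register line (constructed)."""
    description: str
    scenario_key: str          # the high-level scenario this line rolls up into
    frequency_per_year: float  # estimated occurrences per year
    impact_gbp: float          # estimated loss per occurrence


@dataclass
class RiskScenario:
    """Source + Event + Consequence, written in business language."""
    source: str
    event: str
    consequences: List[str]
    entries: List[RegisterEntry] = field(default_factory=list)

    def annual_expected_loss(self) -> float:
        # Simplification: each register line is treated as an independent loss path.
        return sum(e.frequency_per_year * e.impact_gbp for e in self.entries)

    def narrative(self) -> str:
        return f"{self.source} {self.event}, resulting in {' and '.join(self.consequences)}."


def build_scenarios(register: List[RegisterEntry]) -> List[RiskScenario]:
    """Aggregate register lines into scenarios and rank by expected annual loss."""
    scenarios: Dict[str, RiskScenario] = {  # constructed scenario definitions
        "ransomware": RiskScenario("Cyber criminals", "deploy ransomware that encrypts our files",
                                   ["operational disruption", "financial loss"]),
        "misdirected_email": RiskScenario("A staff member", "emails customer data to the wrong recipient",
                                          ["regulatory fines", "reputational damage"]),
    }
    for entry in register:
        scenarios[entry.scenario_key].entries.append(entry)
    return sorted(scenarios.values(), key=lambda s: s.annual_expected_loss(), reverse=True)


REGISTER = [  # constructed sample register; figures are illustrative only
    RegisterEntry("Unpatched VPN appliance allows initial access", "ransomware", 0.5, 400_000),
    RegisterEntry("Backups untested; full restore takes weeks", "ransomware", 0.5, 250_000),
    RegisterEntry("No outbound email DLP controls", "misdirected_email", 2.0, 30_000),
]

if __name__ == "__main__":
    for s in build_scenarios(REGISTER):
        print(f"£{s.annual_expected_loss():>10,.0f}  {s.narrative()}")
```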
Creating a set of risk scenarios will help your whole organisation quickly understand the potential impacts of cyber risk. However, most importantly of all, a well-written scenario puts everyone on the same page as to why they should act – or provide you with the resources to act – to mitigate it.
Cydea can help you to quantify, understand, and communicate your cyber risk through our risk analysis projects and our risk platform which makes CRQ accessible to SMEs, mid-market firms, and large enterprises alike.