What makes a good risk assessment?

Wednesday, 30 October, 2024

A person looking through binoculars at you, with snowy mountains in the background

A risk assessment is widely regarded as the foundation for any cyber security programme. It features in government guidance, international standards, and wider good practice. That’s because – while there are some basic hygiene factors that everyone should implement – each organisation is different. Therefore what they need to do will differ and their sense of what is ‘enough’ security will be bespoke too.

A risk assessment is the process of identifying, analysing and evaluating the scenarios that may affect your organisation’s digital environment. These risk scenarios are events or circumstances that could negatively impact your business operations – and therefore your bottom or top lines.

Quantitative risk assessment is a great approach to understand the potential financial impact posed to your organisation. Results should be measured in pounds and pence because that’s a language we can all understand, from the IT team to the boardroom. Cyber risk quantification improves communication and makes security outcomes and investment decisions easier to articulate.

Assessing your risk is an important, proactive step towards safeguarding your assets and data, and it’s a vital activity for compliance with many regulatory requirements. There are tools to help you identify, measure, and track your cyber risk.

But what goes into making a really good risk assessment; one that is thorough, relevant and practical?

Preparation is key

Step one is to start with clear objectives and a well-defined scope:

  • What are you going to be assessing? The company as a whole or just a defined sector or project?
  • Do you have access to the information you require?
  • Will you have the capacity required to complete this task?
  • Do you have the tools necessary to undertake and document this assessment?

Once your scope has been established, it’s time to gather all your data together. This information is the foundation of your analysis – results are only ever as reliable as their inputs – so it has to be accurate and complete.

This data will include:

The details and value of the most important asset(s) in your organisation.

  • What are you defending? Where are your “crown jewels”?
  • What would the impact to business be if you lost access to these assets, or lost the assets permanently?
  • These may manifest as physical, on-premise IT systems, or cloud-based solutions.
  • They may also be intangible things like your reputation, sales pipeline, and so on.

Business data (this is important; use this as an opportunity to engage the business!)

  • Think about your organisation and what’s important to it.
  • Commercial organisations may want to consider revenue, sales pipeline, and other financial metrics.
  • Impact on people (staff, contractors, customers, members of the public) may be important: how many of what types?
  • Information on different costs (payroll costs, typical invoice values, IT supplier costs, raw materials) can be useful that are material to your organisation.
  • Details of any cyber insurance.
  • How would losing access to critical systems impact your business?
  • Approximations are OK! Accuracy is more important than precision.

Third party and supply chain information

  • Who is important to how your organisation operates?
  • What would happen if the service they provide was disrupted, or ceased permanently?

Historical incident data can be useful intelligence when it comes to understanding how often things do (or don’t!) happen.

  • Have you ever experienced a cyber security incident, or a near miss, before?
  • If so, how was this handled?
  • What were the impacts associated with them?

Threat intelligence and vulnerability scans.

  • Do some research on what cyber threats are currently affecting your sector or industry.
  • Your IT provider may offer the additional service, or perhaps you employ a separate security operations centre (SOC) provider, who can help.
  • Larger teams may have access to threat intelligence feeds or subscriptions.
  • Technical assurance data, like penetration test results and vulnerability scans can also be helpful to understand your digital footprint or ‘attack surface’.

The details of existing security controls in place on your systems

  • What existing countermeasures or protections do you have in place? (think anti-virus software, firewalls, backups, etc)
  • If your IT is outsourced, your supplier should be able to help out with this.

At this point it’s important to mention that, in some cases – such as with specific technologies or industries – taking advice from an appropriate subject matter expert can boost your risk assessment to the next level. At a minimum make sure that you’re not doing this in isolation. Security is a team sport. Involve people from other teams across and get their input.

So, now you have your scope defined and your raw data ready, it’s time to consider the cyber security risks affecting your business.

Risk identification

Common risks such as ransomware, insider threats and personal data breaches are relevant to most organisations. However, some are likely to be specific to your business or industry – perhaps you rely heavily on third-party suppliers, or develop intellectual property through new products, or your industry involves operational technology.

Next, it’s time to take a step back and explore the context of the risk through critical thinking.

To fully understand the potential impacts of the various threats and vulnerabilities facing your assets, it’s necessary to model the real-world situations in which they could occur, including:

  • Threat actor motivations (why are they attacking you?)
  • Attack vectors (how are they getting into your environment?)
  • Potential consequences (what would happen?)

We use the Open Information Security Risk Universe as a taxonomy of different sources, events, and consequences that can come together to form a risk scenario. It’s a handy way of checking if there are things you haven’t thought about, or as discussion prompts for your risk assessment workshop.

Creating scenarios puts risks into perspective, helping you and your team understand the threat in question and assign an appropriate mitigation to counter it.

Stay tuned for a deeper dive into risk scenarios and some tips on how to put them together.

Cydea can help you to quantify, understand, and communicate your cyber risk through our risk analysis projects and our risk platform which makes CRQ accessible to SMEs, mid-market firms, and large enterprises alike.

Photo by Kajetan Sumila