As I have been writing about lately, we are experiencing a new level of cyber-attack sophistication and effectiveness. 2020 has seen not only very effective ransomware attacks, but also equally effective supply chain and DNS vulnerability attacks. Regulators and security personnel were shocked and somewhat at a loss on how to combat these threats other than by strengthening information security program and controls requirements. They are pressing down hard, and financial institutions such as wealth management firms are at the spear tip of their efforts.

To understand the cyber-risk that faces them, financial institutions need to conduct risk assessments. Risk assessments can be limited in scope or can include the entire organization, but they all include many common steps and determinations. I still adhere to the processes outlined in NIST 800-30 2002. These include threat analysis, vulnerability assessment, probability of occurrence analysis, impact determination and controls analysis. Combining these factors allows you to assign a risk exposure rating. The formula is:

risk = (threat x vulnerability x probability of occurrence x impact) / controls in place

But how do you actually apply this formula to the results of the various steps of the risk assessment? One way, of course, is to just calculate it by feel. What I mean by that is looking at the threat, vulnerability, probability of occurrence and impact information you have come up with, and balancing it against the controls that are already in place at the organization. Then, either unilaterally or in discussion among the group, you determine whether the residual risk you are facing is high, medium or low. This is really the way most organizations determine their risk levels.

NIST has a few tools to help you with some of these steps. For probability of occurrence (likelihood determination), they advise considering three governing factors:
They also have a likelihood table to help you decide:
For impact, they have produced another table that helps you rate the magnitude of impact:
Then, for the actual risk determination step, they have produced a risk level matrix and risk scale:
The risk scale for this matrix is: High (>50 to 100); Medium (>10 to 50); Low (1 to 10). The risk level scale table is:
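As an added example (not the author's code), here is the risk-level matrix and scale described above turned into a small scoring routine that records a rationale for each rating instead of deciding by feel. The likelihood weights (High 1.0, Medium 0.5, Low 0.1) and impact weights (High 100, Medium 50, Low 10) are those of the NIST SP 800-30 (2002) matrix, and their products give exactly the 1 to 100 scale quoted above; the findings in the sample register are constructed data, not from any real assessment.

```python
# Risk-level matrix and scale in the style of NIST SP 800-30 (2002).
from dataclasses import dataclass

# Weights from the SP 800-30 (2002) risk-level matrix (assumed, see lead-in).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: str   # output of the likelihood determination step
    impact: str       # output of the impact analysis step
    rationale: str    # why those levels were chosen: the justification

def risk_score(likelihood: str, impact: str) -> float:
    """One cell of the risk-level matrix: likelihood weight x impact weight.
    Rounded so float noise (0.1 * 100) cannot push a score across a band edge."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)

def risk_level(score: float) -> str:
    """Scale quoted on the page: Low 1-10, Medium >10-50, High >50-100.
    The top of each band is inclusive, so 10 is Low and 50 is Medium."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1..100 matrix range")
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def rank_register(findings: list) -> list:
    """Rate every finding and sort highest residual risk first. Each row
    keeps its rationale so the rating can be defended to a regulator."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append((f.name, score, risk_level(score), f.rationale))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register (hypothetical findings, not from the page).
SAMPLE_REGISTER = [
    Finding("Unpatched VPN appliance", "High", "High",
            "Public exploit exists, internet-facing, no compensating control"),
    Finding("Shared admin password on print server", "Medium", "Low",
            "Internal only; isolated network segment limits the impact"),
    Finding("DNS registrar account without MFA", "Medium", "High",
            "Credential theft is a live threat; hijack would redirect customers"),
    Finding("Stale guest Wi-Fi password", "Low", "Low",
            "Segregated guest VLAN with no path to corporate assets"),
]
```

Calling `rank_register(SAMPLE_REGISTER)` returns the register ordered High, Medium, Low, Low, with the score and rationale beside each name.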
Although NIST 800-30 2002 has been retired, I still find their risk assessment methodology useful. The tables and matrix shown above help me in making my risk determinations without resorting entirely to feelings. Perhaps they will be useful to you as well when you are faced with the thorny problem of assigning cyber-risk levels. They will at least give you some justification for making the decisions that you do.

The following is from Unraveled: An Evidence-Based Approach to Understanding and Preventing Crime.

What are the most commonly mixed up security terms? Threat, vulnerability, and risk. While it might be unreasonable to expect those outside the security industry to understand the differences, more often than not, many in the business use these terms incorrectly or interchangeably. Maybe some definitions (from Strategic Security Management) might help…

Asset – People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items. An asset is what we’re trying to protect.

Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we’re trying to protect against.

Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts.

Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.
Why is it important to understand the difference between these terms? If you don’t understand the difference, you’ll never understand the true risk to assets. You see, when conducting a risk assessment, the formula used to determine risk is:

A + T + V = R

That is, Asset + Threat + Vulnerability = Risk. Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk. Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets. Understanding the difference between threats, vulnerabilities, and risk is the first step.

Read more from Unraveled: An Evidence-Based Approach to Understanding and Preventing Crime, Amazon (Hardcover): https://www.amazon.com/dp/B09M544HHV