Life is about taking risks. Business is about taking risks. Heck, anything you do involves taking risks. But you wouldn't jump right off a cliff into unknown waters, would you? You'd want to know: How deep is the water? Are there sharks? Is there anyone around you who could help if you needed it? Are you even ready to make the jump?
While yes, there are adrenaline-seekers among us who would gladly take the plunge, let's look at it from a non-thrill-seekers' perspective: you would only jump if you knew you had the skills to do it safely, consider all the circumstances, assess the terrain, enlist someone to help out if necessary; essentially, prepare yourself for everything that comes with taking a risk.
And putting our exaggerated example aside, running any modern business or enterprise is all about taking risks. Information technology has brought on a new dawning of conducting business (and even our everyday lives)—as well as a whole new set of risks.
You've certainly stumbled upon terms like risk assessment, risk analysis and risk management, and quite possibly heard them used interchangeably. While there is an overlap in the actual functionality of these terms and what they consider, there are a few differences worth pointing out, to help those involved in these processes avoid misunderstanding and wrong expectations. That's why today we'll examine these terms and what they mean from a strategic standpoint.
Let's begin by learning what "risk' actually is, in the context of cyber and information security.
- What constitutes a risk in cybersecurity?
- What is cyber risk assessment?
- How about risk management?
What constitutes a risk in cybersecurity?
Put simply, a risk is generally any situation that involves exposure to danger. When speaking in cybersecurity terms, we can translate this as a likelihood of damage both to finances and reputation, resulting from the failure of an organization's information technology systems upon suffering a cyber attack or data breach.
Think of cybersecurity risks as the intersection of threat, vulnerability and assets: the assets are what we're trying to protect, the threat is what we're protecting them from, and the vulnerability is a gap in that protection. This puts risk in the middle of the action, as it entails the damage or loss of an asset as the result of a threat exploiting a vulnerability.
Cybersecurity risks are inherent in the current threat landscape, and no one is immune to them. Nearly every business faces cyber risks, and they can come from different places. Among these risks are:
- Outsider threats such as different types of cybercrime, advanced persistent threats, network security threats, and the like
- Insider threats, which can range from cyber espionage to employees unwittingly clicking on a wrong link
- Third parties with sub-par cybersecurity posture working with the organization
There are plenty of ways in which cyber attackers can strike, and many ways in which you can unintentionally put your organization at risk. So what can we do about it? Assess, analyze and manage!
What is cyber risk assessment?
To explore these terms and their relationship to one another, let's take a hierarchical perspective: risk analysis is part of risk assessment, and risk assessment is part of risk management.
While it might be logical to start from the bottom (if we're still looking at it from a hierarchical viewpoint), it's more telling to start with risk assessment, and in going through its steps, arrive at its most crucial: risk analysis.
Risk assessment is exactly what it sounds like—identifying the risks, their likelihood of happening, and estimating their consequences.
All of this leads to better decision-making towards understanding and mitigating said security risks. Specifically in cybersecurity, risk assessment identifies and analyzes security risks posed from both external and internal threats that can be damaging to organizations' critical data and infrastructure. We can also look at risk assessment as a strategic cybersecurity process with, for example, vulnerability assessment and penetration testing being tactical and technical considerations.
Before we begin the risk assessment process, it should all start with auditing the infrastructure and assets the organization owns. We'll want to identify the type of data the organization collects, how the data is stored and the processes used to protect that data. Next, we should identify the critical assets, creating a risk profile for each identified asset by assessing each cybersecurity risk, mapping the critical assets, prioritizing them, and finally informing a mitigation process with security controls put in place for each risk.
From there, we can compartmentalize risk assessment into three components: risk identification, risk analysis and risk prioritization.
Unfortunately, being optimistic isn't ideal when it comes to cybersecurity. It's all about preparing for a cyber attack, determining how and why it can happen from every possible angle, and what the losses could be when it happens (putting the emphasis on "when", not "if").
This involves envisioning worst-case scenarios, future events during which something can go wrong, and all the possible sources of risk that could pose danger to your critical data and impact your organization and its ability to operate properly.
Are you going through Mergers & Acquisitions which opens up your attack surface to now include other companies? Is ransomware currently ravaging your industry? Does your organization lack the cybersecurity culture and awareness needed for employees to avoid falling for phishing attacks, which are now such a common occurrence? What network security threats could jeopardize your network?
Additionally, it's important to remember that risks change over time. With technology constantly evolving and the attack surface it opens up, you need to stay diligent and revisit the risk identification stage continuously.
Once we've identified all possible risks for an organization, we need to estimate the extent of impact if these worst-case scenarios do occur.
It's now time for risk analysis
Within the broader cyber risk assessment process, we have risk analysis. After we've identified everything that can go wrong, as well as all the cybersecurity risks threatening the operations and information systems of an organization, we need to measure the likelihood and extent of their impact.
Risk analysis is really taking the risk assessment process to the next level. We focus our attention on understanding the risks we've identified in the previous step, and determine the magnitude of damage they can cause.
To get into the practicality of risk analysis, we take each risk, analyze it and score it by using one of the two main schools of risk analysis: quantitative and qualitative.
Quantitative risk analysis is all about the specific monetary impact each risk poses, and ranks them according to the cost an organization would suffer if the risk materializes. Qualitative risk analysis is more subjective, depending on the organization's structure, industry and goals of risk assessment. In this type of risk analysis, the likelihood, impact, rate and severity of a risk occurring are used as a scoring mechanism.
When risk analysis is finished, and we have successfully scored the risks using the metrics stated above, we need to prioritize the risks and categorize them based on both their priority and how quickly we need to develop mitigation processes to respond to them.
Not all security risks are created equal. And prioritizing them might seem redundant; as we just scored them based on their different characteristics, isn't that prioritizing them? Well, yes and no. Scoring risks is the basis on which the decision-making for prevention and mitigation methods are employed. One security risk might have a huge monetary impact, but a low probability of occurring; while another risk can pose almost no real danger of disruption or monetary impact, but with the possibility of occurring very often.
To avoid dwelling on the wrong risks, and missing a potentially damaging one, it's important to prioritize risks with these rankings:
High priority - We see zero-day attacks mentioned a lot at this level, with cybercriminals exploiting a previously unknown vulnerability. Oh, and cue the word "unknown"—uncertainty often brings with it the highest level of risk. Detection, prevention and mitigation need to be the top priorities, developed and enforced as quickly as possible.
Medium priority - When talking about medium-priority risks, situations involving disgruntled former employees stealing an organization's data are often cited. While yes, this can happen, it isn't something that needs to be constantly monitored and reviewed. Following user termination best practices is always a good step toward ensuring that these types of insider threats don't occur.
Low priority - A common low-priority risk is thieves breaking into a physical space and stealing devices. Here, the probability of data loss is low—as most devices don't contain critical information nor have access to them. There is almost no urgency involved with these types of risks, so the steps to prevent and mitigate don't have to be reviewed and monitored as often as risks in the other, more pressing levels of priority.
How about risk management?
Now we come to the end of this little "risk journey". Encompassing everything we've learned up to this point, and going through all of the steps of risk assessment, we finally arrive at risk management.
Risk management has been an important part of every successful organization since the beginning of business as we know it. It allows business leaders to make better informed decisions on ways to prevent and mitigate security risks based on their probability and outcome. Cybersecurity risk management refers to the implementation of policies, procedures and practices in order to, you guessed it, manage security risk.
The entire process of risk management can be summed up as the process of identifying potential risks, analyzing their impact, and planning the course of action of how to respond to those risks if they lead to a negative outcome, and with constant monitoring, enforce security controls on each risk. It's also important to note that risk management is something that is important for every organization, no matter how small or large, regardless of industry.
To properly manage security risks, all organizations need to assess these risks, their likelihood and potential for disruption, and regulate their approach in dealing with them. To mitigate security risks, they need to work out what kind of security controls need to be applied, as all risks can't be fully eliminated nor, as we said earlier, are they created equally or with equal impact.
Risk management best practices
When adopting an appropriate risk management process, there are a few things organizations should consider:
Cybersecurity culture: For any organization wanting to improve their security posture, maintaining a culture of awareness around cybersecurity issues is crucial. Risk management is no different. Start with your people; after all, people are your most valuable asset. Communicate the intent of the risk management process clearly, open communication channels, ensure good training, involve your leadership and be diligent with continuous awareness training and testing.
Prioritize: This important step in risk assessment is also an important practice in risk management. Organizations have limited resources, and tending to each security risk equally just isn't realistic. Never forget risk prioritization, and continuously score and prioritize risks to avoid getting blind-sided with a medium-priority risk that, with time, becomes a high-priority risk.
Immediate response: Once you've been exposed to a security risk, acting quickly is crucial. Organizations need to develop processes to quickly identify risks, immediately catch any security breaches and incidents, and keep rapid mitigation plans in place for containing a security event or even worse, a breach, once it hits.
Threat intelligence: Often overlooked in risk management, threat intelligence provides organizations with information on the types of malicious actors who might be interested in their assets, draws attention to the latest vulnerabilities, helps determine the likelihood and probability of being the target of cyberattacks, and can be leveraged to keep the pace of threats as they evolve. All in all, threat intelligence helps decision makers make better informed decisions.
While risk analysis, risk assessment and risk management all have different functions, they still need each other to function holistically and provide the most value they can to the organizations they benefit.
One simply can't function without the other: in order to have a consistent and appropriate risk management program you need risk analysis and risk assessment to provide information. That is the ground zero from where all other steps take root.
Cyber risks continue to evolve and grow. And in order to keep their security posture, critical infrastructure and assets intact, organizations need to follow along. Cyber risk will always be there, and while you can never completely mitigate all risks, you can minimize them through continual analysis and assessment, and use that knowledge to implement the protection and defenses needed to lessen their probability and impact.