Creating Reliable Risk Assessments: How to Measure Cyber Risk
Part 2 of 4
Risk assessment is the first step to managing and hardening your cybersecurity. The FFIEC strongly recommends completing their Cybersecurity Assessment Tool. For most financial institutions, cybersecurity is an essential part of any risk management program.
A well-executed risk assessment digs into real-world risks and the specific controls an institution uses to mitigate their impact, allowing the board and management to make better, more insightful decisions. From big picture ideas to specific areas of concern, a good risk assessment looks at the good and bad in every situation to provide a thorough understanding of threats and opportunities.
But how exactly do you properly assess a cyber risk? Let’s find out by assessing one potential cyber risk: the risk that hackers aim a cybersecurity attack at the institution’s systems.
Inherent vs. Residual Risk
Inherent risk scores represent the level of risk an institution would face if there weren’t controls to mitigate it. For example, think of the risk of a cyberattack if the institution didn’t have any defenses in place. Residual risk is the risk that remains after controls are taken into account. In the case of a cyber breach, it’s the risk that remains after considering deterrence measures.
To assess inherent risk, determine how big an impact an event would have and how likely the event is to occur.
Inherent risk = Impact of an event * Probability
To calculate residual risk, consider the inherent risk as well as the effectiveness of the controls. That includes how large an impact a control has in mitigating a problem as well as how effective it is.
Residual risk = Inherent risk * Control effectiveness
Control effectiveness = Control impact * % ineffective
Making the Assessment
Different institutions use different scales when making these measurements. In conducting this exercise, we’ll use a 5-point scale using these terms to measure risk and potential impact:
The impact component of control effectiveness will be measured on a three-point scale:
- Very important
- Not important
Probability and effectiveness will be measured on a five-point scale:
With these in mind, let’s begin to assess risk.
Risk: Hackers aim a cybersecurity attack at the institution’s systems.
Event Impact: Catastrophic. The consequences of unauthorized access into the institution’s systems are incredibly severe. Private customer data could be stolen or changed. Funds could be stolen. The institution could be locked out of its system. It could be a nightmare.
Probability: Certain. Cyber criminals are constantly looking for new victims and testing systems for vulnerabilities to exploit. It’s a certainty that there are intruders trying to get into the network on a regular basis.
Inherent Risk Rating: Catastrophic. Not only is it likely that cyber criminals are trying to access the system, but if they got in it would cause tremendous damage.
Now let’s look at the controls the institution has in place to mitigate these risks. After all, going offline isn’t a viable option in the modern business world. There are a variety of network security protocols and controls designed to prevent and/or detect unauthorized access and cybersecurity incidents. They include:
- Anti-virus software on desktops, servers, and hosts, with patches obtained from secure sites.
- Anti-malware software installed on critical servers and on end-point devices, with signatures updated nightly.
- Defense-in-depth program, including intrusion detection/intrusion prevention systems.
- Semi-annual threat and vulnerability testing and attack and penetration tests.
- Centralized monitoring via security incident and event management (SIEM).
- Perimeter firewall systems.
Let’s assess the first control by impact and effectiveness.
Control: Anti-virus software on desktops, servers, and hosts, with patches obtained from secure sites.
Impact: Very important. Anti-virus software should be quite effective in protecting systems, but there is always the possibility that there’s an attack from a new virus that hasn’t been discovered yet. Also, every machine must be patched for this to be effective. One machine could leave the whole network exposed.
Effectiveness: Possible. New viruses are being developed all the time and there are many states actively working to access systems, yet assessments have shown this control to work regularly.
Residual risk: Significant. Even though there are a great many well-thought-out controls to limit the possibility of a cyberattack, risk still remains due to the evolving nature of cybersecurity threats.
Conduct this assessment for each of the controls. Then assess the total value of the controls to determine how high or low the residual risk is. Remember, not every control is equal. Give greater weight to those with a high impact and less to those with a low impact.
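The arithmetic described above (the three formulas and the instruction to weight controls by their impact) worked through in code, as an added example rather than anything from the article or its authors. The page gives the rating terms but no numbers, so the scale values, the weights for the three-point control-impact scale, the conversion of an effectiveness rating into a "% ineffective" figure, and the impact-weighted average used to combine several controls are all assumptions made here; the lower rating labels and the ratings for the five controls the article does not score are constructed for illustration.

```python
"""Worked example of the inherent/residual risk arithmetic.

Added illustration, not the article's own tool. Every numeric mapping below
(scale values, control-impact weights, how a rating becomes "% ineffective",
and the weighted average that combines controls) is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumed 5-point values for the risk/impact terms. Only "Significant" and
# "Catastrophic" appear on the page; the three lower labels are constructed.
IMPACT_SCALE = {"Minimal": 1, "Minor": 2, "Moderate": 3, "Significant": 4, "Catastrophic": 5}

# Assumed 5-point values shared by probability and control effectiveness.
# "Possible" and "Certain" appear on the page; the other labels are constructed.
LIKELIHOOD_SCALE = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Certain": 5}

# Assumed weights for the three-point control-impact scale. The page names
# "Very important" and "Not important"; the middle term is constructed.
CONTROL_IMPACT_WEIGHT = {"Very important": 1.0, "Important": 0.5, "Not important": 0.0}


@dataclass(frozen=True)
class Control:
    name: str
    impact: str          # three-point control-impact term
    effectiveness: str   # five-point effectiveness term


def inherent_risk(impact: str, probability: str) -> float:
    """Inherent risk = Impact of an event * Probability, rescaled back to 1..5."""
    return IMPACT_SCALE[impact] * LIKELIHOOD_SCALE[probability] / 5


def percent_ineffective(effectiveness: str) -> float:
    """Assumed conversion: 5/5 effectiveness leaves 0% ineffective, 1/5 leaves 80%."""
    return 1 - LIKELIHOOD_SCALE[effectiveness] / 5


def control_effectiveness(controls: Iterable[Control]) -> float:
    """Control effectiveness = Control impact * % ineffective, combined across
    controls as an impact-weighted average so high-impact controls count more.
    Returns the fraction of inherent risk that survives the controls."""
    controls = list(controls)
    total_weight = sum(CONTROL_IMPACT_WEIGHT[c.impact] for c in controls)
    if total_weight == 0:
        return 1.0  # no control carries any weight: nothing is mitigated
    weighted = sum(CONTROL_IMPACT_WEIGHT[c.impact] * percent_ineffective(c.effectiveness)
                   for c in controls)
    return weighted / total_weight


def residual_risk(inherent: float, controls: Iterable[Control]) -> float:
    """Residual risk = Inherent risk * Control effectiveness."""
    return inherent * control_effectiveness(controls)


def rating(score: float) -> str:
    """Map a 1..5 score back to the nearest impact term for the board report."""
    nearest = max(1, min(5, round(score)))
    return {v: k for k, v in IMPACT_SCALE.items()}[nearest]


def article_example() -> tuple[float, float]:
    """The cyberattack risk from the article with its six listed controls."""
    controls = [
        # The article rates only this first control (Very important / Possible).
        Control("Anti-virus on desktops, servers and hosts", "Very important", "Possible"),
        # Ratings for the remaining five controls are constructed, not the article's.
        Control("Anti-malware on critical servers and end-points", "Very important", "Likely"),
        Control("Defense-in-depth with IDS/IPS", "Important", "Possible"),
        Control("Semi-annual vulnerability and penetration testing", "Important", "Unlikely"),
        Control("Centralized SIEM monitoring", "Very important", "Likely"),
        Control("Perimeter firewalls", "Very important", "Likely"),
    ]
    inherent = inherent_risk("Catastrophic", "Certain")
    return inherent, residual_risk(inherent, controls)


if __name__ == "__main__":
    inherent, residual = article_example()
    print(f"Inherent risk: {inherent:.2f} ({rating(inherent)})")
    print(f"Residual risk: {residual:.2f} ({rating(residual)})")
```

Two properties of this model are worth noticing. A set made up only of "Not important" controls leaves the residual equal to the inherent risk, which is the honest answer when nothing of weight stands between the threat and the system. And the residual term you get out depends entirely on the assumed mappings, which is exactly why the article notes that institutions use different scales: the scale values have to be calibrated and documented before scores from different assessments can be compared.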
Be sure to be candid when assessing controls. If the assessment reveals that a control isn’t particularly effective, it might not be a problem if other strong controls are in place. It could be an opportunity to strengthen a weak control or decide that it’s not worth the resources. New controls can be developed.
Remember that a risk assessment score is not an indictment of the IT department. IT should be praised for everything it does to protect the institution. Without its efforts, it’s almost guaranteed that the institution would have been hacked by now. Instead, a risk assessment indicating high risk lets the board and management know that it needs to continue to invest heavily in cybersecurity. If the assessment indicated low cyber risk, the board and management might feel free to reallocate resources to another area of the institution, and in a world of rapidly advancing cyber threats, that’s a mistake.
To learn more about risk assessments, including how to ensure they are reliable, timely and consistent, check out our whitepaper on creating reliable risk assessments.