Cyber Risk Assessment

As mentioned in the section on the overall cybersecurity risk management process, there are four essential steps in risk management:

• Identify risks
• Assess risks
• Identify possible mitigation measures
• Decide what to do about the residual risk

The identification of cyber risks is worth a section of its own; in this section, we will concentrate on the assessment of risks.

In every methodology for the assessment of risk, there is a fundamental formula consisting of two components:

Risk = Impact * Likelihood

Certainly, the impact of an incident is important, but so is the likelihood of its occurrence. We are willing to drive cars every day despite the impact (literally) of an accident, because we know that the likelihood of an accident is thankfully low.

We’ll start with a discussion of impact. This involves the type of potential loss through a risk event, and a measure of the “size” of the event, whether in quantitative or in qualitative terms. Typically, the criteria for the risk impact assessment are: 

• Economic: Here, the risk in terms of lower profit and higher costs is assessed. This criterion is applicable to all those risks having a quantifiable effect on the income statement of the organization, and they require the definition of specific thresholds based on a reference parameter (e.g. Costs, Revenues, Margin);
• Market: Possible loss of market share as a consequence of risks related to inability to fulfill customer needs in terms of product/service quality; 
• Reputational: Based on the occurrence of possible events that could damage the image of the organization; 
• Competitive advantage: Measures the loss of competitive advantage in case of occurrence of risk events.

Clearly, some factors (such as reputational damage) are difficult to quantify – that is part of the challenge in elaborating a mature cyber security risk assessment methodology.

The actual risks generally depend on the market sector involved. Let us make these impact factors more concrete in a table based upon AON research.

_________________________________________________________________________________________

Even more challenging than determining the impact of cyber events is a precise estimate of their likelihood. Since cybersecurity is a relatively new field, there will not always be statistics available on cyber events that allow for quantitative estimates. Nevertheless, in all risk assessment methodologies, techniques have been developed to allow for reasonable qualitative risk assessments, based upon the experience and competencies of the investigators. Often, qualitative judgements of both impact and likelihood occurrence are combined to form a kind of risk graph, or risk assessment matrix.

Given that cybersecurity risk assessment is still a maturing discipline, it is important to choose those who perform risk assessment carefully. The more experienced the analysts are, the more precision is possible for the risk assessment, even when “only” done in qualitative terms. Part of the mission of cyberwatching.eu is to provide information on the alternatives and resources available.

For small to medium enterprises, self-assessment is an attractive alternative, because of the lower costs involved. However, those lower costs come with the risk of a less precise and informative assessment. Tools for self-assessment are beginning to arrive on the market, which alleviate some of the problems by incorporating the knowledge of assessment professionals and ensuring a certain level of assessment quality.