Cyber Risk Assessment

As mentioned in the section on the overall cybersecurity risk management process, there are four essential steps in risk management:

The identification of cyber risks is worth a section of its own; in this section, we will concentrate on the assessment of risks.

In every methodology for the assessment of risk, there is a fundamental formula consisting of two components:

Risk = Impact * Likelihood

Certainly, the impact of an incident is important, but so is the likelihood of its occurrence. We are willing to drive cars every day despite the impact (literally) of an accident, because we know that the likelihood of an accident is thankfully low.

We’ll start with a discussion of impact. This involves the type of potential loss through a risk event, and a measure of the “size” of the event, whether in quantitative or in qualitative terms. Typically, the criteria for the risk impact assessment are: 

  • Economic: Here, the risk in terms of lower profit and higher costs is assessed. This criterion applies to all risks having a quantifiable effect on the income statement of the organization, and it requires the definition of specific thresholds based on a reference parameter (e.g. Costs, Revenues, Margin);
  • Market: Possible loss of market share as a consequence of risks related to an inability to fulfil customer needs in terms of product/service quality;
  • Reputational: Based on the occurrence of possible events that could damage the image of the organization;
  • Competitive advantage: Measures the loss of competitive advantage in case of occurrence of risk events.

Clearly, some factors (such as reputational damage) are difficult to quantify – that is part of the challenge in elaborating a mature cyber security risk assessment methodology.

The actual risks generally depend on the market sector involved. Let us make these impact factors more concrete in a table based upon AON research.

Market Sector | Cyber Events and Potential Impact

Financial Institutions Market (e.g. Banks, Financial Services)
  • Increased governmental regulation (e.g. Banking Union / Eurosystem rules and supervision, GDPR in Europe)
  • Huge exposure to reputation & insider risk, business interruption, data / system restoration issues

Critical Infrastructure Operators Market (e.g. Energy, Transport, Digital infrastructure)
  • Increasing exposure to many cascading types of risk through cyber events (e.g. loss of life, severe economic and property damage)
  • Regulators and SDOs increasingly insisting on addressing cyber issues

Retail Market (e.g. Consumer Goods, Online Retailers)
  • Enormous exposure to reputational risk through well publicized breaches
  • Exposure to business interruption, contingent business interruption

Healthcare Market (e.g. hospitals, health services)
  • Ever-increasing exposure to third-party liability, breach costs, reputational risk
  • Privacy issues are coming to the forefront, not only with GDPR but also with increased awareness of the consequences of patient data breaches

Transport Logistics Market (e.g. Aviation, Aerospace, Logistics)
  • Significant exposure to business interruption, data / system restoration, and bodily injury / property damage

Manufacturing Market (e.g. chemicals, pharma, food and others)
  • Large and growing exposure to loss of IP (industrial espionage)
  • Exposure to business interruption and data restoration issues
  • Industry 4.0 has introduced a whole new set of urgent cyber security issues

Even more challenging than determining the impact of cyber events is a precise estimate of their likelihood. Since cybersecurity is a relatively new field, statistics on cyber events that would allow quantitative estimates are not always available. Nevertheless, all risk assessment methodologies have developed techniques that allow for reasonable qualitative risk assessments, based upon the experience and competencies of the investigators. Often, qualitative judgements of both impact and likelihood of occurrence are combined to form a kind of risk graph, or risk assessment matrix.
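As an added example (not code from the cyberwatching.eu page), the formula Risk = Impact * Likelihood, the four impact criteria and a qualitative risk matrix put together in Python: the Economic criterion is scored from a quantified loss against revenue-based thresholds, the other three criteria are rated qualitatively, the overall impact is the worst criterion, and Impact * Likelihood is mapped onto the bands of a 5x5 matrix. The scale values, the thresholds, the band boundaries and the sample risk register are all assumptions.

```python
from dataclasses import dataclass
# Ordinal 1..5 scale shared by impact and likelihood (assumed scale values).
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
# Economic criterion: loss as a fraction of annual revenue (the reference parameter); thresholds are assumptions.
ECONOMIC_THRESHOLDS = [(0.001, 1), (0.01, 2), (0.05, 3), (0.20, 4)]

def economic_rating(loss: float, revenue: float) -> int:
    """Convert a quantified loss into the 1..5 scale via revenue thresholds."""
    if revenue <= 0:
        raise ValueError("revenue must be positive")
    for limit, rating in ECONOMIC_THRESHOLDS:
        if loss / revenue < limit:
            return rating
    return 5

@dataclass
class RiskEvent:
    name: str
    loss: float          # estimated economic loss if the event occurs
    market: str          # qualitative ratings for the other three criteria
    reputational: str
    competitive: str
    likelihood: str      # qualitative likelihood of occurrence

def impact_rating(ev: RiskEvent, revenue: float) -> int:
    """Worst criterion wins (no averaging): a small loss cannot offset a very high reputational impact."""
    return max(economic_rating(ev.loss, revenue), SCALE[ev.market],
               SCALE[ev.reputational], SCALE[ev.competitive])

def risk_score(ev: RiskEvent, revenue: float) -> int:
    """Risk = Impact * Likelihood on the ordinal scales (1..25)."""
    return impact_rating(ev, revenue) * SCALE[ev.likelihood]

def risk_band(score: int) -> str:
    """Group the 5x5 matrix cells into bands (band boundaries are assumptions)."""
    return "critical" if score >= 15 else "high" if score >= 8 else "medium" if score >= 4 else "low"

def assess(register: list, revenue: float) -> list:
    """Rows of (name, impact, likelihood, score, band), highest risk first."""
    rows = [(ev.name, impact_rating(ev, revenue), SCALE[ev.likelihood], risk_score(ev, revenue),
             risk_band(risk_score(ev, revenue))) for ev in register]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample register for a retailer with 50 M annual revenue (assumed figures).
REVENUE = 50_000_000
REGISTER = [
    RiskEvent("customer database breach", 400_000, "medium", "very high", "low", "medium"),
    RiskEvent("ransomware on warehouse systems", 6_000_000, "high", "medium", "low", "low"),
    RiskEvent("defaced marketing site", 20_000, "very low", "low", "very low", "high"),
]
```

Note how the breach ranks highest although its direct loss is small: the reputational criterion drives the impact rating, which is exactly the hard-to-quantify factor the text discusses.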

Given that cybersecurity risk assessment is still a maturing discipline, it is important to choose those who perform risk assessment carefully. The more experienced the analysts are, the more precision is possible for the risk assessment, even when “only” done in qualitative terms. Part of the mission of cyberwatching.eu is to provide information on the alternatives and resources available.

For small to medium enterprises, self-assessment is an attractive alternative because of the lower costs involved. However, those lower costs come with the risk of a less precise and less informative assessment. Tools for self-assessment are beginning to arrive on the market; they alleviate some of these problems by incorporating the knowledge of assessment professionals and ensuring a certain level of assessment quality.
