Cyber Risk Assessment

As mentioned in the section on the overall cybersecurity risk management process, there are four essential steps in risk management:

The identification of cyber risks is worth a section of its own; in this section, we will concentrate on the assessment of risks.

In every methodology for the assessment of risk, there is a fundamental formula consisting of two components:

Risk = Impact * Likelihood

Certainly, the impact of an incident is important, but so is the likelihood of its occurrence. We are willing to drive cars every day despite the impact (literally) of an accident, because we know that the likelihood of an accident is thankfully low.

We’ll start with a discussion of impact. This involves the type of potential loss caused by a risk event, and a measure of the “size” of the event, whether in quantitative or in qualitative terms. Typically, the criteria for the risk impact assessment are:

  • Economic: the risk is assessed in terms of lower profit and higher costs. This criterion applies to all risks with a quantifiable effect on the organization’s income statement, and it requires the definition of specific thresholds against a reference parameter (e.g. costs, revenues, margin);
  • Market: possible loss of market share as a consequence of risks related to an inability to fulfil customer needs in terms of product/service quality;
  • Reputational: based on the occurrence of possible events that could damage the image of the organization;
  • Competitive advantage: measures the loss of competitive advantage in case of occurrence of risk events.

Clearly, some factors (such as reputational damage) are difficult to quantify – that is part of the challenge in elaborating a mature cyber security risk assessment methodology.

The actual risks generally depend on the market sector involved. Let us make these impact factors more concrete in a table based upon AON research.

Market Sector / Cyber Events and Potential Impact

Financial Institutions Market (e.g. Banks, Financial Services)
  • Increased governmental regulation (e.g. Banking Union / Eurosystem rules and supervision, GDPR in Europe)
  • Huge exposure to reputation & insider risk, business interruption, data / system restoration issues

Critical Infrastructure Operators Market (e.g. Energy, Transport, Digital infrastructure)
  • Increasing exposure to many cascading types of risk through cyber events (e.g. loss of life, severe economic and property damage)
  • Regulators and SDOs increasingly insisting on addressing cyber issues

Retail Market (e.g. Consumer Goods, Online Retailers)
  • Enormous exposure to reputational risk through well publicized breaches
  • Exposure to business interruption, contingent business intelligence

Healthcare Market (e.g. hospitals, health services)
  • Ever-increasing exposure to 3rd party liability, breach costs, reputational risk
  • Privacy issues are coming to the forefront, not only with GDPR but also increased awareness of patient data breach consequences.

Transport Logistics Market (e.g. Aviation, Aerospace, Logistics)
  • Significant exposure to business interruption, data / system restoration, and bodily injury / property damage

Manufacturing Market (e.g. chemicals, pharma, food and others)
  • Large and growing exposure to loss of IP (industrial espionage)
  • Exposure to business interruption and data restoration issues
  • Industry 4.0 has introduced a whole new set of urgent cyber security issues

Even more challenging than determining the impact of cyber events is a precise estimate of their likelihood. Since cybersecurity is a relatively new field, statistics on cyber events that would allow quantitative estimates are not always available. Nevertheless, all risk assessment methodologies have developed techniques that allow reasonable qualitative risk assessments, based upon the experience and competencies of the investigators. Often, qualitative judgements of both impact and likelihood of occurrence are combined to form a kind of risk graph, or risk assessment matrix.
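The risk assessment matrix described above, as an added example that is not part of the original page: both impact and likelihood are rated on a five-point ordinal scale, each risk is rated on the four impact criteria listed earlier (economic, market, reputational, competitive advantage), the overall impact is the worst criterion, and Risk = Impact * Likelihood is mapped onto qualitative bands. The scale, the band thresholds, the rule of taking the worst criterion and the sample risk register are all assumptions of this example, not part of any published methodology.

```python
"""Qualitative cyber risk matrix: Risk = Impact * Likelihood on ordinal scales.

Added example. Scale, band thresholds, the worst-criterion rule and the sample
register below are assumptions, not a published methodology.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Five-point ordinal scale used for both likelihood and impact (assumed)."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# Impact criteria named on the page; every risk must be rated on all four.
CRITERIA = ("economic", "market", "reputational", "competitive_advantage")


def rate(score: int) -> str:
    """Map a 1..25 product onto a qualitative band (thresholds are assumed)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Level
    impact: dict  # criterion name -> Level

    def __post_init__(self):
        # Reject a register entry that skips a criterion: an unrated criterion
        # would silently lower the overall impact.
        missing = set(CRITERIA) - set(self.impact)
        if missing:
            raise ValueError(f"{self.name}: unrated criteria {sorted(missing)}")

    def overall_impact(self) -> Level:
        # Worst criterion wins: a breach with modest direct cost but very high
        # reputational damage is still a very-high-impact event.
        return max(self.impact.values())

    def score(self) -> int:
        return int(self.overall_impact()) * int(self.likelihood)

    def rating(self) -> str:
        return rate(self.score())


def risk_matrix() -> dict:
    """Full 5x5 matrix keyed by (impact, likelihood) -> band."""
    return {(i, l): rate(int(i) * int(l)) for i in Level for l in Level}


def render_matrix() -> str:
    """Text rendering: rows are likelihood (highest at top), columns are impact."""
    header = "Lik/Imp".rjust(9) + " " + " ".join(f"{i.name:>9}" for i in Level)
    rows = [header]
    for lik in reversed(list(Level)):
        cells = " ".join(f"{rate(int(i) * int(lik)):>9}" for i in Level)
        rows.append(f"{lik.name:>9} {cells}")
    return "\n".join(rows)


def rank(risks) -> list:
    """Order a risk register for treatment: highest score first, then by name."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    Risk("ransomware on order-processing system", Level.HIGH,
         {"economic": Level.HIGH, "market": Level.MEDIUM,
          "reputational": Level.HIGH, "competitive_advantage": Level.LOW}),
    Risk("customer data breach", Level.MEDIUM,
         {"economic": Level.MEDIUM, "market": Level.MEDIUM,
          "reputational": Level.VERY_HIGH, "competitive_advantage": Level.LOW}),
    Risk("theft of unencrypted laptop", Level.HIGH,
         {"economic": Level.LOW, "market": Level.VERY_LOW,
          "reputational": Level.LOW, "competitive_advantage": Level.VERY_LOW}),
    Risk("industrial espionage against R&D", Level.LOW,
         {"economic": Level.MEDIUM, "market": Level.LOW,
          "reputational": Level.LOW, "competitive_advantage": Level.VERY_HIGH}),
]

if __name__ == "__main__":
    print(render_matrix())
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score():>3} {r.rating():<8} {r.name}")
```

Note how the worst-criterion rule changes the outcome: the data breach has only medium economic impact, but its very high reputational impact puts it in the critical band, which is exactly the kind of judgement the page says is hard to quantify. The band thresholds are where an organisation's risk appetite enters; changing them changes which risks are treated first, so they should be agreed before the register is scored, not adjusted afterwards.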


Given that cybersecurity risk assessment is still a maturing discipline, it is important to choose those who perform risk assessment carefully. The more experienced the analysts are, the more precision is possible for the risk assessment, even when “only” done in qualitative terms. Part of the mission of cyberwatching.eu is to provide information on the alternatives and resources available.

For small to medium enterprises, self-assessment is an attractive alternative, because of the lower costs involved. However, those lower costs come with the risk of a less precise and informative assessment. Tools for self-assessment are beginning to arrive on the market, which alleviate some of the problems by incorporating the knowledge of assessment professionals and ensuring a certain level of assessment quality.
