
Cyber Risk Assessment

As mentioned in the section on the overall cybersecurity risk management process, there are four essential steps in risk management:

The identification of cyber risks is worth a section of its own; in this section, we will concentrate on the assessment of risks.

In every methodology for the assessment of risk, there is a fundamental formula consisting of two components:

Risk = Impact * Likelihood

Certainly, the impact of an incident is important, but so is the likelihood of its occurrence. We are willing to drive cars every day despite the impact (literally) of an accident, because we know that the likelihood of an accident is thankfully low.

We’ll start with a discussion of impact. Impact covers the type of loss a risk event could cause and a measure of the “size” of the event, expressed in quantitative or qualitative terms. Typically, the criteria for assessing risk impact are:

  • Economic: the risk is assessed in terms of lower profit and higher costs. This criterion applies to all risks with a quantifiable effect on the organization’s income statement; such risks require the definition of specific thresholds based on a reference parameter (e.g. costs, revenues, margin);
  • Market: possible loss of market share as a consequence of risks related to an inability to fulfill customer needs in terms of product/service quality;
  • Reputational: based on the occurrence of possible events that could damage the image of the organization;
  • Competitive advantage: measures the loss of competitive advantage if risk events occur.

Clearly, some factors (such as reputational damage) are difficult to quantify; that is part of the challenge in developing a mature cybersecurity risk assessment methodology.

The actual risks generally depend on the market sector involved. Let us make these impact factors more concrete in a table based upon AON research.

Market Sector: Cyber Events and Potential Impact

Financial Institutions Market (e.g. Banks, Financial Services)
  • Increased governmental regulation (e.g. Banking Union / Eurosystem rules and supervision, GDPR in Europe)
  • Huge exposure to reputation & insider risk, business interruption, data / system restoration issues

Critical Infrastructure Operators Market (e.g. Energy, Transport, Digital infrastructure)
  • Increasing exposure to many cascading types of risk through cyber events (e.g. loss of life, severe economic and property damage)
  • Regulators and SDOs increasingly insisting on addressing cyber issues

Retail Market (e.g. Consumer Goods, Online Retailers)
  • Enormous exposure to reputational risk through well-publicized breaches
  • Exposure to business interruption and contingent business interruption

Healthcare Market (e.g. hospitals, health services)
  • Ever-increasing exposure to 3rd party liability, breach costs, reputational risk
  • Privacy issues are coming to the forefront, not only with GDPR but also with increased awareness of the consequences of patient data breaches

Transport Logistics Market (e.g. Aviation, Aerospace, Logistics)
  • Significant exposure to business interruption, data / system restoration, and bodily injury / property damage

Manufacturing Market (e.g. chemicals, pharma, food and others)
  • Large and growing exposure to loss of IP (industrial espionage)
  • Exposure to business interruption and data restoration issues
  • Industry 4.0 has introduced a whole new set of urgent cybersecurity issues

Even more challenging than determining the impact of cyber events is a precise estimate of their likelihood. Since cybersecurity is a relatively new field, statistics on cyber events that would allow quantitative estimates will not always be available. Nevertheless, all risk assessment methodologies have developed techniques that allow reasonable qualitative assessments based on the experience and competencies of the investigators. Often, qualitative judgements of both impact and likelihood of occurrence are combined to form a kind of risk graph, or risk assessment matrix.
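The following is an added worked example (not code from cyberwatching.eu or AON) of the Risk = Impact * Likelihood formula applied as a risk assessment matrix: the four impact criteria from above are rated on a 1-5 scale, the economic criterion is rated against a reference parameter (loss as a share of revenue), and the product with a 1-5 likelihood is placed in a band. The scales, thresholds, bands and the sample register are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Added example, not cyberwatching.eu or AON code: scales, thresholds, matrix
# bands and the sample register are assumptions chosen to illustrate the method.
# Economic impact is rated against a reference parameter (here expected loss as
# % of annual revenue); (ceiling_pct, level) bands are assumed.
ECONOMIC_BANDS = [(0.1, 1), (0.5, 2), (2.0, 3), (5.0, 4)]

def economic_level(expected_loss: float, revenue: float) -> int:
    pct = 100.0 * expected_loss / revenue
    for ceiling, level in ECONOMIC_BANDS:
        if pct <= ceiling:
            return level
    return 5  # above the top threshold

@dataclass
class Scenario:
    name: str
    expected_loss: float  # currency units, for the economic criterion
    market: int           # 1-5: loss of market share
    reputational: int     # 1-5: damage to the organization's image
    competitive: int      # 1-5: loss of competitive advantage
    likelihood: int       # 1-5: qualitative likelihood of occurrence

def impact_level(s: Scenario, revenue: float) -> int:
    """Overall impact = worst of the four criteria (a conservative choice)."""
    return max(economic_level(s.expected_loss, revenue), s.market, s.reputational, s.competitive)

def risk_score(s: Scenario, revenue: float) -> int:
    """Risk = Impact * Likelihood, i.e. the cell of a 5x5 matrix (1..25)."""
    return impact_level(s, revenue) * s.likelihood

def risk_band(score: int) -> str:
    """Matrix colour band; the cut-offs are assumed, not a standard."""
    for ceiling, band in ((4, "low"), (9, "medium"), (16, "high")):
        if score <= ceiling:
            return band
    return "critical"

def risk_register(scenarios, revenue):
    """{name: (impact, likelihood, score, band)} for each scenario."""
    return {s.name: (impact_level(s, revenue), s.likelihood, risk_score(s, revenue),
                     risk_band(risk_score(s, revenue))) for s in scenarios}

# Constructed sample register for a hypothetical online retailer (revenue 50M).
REGISTER = [
    Scenario("card data breach", 1_500_000, market=3, reputational=5, competitive=2, likelihood=3),
    Scenario("ransomware on e-shop", 600_000, market=4, reputational=3, competitive=2, likelihood=4),
    Scenario("insider IP leak", 100_000, market=1, reputational=2, competitive=4, likelihood=2),
]
```

Calling `risk_register(REGISTER, 50_000_000)` rates the card data breach 5 x 3 = 15 (high), the ransomware scenario 4 x 4 = 16 (high) and the insider leak 4 x 2 = 8 (medium), showing how a low-likelihood, high-impact event and a likelier, less severe one can land in the same band.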


Given that cybersecurity risk assessment is still a maturing discipline, it is important to choose those who perform risk assessment carefully. The more experienced the analysts are, the more precision is possible for the risk assessment, even when “only” done in qualitative terms. Part of the mission of cyberwatching.eu is to provide information on the alternatives and resources available.

For small to medium enterprises, self-assessment is an attractive alternative, because of the lower costs involved. However, those lower costs come with the risk of a less precise and informative assessment. Tools for self-assessment are beginning to arrive on the market, which alleviate some of the problems by incorporating the knowledge of assessment professionals and ensuring a certain level of assessment quality.
