Advanced User Guide to Cyber Risk Assessment Methodologies

Heading out on a hike without a map or a clear idea of where you’re going will likely end in an exhausting, stressful, roundabout experience. The same problem happens if a company embarks on a risk assessment without sufficient preparation. Even if you already conduct risk assessments regularly, new methodologies and best practices surface as experts analyze past attacks. Here’s an advanced guide on executing and implementing cyber risk assessments for those already familiar with cyber risk assessment methodology.

How to Define Risk Assessment Scope

Although it’s tempting to perform a risk assessment on every application, function, or process within a company, it’s simply not feasible. Determining an assessment boundary shows teams where to distribute resources and where different methodologies would be best suited.

To establish the operational boundary of a risk assessment, review the following questions:

1. What systems are critical to operations?
2. Are systems internal or external?
3. How sensitive is the information each system handles?

From these questions, companies glean the information necessary to plan an assessment schedule and potentially reduce the initial risk assessment plan’s boundary. In doing so, you will save time and money and minimize wasted effort.

 

Risk Categories

The term “risk” refers to more than how easily a hacker can infiltrate a system. Although stolen information is often the primary risk that comes to mind, there are five general risk categories organizations should be aware of before formulating a risk assessment plan or choosing a cyber risk assessment methodology.

 

Strategic

Strategic risk considers the whole picture and how decisions or implementation will affect your company’s overall goals. For example, if a company plans to branch out into a new sector, a strategic risk assessment may focus on what risks would impede, slow, or completely nullify those expansion plans.

 

Reputational

Every company values its reputation, but some rely on it more than others. Any risks with the potential to cast a negative light on a company fall into this category. For example, brands like Apple and Patagonia have strong followings for what their brands stand for — privacy and environmentally friendly, respectively. Any compromise that calls into question the veracity of such claims endangers sales and customer commitment.  

Operational

Losses resulting from failed processes, people, or systems endanger revenue and customer retention. Making customers wait for deliveries or forcing them to navigate poorly optimized systems presents a substantial operational risk. Consider how the USPS system struggled with the increase in traffic due to Covid-19. The USPS drowned during the holiday season with exponential demand, breeding customer discontent and underscoring how risk isn’t always malicious.  

 

Transactional

Every time a process or product delivery takes place or online order is processed, it poses a transactional risk, but specific business actions can increase that risk. For example, the legal website Lexology notes how acquisitions present an increase in transactional risks as companies overlook processes while trying to integrate the new company systems/processes with those existing. The healthcare industry, which experiences numerous acquisitions, increasingly finds itself a prime target because of prescription information, health records, and social security numbers. Additionally, consumers provide more and more of their health information via digital platforms and apps to track and contact their healthcare providers. 

 

Compliance

Compliance poses a more straightforward risk for companies to understand. Either a company follows the standards and regulations set for their industry, or they don’t. HIPAA, ISO, FedRAMP, and CMMC require or highly recommend risk assessments in varying linguistic terms. Another common occurrence is for the risk portion to be broken down by category within a standard, which means conducting a thorough risk assessment would be applicable and help fulfill various standard sections. Compromising compliance certification heightens the risk since each violation could result in monetary repercussions, a license revocation, or limits on operations.

 

 

Cyber Risk Assessment Methodologies

Using methodologies when conducting a risk assessment enables assessors to work with the correct experts during each phase of the evaluation, better determining thresholds, and establishing reliable scoring systems.

 

Hazard Analysis

Hazard analysis produces general risk rankings. In other words, you determine the hazard ranking for a product or process based on the likelihood and severity of the attack. Unlike security tool ranking, this method approaches risk from a more strategic level. Risk assessment teams use two primary methodologies when analyzing hazards:

Preliminary Hazard Analysis (PHA) – PHA does not require a detailed knowledge base of how the product or process in question operates. Involving SMEs throughout the process fills in any knowledge gaps that arise. Companies often conduct PHAs near the beginning of the development stage because any resulting findings will be cheaper to mitigate. A PHA does not serve as an in-depth risk assessment; instead, it offers insight into which areas may require greater attention.

Hazard Analysis and Critical Control Points (HACCP) – An HACCP builds on a PHI by closely analyzing critical control points. Critical control points either limit or monitor activities, access, or use. Conducting a HACCP requires a thorough understanding of the systems or processes involved. 

 

Basic Risk Ranking

Ranking risks, to some extent, occurs in almost all cyber risk methodologies. What varies is how in-depth the ratings are and how they are calculated. The most basic risk ranking does not involve numeric scores; instead, the process ranks risks based on what poses the most significant threats (hypothetically speaking) to a company’s goals or objects. In other words, it is a macro approach to risk ranking.  

Steps for Basic Risk Ranking

1. Examine your assets and brainstorm from the perspective of an attacker. What would interest a cybercriminal? What are the vulnerabilities of the identified assets?
2. Determine if internal or external threats pose the highest risk. 
3. Review attack vectors and verify services, software, and policies are revised consistently. Fourthly, consider the business impact of the identified threats.
4. Prioritize the risks and categorize them into immediate concerns (i.e., those that could severely impact your business) to latent concerts (i.e., those that would be inconvenient but not cause irreparable damage.

 

Attack Trees

Attack trees help identify the probability of potential attacks by analyzing who, how, why, and when of theoretical attacks. A tree diagram places the primary target as the root, with the branches and leaves being the potential paths an attacker could follow to achieve that goal. Since each tree only has one root, assessment teams typically create multiple trees if using this methodology. SANS Institute suggests five steps to building a comprehensive attack tree:

1. Identify all potential attackers, such as competitors, disgruntled employees, script kiddies, etc.
2. Determine the plausible goals of each threat actor from step one and create a root for each goal.
3. Theorize ways that the root goal could be achieved. This is the step to be creative and consider all possibilities. In this process, you should identify sub-goals or stops on the way to the root goal.
4. Next, repeat step three but for the sub-goals.
5. Lastly, review all trees and consider the probability of each. Things to consider would be the difficulty of sub-goals, the time necessary, and the skill required for each potential attack.

Pipeline Model

The pipeline model looks at the processes necessary to complete a transaction; thus, this methodology is ideal for assessing transactional risk.  For example, a typical pipeline would review active processes, communication processes, stable data processes, inquiry processes, and access control processes.

Active – The software necessary to complete the transaction 

Communication – Data transit over the network

Stable data – How is information added to the pipeline and stabilized

Inquiry – How data is extracted from the pipeline

Access Control – Controlling individuals’ access to the pipeline

 

OCTAVE

Developed by the Software Engineering Institute (SEI) at Carnegie Mellon University for the DoD, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

The method focuses on operational risks and less so on technology. The three-phase, eight-process method establishes the current state of security via in-depth conversations with employees from different departments and helps better direct future security strategies.

Phase 1: Identify relevant asset information, identify security measures currently protecting those assets, analyze threats to assets.

Phase 2: Evaluate information system infrastructure.

Phase 3: Formulate a risk mitigation plan based on findings from phases one and two.

The above methodologies represent only a few of the multitude at the disposal of companies. While it’s easy to pick one and call it a day to conduct an effective risk assessment, companies should utilize a methodology from each perspective: strategic, operational, and tactical. Other cyber risk assessment methodologies to further research include simulation/wargaming, asset auditing, and cost-benefit analysis. 

 

Planning for a Risk Assessment

A company has three options for how to conduct a risk assessment. Firstly, a company can choose an internal risk assessment, where only internal staff and resources are used. Secondly, a company could hire a consultant(s) to assist an internal team in conducting a risk assessment. Thirdly, a company may choose to use an external team to oversee and carry out the entire risk assessment process. Each option offers some benefits and also has several drawbacks. 

If a company chooses to use only internal employees, they may save money, but it will require more time on the part of employees to conduct the assessment and their regular duties. Using an internal team also requires more awareness of perspective to avoid subjectivity and oversights. Bringing on a consultant provides a fresh perspective and can help companies avoid unintentional bias. Hiring an external team to initiate, conduct, and provide recommendations may seem like the best option, but keep in mind it requires unambiguous communication and cooperation between internal SMEs and the assessors. Suppose employees fail to provide adequate information to the assessors unfamiliar with your company’s infrastructure and processes. In that case, the risk assessment may drag on for longer than planned or provide minimal insight into potential risks.

 

Commonly Asked Risk Assessment Questions

How long does a risk assessment take? – Risk assessments range from one to four weeks. They may extend beyond that timeline if a company fails to provide information quickly, fails to cooperate with assessors, or if the number of tests conducted is significantly higher than usual. The four-week timeline only includes the actual assessment portion of the process, and it may require more time to aggregate results and formulate improvement suggestions.

Is a risk assessment required? – Most compliance standards and certifications require a risk assessment or recommend conducting one before an audit.

How much will a risk assessment cost? – The cost of a risk assessment depends on the size and complexity of the infrastructure. In general, a small to medium risk assessment ranges from $1,000 to $50,000.

What are some common mistakes when conducting risk assessments? – Don’t rush and keep a flexible schedule. Risk assessments may extend beyond initial timelines as the process commences. Also, do not use only high-level methodologies. Using a variety of methods is critical to conducting a meaningful analysis that provides valuable insights. Conducting an assessment simply for attestation purposes does a company little good.

 

Key Takeaways:

• Before considering the various methodologies available, determine whether you plan to use an internal team, a consulting team, or an entirely external team.
• Take into consideration your company’s size, budget, and operational environment before choosing a methodology.
• When categorizing risk, remember — system, cause, impact.
• Use a variety of methodologies.
• Remember to be objective and analyze critically and creatively. 

 

Need Help?

Knowing the different cyber risk assessment methodologies allows companies to select and implement various qualitative and quantitative methods. This strategy results in a holistic risk assessment that can be modified to fit both large and small business structures. If you need help selecting a cyber risk assessment methodology or need advice throughout your risk assessment process, contact RSI Security for a risk assessment consultation today.