Evaluating and managing risk is the cornerstone of a security leader’s role. To manage risk effectively, you need to know how to analyze a cyber risk assessment report. A risk assessment is a thorough look at everything that can impact your security and the likelihood of that event happening.
Securing your critical data and systems isn’t just a one-off event. Unfortunately, hackers are continuously finding innovative ways to infiltrate your systems, phish your employees, and disrupt your workflows for financial gain. Therefore, you need to know where the vulnerabilities are in your system, so you can beat cybercriminals to the punch.
An effective cyber risk report will have 5 key elements that you need to understand to make an informed decision. In this article, we will show you which areas of the report you need to focus on and how to understand what the outputs mean.
1. Introduction / Executive Summary
Every cyber risk assessment report will begin with an executive summary. This introduction will include the purpose of the report, the scope of the assessment, and the mission statement describing what the assessment aims to achieve.
The purpose of cyber risk assessments is to identify, estimate, and prioritize risk to organizational operations, assets, and individuals resulting from the use of information systems.
The scope of assessment provides the boundaries in which the assessment will be conducted. The scope will name the necessary stakeholders/participants. It will also state the preferred techniques for finding vulnerabilities. These techniques may include: risk assessment questionnaires, assessment and vulnerability scanning tools, review of documentation and policies, and site visits.
The mission statement is a concise description of the assessment's goal and how it will provide insight to resolve your organization's risk pain points. In short, a mission statement is a short declaration of what a successful outcome of the risk assessment process looks like.
The executive summary essentially provides you with the vision and intended outcomes of the report. It should be a quick read and set the scene for the sections to follow.
2. Risk Assessment Approach
The most important aspect of an effective report is a common understanding of risk. If you want to get an accurate picture of the risk within your environment, you need a clear definition of what risk is. Therefore, to read a report effectively, you need to understand the assessment approach and the risk classification methodology.
At RSI Security we use the combination of threat impact and the likelihood of that event happening to determine the risk level. These two elements combined provide a threat matrix in which you can easily plot and prioritize vulnerabilities.
On a scale of 0 to 10, one can easily plot the highest priority risks. A score of 1 or below is a low risk, above 1 and up to 5 is a medium risk, and above 5 up to 10 is classified as a high risk (the same thresholds the matrix below applies). As shown below, using a simple matrix of threat likelihood and business impact, you can classify threats effectively.
| Threat Likelihood \ Business Impact | Low (1) | Medium (5) | High (10) |
|---|---|---|---|
| High (1) | Low risk (1 * 1 = 1) | Medium risk (5 * 1 = 5) | High risk (10 * 1 = 10) |
| Medium (0.5) | Low risk (1 * 0.5 = 0.5) | Medium risk (5 * 0.5 = 2.5) | Medium risk (10 * 0.5 = 5) |
| Low (0.1) | Low risk (1 * 0.1 = 0.1) | Low risk (5 * 0.1 = 0.5) | Low risk (10 * 0.1 = 1) |
Make sure the report has a clearly defined risk classification methodology and that it aligns with your organization’s risk appetite.
3. Threat Statement
The next section of the report that you need to thoroughly understand is the threat statement, which explains the types of threats applicable to your environment.
The cyber risk assessment report will classify the threats by source and action potential. The threat source indicates how your IT environment could be harmed and by what (natural, human, or environmental). The threat action indicates the method used to carry out the attack (e.g. hacking, system intrusion, phishing…).
Combining your threat source and action gives you the threat vector, which is the path the cybercriminals have taken to gain access to your environment. A threat can infiltrate your environment through one of six main routes (also known as points of entry), namely: network, users, email, web applications, remote access portals, and mobile devices.
An effective cyber risk report will stipulate which threat vectors are most applicable to your environment.
Environmental and natural threat sources cover the "acts of nature" vulnerabilities within your organization. They are not necessarily IT threats, but they can affect facilities, systems, personnel, and operations.
For instance, a force of nature such as an earthquake, rain, wind, or ice could threaten your IT landscape, as could a hazard such as fire, structural instability, or a chemical or nuclear spill. These vectors are usually region-specific.
With human sources, there are two key types: an insider threat or an external hacker.
Insider threats can come in many forms. An insider may accidentally fall prey to a system compromise, electronic eavesdropping, or a social engineering scam. The insider threat might also be intentional, abusing the system for personal or financial gain. Examples include sharing sensitive information with competitors, invading the privacy of other employees, exploring unauthorized systems, and using computing resources to disrupt operations.
An external attack is any action taken by an outside party aiming to harm the organization, its personnel, systems, or data. These attacks are usually conducted in a structured way and ultimately for the personal or financial gain of the attacker. Examples of external threats include system compromise, data harvesting, company defacement, password guessing, denial of service, and phishing. Once attackers gain access to your environment, they often use malicious code to take automated actions against your organization. Viruses, worms, and artificial intelligence control systems can create havoc in your environment if undetected.
The cyber risk report should provide you with a clear description of your threat vectors and landscape. The outcome is knowing which areas of your organization are most vulnerable and need prioritized remediation.
4. Vulnerabilities
The next section of the report should give a clear view of the vulnerabilities in your organization's security controls. Once the threat vectors are understood, the risk assessment can begin plotting the vulnerabilities that you might experience in your environment.
The table below is an example of report output. Each asset within your organization will have several vulnerabilities associated with it. For each vulnerability, you will see the likelihood of a security breach occurring and the impact it could have. Based on the risk assessment approach, the report will provide a risk priority for each vulnerability, effectively guiding you on which areas within your organization require the most attention.
| Asset | Vulnerability Description | Likelihood | Impact | Risk Priority |
|---|---|---|---|---|
| Network | Review of network security layers and their effectiveness in identifying suspicious traffic on both internal and external networks. | 1 | 10 | High-risk priority |
| Users | Security awareness level of employees within the organization against phishing and social media attacks. | 1 | 5 | Medium-risk priority |
| Email | Email security effectiveness at detecting and quarantining suspicious-looking emails, and DMARC protection of brand reputation. | 0.5 | 5 | Medium-risk priority |
| Web Applications | Third-party security protocols for company information on outsourced SaaS platforms. | 0.1 | 1 | Low-risk priority |
| Access Portals | Two-way authentication protocols and ease of outsider access to internal networks and platforms. | 1 | 5 | Medium-risk priority |
| Mobile Devices | Organization's security policy for BYOD (Bring Your Own Device) and protection level of company information on personal devices. | 0.5 | 1 | Low-risk priority |
The table above indicates which of your organizational assets are most at risk, in this example the network. By reviewing all the vulnerabilities within your organization against likelihood and impact, you can allocate the appropriate risk priority to each one.
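As an added worked example (not part of the original article and not RSI Security's own tooling), the following Python script implements the likelihood * impact matrix from the Risk Assessment Approach section and applies it to the vulnerability table above, returning a remediation order and flagging any row whose stated priority disagrees with the method. The scale values and the 1 / 5 / 10 thresholds are taken from the article; the row data is transcribed from the table.

```python
# Added example, not part of the original article: score and classify
# vulnerabilities with the likelihood x impact method described above, and
# check a report's stated priorities against that same method.

# Scale values as given in the article's matrix.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"Low": 1, "Medium": 5, "High": 10}

def risk_score(likelihood, impact):
    """Risk = likelihood (0.1-1) x business impact (1-10); range 0.1-10."""
    if not (0 < likelihood <= 1 and 0 < impact <= 10):
        raise ValueError("likelihood must be in (0, 1], impact in (0, 10]")
    return round(likelihood * impact, 2)

def classify(score):
    """Bucket a score as the matrix does: 1 -> Low, 5 -> Medium, 10 -> High."""
    return "Low" if score <= 1 else "Medium" if score <= 5 else "High"

def risk_matrix():
    """Rebuild the 3x3 matrix: (likelihood, impact) labels -> (score, rating)."""
    return {(lk, ik): (risk_score(lv, iv), classify(risk_score(lv, iv)))
            for lk, lv in LIKELIHOOD.items() for ik, iv in IMPACT.items()}

def audit_report(rows):
    """One message per row whose stated priority disagrees with the method."""
    findings = []
    for r in rows:
        expected = classify(risk_score(r["likelihood"], r["impact"]))
        if expected != r["stated"]:
            findings.append(f'{r["asset"]}: report says {r["stated"]}, method '
                            f'gives {expected} ({r["likelihood"]} x {r["impact"]})')
    return findings

def prioritize(rows):
    """Assets ordered by score, highest first: the remediation queue."""
    return [r["asset"] for r in
            sorted(rows, key=lambda r: -risk_score(r["likelihood"], r["impact"]))]

# Rows transcribed from the article's vulnerability table.
REPORT_ROWS = [
    {"asset": "Network", "likelihood": 1.0, "impact": 10, "stated": "High"},
    {"asset": "Users", "likelihood": 1.0, "impact": 5, "stated": "Medium"},
    {"asset": "Email", "likelihood": 0.5, "impact": 5, "stated": "Medium"},
    {"asset": "Web Applications", "likelihood": 0.1, "impact": 1, "stated": "Low"},
    {"asset": "Access Portals", "likelihood": 1.0, "impact": 5, "stated": "Medium"},
    {"asset": "Mobile Devices", "likelihood": 0.5, "impact": 1, "stated": "Low"},
]

if __name__ == "__main__":
    print("remediation order:", prioritize(REPORT_ROWS), "inconsistencies:", audit_report(REPORT_ROWS) or "none")
```

Running the audit over a real report is a quick way to catch a rating that was hand-edited after the scoring was done, which is the first thing to check before the priorities drive budget decisions.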
5. Risk Assessment Results
The final section of a cyber risk report is the assessment results. This section details the findings of the investigation and the required actions needed to close the gaps. This will likely be the most interesting piece, as it provides clear guidelines and action steps to improve your organization’s security posture.
The results will usually be broken down into a table that details what tests were done, the impact of the threat, and the recommended remediation. For instance, below is an example of a result table:
| Description of observation | Threat source | Existing controls | Likelihood | Impact | Risk rating | Recommended remediation |
|---|---|---|---|---|---|---|
| User passwords are weak and can easily be guessed or cracked | Hackers / keyloggers / brute force | Company-wide password policy with a minimum of 5 characters | 1 | 5 | Medium | Increase the minimum length to 10 characters and require a combination of special characters and numbers |
| Several suspicious emails containing phishing links and soliciting action were found in the email environment | Hackers / phishing / social engineering | Firewall and basic spam filtering | 1 | 10 | High | Upgrade current email security to include DMARC brand protection and the SPF / DKIM secure messaging protocols |
| A large number of port scans were seen accessing several devices at once, a sign of impersonation or a compromised account | Hackers / compromised account | SIEM coupled with network monitoring and vulnerability scanning | 0.1 | 10 | Low | Improve the SIEM process for prioritizing suspicious network traffic and leverage a known threat database to determine malicious behavior quickly |
The assessment results are ultimately what you want to see, as they guide your decision-making about the areas of your organization that need improvement. This table can also reinforce your business case for added investment and resources to improve your security posture.
The right cyber risk assessment report will give you a comprehensive view of the prioritized risks within your organization and the remediation required to close any glaring gaps. The report should be accessible to all teams involved in the security process.
At RSI Security, we focus on scanning your entire network and web environment. Our report highlights any vulnerabilities within your servers that host your website, hardware, and sensitive data or your web technology. Reach out to us if you want a detailed cyber risk assessment done on your environment.