How to set up an effective cyber risk management strategy
Cybersecurity represents a major challenge for companies in 2022, and it calls for methodical, efficient management strategies. To that end, companies must develop risk management solutions. Cyber risk is a recurring topic today, yet its definition varies depending on the school of thought you follow, and from these differing conceptions arise different theories of what a good risk management process looks like. What is the definition of risk in cybersecurity? How can you deal with the unpredictable?

How to define cybersecurity-related risks?
The concept of “risk” is used on a daily basis, yet it does not have one obvious definition, especially when it comes to businesses. However, when you try to come up with a definition, a notion of exposure to danger is usually implied. How can one clear the fog and make sense of it all?
Definition of risk, from the company perspective
The ISO 31000 standard gives the following definition of risk: “the effect of uncertainty on objectives”. The ISO / IEC Guide 73 standard further specifies this point, stating that risk is about the “combination of the probability of an event and of its consequences”.
This official and academic definition therefore implies that the consequences of a risk could be either positive or negative; beneficial or harmful to a company. Risk management therefore becomes threat management, but also opportunity management.
However, company functions rarely use the term ‘risk’ to refer to a positive opportunity. This definition of risk seems at odds with certain business principles. How can one claim that a risk related to employee safety can have positive consequences?
What is cyber risk?
As within other areas of a company, there are several definitions of risk in IT:
ISO: the possibility that a given threat exploits the vulnerabilities of an asset or group of assets and thereby causes harm to the organisation. It is measured by combining the probability of an event occurring with its consequences.
NIST SP800-30: Risk is a function of the probability that a given threat source will exercise a particular potential vulnerability and the impact of that adverse event on the organisation.
Cyber risks of this nature can result from cyberattacks, that is to say from attacks carried out for malicious purposes on your information systems. As we laid out in our article on cyberattacks, these attacks can be split into 4 categories: cybercrime, image damage, espionage, and sabotage. However, in a large proportion of incidents, cyber risk originates from human error or technical failure. These two major families of risks affect businesses of all sizes.
At C-Risk, in order to reduce risk, we use the Factor Analysis of Information Risk (FAIR™) standard definition, which describes cyber risk as the probable frequency and probable magnitude of a future financial loss resulting from a cyber incident. A cyber incident is any event that impacts the confidentiality, integrity, or availability of the information system or computer data (Confidentiality, Integrity, and Availability: the CIA triad).
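The FAIR definition above treats risk as a frequency (how often loss events occur) combined with a magnitude (how much each event costs). The following Python script is an added illustration, not C-Risk's tooling or the official FAIR calculator: it draws the number of loss events per year from a Poisson distribution, the cost of each event from a triangular distribution, and aggregates thousands of simulated years into an annualised loss distribution. All parameters (2 events per year, losses between 10,000 and 500,000 with a most-likely value of 50,000) are constructed for the example, as is the "control" that halves event frequency.

```python
import math
import random
import statistics

def sample_poisson(rng, rate):
    """Draw one Poisson-distributed count (Knuth's multiplication method).

    rate is the expected number of loss events per year.
    """
    threshold = math.exp(-rate)
    k = 0
    p = 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1

def simulate_annual_losses(event_frequency, loss_low, loss_mode, loss_high,
                           years=10_000, seed=42):
    """Monte Carlo simulation of total loss per year.

    event_frequency: mean loss events per year (FAIR 'loss event frequency').
    loss_low/mode/high: triangular estimate of the cost of one event
                        (FAIR 'loss magnitude').
    Returns a list with one simulated total loss per year; a fixed seed keeps
    the run reproducible.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n_events = sample_poisson(rng, event_frequency)
        # random.triangular takes (low, high, mode), not (low, mode, high).
        total = sum((rng.triangular(loss_low, loss_high, loss_mode)
                     for _ in range(n_events)), 0.0)
        losses.append(total)
    return losses

def summarize_losses(losses):
    """Return the statistics a risk owner usually asks for."""
    ordered = sorted(losses)

    def percentile(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {
        "mean": statistics.fmean(losses),   # annualised loss expectancy
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
        "max": ordered[-1],
    }

def compare_scenarios(baseline, with_control):
    """Compare two annual-loss lists, e.g. before and after a control."""
    before = summarize_losses(baseline)
    after = summarize_losses(with_control)
    reduction = before["mean"] - after["mean"]
    return {"before": before, "after": after,
            "mean_reduction": reduction,
            "reduction_ratio": reduction / before["mean"] if before["mean"] else 0.0}

if __name__ == "__main__":
    # Constructed scenario: two loss events a year, 10k-500k each.
    baseline = simulate_annual_losses(2.0, 10_000, 50_000, 500_000)
    # Constructed control: assume it halves how often events occur.
    controlled = simulate_annual_losses(1.0, 10_000, 50_000, 500_000)
    result = compare_scenarios(baseline, controlled)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:>6}: mean={s['mean']:,.0f} p90={s['p90']:,.0f} "
              f"p95={s['p95']:,.0f} max={s['max']:,.0f}")
    print(f"expected annual loss reduced by {result['reduction_ratio']:.0%}")
```

The mean of the distribution is the annualised loss expectancy; the p90 and p95 values show the tail that a budget for a bad year should cover. Running the two scenarios through compare_scenarios turns "this control reduces risk" into a figure in currency, which is the point of a frequency-and-magnitude definition.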
What is a risk management procedure?
Risk management, when applied to businesses, refers to a procedure aimed at identifying, preventing, and dealing with risks likely to come up in the course of a company’s day-to-day operations.
What is the difference between risk management and risk analysis?
Risk management is a broader process than risk analysis, which is only one stage of the former.
How to set up an effective cyber risk management strategy
Because theories differ, the stages of risk management vary, but we generally find: risk identification, risk analysis, risk evaluation, the development of a preventive action plan, and a final phase dedicated to monitoring progress.
