What is cyber risk?
The concept of risk is something that is mentioned every day by everyone, and it is even sometimes confused with the concepts of danger or threat. However, those concepts differ in several ways. Although it is understandable that common usage allows for variations and tolerates differing interpretations, it is surprising to observe that the norms and standards which attempt to explain how to manage risks have diverging definitions:
- ISO 31000/27005: “Effect of uncertainty on objectives.”
- NIST: “The probability that a particular security threat will exploit a system vulnerability.”
- ISACA: “A part of overall business risk associated with the use, ownership, operation, involvement, influence and adoption of information and technology (I&T) within an enterprise.”
- EBIOS: “Possibility of a feared event occurring and that its effects affect the missions of the studied object. In the cyber context [...], a risk is described in the form of a risk scenario.”
- Collins dictionary: “the chance of injury, damage or loss”.
One can easily see the problem of having so many different definitions: how can you analyse something that has not been clearly defined?
What are the differences between risk and danger?
“Danger” refers to the inherent capacity of a piece of equipment or an action to cause damage. In cybersecurity, a virus, for instance, constitutes a danger, a threat "by nature" to a company's information systems.
For its part, risk embodies the result of the company's exposure to danger. Risk is always defined by factoring in the probability of occurrence and the level of severity of the potential consequences on valuable property. No risk without damage. Without something of value to bear the negative impact of a harmful event, there is no damage, so there is no risk. For instance, clicking on an unidentified link in an email exposes the information system to the danger of phishing emails. Clicking on this link and, as a consequence, spreading malware over the office network which prevents employees from working – that is a risk.
Digital risk, a specific notion
There are many definitions of risk.
The ISO/IEC Guide 73 considers, for example, that risk is defined as a “combination of the probability of an event and its consequences”. These consequences can therefore be positive as well as negative, and refer to both damage and benefit.
A positive conception of risk is nevertheless not very useful when it comes to digital risk analysis. Its role is one of prevention and protection against IT dangers. Digital risk analysis does not anticipate “beneficial” cyber risks, since there is no digital danger with potential desirable effects.
At C-Risk, we follow the definition of risk as stated by the taxonomy of the FAIR™ standard (Factor Analysis of Information Risk): “the probable frequency and magnitude of future loss”. Although initially developed in the context of information risk, this definition also obviously applies to operational risks. In cybersecurity, those risks involve information in a digital format or elements of an information system.
Some methods of analysis distinguish between intentional risks and accidental risks on the ground that intentional risks can be dealt with, upstream, by abiding by compliance procedures. We see this distinction as very theoretical, and some company managers we work with simply do not recognise it. Fortunately, the FAIR™ taxonomy and its definition of risk make it irrelevant: we can then deal with probable future losses, be they accidental or malicious.
Indeed, cyber risks can stem from failures in IT management, from human error, or from hacking attempts. As recalled in our article on cyberattacks, these are defined as malicious computer attacks which can be split into 4 categories: cybercrime, image damage, espionage, and sabotage.
Cyber risk analysis: all companies are concerned
Heads of small and medium-sized businesses sometimes consider that digital risk primarily concerns big companies with large-scale digital operations.
This belief is partly due to the fact that the media often report cases of large-scale cyberattacks, such as those carried out against Yahoo, Renault, Sony, or even public hospitals. It is also true that cyberattacks in 2021 affected 61% of companies with more than 1,000 employees, against 51% in 2020 (Hiscox Cyber Readiness Report 2021).
As a matter of fact, hackers increasingly target small and medium-sized businesses, too, because they know these companies are less prepared. SMEs and VSEs are also more exposed to the risk of bankruptcy associated with cyberattacks. In 2021, one in six businesses had their survival threatened by a cyberattack.
Cyber risk factors
The risk associated with cybersecurity sometimes lies hidden in daily habits that we do not think of as dangerous:
- use of computers for financial transfers or company bank account operations, especially from laptops used on a public network;
- remote use of a computer system, e.g., for remote work;
- weak security policy regarding passwords;
- working in a building without secured access;
- application of a BYOD (Bring Your Own Device) policy;
- a poorly updated IT security policy.
Cyber risks are no longer just a matter of securing information systems. The digitalisation of work processes now entails global, cross-department responsibility for IT risk management. Companies now need to foster a holistic culture of IT risk, as it impacts all of an organisation’s activities.
Analysing risks and determining the organisation's risk appetite therefore now involves many stakeholders:
- general management and board of directors;
- BU managers;
- stakeholders in the value chain.
This is why one may say that digital risk takes strategic, legal and economic dimensions at the same time.
Risk analysis: what does it mean?
Risk analysis is part of a risk management process. Risk management can indeed be broken down into several steps, with risk analysis being one of the first. Its goals are to identify, describe, and estimate risks. According to ISO, it is the foundation for risk evaluation (categorisation) and decision-making within a risk treatment approach.
As seen above, according to both ISO 27005 and NIST, risk analysis also includes the following activities:
- enforcing the policy framework that applies to a company’s digital activities. The medical, nuclear, finance, and transportation sectors must abide by specific obligations in this area;
- identifying the company’s divisions, support functions, missions, and offers which generate value chains;
- liaising with IT divisions responsible for this value creation;
- mapping the ecosystem of the “extended enterprise”, i.e., the company and its overall production chain;
- checking to what extent existing measures can prevent the identified risk scenarios from happening.
Why is it important to analyse risks?
Digital risk analysis is essential for understanding risks, measuring security, and determining mitigating actions that can be taken to further secure your organisation. It is part of a decision support process in many use cases, such as:
- More efficiently sizing and allocating your information security budget.
- Choosing the risk reduction solution with the best return on investment.
- Communicating the financial aspect of a risk to general management and the board of directors.
- Understanding the business implications of cyber risk exposure caused by third parties.
- Negotiating the optimal cyber insurance policy.
- Facilitating regulatory compliance of organisations.
However, risk analysis also involves a number of pitfalls you need to pinpoint in order to avoid them as much as you can.
1/ Time-consuming
Because it is necessarily transversal to the entire company and includes all stakeholders, digital risk analysis can prove to be time-consuming. It is therefore paramount that the objectives and rationale of the analysis are well understood and defined. This is why all stakeholders need to keep in mind the decision, or set of decisions, that the analysis is meant to support.
2/ Potentially biased
As shown before, risk analysis methods are numerous. They have one thing in common, though: they do not give recommendations on how you should measure risks. Practitioners mostly use nominal and ordinal risk scales. The working group will estimate, for example, the probability of the threat as “strong” or “weak”. It will also assign it an index of severity of “1 out of 3”, or “3 out of 3”, without basing this assessment on objective or mathematical criteria. Numerous scientific studies have shown that those approaches on which most of the risk matrices are still based "obscure rather than enlighten the communication" about the risks.
The quantitative risk analysis method FAIR™ (Factor Analysis of Information Risk) tries to circumvent those cognitive biases that tend to affect working groups. At C-Risk, we do our best to compare quantitative values in order to offer a probabilistic and objective risk analysis.
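To make the bias concrete, here is an added example (not from the article, and not C-Risk's own tooling) that scores a few constructed scenarios twice: once on a classic 3 x 3 matrix built from ordinal "weak/medium/strong" likelihood and "low/medium/high" severity bands, and once on a quantitative criterion, expected annual loss (frequency times magnitude). The band thresholds, scenario names and figures are all assumptions chosen for illustration. The example shows two effects of ordinal scales: two scenarios can share one matrix cell while their expected losses differ more than four-fold, and the matrix can rank one scenario above another that the quantitative criterion places first.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed bands for a 3-point ordinal scale, the kind a working group might agree on.
# Frequency is in events per year; impact is the loss per event in currency units.
FREQUENCY_BANDS = [(1.0, 1), (5.0, 2), (float("inf"), 3)]      # "weak" < 1/yr, "medium" < 5/yr, else "strong"
IMPACT_BANDS = [(50_000, 1), (500_000, 2), (float("inf"), 3)]  # "low", "medium", "high" severity

# Constructed scenarios: (name, events per year, loss per event). Illustrative figures only.
SCENARIOS: List[Tuple[str, float, float]] = [
    ("Lost or stolen laptop", 5.2, 45_000),
    ("Subcontractor outage halts sales", 0.8, 480_000),
    ("Ransomware on file servers", 0.2, 450_000),
    ("Credential stuffing on customer portal", 4.0, 400_000),
]


def to_index(value: float, bands: List[Tuple[float, int]]) -> int:
    """Map a number onto a 1..3 index: the first band whose upper bound lies above the value."""
    for upper, index in bands:
        if value < upper:
            return index
    return bands[-1][1]


def ordinal_score(frequency: float, impact: float) -> int:
    """Classic risk-matrix score: likelihood index times severity index."""
    return to_index(frequency, FREQUENCY_BANDS) * to_index(impact, IMPACT_BANDS)


def expected_annual_loss(frequency: float, impact: float) -> float:
    """Quantitative comparison criterion: frequency times magnitude of loss."""
    return frequency * impact


def rank_by_ordinal(scenarios=SCENARIOS) -> List[str]:
    """Scenario names ordered by matrix score, highest first (ties keep input order)."""
    ordered = sorted(scenarios, key=lambda s: ordinal_score(s[1], s[2]), reverse=True)
    return [name for name, _, _ in ordered]


def rank_by_expected_loss(scenarios=SCENARIOS) -> List[str]:
    """Scenario names ordered by expected annual loss, highest first."""
    ordered = sorted(scenarios, key=lambda s: expected_annual_loss(s[1], s[2]), reverse=True)
    return [name for name, _, _ in ordered]


def hidden_spread(scenarios=SCENARIOS) -> Dict[int, float]:
    """For every matrix score shared by several scenarios, the ratio between the largest and
    the smallest expected annual loss hiding behind that single score."""
    groups: Dict[int, List[float]] = defaultdict(list)
    for _, frequency, impact in scenarios:
        groups[ordinal_score(frequency, impact)].append(expected_annual_loss(frequency, impact))
    return {score: max(values) / min(values) for score, values in groups.items() if len(values) > 1}


if __name__ == "__main__":
    print("Matrix ranking:      ", rank_by_ordinal())
    print("Expected-loss ranking:", rank_by_expected_loss())
    print("Spread hidden inside one matrix cell:", hidden_spread())
```

With these figures the matrix gives the laptop scenario a score of 3 and the subcontractor outage a score of 2, whereas the expected annual loss of the outage is larger; the ransomware and subcontractor scenarios land in the same cell despite a ratio of more than four between their expected losses. Changing the band thresholds moves scenarios between cells without any change in the underlying estimates, which is exactly the fragility the studies cited above point to.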
How to analyse cybersecurity risks?
There are many risk analysis methods. Each company uses the approach that best fits its habits, strategic objectives and cybersecurity needs.
The critical necessity of managing risks related to third parties
The management of risks associated with third parties has historically only been about procurement. With the digitisation of procedures, ensuring cybersecurity requires collaboration with all partners, upstream but also downstream. In July 2021, for example, the Swedish supermarket chain Coop found itself unable to serve its customers: the subcontractor who managed its cash desks had been hacked.
The management of risks related to third parties has become critical to the "extended digital enterprise", whose IT partners in upstream supply and downstream distribution have become essential to most value chains. Managing those third-party risks means identifying the software platforms, networks, and data processing and exchanges that exist between your company and its partners, suppliers, subcontractors, service providers, intermediaries, and grantees.
Third-party risk analysis is usually conducted in 4 steps:
1 / Identifying third parties and categorising them according to the nature of the potential risks;
2 / Determining the digital risk evaluation criteria;
3 / Defining who should conduct third party controls and how often;
4 / Evaluating the IT practices of third parties with regard to international and local regulation.
The customary FMEA methodology
In our article on FMEA, or Failure Mode and Effect Analysis, we discuss the advantages and disadvantages of such a methodology. This procedure, which was developed in the USA, is used to produce a forward-looking analysis of risks.
It revolves around the identification of “failure modes” which can affect the functioning of your business. Those failures are due to risks to which “criticality indices” should be attributed. This risk analysis as a whole then gives rise to the development of preventive and corrective measures.
Like HAZOP, FMEA has two specificities you should take into account:
- It is intended to be exhaustive and it will, as a consequence, take your working group a significant amount of time. It is not actually about pinning down potential critical situations, but rather about listing all possible failure modes.
- The selected criticality indices reflect only the subjective judgement of the working group's members. It is not a quantitative method of forecasting risk.
The taxonomy and the method of the FAIR™ standard, for quantitative risk analysis
To avoid the cognitive biases inherent to most norms and standards which do not prescribe a method for measuring risks, C-Risk follows the FAIR™ standard for risk analysis. It is a method of quantitative analysis as well as a taxonomy of the variables which make up a risk.
- The FAIR™ taxonomy breaks down the question "how much risk does this scenario represent?"
- A scenario = an asset + a threat + an impact
- The FAIR™ paradigm defines the variables, their interconnections, and their type (value, percentage, amount). You are then able to calculate the amount of risk for each scenario over a given period.
Next, you can estimate the potential loss your company would suffer in the future should a data or IT incident occur. Having an idea of that quantified loss will help you to make decisions regarding risk treatment.
This risk analysis method is pragmatic by design: you can indeed delve more or less into the taxonomy in order to quantify and prioritise your company’s risks. It proves less time-consuming than other methods because it seeks to identify the most probable risks rather than establishing an exhaustive inventory of anything that might happen. Finally, it is a more tenable methodology as you resort to estimates of data ranges and probabilistic calculations, so you can account for the uncertainty of future events.
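The following is an added example, not code from the article or from C-Risk, of what "calculating the amount of risk for each scenario over a given period" looks like in practice. It applies the FAIR™ definition of risk (probable frequency and magnitude of future loss) to the phishing scenario described earlier in the article: each estimate is a calibrated range (low, high, most likely) rather than a single number, loss event frequency is derived as threat event frequency times the probability that a threat event becomes a loss event, and a Monte Carlo simulation turns the ranges into a distribution of annual loss from which percentiles and a loss-exceedance probability are read. The numeric ranges, the scenario name and the tolerance threshold are constructed assumptions, and the use of triangular distributions and of a Poisson count of loss events per year are modelling choices made here, not prescribed by the standard.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A calibrated estimate: (low, high, most_likely). Drawn from a triangular distribution here.
Range = Tuple[float, float, float]


@dataclass
class Scenario:
    """One risk scenario: an asset, a threat, and an impact, described by FAIR-style variables."""
    name: str
    threat_event_frequency: Range   # threat events per year (TEF)
    vulnerability: Range            # probability that a threat event becomes a loss event
    primary_loss: Range             # direct loss per loss event, in currency units
    secondary_loss: Range           # stakeholder-driven loss per event (fines, churn, claims)


def _draw(rng: random.Random, estimate: Range) -> float:
    low, high, mode = estimate
    return rng.triangular(low, high, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year for a loss event frequency `lam` (Knuth's method)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(scenario: Scenario, iterations: int = 20_000, seed: int = 1) -> List[float]:
    """Monte Carlo: each iteration is one simulated year; returns the loss of every year."""
    rng = random.Random(seed)
    losses: List[float] = []
    for _ in range(iterations):
        tef = _draw(rng, scenario.threat_event_frequency)
        vulnerability = _draw(rng, scenario.vulnerability)
        loss_event_frequency = tef * vulnerability        # FAIR: LEF = TEF x Vulnerability
        year_loss = 0.0
        for _ in range(_poisson(rng, loss_event_frequency)):
            # Loss magnitude of one event = primary loss + secondary loss
            year_loss += _draw(rng, scenario.primary_loss) + _draw(rng, scenario.secondary_loss)
        losses.append(year_loss)
    return losses


def percentile(values: List[float], p: float) -> float:
    ordered = sorted(values)
    return ordered[min(int(p * len(ordered)), len(ordered) - 1)]


def summarise(losses: List[float]) -> Dict[str, float]:
    """Annualised loss exposure: mean, median, 90th percentile and probability of any loss."""
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def probability_of_exceeding(losses: List[float], threshold: float) -> float:
    """Share of simulated years whose loss exceeds a tolerance, i.e. a risk-appetite check."""
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed, illustrative ranges (not calibrated data): the article's phishing scenario.
PHISHING_MALWARE = Scenario(
    name="Phishing email leads to malware spreading over the office network",
    threat_event_frequency=(2, 12, 6),          # phishing campaigns reaching staff, per year
    vulnerability=(0.05, 0.30, 0.15),           # share of campaigns that result in an infection
    primary_loss=(20_000, 200_000, 60_000),     # response, downtime and recovery per event
    secondary_loss=(0, 150_000, 20_000),        # fines, contractual penalties, lost customers
)

if __name__ == "__main__":
    annual = simulate_annual_loss(PHISHING_MALWARE)
    for key, value in summarise(annual).items():
        print(f"{key:>10}: {value:,.2f}")
    print(f"P(annual loss > 500,000): {probability_of_exceeding(annual, 500_000):.1%}")
```

Because every input is a range, the output is a distribution rather than a single figure: the mean supports budget sizing, the 90th percentile and the exceedance probability support the risk-appetite and insurance conversations mentioned earlier, and re-running the simulation with a control applied (for example a lower vulnerability range) gives a before/after comparison of the same scenario in financial terms.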
The ISO 27005 approach
This is, without a doubt, the most widely used approach in Europe. It is very closely inspired by the ISO 31000 method for managing risks of all kinds, and it specifically deals with IT risk analysis.
According to ISO (both 31000 and 27005, by the way), analysis is the second of the three steps of risk assessment.
The first is about identifying risks: determining which scenarios could result in a loss, and understanding how, where, and why. ISO indicates this inventory must include the risks, even if their source is under your organisation’s control.
During the analysis stage, you will be able to measure the level of risk by estimating the likelihood or probability of occurrence of an event and the extent of its consequences. ISO states that you can perform either quantitative or qualitative risk measurements.
In the third step, you will draw conclusions from your risk analysis in order to make decisions about risk treatment.
The National Institute of Standards and Technology methodology
NIST published a risk analysis guide called Guide for Conducting Risk Assessments. This guide is based on the NIST cybersecurity framework, which is largely inspired by nominal and ordinal risk analysis methods such as the usual colour risk maps. These methods can however suffer, as explained before, from cognitive biases.
A walkthrough in 5 steps for a proper cybersecurity risk analysis
Whatever your favourite risk management method may be, risk analysis should always follow roughly the same process.
The first 3 steps of risk analysis
1 / Identifying risks requires you to understand your business environment as a whole. Your first objective should be to define what your company’s critical assets and activities are. What qualifies these business assets and processes as “critical” is that they affect the company’s strategic objectives, or day-to-day operations, its finances, legal compliance, or data protection. Within the FAIR™ framework, you need to prioritise the activities which create the most value.
2 / Throughout the second step, you will determine the main risk scenarios: those are the ones where you can describe an event that may impact a critical asset and where the consequences are measurable.
Here, the method you will use – be it a qualitative or a quantitative approach – will have a very high impact on the relevance and the objectivity of the estimates of the next step, and ultimately on the relevance and objectivity of the results of the analysis.
3 / The risk estimation will be conducted according to your risk management method. When based on nominal scales, it often suffers from the limitations documented in ISO 27005, section 8.3. You may also want to opt for a mathematical approach involving statistical and probabilistic estimates, such as those provided by FAIR™.
Cyber risk evaluation: a methodological bias
4 / Finally, risk evaluation is not always included in risk analysis. Here again, practices vary depending on your method. In any case, you will need to select risk comparison criteria. These may be subjective severity criteria (such as investor concern) or quantitative criteria (such as potential financial loss).
To determine the cost of a cyberattack, the financial evaluation takes into account:
- the company's contractual commitments to affected stakeholders;
- the applicable regulations and the penalties incurred for non-compliance with this legal framework;
- how long the information system was shut down before operations could resume;
- operation loss and production loss;
- loss due to the deletion or corruption of confidential data or data that is critical to the proper functioning of the company.
Risk evaluation is the step that guides decision-making on risk treatment.
FAQ: Risk Analysis
What is the difference between risk analysis and risk management?
Risk analysis is a step of the risk management process. It only provides for the identification, estimation and evaluation of risks, and not their treatment. It is essential to decision making.
How should you choose your risk analysis method?
There are several methods of risk analysis. Some companies favour the methods recommended by official entities. Others prefer to opt for more mathematical methods, with real predictive capabilities. The right method for you is the one that allows you to make risk management decisions, keep track of them, and justify them internally and externally.
When should you perform a cyber risk analysis?
Nowadays, companies of all sizes should do it. It is advised to launch a risk analysis as soon as the team dedicated to this task has been formed, and then to repeat it at least yearly.