Cyber Risk Analysis: everything you need to know
“Digital risk has become truly unavoidable, but there is still some way to go before we master it!” These are the words of Brigitte Bouquot – former chairperson of AMRAE (Association for the Management of Risks and Business Insurance) – in the ANSSI (French National Agency for the Security of Information Systems) guide on controlling digital risk, reminding us, if we needed reminding, that cybersecurity is one of the main challenges for companies in 2024.

The guide also focuses on risk analysis and its specificities: What is the difference between risk analysis and danger assessment? Why do you absolutely need to analyze digital risk? How should you do it? Which method should you opt for?
What is cyber risk?
The concept of risk is something everyone mentions every day, and it is sometimes confused with the concepts of danger or threat. However, those concepts differ in several ways. Although common usage understandably allows for variations and tolerates differing interpretations, it is surprising to observe that the norms and standards which attempt to explain how to manage risks themselves give diverging definitions:
- ISO 31000/27005 - “Effect of uncertainty on objectives.”
- NIST: “The probability that a particular security threat will exploit a system vulnerability.”
- ISACA: “A part of overall business risk associated with the use, ownership, operation, involvement, influence and adoption of information and technology (I&T) within an enterprise.”
- EBIOS: “Possibility of a feared event occurring and of its effects affecting the missions of the studied object. In the cyber context [...], a risk is described in the form of a risk scenario.”
- Collins dictionary: “the chance of injury, damage or loss”.
One can easily see the problem of having so many different definitions: how can you analyze something that has not been clearly defined?
What are the differences between risk and danger?
“Danger” refers to the inherent capacity of a piece of equipment or an action to cause damage. In cybersecurity, a virus, for instance, constitutes a danger, a threat "by nature" to a company's information systems.
For its part, risk is the result of the company's exposure to a danger. Risk is always defined by factoring in the probability of occurrence and the severity of the potential consequences for an asset of value. No risk without damage: without something of value to bear the negative impact of a harmful event, there is no damage, so there is no risk. For instance, the ability of employees to click on links in unidentified emails exposes the information system to the danger that phishing represents. An employee clicking on such a link and, as a consequence, spreading malware over the office network so that staff can no longer work – that is a risk.
Digital risk, a specific notion
There are many definitions of risk.
ISO/IEC Guide 73, for example, defines risk as a “combination of the probability of an event and its consequences”. These consequences can therefore be positive as well as negative, and refer to both damage and benefit.
A positive conception of risk is nevertheless not very useful when it comes to digital risk analysis. The latter effectively has a role of prevention and protection in regard to IT dangers. Digital risk analysis does not anticipate “beneficial” cyber risks, since there is no digital danger with potential desirable effects.
At C-Risk, we follow the definition of risk as stated by the taxonomy of the FAIR™ standard (Factor Analysis of Information Risk): “the probable frequency and magnitude of future loss”. Although initially developed in the context of information risk, this definition also obviously applies to operational risks. In cybersecurity, those risks involve information in a digital format or elements of an information system.
Some methods of analysis distinguish between intentional risks and accidental risks on the ground that intentional risks can be dealt with, upstream, by abiding by compliance procedures. We see this distinction as very theoretical and some company managers we work with simply do not recognize it. Fortunately, FAIR™ taxonomy and its definition of risk makes it irrelevant and we can then deal with probable future losses, be they accidental or malicious.
Indeed, cyber risks can be explained by failures in IT management, by human errors, or by hacking attempts. As recalled in our article on cyberattacks, these are defined as malicious computer attacks which can be split into 4 categories: cybercrime, image damage, espionage, and sabotage.
Cyber risk analysis: all companies are concerned
Heads of small and medium-sized businesses sometimes consider that digital risk primarily concerns big companies with large-scale digital operations.
This belief is partly due to the fact that the media often report cases of large-scale cyberattacks, such as those carried out against Yahoo, Renault, Sony, or even public hospitals. It is also true that cyberattacks in 2021 affected 61% of companies with more than 1,000 employees, against 51% in 2020 (Hiscox Cyber Readiness Report 2021).
As a matter of fact, hackers increasingly target small and medium-sized businesses, too, because they know these companies are less prepared. SMEs and VSEs are also more exposed to the risk of bankruptcy associated with cyberattacks. In 2021, one in six businesses had their survival threatened by a cyberattack.
Cyber risk factors
The risk associated with cybersecurity often lies in daily habits that we do not think of as dangerous:
- use of computers for financial transfers or company bank account operations, especially from laptops used on a public network;
- remote use of a computer system, e.g., for remote work;
- weak security policy regarding passwords;
- operating from premises without access control;
- application of a BYOD (Bring Your Own Device) policy;
- a poorly updated IT security policy.
Cyber risks are no longer just a matter of securing information systems. The digitalization of work processes now entails global, cross-department responsibility for IT risk management. Companies now need to foster a holistic culture of IT risk, as it impacts all of an organization’s activities.
Analyzing risks and determining the structure's risk appetite therefore now involves many stakeholders:
- general management and board of directors;
- BU managers;
- stakeholders in the value chain.
This is why one may say that digital risk takes strategic, legal and economic dimensions at the same time.
Risk analysis: what does it mean?
Risk analysis is part of a risk management process. Risk management can indeed be broken down into several steps, with risk analysis being one of the first. Its goals are to identify, describe, and estimate risks. According to ISO, it is the foundation for risk evaluation (categorization) and decision-making within a risk treatment approach.


According to both ISO 27005 and NIST, risk analysis also includes the following activities:
- identifying the policy and regulatory framework that applies to the company’s digital activities. The medical, nuclear, finance, and transportation sectors must abide by specific obligations in this area;
- identifying the company’s divisions, support functions, missions, and offers which generate value chains;
- liaising with the IT divisions that support this value creation;
- mapping the ecosystem of the “extended enterprise”, i.e., the company and its overall production chain, including suppliers and partners;
- checking to what extent existing measures can prevent the identified risk scenarios from happening.
What is the difference between risk analysis and risk management?
Risk analysis is a step of the risk management process. It only provides for the identification, estimation and evaluation of risks, and not their treatment. It is essential to decision making.
How should you choose your risk analysis method?
There are several methods of risk analysis. Some companies favour the qualitative methods recommended by official entities (EBIOS, for instance). Others prefer quantitative methods such as FAIR™, which estimate the frequency and magnitude of losses and therefore have real predictive capabilities. The right method for you is the one that allows you to make risk management decisions, keep track of them, and justify them internally and externally.
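To make the quantitative approach concrete, here is an added example (our illustration, not C-Risk's tooling nor a reference implementation of the FAIR™ standard) that applies the FAIR definition quoted earlier, risk as “the probable frequency and magnitude of future loss”, to a single scenario. It assumes the usual FAIR decomposition (threat event frequency × vulnerability = loss event frequency; one loss magnitude per event), samples each expert-estimated range with a PERT distribution and the yearly event count with a Poisson draw, and uses constructed three-point estimates for a hypothetical “phishing leads to workstation malware” scenario. Running the same scenario before and after a hypothetical control shows the kind of output that lets you justify a decision in money terms rather than in colours.

```python
"""Monte Carlo estimate of annualised loss for one FAIR-style risk scenario.

Added illustration: not C-Risk's tooling and not the FAIR standard's own
implementation. All three-point ranges below are constructed placeholders
for a hypothetical "phishing leads to workstation malware" scenario.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: tuple            # threat events per year: (min, most likely, max)
    vulnerability: tuple  # P(threat event becomes a loss event): (min, mode, max)
    magnitude: tuple      # loss per event, in currency units: (min, mode, max)


def pert(rng, low, mode, high, lam=4.0):
    """Draw from a PERT distribution: a beta distribution rescaled to [low, high].
    This is the usual way a min / most likely / max expert estimate becomes a sample."""
    if high == low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson(rng, mean):
    """Number of loss events in one year for an expected rate `mean` (Knuth's method)."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, years=10_000, seed=1):
    """Simulate `years` independent years; return the total loss of each year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(years):
        # loss event frequency = threat event frequency x vulnerability
        lef = pert(rng, *scenario.tef) * pert(rng, *scenario.vulnerability)
        events = poisson(rng, lef)
        losses.append(sum(pert(rng, *scenario.magnitude) for _ in range(events)))
    return losses


def summarise(losses):
    """Turn simulated annual losses into the figures a risk owner asks for."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "ale": sum(ordered) / n,  # annualised loss expectancy (mean annual loss)
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": ordered[-1],
        "p_no_loss": sum(1 for x in ordered if x == 0) / n,
    }


# Constructed estimates (hypothetical): 2 to 20 phishing waves a year, most likely 6;
# 5% to 40% of waves reach a user who runs the payload; 10k to 400k per incident.
BEFORE = Scenario("phishing -> malware, current controls",
                  (2, 6, 20), (0.05, 0.15, 0.40), (10_000, 50_000, 400_000))
# Same scenario with a hypothetical attachment-sandboxing control lowering vulnerability.
AFTER = Scenario("phishing -> malware, with sandboxing",
                 (2, 6, 20), (0.01, 0.05, 0.15), (10_000, 50_000, 400_000))

if __name__ == "__main__":
    for s in (BEFORE, AFTER):
        r = summarise(simulate(s))
        print(f"{s.name}: ALE {r['ale']:,.0f}  P90 {r['p90']:,.0f}  "
              f"P95 {r['p95']:,.0f}  P(no loss) {r['p_no_loss']:.0%}")
```

The mean (ALE) is what you compare against the yearly cost of a control; the P90/P95 figures are the tail that the board and the insurer care about, and the probability of a loss-free year is a useful sanity check against the estimates you collected. Replace the placeholder ranges with calibrated estimates from your own teams before drawing any conclusion.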
When should you conduct a cyber risk analysis?
Nowadays, companies of all sizes should do it. It is advisable to launch a risk analysis as soon as the team dedicated to this task has been formed, and then to repeat it at least once a year, or whenever the information system or the business changes significantly.
