Risk Analysis

Cyber Risk Analysis: everything you need to know

What definition for cyber risk? Which digital risk analysis methodology should you choose to efficiently protect your IT?

C-Risk
Published on 24 January 2022 (Updated on 15 February 2022)

“Digital risk has become truly unavoidable, but there is still some way to go before we master it!”. These are the words of Brigitte Bouquot, former chairperson of AMRAE (Association for the management of risks and business insurance), in the ANSSI (French National Agency for the Security of Information Systems) guide on controlling digital risk; reminding us, if need be, that cybersecurity is one of the main challenges for companies in 2021. This guide also focuses on risk analysis and its specificities. What is the difference between risk analysis and danger assessment? Why do you absolutely need to analyse digital risk? How should you do it? Which method should you opt for?

What is cyber risk?

The concept of risk is something everyone mentions every day, and it is sometimes even confused with the concepts of danger or threat. However, those concepts differ in several ways. While common usage can be expected to allow variations and tolerate interpretations, it is surprising to observe that the norms and standards which attempt to explain how to manage risks give different definitions:

  • ISO 31000/27005 - “Effect of uncertainty on objectives.”
  • NIST: “The probability that a particular security threat will exploit a system vulnerability.”
  • ISACA: “A part of overall business risk associated with the use, ownership, operation, involvement, influence and adoption of information and technology (I&T) within an enterprise.”
  • EBIOS: definition of risk: “Possibility of a feared event occurring and that its effects affect the missions of the studied object. In the cyber context [...], a risk is described in the form of a risk scenario.”
  • Collins dictionary: “the chance of injury, damage or loss”.

One can easily see the problem of having so many different definitions: how can you analyse something that has not been clearly defined?

What are the differences between risk and danger?

“Danger” refers to the inherent capacity of a piece of equipment or an action to cause damage. In cybersecurity, a virus, for instance, constitutes a danger, a threat "by nature" to a company's information systems.

For its part, risk embodies the result of the company's exposure to danger. Risk is always defined by factoring in the probability of occurrence and the level of severity of the potential consequences on a valuable asset. No damage, no risk: without something of value to bear the negative impact of a harmful event, there is no damage, so there is no risk. For instance, clicking on an unidentified link in an email exposes the company to the danger of phishing emails. Clicking on this link and having, as a consequence, malware spread over the office network and prevent employees from working, that is a risk.

Digital risk, a specific notion

There are many definitions of risk.

The ISO/IEC Guide 73 considers, for example, that risk is defined as a “combination of the probability of an event and its consequences”. These consequences can therefore be positive as well as negative and refer to both damage and benefit.

A positive conception of risk is nevertheless not very useful when it comes to digital risk analysis. The latter effectively has a role of prevention and protection in regard to IT dangers. Digital risk analysis does not anticipate “beneficial” cyber risks since there is no digital danger with potential desirable effects.

At C-Risk, we follow the definition of risk as stated by the taxonomy of the FAIR ™ standard - Factor Analysis of Information Risk: “the probable frequency and magnitude of future loss.” Although initially developed in the context of information risk, this definition also obviously applies to operational risks. In cybersecurity, those risks involve information in a digital format or elements of an information system.

Some methods of analysis make a distinction between intentional risks and accidental risks on the grounds that intentional risks can be dealt with, upstream, by abiding by compliance procedures. We see this distinction as very theoretical, and the company managers we work with simply do not make it. Fortunately, the FAIR taxonomy and its risk definition make it irrelevant: we can then deal with probable future losses whether they are accidental or malicious.

Indeed, cyber risks can be explained by a failure in IT management, by human errors or by hacking attempts. As recalled in our article on cyber attacks, those are defined as malicious computer attacks which can be split into 4 categories: cybercrime, image damage, espionage and sabotage.

Cyber risk analysis: all companies are concerned

Heads of small and medium-sized businesses sometimes consider that digital risk primarily concerns big companies with large-scale digital operations.

This belief is partly due to the fact that the media often report cases of large-scale cyberattacks, such as those carried out against Yahoo, Renault, Sony or public hospitals. It is also true that cyber attacks in 2021 affected 61% of companies with more than 1,000 employees, against 51% in 2020 (Hiscox Cyber Readiness Report 2021).

As a matter of fact, hackers increasingly target small and medium-sized businesses too, because they know such companies are less prepared. SMEs and VSEs are also more exposed to the risk of bankruptcy associated with cyber attacks. In 2021, one in six businesses had their survival threatened by a cyber attack.

Cyber risk factors

The risk associated with cyber security often lies hidden in daily habits that we do not think of as dangerous:

  • use of computers for financial transfers or company bank account operations, especially from laptops used on a public network;
  • remote use of a computer system, e.g., for remote work;
  • weak security policy regarding passwords;
  • living in a building without access security;
  • application of a BYOD (Bring Your Own Device) approach;
  • poorly updated IT security policy.

Cyber risks are no longer just a matter of securing information systems. The digitisation of work processes now requires the risk management of IT activities to span the whole organisation and cut across its functions. Companies now need to foster a holistic culture of IT risk, as it affects all activities of the organisation.

Analysing risks and determining the structure's risk appetite therefore now involves many stakeholders:

  • general management and board of directors;
  • BU managers;
  • stakeholders in the value chain.

This is why one may say that digital risk takes strategic, legal and economic dimensions at the same time.

Risk analysis: what does it mean?

Risk analysis is part of a risk management process. Risk management can indeed be broken down into several steps, with risk analysis being one of the first. Its goals are to identify, describe and estimate risks. According to ISO, it is the foundation for risk evaluation (categorisation) and decision-making within a risk treatment approach.

[Figures: risk management according to ISO 27005; risk analysis based on the NIST framework]

As seen above, according to both ISO 27005 and NIST, risk analysis also includes the following activities:

  • enforcing the policy framework that applies to the digital activities of the company. The medical, nuclear, finance or transportation sectors must abide by specific obligations in this area;
  • identifying the company’s divisions, support functions, missions and offers which generate value chains;
  • liaising with the IT divisions responsible for this value creation;
  • mapping the ecosystem of the “extended enterprise”, i.e. the company and its overall production chain;
  • checking to what extent existing measures can prevent those scenarios from happening.

Why is it important to analyse risks?

Digital risk analysis is essential to understand risks, measure security and determine the mitigating actions to be taken to further secure your organisation. It is part of a decision support process in many use cases such as:

  • More efficiently sizing and allocating your information security budget.
  • Choosing the risk reduction solution with the best return on investment.
  • Communicating the financial aspect of a risk to general management and the board of directors.
  • Understanding the business implications behind the cyber risk exposure caused by third parties.
  • Negotiating the optimal cyber insurance policy.
  • Facilitating regulatory compliance of organisations.

However, risk analysis also involves a number of pitfalls you need to pinpoint in order to avoid them as much as you can.

1/ Time-consuming

Because it is necessarily transversal to the entire company and includes all stakeholders, digital risk analysis can prove to be time-consuming. It is therefore paramount that the objectives and rationale of the analysis are well understood and defined. This is why all the stakeholders need to keep in mind the one decision or all of the decisions that they are trying to explain.

2/ Potentially biased

As shown before, risk analysis methods are numerous. They have one thing in common though: they do not give recommendations on how you should measure risks. Practitioners mostly use nominal and ordinal risk scales. The working group will estimate, for example, the probability of the threat as “strong” or “weak”. It will also assign it a severity index of “1 out of 3” or “3 out of 3”, without basing this assessment on objective or mathematical criteria. Numerous scientific studies have shown that those approaches, on which most risk matrices are nevertheless based, "obscure rather than enlighten the communication" on the risks.

The quantitative risk analysis method FAIR™ (Factor Analysis of Information Risk) tries to circumvent the cognitive biases working groups tend to be affected by. At C-Risk, we do our best to compare quantitative values in order to offer a probabilistic and objective risk analysis.

How to analyse cybersecurity risks?

There are many risk analysis methods. Each company uses the approach that best fits its habits, strategic objectives and cybersecurity needs.

The critical necessity of managing risks related to third-parties

The management of risks associated with third parties has historically only been about supplies. With the digitisation of procedures, ensuring cybersecurity requires collaboration with all partners, upstream but also downstream. In July 2021, for example, the Swedish supermarket chain Coop found itself unable to serve its customers. The issue was that the subcontractor who managed the cash desks had been hacked.

The management of risks related to third parties has become critical to the "extended digital enterprise", whose IT partners with upstream supply and downstream distribution activities have become essential to most value chains. Managing those third-party risks means identifying the software platforms and networks, and the processing and exchange of data, that exist between your company and its partners: suppliers, subcontractors, service providers, intermediaries and grantees.

Third-party risk analysis is usually conducted in 4 steps:

1 / Identifying third parties and categorising them according to the nature of the potential risks;

2 / Determining the digital risk evaluation criteria;

3 / Defining who should conduct third party controls and how often;

4 / Evaluating the IT practices of third parties with regard to international and local regulation.

The customary FMEA methodology

In our article on FMEA, or Failure Mode and Effect Analysis, we present the advantages and disadvantages of such a methodology. This procedure, which was developed in the U.S.A., is used to obtain a forward-looking analysis of risks.

It revolves around the identification of “failure modes” which can affect the functioning of your business. Those failures are due to risks to which “criticality indices” should be attributed. This risk analysis as a whole then gives rise to the development of preventive and corrective measures.

Like HAZOP, FMEA has two specificities you should take into account:

  • It is intended to be exhaustive and it will, as a consequence, take your working group a significant amount of time. It is not actually about pinning down potential critical situations, but rather about listing all the possible failure modes.
  • The selected criticality indices are only influenced by the subjectivity of the members of the working group. It is not a quantitative method of forecasting risk.

The taxonomy and the method of the FAIR standard, for a quantitative risk analysis

To avoid the cognitive biases inherent to most norms and standards which do not prescribe a method for measuring risks, C-Risk follows the FAIR standard for risk analysis. It is a method of quantitative analysis as well as a taxonomy of the variables which make up a risk.

  • The FAIR taxonomy breaks down the question "How much risk does this scenario amount to?"
  • A scenario = an asset + a threat + an impact
  • The FAIR paradigm defines the variables, their interconnections and their type (value, percentage, amount). Then you are able to calculate the amount of risk for each scenario over a given period.

Then you can estimate the potential loss your company would suffer in the future should a data or IT incident occur. Having an idea of that quantified loss will help you to make decisions regarding risk treatment.

This risk analysis method is pragmatic by design: you can indeed delve more or less deeply into the taxonomy in order to quantify and prioritise the risks of your company. It turns out to be less time-consuming than other methods because it seeks to identify the most probable risks rather than establishing an exhaustive inventory of anything that might happen. Finally, it is a more defensible methodology, as you resort to range estimates and probabilistic calculations, so you can account for the uncertainty of future events.
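To make the FAIR mechanics concrete, here is an added example (not C-Risk's code and not the FAIR Institute's tooling) that decomposes a scenario into the top-level FAIR variables, takes each one as a (min, most likely, max) range estimate, and runs a Monte Carlo simulation to obtain the probable frequency and magnitude of future loss as an annual loss distribution. It also scores the same scenarios on a hypothetical 3x3 matrix, which illustrates the point made under "Potentially biased": two scenarios whose quantified annual loss differs by a factor of two can land in the same ordinal cell. All scenario figures, thresholds and the `Range`, `Scenario`, `simulate` and `ordinal_cell` names are constructed for illustration.

```python
"""FAIR-style quantitative risk estimate via Monte Carlo simulation.

Added example (not C-Risk's or the FAIR Institute's code). The scenario
figures below are constructed for illustration, not real data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate expressed as a (min, most likely, max) range."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # A point estimate is a zero-width range: it always returns its value.
        if self.low == self.high:
            return self.low
        return rng.triangular(self.low, self.high, self.mode)

    @property
    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    """asset + threat + impact, decomposed into FAIR's top-level variables."""
    name: str
    tef: Range             # Threat Event Frequency: threat events per year
    vulnerability: Range   # probability a threat event becomes a loss event
    loss_magnitude: Range  # loss per loss event, in euros


def _poisson(rate: float, rng: random.Random) -> int:
    """Knuth's algorithm: number of events in a year given an average rate."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def expected_annual_loss(s: Scenario) -> float:
    """Analytic mean (independent inputs): E[TEF] * E[Vuln] * E[LM]."""
    return s.tef.mean * s.vulnerability.mean * s.loss_magnitude.mean


def simulate(s: Scenario, trials: int = 20_000, seed: int = 42) -> dict:
    """Simulate `trials` years and summarise the annual loss distribution."""
    rng = random.Random(seed)  # fixed seed keeps the analysis reproducible
    annual_losses = []
    for _ in range(trials):
        # Loss Event Frequency = TEF x Vulnerability (FAIR decomposition).
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        events = _poisson(lef, rng)
        annual_losses.append(
            sum(s.loss_magnitude.sample(rng) for _ in range(events)))
    annual_losses.sort()

    def quantile(q: float) -> float:
        return annual_losses[min(int(q * trials), trials - 1)]

    return {
        "mean_annual_loss": statistics.fmean(annual_losses),
        "p50": quantile(0.50),
        "p90": quantile(0.90),
        "p95": quantile(0.95),
        # Loss exceedance: probability that a year costs more than 100k.
        "prob_loss_over_100k": sum(1 for x in annual_losses if x > 100_000) / trials,
    }


def ordinal_cell(s: Scenario) -> tuple[int, int]:
    """Hypothetical 3x3 matrix scoring on 'most likely' values, for contrast."""
    likelihood = s.tef.mode * s.vulnerability.mode  # loss events per year
    like_score = 1 if likelihood < 1 else 2 if likelihood < 5 else 3
    impact = s.loss_magnitude.mode
    impact_score = 1 if impact < 50_000 else 2 if impact < 500_000 else 3
    return like_score, impact_score


# Constructed scenarios: a phishing-led workstation outage and a supplier
# (third-party) outage, chosen so a matrix rates them identically.
SCENARIO_A = Scenario("phishing -> office network outage",
                      Range(1, 3, 8), Range(0.2, 0.5, 0.9),
                      Range(10_000, 50_000, 250_000))
SCENARIO_B = Scenario("cash-desk subcontractor compromised",
                      Range(1, 2, 4), Range(0.3, 0.6, 0.9),
                      Range(50_000, 200_000, 800_000))

if __name__ == "__main__":
    for sc in (SCENARIO_A, SCENARIO_B):
        r = simulate(sc)
        print(f"{sc.name}: matrix cell {ordinal_cell(sc)}, "
              f"mean annual loss {r['mean_annual_loss']:,.0f} EUR, "
              f"p90 {r['p90']:,.0f}, P(loss > 100k) = {r['prob_loss_over_100k']:.2f}")
```

Running the block prints both scenarios in the same (2, 2) matrix cell while their mean annual losses differ by roughly a factor of two; the p90/p95 figures are the loss exceedance values you would put in front of management when sizing a budget or an insurance deductible. The triangular distribution is used here because it is in the standard library; FAIR practitioners commonly use a PERT distribution, which weights the "most likely" value more heavily.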

The ISO 27005 approach

This is, without a doubt, the most widely used approach in Europe. It is very closely inspired by the ISO 31000 method of risk management of all kinds and it specifically deals with IT risk analysis.

According to ISO (both 31000 and 27005 by the way), analysis is the second of the three steps of risk assessment.

The first is about identifying risks: determining which scenarios could result in a loss and understanding how, where and why. ISO indicates this inventory must include risks regardless of whether their source is under the control of your organisation.

During the analysis step you will be able to measure the level of risk by estimating the likelihood or probability of occurrence of an event and the extent of its consequences. ISO states that you can perform either quantitative or qualitative risk measurements.

In the third step you will draw conclusions from your risk analysis in order to make decisions about risk treatment.

The National Institute of Standards and Technology methodology

NIST published a risk analysis guide called Guide for Conducting Risk Assessments. This guide is based on the NIST cybersecurity framework, which is largely inspired by nominal and ordinal risk analysis methods such as the usual colour-coded risk maps. As explained before, these methods can suffer from cognitive biases.

Risk analysis in business

A walkthrough in 5 steps for a proper cybersecurity risk analysis

Whatever your favourite risk management method may be, risk analysis should roughly follow the same process.

The first 3 steps of risk analysis

1 / Identifying risks requires you to understand your business environment as a whole. Your first objective should be to define your company’s critical assets and activities. What qualifies these business assets and processes as “critical” is their effect on the strategic objectives of the company, its day-to-day operations, finances, legal compliance or data protection. Within the FAIR framework, you need to prioritise the activities which create the most value.

2 / During the second step you will determine the main risk scenarios: those are the ones where you can describe an event affecting a critical asset and where the consequences are measurable.

Here, the method you will use, be it a qualitative or a quantitative approach, will have a very high impact on the relevance and the objectivity of the estimates of the next step, and ultimately on the relevance and objectivity of the results of the analysis.

3 / The risk estimation will be conducted according to your risk management method. When based on nominal scales, it often suffers from the limitations documented in ISO 27005, section 8.3. You may also want to opt for a mathematical approach involving statistical and probabilistic estimates such as those provided by FAIR.

Cyber risk evaluation: a methodological bias

4 / Finally, risk evaluation is not always included in risk analysis. Here again, practices vary depending on your method. In any case, you will need to select risk comparison criteria. These may be subjective severity criteria, such as investor concern, or quantitative criteria, such as potential financial loss.

To determine the cost of a cyberattack, the financial evaluation takes into account:

  • the company's contractual commitments to affected stakeholders;
  • the applicable regulations and the penalties incurred for non-compliance with this legal framework;
  • how long the information system was shut down before operations could resume;
  • operation loss and production loss;
  • loss due to the deletion or corruption of confidential data or data that is critical to the proper functioning of the company.

Risk evaluation is the step that guides decision-making on risk treatment.

FAQ

Risk analysis is a step of the risk management process. It only provides for the identification, estimation and evaluation of risks, and not their treatment. It is essential to decision making.

There are several methods of risk analysis. Some companies favour the methods recommended by official entities, such as EBIOS for ANSSI. Others prefer to opt for more mathematical methods, with real predictive capacities. The right method for you is the one that allows you to make risk management decisions, keep track of them and justify them internally and externally.

Nowadays, companies of all sizes should do it. It is advised to launch a risk analysis as soon as the team dedicated to this task has been formed, then, it should be at least conducted again on a yearly basis.