“Digital risk has become truly unavoidable, but there is still some way to go before we master it!” These are the words of Brigitte Bouquot – former chairperson of AMRAE (Association for the Management of Risks and Business Insurance) – in the ANSSI (French National Agency for the Security of Information Systems) guide on controlling digital risk, reminding us, if we needed reminding, that cybersecurity is one of the main challenges for companies in 2022.
The guide also focuses on risk analysis and its specificities: What is the difference between risk analysis and danger assessment? Why do you absolutely need to analyse digital risk? How should you do it? Which method should you opt for?
The concept of risk is something that is mentioned every day by everyone, and it is even sometimes confused with the concepts of danger or threat. However, those concepts differ in several ways. Although it is understandable that common usage allows for variations and tolerates differing interpretations, it is surprising to observe that the norms and standards which attempt to explain how to manage risks have diverging definitions:
One can easily see the problem of having so many different definitions: how can you analyse something that has not been clearly defined?
“Danger” refers to the inherent capacity of a piece of equipment or an action to cause damage. In cybersecurity, a virus, for instance, constitutes a danger, a threat "by nature" to a company's information systems.
For its part, risk embodies the result of the company's exposure to danger. Risk is always defined by factoring in the probability of occurrence and the level of severity of the potential consequences on valuable property. No risk without damage. Without something of value to bear the negative impact of a harmful event, there is no damage, so there is no risk. For instance, clicking on an unidentified link in an email exposes the information system to the danger of phishing emails. Clicking on this link and, as a consequence, spreading malware over the office network which prevents employees from working – that is a risk.
There are many definitions of risk.
The ISO/IEC Guide 73 considers, for example, that risk is defined as a “combination of the probability of an event and its consequences”. These consequences can therefore be positive as well as negative, and refer to both damage and benefit.
A positive conception of risk is nevertheless not very useful when it comes to digital risk analysis. Its role is effectively one of prevention and protection against IT dangers. Digital risk analysis does not anticipate “beneficial” cyber risks, since there is no digital danger with potential desirable effects.
At C-Risk, we follow the definition of risk as stated by the taxonomy of the FAIR™ standard (Factor Analysis of Information Risk): “the probable frequency and magnitude of future loss”. Although initially developed in the context of information risk, this definition also obviously applies to operational risks. In cybersecurity, those risks involve information in a digital format or elements of an information system.
Some methods of analysis distinguish between intentional risks and accidental risks on the grounds that intentional risks can be dealt with, upstream, by abiding by compliance procedures. We see this distinction as very theoretical, and some company managers we work with simply do not recognise it. Fortunately, the FAIR™ taxonomy and its definition of risk make it irrelevant, so we can deal with probable future losses, be they accidental or malicious.
Indeed, cyber risks can be explained by failures in IT management, by human errors, or by hacking attempts. As recalled in our article on cyberattacks, these are defined as malicious computer attacks which can be split into 4 categories: cybercrime, image damage, espionage, and sabotage.
Heads of small and medium-sized businesses sometimes consider that digital risk primarily concerns big companies with large-scale digital operations.
This belief is partly due to the fact that the media often report cases of large-scale cyberattacks, such as those carried out against Yahoo, Renault, Sony, or even public hospitals. It is also true that cyberattacks in 2021 affected 61% of companies with more than 1,000 employees, against 51% in 2020 (Hiscox Cyber Readiness Report 2021).
As a matter of fact, hackers increasingly target small and medium-sized businesses, too, because they know these companies are less prepared. SMEs and VSEs are also more exposed to the risk of bankruptcy associated with cyberattacks. In 2021, one in six businesses had their survival threatened by a cyberattack.
The risk associated with cybersecurity sometimes secretly lies in daily habits that we do not envision as dangerous:
Cyber risks are no longer just a matter of securing information systems. The digitalisation of work processes now entails global, cross-department responsibility for IT risk management. Companies now need to foster a holistic culture of IT risk, as it impacts all of an organisation’s activities.
Analysing risks and determining the structure's risk appetite therefore now involves many stakeholders:
This is why one may say that digital risk takes strategic, legal and economic dimensions at the same time.
Risk analysis is part of a risk management process. Risk management can indeed be broken down into several steps, with risk analysis being one of the first. Its goals are to identify, describe, and estimate risks. According to ISO, it is the foundation for risk evaluation (categorisation) and decision-making within a risk treatment approach.
As seen above, according to both ISO 27005 and NIST, risk analysis also includes the following activities:
Digital risk analysis is essential for understanding risks, measuring security, and determining mitigating actions that can be taken to further secure your organisation. It is part of a decision support process in many use cases, such as:
However, risk analysis also involves a number of pitfalls you need to pinpoint in order to avoid them as much as you can.
1/ Time-consuming
Because it is necessarily transversal to the entire company and includes all stakeholders, digital risk analysis can prove to be time-consuming. It is therefore paramount that the objectives and rationale of the analysis are well understood and defined. This is why all stakeholders need to keep in mind the decision, or set of decisions, that the analysis is meant to support.
2/ Potentially biased
As shown before, risk analysis methods are numerous. They have one thing in common, though: they do not give recommendations on how you should measure risks. Practitioners mostly use nominal and ordinal risk scales. The working group will estimate, for example, the probability of the threat as “strong” or “weak”. It will also assign it an index of severity of “1 out of 3”, or “3 out of 3”, without basing this assessment on objective or mathematical criteria. Numerous scientific studies have shown that those approaches on which most of the risk matrices are still based "obscure rather than enlighten the communication" about the risks.
The quantitative risk analysis method FAIR™ (Factor Analysis of Information Risk) tries to circumvent those cognitive biases that tend to affect working groups. At C-Risk, we do our best to compare quantitative values in order to offer a probabilistic and objective risk analysis.
There are many risk analysis methods. Each company uses the approach that best fits its habits, strategic objectives and cybersecurity needs.
The management of risks associated with third parties has historically only been about supplies. With the digitisation of procedures, ensuring cybersecurity requires collaboration with all partners, upstream but also downstream. In July 2021, for example, the Swedish supermarket chain Coop found itself unable to serve its customers. The issue was that the subcontractor who managed the cash desks had been hacked.
The management of risks related to third parties has become critical to the "extended digital enterprise", whose IT partners with upstream supply and downstream distribution activities have become essential to most value chains. Managing those third-party risks means identifying the software platforms, networks, and data processing and exchanges that exist between your company and its partners, suppliers, subcontractors, service providers, intermediaries, and grantees.
Third-party risk analysis is usually conducted in 4 steps:
1 / Identifying third parties and categorising them according to the nature of the potential risks;
2 / Determining the digital risk evaluation criteria;
3 / Defining who should conduct third party controls and how often;
4 / Evaluating the IT practices of third parties with regard to international and local regulation.
In our article on FMEA, or Failure Mode and Effect Analysis, we discuss the advantages and disadvantages of such a methodology. This procedure, which was developed in the USA, is used to produce a forward-looking analysis of risk.
It revolves around the identification of “failure modes” which can affect the functioning of your business. Those failures are due to risks to which “criticality indices” should be attributed. This risk analysis as a whole then gives rise to the development of preventive and corrective measures.
Like HAZOP, FMEA has two specificities you should take into account:
To avoid the cognitive biases inherent to most norms and standards which do not prescribe a method for measuring risks, C-Risk follows the FAIR™ standard for risk analysis. It is a method of quantitative analysis as well as a taxonomy of the variables which make up a risk.
Next, you can estimate the potential loss your company would suffer in the future should a data or IT incident occur. Having an idea of that quantified loss will help you to make decisions regarding risk treatment.
This risk analysis method is pragmatic by design: you can indeed delve more or less deeply into the taxonomy in order to quantify and prioritise your company’s risks. It proves less time-consuming than other methods because it seeks to identify the most probable risks rather than establishing an exhaustive inventory of anything that might happen. Finally, it is a more defensible methodology because you use range estimates and probabilistic calculations, so you can account for the uncertainty of future events.
This is, without a doubt, the most widely used approach in Europe. It is very closely inspired by the ISO 31000 method of risk management of all kinds, and it specifically deals with IT risk analysis.
According to ISO (both 31000 and 27005, by the way), analysis is the second of the three steps of risk assessment.
The first is about identifying risks: determining which scenarios could result in a loss, and understanding how, where, and why. ISO indicates this inventory must include all risks, whether or not their source is under your organisation’s control.
During the analysis stage, you will be able to measure the level of risk by estimating the likelihood or probability of occurrence of an event and the extent of its consequences. ISO states that you can perform either quantitative or qualitative risk measurements.
In the third step, you will draw conclusions from your risk analysis in order to make decisions about risk treatment.
NIST published a risk analysis guide called Guide for Conducting Risk Assessments. This guide is based on the NIST Cybersecurity Framework, which is largely inspired by nominal and ordinal risk analysis methods such as the usual colour risk maps. These methods can, however, suffer from cognitive biases, as explained before.
Whatever your favourite risk management method may be, risk analysis should always follow roughly the same process.
1 / Identifying risks requires you to understand your business environment as a whole. Your first objective should be to define what your company’s critical assets and activities are. What qualifies these business assets and processes as “critical” is that they affect the company’s strategic objectives, or day-to-day operations, its finances, legal compliance, or data protection. Within the FAIR™ framework, you need to prioritise the activities which create the most value.
2 / Throughout the second step, you will determine the main risk scenarios: those are the ones where you can describe an event that may impact a critical asset and where the consequences are measurable.
Here, the method you will use – be it a qualitative or a quantitative approach – will have a very high impact on the relevance and the objectivity of the estimates of the next step, and ultimately on the relevance and objectivity of the results of the analysis.
3 / The risk estimation will be conducted according to your risk management method. When based on nominal scales, it often suffers from the limitations documented in ISO 27005, section 8.3. You may also want to opt for a mathematical approach involving statistical and probabilistic estimates, such as those provided by FAIR™.
4 / Finally, risk evaluation is not always included in risk analysis. Here again, practices vary depending on your method. In any case, you will need to select risk comparison criteria. These may be subjective severity criteria (such as investor concern) or quantitative criteria (such as potential financial loss).
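The FAIR™ approach described above (range estimates for loss event frequency and loss magnitude, combined by probabilistic calculation, then used to prioritise scenarios in steps 3 and 4) can be illustrated with a small Monte Carlo simulation. This is an added example written for this article, not C-Risk's or the FAIR Institute's own tooling; the two scenarios, their (low, most likely, high) ranges and the 250,000 EUR tolerance are constructed, and the triangular distribution is a simplifying assumption standing in for the calibrated distributions a full FAIR analysis would use.

```python
import math
import random
import statistics

# Constructed FAIR-style inputs (not real data). Each factor is an expert estimate
# given as a (low, most_likely, high) range instead of an ordinal "3 out of 3".
SCENARIOS = {
    "ransomware halts order processing": {"lef": (0.1, 0.3, 1.0),          # loss events / year
                                          "lm": (50_000, 200_000, 1_500_000)},  # EUR / event
    "misdirected email leaks client list": {"lef": (1.0, 3.0, 6.0),
                                            "lm": (2_000, 10_000, 60_000)},
}

def poisson(rng, rate):
    """Number of loss events in one simulated year (Knuth's method, fine for small rates)."""
    threshold, count, product = math.exp(-rate), 0, 1.0
    while True:
        count += 1
        product *= rng.random()
        if product <= threshold:
            return count - 1

def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Monte Carlo over the LEF and LM ranges; returns one total loss per simulated year."""
    rng = random.Random(seed)
    lef_low, lef_mode, lef_high = scenario["lef"]
    lm_low, lm_mode, lm_high = scenario["lm"]
    losses = []
    for _ in range(iterations):
        # random.triangular takes (low, high, mode). Draw this year's event frequency,
        # then one magnitude per event that actually occurs (zero events means zero loss).
        events = poisson(rng, rng.triangular(lef_low, lef_high, lef_mode))
        losses.append(sum(rng.triangular(lm_low, lm_high, lm_mode) for _ in range(events)))
    return losses

def summarise(losses, tolerance):
    """Decision-ready figures: expected annual loss, a tail value, and P(loss > tolerance)."""
    ordered = sorted(losses)
    return {"mean": statistics.fmean(losses),
            "p90": ordered[int(0.9 * (len(ordered) - 1))],
            "p_exceeds_tolerance": sum(x > tolerance for x in losses) / len(losses)}

def rank_scenarios(scenarios, tolerance=250_000):
    """Prioritise scenarios by expected annual loss rather than by colour-map cell."""
    results = {name: summarise(simulate_annual_loss(s), tolerance) for name, s in scenarios.items()}
    return sorted(results.items(), key=lambda kv: kv[1]["mean"], reverse=True)

if __name__ == "__main__":
    for name, st in rank_scenarios(SCENARIOS):
        print(f"{name}: mean {st['mean']:,.0f} EUR, p90 {st['p90']:,.0f} EUR, "
              f"P(> 250k EUR) {st['p_exceeds_tolerance']:.1%}")
```

Because the output is a loss distribution rather than a single cell on a matrix, the tail value and the probability of exceeding the tolerance can be compared directly against the cost of a proposed treatment.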
To determine the cost of a cyberattack, the financial evaluation takes into account:
Risk evaluation is the step that guides decision-making on risk treatment.
Risk analysis is a step of the risk management process. It only provides for the identification, estimation and evaluation of risks, and not their treatment. It is essential to decision-making.
There are several methods of risk analysis. Some companies favour the methods recommended by official entities. Others prefer to opt for more mathematical methods, with real predictive capabilities. The right method for you is the one that allows you to make risk management decisions, keep track of them, and justify them internally and externally.
Nowadays, companies of all sizes should conduct one. It is advised to launch a risk analysis as soon as the team dedicated to this task has been formed, and then to repeat it at least once a year.