Cyber risk management means looking into the different definitions of risk as well as the resulting management methods.
The 2021 International Cybersecurity Forum (FIC) was held in Lille, France in September. It was an opportunity for the attending experts from the French information systems national security agency to warn the public that the “threat is growing exponentially”.
Cybersecurity represents a colossal challenge for companies in 2021, it requires methodical and efficient management strategies. To that end, you need to develop your risk management solutions. Even though today cyber risk is a recurring topic, its definition can often vary depending on the school of thought you follow. From these conceptions arise different theories of what good risk management processes should be. What is the definition of risk in cybersecurity? How can you deal with what cannot be predicted?
The concept of “risk” is used on a daily basis. Yet it does not come with an obvious definition, especially when you are talking about companies. However, when you try to come up with a definition, a notion of exposure to danger is usually implied. How can one make sense of this mishmash?
The ISO 31000 standard gives the following definition of risk: “the effect of uncertainty on the objectives”. The ISO / IEC Guide 73 standard further specifies this point, stating that risk is about the “combination of the probability of an event and of its consequences”.
This official and academic definition therefore implies the consequences of a risk might be either positive or negative, beneficial or harmful to the company. Risk management would then become threat management, but also opportunity management.
However, company functions rarely use the term risk to refer to a happy opportunity. This definition of risk proves to be difficult to reconcile with certain areas. How can one claim that a risk related to employee safety can have positive consequences?
As in the other functions of a company, there are several definitions of risk in the IT area:
ISO - the possibility that a given threat exploits the vulnerabilities of an asset or group of assets and thereby causes harm to the organisation. It is measured by combining the probability of an event occurring with its consequences.
NIST SP800-30 - Risk is a function of the probability that a given threat source will exert a particular potential vulnerability and the impact of that adverse event on the organisation.
Those cyber risks can result from cyber attacks, that is to say from attacks carried out for malicious purposes on your information systems. As reminded in our article on cyber attacks, those split into 4 categories: cybercrime, image damage, espionage and sabotage. But in a large proportion of incidents, cyber risk is related to human error or technical failures. These two major families of risks affect all sizes of business.
At C-Risk, in order to be able to reduce risks, we use the definition of the Factor Analysis of Information Risk - FAIR ™ standard which describes cyber risk as the probable frequency and extent of a future financial loss resulting from a cyber incident. A cyber disaster is any event affecting the confidentiality, integrity or even the availability of the information system or computer data (Confidentiality, Integrity and Availability: the CIA triad).
Risk management essentially depends on how you define risk. If a risk can have positive consequences, as suggested by ISO 31000, then risk management may also become about managing “good surprises”.
Yet, this definition does not translate really well to cybersecurity. In this area, risk management is firstly about identifying risks and understanding cyber threats, and then about mitigating risks to maintain them to a level deemed acceptable by your company.
According to ISO 27005 and 31000, risk management is the process by which a company deals with potential risks in a “methodical” way. The whole process covers both the identification of significant risks and the implementation of adapted responses – adapted treatments in particular. Yet, contrary to common belief, dealing with risk does not amount to seeking to reduce or eliminate all types of risk.
This is why the new version of ISO 31000 says that risk management must allow “realisation and protection of value”. This definition aligns with the vision of quantitative management of cyber risks that we develop at C-Risk. This vision consists of identifying and then dealing with cyber risks based on the potential financial losses they represent. Quantitative risk analysis allows for good risk management.
As shown with the above definitions, risk management is primarily a matter of applying a specific method. It is indeed a “continuous improvement process”, to quote the reference framework for risk management published by the Federation of European Risk Management Associations (FERMA).
Risk management regroups several objectives, including:
Risk management is a method that can be broken down into 6 main stages:
1/ risk assessment, which covers both risk analysis and risk evaluation;
2/ report on risk assessment;
3/ decision-making;
4/ implementation of risk management solutions;
5/ internal and external communication on identified risks;
6/ long term monitoring of the risk management strategies.
Risk assessment refers to the process that includes the analysis and evaluation of risk, according to ISO / IEC 73. Its first step, analysis, itself covers four sub-steps: identification, description, estimation and evaluation of risks.
1.1 Identifying the risk
Risk identification is to determine the threats to your company by methodically scanning its environment and its strategic and operational objectives. This scan should enable you to isolate the significant activities of your structure. It is also used to pinpoint instabilities that may represent a risk.
These “significant activities” may refer to:
1.2 Describing the risk
During this stage, you will need to structure the presentation of risks in order to communicate them better internally. To do this, you may want to create a table of identified risks, specifying:
1.3 Estimating the risk
Finally, estimating the risk is a delicate step for which the methods diverge. You can estimate the risk qualitatively, i.e. by naming the threat according to a classification designed for this analysis: “strong”, “medium”, “weak”, for example. The risk probability can also be assessed by name: “high”, “average”, “low”.
This very common method is used by the National Institute of Standards and Technology (NIST) in its Guide for Conducting Risk Assessments as well as in ISO 27005. The results from the risk analysis are then compiled into a matrix – every company or even every analysis has its own matrix– and ranked following a colour code: red for the risks deemed to be the most severe, orange for the average ones and green for the lesser ones. The limits of this type of approach which does not stipulate how to estimate the risks, are unfortunately numerous and well documented. Section 8.3 ISO 27005 thus warns that the qualitative approach suffers from the subjectivity of the scales. Many studies, such as the one conducted by Andrew and Michael J. Mauboussin, demonstrate the limits of nominal and ordinal scales.
At C-Risk, however, we favour more pragmatic and prescriptive quantitative risk estimation methods, which do not allow for any subjective interpretation. This is why we use the FAIR method, “Factor Analysis of Information Risk”.
This method breaks down risk factors into quantifiable variables which make it possible to quantitatively estimate the acceptable and unacceptable financial losses for your company. This risk model is the only quantitative method to measure IT risks. It is the 2005 OpenFAIR standard of the Open Group consortium.
For more information on risk analysis in cybersecurity, we invite you to read our dedicated article.
1.4 Evaluating the risk
Once risk analysis is done, you need to compare the risks resulting from the estimate, according to chosen criteria. In the case of the FAIR method, this comparison is based on quantitative criteria related to costs. Some companies may prefer other criteria such as regulatory compliance or stakeholders concern.
Risk evaluation should help you to determine the importance of all the risks as well as the tolerance that the company can have towards them. It then leads to a decision-making stage. It is also the ability to tolerate or not a risk that determines which ones to treat as a priority.
This is a specific step in risk management, relying on action. It is no longer a question of measuring, but of taking measures to mitigate or eliminate threats. These measures can actually fall into 4 categories, referred to as the 4 Ts:
During this phase of implementation of preventive measures, you need to aim at the proper functioning of your structure, but also at compliance with the appropriate regulations. When dealing with cyber risks, it is necessary to take an interest in regulations on the protection of privacy and personal data such as the GDPR for example, but also foreign regulations concerning subsidiaries, particularly in the United States and China.
The choice of one risk treatment measure over another depends on several factors:
Your company should at the same time develop both internal and external communication on its risk management processes.
Internal risk communication has several goals:
Risk communication is also an obligation towards stakeholders. It is about demonstrating your company’s performance in terms of prevention, which necessarily implies choosing the right method. Shareholders and investors need to know that their interests are safe and that your business will continue to generate value.
Risk monitoring ensures the relevance of the risk management approach you chose in terms of:
The treatment and prevention of cyber risks obviously take different forms depending on the structure concerned. A good quantitative analysis should let you identify the factors that contribute to the frequency or significance of the impact in order to determine which control mechanisms are the most effective. This is why, ahead of a disaster, you need to focus your action on what is called preventative controls (avoidance, deterrence and resistance) in order to reduce the probability of a disaster occurring. Downstream, to limit the post-disaster consequences, the response controls (detection, response and recovery) need to be implemented.
In this stage, you then need to draw up a business continuity plan in the event of a cyber attack, but also a disaster recovery plan:
Finally, note that the pervasiveness of cyber risks in recent years may entice companies to try certain beneficial approaches:
Risk management, when applied to companies, refers to a procedure aimed at identifying, preventing and dealing with risks likely to appear in the course of its day-to-day operations.
Risk management is a broader process than risk analysis, which is only one stage of the former.
Because of the different theories, the stages of risk management vary, but we generally find: risk identification, risk analysis, risk evaluation, the development of a preventive action plan and a phase dedicated to monitoring its progress.
related to Cybersecurity and Cyber Risk Quantification (CRQ)