Cybersecurity Risk Mapping: a Step-by-Step Guide

Risk mapping is a management process and tool that helps visualize the risks to which a company is exposed. It takes the form of a table or graph whose two axes each have three to six (sometimes more) levels, ranking risks from lowest to highest.

Risk mapping is a technique used to detect cyber risks. It is particularly important in 2022, since the stakes of cybersecurity for companies have been rising for a few years (as evidenced in the WEF_The_Global_Risks_Report_2021 and Allianz Risk Barometer). Here is everything you need to know to build a risk map. What relevant information do you need to gather? Which stakeholders do you need to contact to gather this information? What are the main objectives to pursue?

Lydie Aubert
Marketing Director

What is risk mapping?

First and foremost, risk mapping consists of a table organized around a color classification (“heatmap”) of the threats to a company. Though the table itself looks simple, producing it takes substantial organizational work and involves stakeholders at every level of the business.

Definition of risk mapping and schematization

The French media company Agefi (an economic and financial agency) defines risk mapping as “identifying, evaluating, prioritizing, and managing the risks which come with an organization’s activities”.

As part of a risk management process related to cybersecurity breaches, risk mapping has two goals:

  • identifying and managing key risks to ensure the organization's cybersecurity;
  • granting general management and the information systems division sufficient resources to set up successful and effective preventive measures.

The result of this methodology is a map, a kind of graphic representation that summarizes a company’s risks in a double-entry table:

  • the horizontal axis represents a risk’s degree of seriousness, ranging from minor to major, or even “catastrophic” depending on the scale that you wish to adopt.
  • the vertical axis illustrates the risk’s degree of probability, ranging from improbable to very probable/certain.

Some companies swap these axes when mapping, placing probability on the x-axis and severity on the y-axis. Either way, a risk’s criticality is determined by combining its impact and its likelihood: risks mapped at the bottom left of the table have both a low probability and a low impact, and the closer a risk sits to the upper right of the table, the more likely and the more serious the threat.

Color codes often play an important role in risk mapping; the graph goes from green to red. Green is an acceptable risk and red is a critical risk, which may prove to be more than what your company can endure.
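As an added illustration (not part of the original article), the following Python script builds such a heatmap from a handful of constructed cyber risk scenarios: each is scored on five-level severity and likelihood scales, the two scores are combined into a criticality score, that score is mapped to a green/amber/red band, and the grid is rendered with likelihood on the vertical axis and severity on the horizontal axis. The scale labels, band thresholds and scenarios are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Ordinal scales for the two axes of the map (constructed, five levels each).
SEVERITY = ["negligible", "minor", "moderate", "major", "catastrophic"]    # x-axis
LIKELIHOOD = ["improbable", "unlikely", "possible", "probable", "certain"]  # y-axis

@dataclass
class Risk:
    name: str
    severity: int    # index into SEVERITY (0..4)
    likelihood: int  # index into LIKELIHOOD (0..4)

def criticality(severity: int, likelihood: int) -> int:
    """Combine the two axes into one score (1..25); higher means closer to the upper right."""
    return (severity + 1) * (likelihood + 1)

def color_band(score: int) -> str:
    """Green = acceptable, amber = needs treatment, red = critical (thresholds are constructed)."""
    if score <= 4:
        return "green"
    return "amber" if score <= 12 else "red"

def rank_risks(risks):
    """Risks ordered from most to least critical, i.e. upper right of the map first."""
    return sorted(risks, key=lambda r: criticality(r.severity, r.likelihood), reverse=True)

def render_heatmap(risks):
    """ASCII grid: rows = likelihood (top = certain), columns = severity.
    Each cell shows its band initial (G/A/R) and how many risks land in it."""
    counts = defaultdict(int)
    for r in risks:
        counts[(r.severity, r.likelihood)] += 1
    lines = ["likelihood \\ severity: " + " ".join(SEVERITY)]
    for li in range(len(LIKELIHOOD) - 1, -1, -1):
        cells = [f"{color_band(criticality(si, li))[0].upper()}{counts[(si, li)]}"
                 for si in range(len(SEVERITY))]
        lines.append(f"{LIKELIHOOD[li]:>10} | " + " ".join(cells))
    return lines

# Constructed cyber risk scenarios, scored as a workshop with department heads might.
SAMPLE_RISKS = [
    Risk("ransomware on file servers", severity=4, likelihood=3),
    Risk("phishing leading to credential theft", severity=3, likelihood=4),
    Risk("lost unencrypted laptop", severity=2, likelihood=2),
    Risk("DDoS on public website", severity=1, likelihood=3),
    Risk("defacement of a static brochure page", severity=0, likelihood=1),
]
if __name__ == "__main__":
    print("\n".join(render_heatmap(SAMPLE_RISKS)))
    print([r.name for r in rank_risks(SAMPLE_RISKS)])
```

Note that the bottom-right and top-left cells are not green even though one axis is at its minimum: a catastrophic but improbable event still needs a treatment plan, which is why the combination, not either axis alone, drives the color.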

Example of risk mapping

Who should be involved in risk mapping?

Ideally, the design of a cyber risk map should involve the heads of all the business’s main departments. Every employee, from the managing director to the receptionist, is exposed to or actively involved in risk scenarios that must be clearly identified before they can be assessed, so it is essential to include as many departments as possible, at every level of the organization, from management down to operational staff.

From a cyber risk assessment perspective, the Chief Information Security Officer (CISO) naturally plays a major role in setting up the cyber risk map. Nonetheless, they need to cooperate with risk management and internal control, if your company happens to have such departments. Risk assessment cannot possibly be effective without flawless communication between divisions.

Why do you need to map risks?

As mentioned before, risk mapping is above all a risk management tool intended for the company's decision makers. It focuses on listing all the main risks a company faces, covering management, sales, human resources, cyber risks, corruption, and even natural disaster or health risks. The schematic visualisation of probabilities and impacts makes it easier to understand the risks to which your company is exposed.

Risk mapping can also be performed for each department of your organization. In this case, the company carries out its risk assessment by category of hazard: one map for cybersecurity, one for management, another for human resources, and so on. In the cybersecurity field, the risk table is intended to ensure that everyone in every part of the organization has a good grasp of IT-related risks, so that every department head is in an informed position to make the right decisions about cybersecurity.

Risk mapping is not a mandatory procedure. It can nevertheless serve as evidence, in a court of law, that your company makes a genuine effort to ensure its cybersecurity. Listed companies, moreover, are required to adopt an effective risk management strategy that lists the major risks to which they are exposed.

What is risk mapping?

Risk mapping is a risk management tool in the form of a table. The risks are classified according to their probability and their impact, from lowest to highest.

How can I carry out risk mapping?

Risk mapping usually follows a four-stage approach: identifying the organization’s key activities, pinning down the risks, assessing their likelihood and impact, and developing detection and protection measures. The exact steps nevertheless vary from one author to another.


Risk mapping brings to light potential threats to the activities or to the very survival of a company. It is a simple and readable graphic tool which helps you make relevant decisions in terms of risk management.