Risk Mapping

How to create an efficient cyber security risk mapping ?

What is risk mapping? What methods should you follow to make it useful? Whom should you involve in the process? How to adapt it to cyber risks?
C-RiskC-Risk
Published on Dec. 3, 2021, 3:05 p.m. (Updated on 28 January 2022 18:19)

Risk mapping is a management tool to help you visualise the risks a company is exposed to. It is a table or a graph with 3 to 6, sometimes more, levels of abscissa and ordinate, to rank risks from lowest to highest.

Risk mapping is a technique used to detect cyber risks. It is particularly important in 2021, now that cyber security has become a vital stake for companies for a few years now (as shown in WEF_The_Global_Risks_Report_2021 and Allianz Risk Barometer). Here is everything you need to know to build a risk map. What information do you need to gather? Which actors do you need to contact to get this kind of information? Which are the main objectives you need to pursue?

What is risk mapping?


First and foremost, risk mapping consists in a table organised around a colour classification (“heatmap”) of threats to society. If its implementation seems simple, it actually entails a heavy organisation, with partakers from different hierarchy levels.

Definition of risk mapping and schematisation

The French media company Agefi (economic and financial agency) defines risk mapping as “identifying, evaluating, prioritising and managing the risks which come with the activities of the organisation”.

As part of a risk management process related to cybersecurity breaches, risk mapping has two goals:

  • identifying and managing key risks to ensure the organisation's cybersecurity;
  • granting the general management and the information systems division enough resources to set up satisfying and effective preventive measures.

The result of this methodology is a map, a graphic representation. It summarises the risks of the company within a double entry table:

  • The horizontal axis represents the degree of seriousness of the risk, ranging from minor to major, or even “catastrophic” depending on the scale that you wish to adopt.
  • The vertical axis illustrates the degree of probability of the risk, ranging from improbable to very probable/certain.

Companies sometimes reverse these axes when mapping, the probability then being on the x-axis and the severity on the y-axis. In all cases, the criticality of the risk corresponds to the ratio between its impact and its likelihood. So, the risks mapped at the bottom left of the table represent a low probability and danger. The more the risk is close to the top right of the table, the more it represents a real and serious threat.

Colour codes often play an important role in risk mapping; the graph goes from green to red. Green is an acceptable risk and red is a really important risk which sometimes might be more than what your company can endure.

Example of risk mapping

Whom do you need to involve in risk mapping?

Ideally, the design of cyber risk mapping should include all the heads of the main departments of the business. Each employee - from general management to telephone secretaries - is exposed to or actively involved in risk scenarios which must be pinned down in order to be assessed: it is important to include as many different departments as possible, from all hierarchy levels, from management down to operational staff.

From a cyber risk assessment perspective, the Chief Information Security Officer (CISO) obviously plays a major role in setting up the cyber risk map. Nonetheless, they need to cooperate with risk management and internal control, if your company happens to have such departments. Risk assessment cannot possibly be effective without perfect communication between divisions.

Why do you need to map risks?

As mentioned before, risk mapping is above all a risk management tool intended for the company's decision makers. It focuses on listing all the main risks to the company, covering management, sales, human resources, cyber risks, corruption or even natural or health risks altogether. The schematic visualisation of probabilities and impacts makes it easier to understand the risks your company is exposed to.

Risk mapping can also be performed for each department of your organisation. The company then does its risk assessment by hazard category: one for cybersecurity, one for management, another one for human resources, etc. In the cybersecurity area, the risk table is intended to ensure everyone in every branch of the organisation has a good grasp on the IT related risks so that every department head is in an informed position to make the right decisions when it comes to cybersecurity.

Risk mapping is not a mandatory procedure. It can nevertheless be used as a proof that your company did its best to ensure cybersecurity, in the context of a court of law. Besides, stock-listed companies have a duty to adopt an effective risk management strategy, by listing the major risks to which they are exposed.

How to successfully risk map your company?


Once the general principle of risk mapping has been assimilated, you need to follow a few tips and guidelines so that this tool reaches maximum efficiency:

  • Exhaustiveness also implies scalability: the map must be regularly updated and adapted to potential new threats;
  • Naming the risks is not enough: you need to place them in the overall functioning of the company;
  • The way in which the frequency and severity of hazards is determined should be defined and described in the appendix to the risk table as specified by ISO 27005; for a substantial projective value, you might want to pair risk mapping with a quantitative method of financial risk assessment. An approach such as VaR, Value at Risk, consists in collecting statistical data in order to establish probability estimates of cyber risks. It is far more thorough and reliable than qualitative approaches.
  • This mapping must remain a document accessible to and understandable by all employees.

Keeping this objective of legibility in mind, some structures choose to rank by number their key risks. This is notably the strategy of risk measurement of the consulting firm McKinsey & Company. This consulting firm suggests associating cyber risk mapping with a note from 1 to 4 for the main cyber risks. In the example below, four key risks are featured: disruption of online services (1), data breach (2), cyber fraud (3), risk related to suppliers or sellers (4).

Cartographie des risques McKinsey

You can use this numbering strategy to help employees who do not take part in the development of your risk mapping understand. This type of risk matrix is dependent on your task force’s subjectivity, so you should talk the rest of your employees through its details. Indeed, as documented in ISO270005 section 8.3 and Addendum E2, this qualitative approach, based on nominal or ordinal scales is heavily biased, it leaves little room for reliably comparing scenarios or protective measure efficiency and it does not really help the decision making process. The issue here is not the graphic representation but rather the probability and impact measurement methodology, which is unreliable.

What methods can be used in cyber risk mapping?


A proper risk mapping procedure comprises at least four stages. This approach is the most conventional one, it aims to identify the company's core operation and the associated risks.

The standard risk mapping approach in 4 stages

In many cases, risk mapping simply includes four stages:

1 / List the main activities of your structure and its key assets;

2 / Identify the threats it could be confronted with. This phase is about determining the vulnerabilities of your company. List here the problematic situations that could put your company in a crisis situation, or even threaten its survival. When it comes to cybersecurity, you have to consider every potential cyber attack: DDoS attack, phishing, ransomware, man-in-the-middle attack (MITM), and other malware.

3 / Evaluate the impact and the likelihood of those risks. A cyberattack can impact the reputation of the company, the interruption of its operation, its financial assets or the personal data of users and customers.

Allocate a degree of severity to each of those consequences: green, yellow, orange or red. Then assign each of those risks a probability of occurrence, again green (unlikely) or red (very likely). By using this classification, you should have a risk map organised around 4 levels of abscissa and 4 levels of ordinates.

Note that this risk ranking method, both nominal and ordinal conveys personal and subjective evaluations which are influenced by the representations of your task force members as well as their own personal histories. If you want to achieve a really effective prevention work, you should maybe consider complementing your risk mapping with financial quantification methods of the main cyber risks. Thanks to scientific studies, it has been shown that even experts often are victims of a high degree of subjectivity (see Harvard Business Review and 19710101 - Amos Tversky and Daniel Kahneman - belief-in-the-law-of-small-numbers-stats-org-uk.pdf).

4 / Determine what measures you should take to detect those cyber risks before a crisis occurs, then evaluate the means which could help mitigate their impact.

Establish risk mapping steering committee

What common mistakes should be avoided when you design your risk map?

1 / Focus on the threats before having identified the critical assets, the essential ones to the operations of the organization for which we would fear one of the three effects of the C-I-A triad (Confidentiality, Integrity, Availability)

2 / Neglecting the elements of context in which your business operates (business model, business ecosystem, B2B or B2C model, geographic territory, etc.)

3 / Remain too theoretical in terms of the risks identified. Your mapping must address specific risk scenarios, of which the feared loss event is measurable.

4 / Not sufficiently involving the general management and business functions, whereas they are knowledgeable of the company value chain and the critical processes and assets that underpin it.

5 / Be content with a qualitative analysis, based on nominal and ordinal scales, which by nature are subjective. The problem is not the final rendering of the risk mapping but the way the frequency and the impact on losses are estimated.

The limitations of risk mapping


There is an advantage with this type of mapping: it is easy to understand. The colour system is rather enlightening and this is why it is widely used to assess risks whatever the company’s activities may be. Yet, this simplicity can lean towards excess and even might be partially false (cf ISO 27005, Annex E 2 ; How To Measure Anything in Cyber Risk – Doug Hubbard and Richar Seiersen)

Range compression problem

However, the world has changed, the risks to companies have greatly evolved, especially with digital technology. Risk mapping as it stands is sorely lacking in precision. It benefits from an association with mathematical methods of probability quantification of the cyber risks.

Today, the challenge is to assess risks and possible consequences much more accurately, to the point of quantifying impact in financial terms. This is paramount to better manage security (and especially cybersecurity) budgets.

To go further, we advise you to take a look at the FAIR™️(Factor Analysis of Information Risk) methodology.

FAQ

Risk mapping is a risk management tool in the form of a table. The risks are classified according to their probability and their impact, from lowest to highest.

Risk mapping usually follows a 4-stage approach: identifying the key activities of the structure, pinning down the risks, assessing their likelihood and impact, developing detection and protection measures. Nevertheless, this approach varies from a theoretician to another.

Risk mapping brings to light potential threats to the activities or to the survival of the company. It is a simple and readable graphic tool which helps make relevant decisions in terms of risk management.