What is risk mapping? What methods should you follow to make it useful? Whom should you involve in the process? How to adapt it to cyber risks?
Risk mapping is a risk management tool that helps you visualise the risks a company is exposed to. It takes the form of a table or graph with 3 to 6 (sometimes more) levels on each axis, in which risks are ranked from lowest to highest.
Risk mapping is a technique used to detect cyber risks. It is particularly important in 2021, as cyber security has been a vital concern for companies for several years now (as shown in the WEF Global Risks Report 2021 and the Allianz Risk Barometer). Here is everything you need to know to build a risk map. What information do you need to gather? Which actors do you need to contact to get this kind of information? Which are the main objectives you need to pursue?
First and foremost, risk mapping is a table built around a colour classification (“heatmap”) of the threats to the company. Although its implementation looks simple, it actually requires substantial organisation, with participants from different hierarchy levels.
The French media company Agefi (economic and financial agency) defines risk mapping as “identifying, evaluating, prioritising and managing the risks which come with the activities of the organisation”.
As part of a risk management process related to cybersecurity breaches, risk mapping has two goals:
The result of this methodology is a map, a graphic representation. It summarises the risks of the company within a double entry table:
Companies sometimes reverse these axes when mapping, the probability then being on the x-axis and the severity on the y-axis. In all cases, the criticality of a risk results from the relationship between its impact and its likelihood. So, the risks mapped at the bottom left of the table have both a low probability and a low impact. The closer a risk sits to the top right of the table, the more it represents a real and serious threat.
Colour codes often play an important role in risk mapping: the chart runs from green to red. Green denotes an acceptable risk and red a critical one, which may sometimes exceed what your company can endure.
Ideally, the design of cyber risk mapping should include all the heads of the main departments of the business. Each employee - from general management to telephone secretaries - is exposed to or actively involved in risk scenarios which must be pinned down in order to be assessed: it is important to include as many different departments as possible, from all hierarchy levels, from management down to operational staff.
From a cyber risk assessment perspective, the Chief Information Security Officer (CISO) obviously plays a major role in setting up the cyber risk map. Nonetheless, they need to cooperate with risk management and internal control, if your company happens to have such departments. Risk assessment cannot possibly be effective without perfect communication between divisions.
As mentioned before, risk mapping is above all a risk management tool intended for the company's decision makers. It focuses on listing all the main risks to the company, covering management, sales, human resources, cyber risks, corruption or even natural or health risks altogether. The schematic visualisation of probabilities and impacts makes it easier to understand the risks your company is exposed to.
Risk mapping can also be performed for each department of your organisation. The company then does its risk assessment by hazard category: one for cybersecurity, one for management, another one for human resources, etc. In the cybersecurity area, the risk table is intended to ensure that everyone in every branch of the organisation has a good grasp of IT-related risks, so that every department head is in an informed position to make the right decisions when it comes to cybersecurity.
Risk mapping is not a mandatory procedure. It can nevertheless serve as proof, before a court of law, that your company did its best to ensure cybersecurity. Besides, stock-listed companies have a duty to adopt an effective risk management strategy by listing the major risks to which they are exposed.
Once the general principle of risk mapping has been assimilated, you need to follow a few tips and guidelines so that this tool reaches maximum efficiency:
Keeping this objective of legibility in mind, some organisations choose to number their key risks. This is notably the risk measurement strategy of the consulting firm McKinsey & Company, which suggests pairing the cyber risk map with a score from 1 to 4 for the main cyber risks. In the example below, four key risks are featured: disruption of online services (1), data breach (2), cyber fraud (3), risk related to suppliers or sellers (4).
You can use this numbering strategy to help employees who did not take part in developing your risk map understand it. This type of risk matrix depends on your task force’s subjectivity, so you should talk the rest of your employees through its details. Indeed, as documented in ISO 27005 section 8.3 and Annex E.2, this qualitative approach, based on nominal or ordinal scales, is heavily biased: it leaves little room for reliably comparing scenarios or the effectiveness of protective measures, and it does not really help the decision-making process. The issue here is not the graphic representation but rather the methodology for measuring probability and impact, which is unreliable.
A proper risk mapping procedure comprises at least four stages. This is the most conventional approach; it aims to identify the company's core operations and the associated risks.
In many cases, risk mapping simply includes four stages:
1 / List the main activities of your structure and its key assets;
2 / Identify the threats it could be confronted with. This phase is about determining the vulnerabilities of your company. List here the problematic situations that could put your company in a crisis situation, or even threaten its survival. When it comes to cybersecurity, you have to consider every potential cyber attack: DDoS attack, phishing, ransomware, man-in-the-middle attack (MITM), and other malware.
3 / Evaluate the impact and the likelihood of those risks. A cyberattack can damage the company's reputation, interrupt its operations, or hit its financial assets or the personal data of users and customers.
Allocate a degree of severity to each of those consequences: green, yellow, orange or red. Then assign each of those risks a probability of occurrence, again green (unlikely) or red (very likely). By using this classification, you should have a risk map organised around 4 levels of abscissa and 4 levels of ordinates.
Note that this risk ranking method, both nominal and ordinal, conveys personal and subjective evaluations, influenced by the mental models of your task force members as well as their own personal histories. If you want truly effective prevention work, you should consider complementing your risk map with financial quantification methods for the main cyber risks. Studies have shown that even experts are often subject to a high degree of subjectivity (see the Harvard Business Review and Amos Tversky and Daniel Kahneman, “Belief in the Law of Small Numbers”, 1971).
4 / Determine what measures you should take to detect those cyber risks before a crisis occurs, then evaluate the means which could help mitigate their impact.
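As an added example (not code from the original article), the four stages above and the green-to-red likelihood/impact scale carried through in Python on a small constructed risk register. The assets, scenarios, scores, colour thresholds and treatments are all assumptions for illustration; criticality is taken as the product of the two ordinal scores, the usual convention for such matrices, and the scenarios are the four key risks the article lists.

```python
"""Added example: a four-stage cyber risk map from a constructed risk register.
Likelihood and impact are scored on a 1..4 ordinal scale (green..red) and each
scenario is placed in a 4x4 grid.  All values below are illustrative assumptions."""

from dataclasses import dataclass

# Stage 1: the structure's key assets (constructed).
ASSETS = {"customer database", "e-commerce front end", "payment gateway"}

# Ordinal scale shared by both axes: 1 = green (lowest) .. 4 = red (highest).
LEVELS = {1: "green", 2: "yellow", 3: "orange", 4: "red"}


@dataclass(frozen=True)
class RiskScenario:
    ref: int
    asset: str
    threat: str        # stage 2: the feared event against the asset
    likelihood: int    # stage 3: 1 (unlikely) .. 4 (very likely)
    impact: int        # stage 3: 1 (negligible) .. 4 (threatens survival)
    treatment: str     # stage 4: detection / mitigation measure

    def __post_init__(self):
        if self.asset not in ASSETS:
            raise ValueError(f"unknown asset: {self.asset}")
        for score in (self.likelihood, self.impact):
            if score not in LEVELS:
                raise ValueError("scores must be integers in 1..4")

    @property
    def criticality(self) -> int:
        """Product of the two ordinal scores (1..16)."""
        return self.likelihood * self.impact


def band(criticality: int) -> str:
    """Colour band for a criticality value; thresholds are assumptions."""
    if criticality >= 12:
        return "red"
    if criticality >= 6:
        return "orange"
    if criticality >= 3:
        return "yellow"
    return "green"


# Constructed register: the four key risks named in the article, with assumed scores.
REGISTER = [
    RiskScenario(1, "e-commerce front end", "DDoS disrupts online services", 3, 3,
                 "upstream traffic scrubbing, availability alerting"),
    RiskScenario(2, "customer database", "ransomware encrypts and leaks data", 2, 4,
                 "offline backups, endpoint detection, phishing awareness"),
    RiskScenario(3, "payment gateway", "phishing leads to cyber fraud", 4, 2,
                 "MFA, dual control on payment approvals"),
    RiskScenario(4, "e-commerce front end", "supplier compromise (third-party script)", 2, 2,
                 "subresource integrity, vendor security review"),
]


def build_grid(register):
    """grid[impact][likelihood] -> refs of the scenarios landing in that cell."""
    grid = {imp: {lik: [] for lik in LEVELS} for imp in LEVELS}
    for r in register:
        grid[r.impact][r.likelihood].append(r.ref)
    return grid


def ranked(register):
    """Scenarios from most to least critical; ties broken by impact."""
    return sorted(register, key=lambda r: (r.criticality, r.impact), reverse=True)


def render(register) -> str:
    """Text heatmap: impact on rows (top row = 4), likelihood on columns (left = 1)."""
    grid = build_grid(register)
    rows = []
    for impact in sorted(LEVELS, reverse=True):
        cells = []
        for lik in sorted(LEVELS):
            refs = ",".join(str(ref) for ref in grid[impact][lik]) or "-"
            cells.append(f"{band(lik * impact):>6}[{refs:>3}]")
        rows.append(f"impact {impact} | " + " ".join(cells))
    rows.append("           likelihood 1 -> 4")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(REGISTER))
    for r in ranked(REGISTER):
        print(f"({r.ref}) {r.threat}: {band(r.criticality)} -> {r.treatment}")
```

The validation in `__post_init__` is the point of the exercise: a scenario cannot enter the map without a named asset (stage 1) and scores on the agreed scale, which is what keeps the workshop output comparable across departments.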
1 / Focusing on threats before having identified the critical assets, those essential to the organisation's operations for which a loss of one of the three C-I-A properties (Confidentiality, Integrity, Availability) would be feared
2 / Neglecting the context in which your business operates (business model, business ecosystem, B2B or B2C model, geographic territory, etc.)
3 / Remaining too theoretical about the risks identified. Your map must address specific risk scenarios whose feared loss event is measurable.
4 / Not sufficiently involving general management and the business functions, even though they know the company's value chain and the critical processes and assets that underpin it.
5 / Settling for a qualitative analysis based on nominal and ordinal scales, which are by nature subjective. The problem is not the final rendering of the risk map but the way the frequency and the loss impact are estimated.
There is an advantage to this type of mapping: it is easy to understand. The colour system is rather enlightening, which is why it is widely used to assess risks whatever the company’s activities may be. Yet this simplicity can be taken too far and may even be partly misleading (cf. ISO 27005, Annex E.2; How To Measure Anything in Cyber Risk, Doug Hubbard and Richard Seiersen).
However, the world has changed and the risks to companies have greatly evolved, especially with digital technology. Risk mapping as it stands is sorely lacking in precision. It benefits from being combined with mathematical methods for quantifying the probability of cyber risks.
Today, the challenge is to assess risks and possible consequences much more accurately, to the point of quantifying impact in financial terms. This is paramount to better manage security (and especially cybersecurity) budgets.
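As an added example (not code from the original article) of what quantifying a single scenario in financial terms looks like in practice: a Monte Carlo simulation in the spirit of FAIR-style analysis, in which loss event frequency is modelled as a Poisson process and loss magnitude per event as a lognormal distribution calibrated from a 90% confidence interval. The scenario, event rate, interval bounds and thresholds are all constructed assumptions; the functions and their names are mine, not part of any standard.

```python
"""Added example: annualised loss for one cyber risk scenario by Monte Carlo.
Frequency ~ Poisson(rate per year); magnitude per event ~ lognormal calibrated
so that an expert's 90% interval [low, high] maps to the 5th..95th percentiles.
All parameters below are constructed for illustration."""

import math
import random

Z90 = 1.6448536269514722  # standard-normal quantile for the 5%..95% interval


def lognormal_params(low: float, high: float):
    """Convert a 90% CI for loss per event into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler for the number of loss events in one year."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(rate: float, ci_low: float, ci_high: float,
                         trials: int = 20000, seed: int = 7):
    """One simulated year per trial: sum of the losses of every event in that year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(ci_low, ci_high)
    losses = []
    for _ in range(trials):
        n_events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def summarize(losses):
    """ALE (mean annual loss), median, 95th percentile, worst case, P(any loss)."""
    s = sorted(losses)
    n = len(s)

    def pct(p):
        return s[min(n - 1, int(p * n))]

    return {
        "ale": sum(losses) / n,
        "p50": pct(0.5),
        "p95": pct(0.95),
        "max": s[-1],
        "p_any_loss": sum(1 for x in losses if x > 0) / n,
    }


def loss_exceedance(losses, thresholds):
    """Probability that annual loss reaches each threshold (a loss exceedance curve)."""
    n = len(losses)
    return {t: sum(1 for x in losses if x >= t) / n for t in thresholds}


# Constructed scenario: ransomware on the customer database, rated "yellow"
# likelihood / "red" impact on the ordinal map. Quantified assumptions:
# one loss event every two years, 90% CI of 50k..500k per event.
SCENARIO = {"rate": 0.5, "ci_low": 50_000.0, "ci_high": 500_000.0}

if __name__ == "__main__":
    losses = simulate_annual_loss(**SCENARIO)
    stats = summarize(losses)
    for k, v in stats.items():
        print(f"{k:>10}: {v:,.0f}" if k != "p_any_loss" else f"{k:>10}: {v:.2%}")
    for t, p in loss_exceedance(losses, [10_000, 100_000, 1_000_000]).items():
        print(f"P(annual loss >= {t:>9,}) = {p:.2%}")
```

Two things the ordinal map cannot show come out directly: the median year has zero loss (most years see no event) while the annualised loss expectancy is still around a hundred thousand, and the exceedance curve gives a budget holder a probability for a concrete loss threshold rather than a colour.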
To go further, we advise you to take a look at the FAIR (Factor Analysis of Information Risk) methodology.
Risk mapping is a risk management tool in the form of a table. The risks are classified according to their probability and their impact, from lowest to highest.
Risk mapping usually follows a 4-stage approach: identifying the key activities of the structure, pinning down the risks, assessing their likelihood and impact, and developing detection and protection measures. Nevertheless, this approach varies from one theoretician to another.
Risk mapping brings to light potential threats to the activities or to the survival of the company. It is a simple and readable graphic tool which helps make relevant decisions in terms of risk management.