Assessing Cyber security risks

Technology is permeating all aspects of business at an increasing rate. New ways of conducting business processes, BYOD (bring your own device) and now WFH (work from home) are bringing about an incredibly broad and diverse domain of cyber risks that are here to stay.

An Enterprise Risk Management (ERM) program has to include cyber security risks as one of its key strategic risk components to be assessed and managed regularly, just as how financial or other business process related risks are measured, monitored, mitigated and reported.

This approach is really the crux of bringing in what is called as a new approach – IRM (Integrated Risk Management). There are a lot of proponents who have backed this and other three-letter acronyms pointing out the benefits of each and opining how the others have gone out of existence. In my opinion, a truly integrated view (call it by whatever acronym – ERM, GRC, IRM) of Enterprise Risk Management must consider all risk factors and different risk domains.

This brings us to the next question on how to assess, measure, monitor and report on cyber security risks.

Traditionally, a financial, regulatory or operational risk is classified and defined based on its “causes and effects”.  Examples such as these are well known – what happens if the bank lending rate increases, what would be the impact on imported materials if the exchange rate fluctuates, where to source in the event of a critical supplier bankruptcy, why is our stockyard not insured for theft, what if there is a new regulation the imposes restrictions on trade, etc.

This leads to the next step of assessing, measuring and calculation of that risk. Normally risk managers with the help of business, measures the “impact” of that risk – either in monetary terms or qualitatively – and multiply this by the factor called “probability of occurrence”, “likelihood”, “odds of happening” – either in terms of percentage (0-100%) or in terms of risk scores.  Low-impact events with high probability are given lower ranking as compared to high-impact events with low probability and can be represented in what are called “heat maps” to draw attention to the red areas requiring immediate attention.

Cyber security risk assessment challenges:

  1. Security experts and the CISO’s office are mostly caught up with measuring technical exposures, discovering vulnerabilities and evaluating tools, that they hardly spend time to see the connect with the business impact. The security teams and business – do not align their risk definitions in order to have their understanding at the same level.
  2. “Threats”, “Vulnerabilities and “risks” are many a times used interchangeably.
    1. “Threats” represent something that might happen. Natural threats like floods, earthquakes or tornadoes can be acted upon in advance based on weather forecasts or previous learnings. However, cyber security threats (conducted by threat actors or hackers) that aim to steal or destroy data or disrupt business operations are real fears that organizations have to be concerned about. Examples of such threats are very many and keep growing in different forms – viruses, ransomware, malware, phishing, social engineering, denial of service attack, data breaches, complete shutdown of assets, etc.
    2. “Vulnerabilities” (in the context of systems) represent weaknesses in hardware, networks or software. In business and other applications these vulnerabilities are normally patched up periodically by the vendor/ manufacturer and applied by the security organization. Other examples like unsolicited emails or phishing attempts also can make the system vulnerable to attacks. Unauthorized access (whether intentional or unintentional, whether by insiders or outsiders) to applications and data centers violates and bypasses security policies and the person/s can take advantage of the vulnerability.
    3. “Risks” are considered as those that can potentially harm the IT systems and business. Risk is a function of both “threat” and “vulnerability”, meaning that the higher the likelihood of the threat against a known vulnerability is seen as a high risk factor, as against a low level threat for a less vulnerable asset can be classified with a lower risk rating.
  3. Quantifying the business impact of a cyber security threat event is a very difficult task bordering on the impossible. Estimating the probability of its occurrence is even harder because of the evolving technological advances and new ways in which breaches can occur. Cyber security has always been considered as a tactical response to threats – either a security breach occurred or it did not. Thinking about what is the business impact of the risk of a threat occurring requires putting on a different thinking cap. Currently the majority thinking is that if a cybersecurity breach does not occur then it is not a risk to be addressed on priority.
  4. A big challenge today is that the technically-oriented CISO’s office understands the need for preventing security attacks but not how to express the ramifications of those attacks in business terms. Security experts understand and articulate that if, for example, a vulnerability in the network or an application is not patched up, there could be a threat of theft of database or network downtime. However, they are not able to put up in front of the Board or the CFO, a business-focused description like “setting up preventive measures will reduce the risk of exposure to the customer database, which if exposed will cost an estimated “x” amount of money in lost business, expenses and litigation” or “critical enterprise wide applications hacked through social engineering techniques have to be monitored as close to real-time to identify the attacker and the employee/s involved to prevent the risk of loss of financial results that could swing the stock market adversely by x%”.
  5. The above subjective assessment is only a starting point and can have many holes pointed in it. It is not straight forward like financial transactions that have honed the metrics for calculations – every cybersecurity breach is different, unprecedented and unpredictable with ever-changing technology.
  6. Many vendors offer their scorecards and applications that promise nice and jazzy scorecards. But behind all that there are tons of work to be done for ensuring meaningful data – identifying risk factors, classifying and documenting all the assets and feed it into one of theses systems.

 Make a start in addressing the challenges

  1. Ensure that you present the importance of cyber security to the Board level executives -not by scary stories that happened recently at a different organization – by articulating clearly the specific business objective that would be impacted if a particular threat is not addressed to mitigate or lower the risk, how this would be done and what would be the cost of mitigation. This would bring about clarity to both IT and business on why the budget needs sanction.
  2. Bring your IT team resources on the same page on understanding the context in which risk management has to be aligned at the enterprise level.
  3. Make sure everyone understands the various terms like threats, vulnerabilities and how risks can be rated or calculated – whether subjectively at first and then gradually move up the ladder to more complex metrics to quantify the same.
  4. Invest time in making and checking an inventory of all system and IT resources and document them for risk and control assessment plans. Make sure that acquired or merged organizations are included in the overall landscape assessment.
  5. Do not just focus on the “perimeter” risks (such as firewalls, sniffers, etc.) – there are already a host of tools that address these well at the technical level.
  6. Make sure to look at vulnerabilities in internal home-grown applications, legacy systems, ERP applications, user access controls, physical access controls to server rooms, etc. Addressing potential insider threats is equally important as identifying and preventing external attacks.
  7. Various logs streaming in from applications and audit logs carry a lot of information on activities and their patterns. Look out for tools and solutions that can help you collate and analyse them as close to real-time in a meaningful human readable form, so that actions can be taken.
  8. Performing what-if scenarios for possible breaches, use of artificial intelligence and machine learning algorithms applied on various log databases can help a lot in reporting and prevention, but it still requires human interpretation to make decisions.
  9. Conduct periodic penetration testing by third parties and ethical hackers to assess and measure the areas and level of vulnerability present in the system landscape.
  10. Be realistic in assessing how long it would take to mitigate newly discovered threats, rank them in the order of risk priority before committing to bring the risk down to an acceptable level.

To sum up, assessing cyber security risks, identifying threats and vulnerabilities is a continually evolving subject and is not an exact science. It is a new discipline that requires a strategic thinking and cooperation between top management, finance experts and the IT / CISO’s office.

Risk Analysis-A short overview

The topic on risk analysis is always fraught with multiple dimensions and choices.

Each industry – and specific risks that are typical of those industries – are to be looked at differently and there is no one-approach-fits-all answer to risk analysis.

In the Banking industry – for example – the definition of Credit risk refers to the risk that a borrower may not repay a loan and that the lender may lose the principal of the loan or the interest associated with it. Credit risk arises because borrowers expect to use future cash flows to pay current debts; Read more at //www.investopedia.com/terms/c/creditrisk.asp#ixzz5GtGVzh7Q

In this article, I am not dealing with industry-specific practices of risk analysis, but generic operational risks that are common to all industries or organizations.

Risks could be analysed through multiple approaches – at the end of the risk analysis you would have calibrated and possibly arrived at the probability of outcome of each material risk that you had defined (see earlier article on identifying and defining risks).

  • Quantitative – putting a rupee or dollar impact based on the probability of occurrence of the risk event happening.

  • Qualitative – not able to estimate a financial number right away – but assessing the damage that could happen – for example – customer dissatisfaction, damage to reputation, product bill of material or recipe stolen by competitors, key personnel poached by competition, insiders leaking information, etc. These types of risks ultimately would result in a financial loss, but are hard to quantify right at the beginning of risk assessment, but at a later stage.

  • Three point analysis – you want to take a measured approach and take a ‘best case’, ‘worst case’ and ‘most likely case’ and calculate a weighted average approach to rank your risk.

  • Speed of onset of the risk – a very important factor that influences prioritization of responding or treating the risk.

  • Use advanced statistical methods, monte carlo analysis, scenario modelling to analyze the risk on several factors.

  • Use Machine Learning (ML) on past data and predict possible outcomes in areas where risk is expected to be trending.

How does one start with risk analysis?

  1. You may want to conduct a workshop or a collaborative survey with key stakeholders in different functional areas to arrive at inherent risk analysis – which is basically saying what do they understand as the risk drivers or causes, what are the possible consequences or impacts, where does this risk stand at present? What is the probability of its occurrence and impact.

  2. This becomes the starting point for conducting continuous or periodic risk assessments by risk owners or groups responsible. Risk owners or managers may be more comfortable giving qualitative rankings for probabilities or impacts in understandable terms rather than as percentages or scores. Have a mapping mechanism to convert them for arriving at impact measurement in quantitative or qualitative terms.

  3. Have easily understandable measures of impacts to the business and its effect on strategic objectives. Impact measures should not be limited to only direct financial losses, but should include qualitative measures such as loss of production hours, time delays in hours, productivity measurements, media exposure time, geopolitical factors, customer satisfaction index, vendor reliability, customer credit rating, etc. These would ultimately be converted into financial numbers once you start assessing the risks.

  4. Risk assessments would set targets for each risk on what is the acceptable level the organization can live with – this is sometimes referred to as ‘planned risk’.

  5. Response treatments, remediation or mitigation measures are put in by the risk owners to lower the risk from the observed “inherent risk level” to the “planned risk level”.

  6. Sometimes the response treatment or mitigation normally takes some time to implement or become effective and periodic assessments during the interim usually can be shown as a “residual risk level” which is nothing but the difference between the current assessed risk level and the planned risk level.

  7. Typically risk prioritization is shown visually through “heat maps” that buckets the various risks into critical / high, medium and low impacts on one axis and the probability of occurrence on the other. The third dimension – time or the speed of onset of the risk – can throw up very useful insights for actionable decisions to avert the risk event.

More on risk assessments and response treatments in my next article.