CCSP: Risk Assessment Methods
Business Impact Assessment, Evaluating Failure Impact, Enterprise Risk Management, Qualitative Risk Assessment, Quantitative Risk Assessment
What Constitutes Enterprise Risk Management?
Organisations face a complex collection of cybersecurity risks:
Reputational
Financial
Operational
Enterprise risk management aims to
Bring order to the process of identifying risks.
Address the identified risks.
Enterprise risk management (ERM) is an approach to identifying, assessing, managing, and mitigating risk across an organisation.
It involves a systematic and structured process to
Understand risk.
Address risk.
Threats, Vulnerabilities, and Risk
Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of information or information systems.
Vulnerabilities are weaknesses in our systems or controls that could be exploited by a threat.
Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability.
Both a threat and a vulnerability must be present or exist for a risk to be present.
Risk Calculation
Risk evaluation factors include
The likelihood of occurrence/probability
Typically expressed as a percentage chance that a threat will exploit a vulnerability over a specified period of time.
The magnitude of the impact that the risk will have on the organisation if it does occur.
Typically expressed as the financial cost that we will incur as a result of this risk.
Combining risk factors, we can assign each risk a conceptual score…
RISK SEVERITY = Likelihood * Impact
Risk assessment is the evaluation of the likelihood and the potential impact of identified risks.
Risk assessment methodologies:
Quantitative risk assessments
Qualitative risk assessments
Quantitative Risk Assessment
It is a methodical and objective process used to assess and analyse risks. It assigns numerical values to the various aspects of a risk. Its primary goal is to quantify the potential impact of risks and their likelihood of occurrence.
Key components
Probability assessment
Quantifying the likelihood of various risk events occurring. This is often done using probabilities expressed as percentages or ratios.
Impact assessment
Assigning monetary values to the potential impact of identified risks. This could include financial losses, operational disruptions, or other measurable impacts.
Risk exposure calculation
Combining the probabilities and impacts of multiple risks to calculate the overall risk exposure for an organisation or specific processes.
Assessing risks collectively as a portfolio rather than in isolation.
Decision support
We can provide decision-makers with quantitative information to make informed decisions about
Risk mitigation
Risk acceptance
Risk transfer strategies
Processes
Determine the asset value (AV):
It is expressed in financial terms, e.g., dollars.
It may be determined by
The cost to acquire the asset
The cost to replace the asset
The depreciated cost of the asset
Determine likelihood:
Determine the likelihood that a risk will occur in a given year.
Expressed as the number of times the risk is expected to occur each year (annualised rate of occurrence, ARO). For example:
A risk that is expected to occur twice a year has an ARO = 2/1 = 2.0
A risk that is expected to occur once every 100 years has an ARO = 1/100 = 0.01
Determine the exposure factor (EF):
EF is the amount of damage that will occur to the asset if the risk materialises.
Expressed as a percentage of the asset expected to be damaged.
EF for complete damage = 100%
EF for half damage = 50%
Determine the single loss expectancy (SLE):
SLE is the amount of financial damage expected each time this specific risk materialises.
SLE = AV * EF
Determine the annualised loss expectancy (ALE):
ALE is the amount of financial damage expected from a risk each year.
ALE = SLE * ARO
Let’s say: You are concerned about the risk associated with a denial-of-service (DoS) attack against your email server.
You use the email server to send emails to customers, offering products for sale.
The server generates $1000 in sales per hour that it is in operation.
You believe that a DoS attack is likely to occur three times a year and it would last for three hours before you are able to control it.
Determine the asset value (AV):
The asset is: the ability to send email.
Asset value = $3,000 (1000 * 3 hours)
Determine the ARO:
Your threat intelligence estimates that the risk will occur three times per year, making your annualised rate of occurrence 3.0.
ARO = 3.0
Determine the exposure factor (EF):
You believe that the server would operate at 10% capacity during a DoS attack.
EF = 100% - 10% = 90%
Determine the SLE:
Your single loss expectancy (SLE) is calculated by multiplying the AV by the EF.
SLE = $3000 * 0.9 = $2,700
Determine the ALE:
Your annualised loss expectancy (ALE) is the product of SLE and ARO.
ALE = $2700 * 3.0 = $8,100
The primary objective of any risk assessment is to systematically identify, evaluate, and prioritise risks that an organisation may face.
Organisations can use annualised loss expectancies (ALEs) to
Prioritise remediation activities
Determine the level of investment in mitigating controls
This approach makes risk assessment cost-beneficial to your organisation:
From a financial perspective alone, it would not make sense to spend more than the ALE per year on controls against a risk.
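The five-step quantitative procedure above (AV, ARO, EF, SLE, ALE), the DoS-against-the-email-server scenario, and the "never spend more than the ALE per year" rule, carried through in code. This is an added example and not part of the original notes; the `QuantitativeRisk` class and helper names are my own, and the second risk used for the portfolio ranking is constructed filler.

```python
"""Quantitative risk assessment: AV, EF, ARO -> SLE -> ALE.

Added example, not part of the original notes. It reproduces the notes'
DoS-against-email-server scenario and adds the ALE-as-spending-ceiling
check and a simple portfolio ranking by ALE.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class QuantitativeRisk:
    name: str
    asset_value: float                 # AV, in currency units
    exposure_factor: float             # EF, fraction 0.0..1.0 of the asset lost per event
    annual_rate_of_occurrence: float   # ARO, expected events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate_of_occurrence < 0:
            raise ValueError("AV and ARO must be non-negative")

    def single_loss_expectancy(self) -> float:
        # SLE = AV * EF: financial damage expected each time the risk materialises
        return self.asset_value * self.exposure_factor

    def annualised_loss_expectancy(self) -> float:
        # ALE = SLE * ARO: financial damage expected from this risk per year
        return self.single_loss_expectancy() * self.annual_rate_of_occurrence


def aro_from_interval(events: float, years: float) -> float:
    """ARO from 'N events every M years'; once per 100 years -> 0.01."""
    if years <= 0:
        raise ValueError("years must be positive")
    return events / years


def exposure_factor_from_residual_capacity(residual_capacity: float) -> float:
    """EF when the asset keeps running at reduced capacity during the event.

    The notes' DoS case: 10% capacity remaining -> EF = 100% - 10% = 90%.
    """
    if not 0.0 <= residual_capacity <= 1.0:
        raise ValueError("residual capacity must be a fraction between 0 and 1")
    return 1.0 - residual_capacity


def max_justified_annual_spend(risk: QuantitativeRisk) -> float:
    """Ceiling on yearly control spend for this risk: the ALE itself.

    A control costing more per year than the ALE costs more than the risk does.
    """
    return risk.annualised_loss_expectancy()


def control_is_cost_justified(risk: QuantitativeRisk, annual_control_cost: float) -> bool:
    """Apply the notes' rule: do not spend more than the ALE per year against a risk."""
    return annual_control_cost <= max_justified_annual_spend(risk)


def prioritise_by_ale(risks: Iterable[QuantitativeRisk]) -> List[QuantitativeRisk]:
    """Portfolio view: rank risks by ALE, highest first, to order remediation."""
    return sorted(risks, key=lambda r: r.annualised_loss_expectancy(), reverse=True)


# The notes' scenario: $1000/hour in sales, three-hour outage, three attacks a
# year, and the server running at 10% capacity during an attack.
DOS_EMAIL = QuantitativeRisk(
    name="DoS against email server",
    asset_value=1000 * 3,                                           # AV = $3,000
    exposure_factor=exposure_factor_from_residual_capacity(0.10),   # EF = 0.9
    annual_rate_of_occurrence=aro_from_interval(3, 1),              # ARO = 3.0
)

if __name__ == "__main__":
    r = DOS_EMAIL
    print(f"{r.name}: SLE=${r.single_loss_expectancy():,.0f} "
          f"ALE=${r.annualised_loss_expectancy():,.0f} "
          f"max justified annual spend=${max_justified_annual_spend(r):,.0f}")
```

With the notes' figures this yields SLE = $2,700 and ALE = $8,100, so an anti-DoS control costing $5,000 a year passes the spending check while one costing $10,000 a year does not.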
Qualitative Risk Assessment
Qualitative risk management is an approach to risk management that focuses on assessing and analysing risks using non-numerical methods.
To evaluate and prioritise risks, it relies on
Subjective judgement
Expert opinions
Descriptive scales
Challenges/Solutions
Limited data availability:
Challenge: In situations where precise data on the likelihood and impact of risks is scarce or difficult to obtain, quantitative methods may be challenging.
Solution: Qualitative risk assessment allows for risk evaluation based on available information, expert judgement, and qualitative descriptions.
Subjective human factors:
Challenge: The subjective nature of risk perception and the influence of human factors can complicate objective risk assessment.
Solution: Qualitative risk assessment acknowledges subjectivity, but provides a structured approach to capturing expert opinions and diverse perspectives.
Early-stage assessments:
Challenge: In the early stages of a project or when specific data is not yet available, a detailed quantitative analysis may not be feasible.
Solution: Qualitative risk assessment enables organisations to conduct preliminary risk assessments, fostering early awareness and risk identification.
Communication with stakeholders:
Challenge: Communicating complex quantitative risk metrics to non-experts/stakeholders without a strong background in risk analysis can be challenging.
Solution: Qualitative risk assessment provides a more accessible way to communicate risk information, using descriptors like low, medium, and high.
In the example, the greatest risks facing the organisation are:
Stolen unencrypted devices
Spear phishing
Both risks share a high probability and high magnitude of impact.
This risk assessment informs us that our time and money would likely be better spent on full-disk encryption for mobile devices and a secure email gateway.
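The qualitative ranking described above, using the descriptive low/medium/high scales and the RISK SEVERITY = Likelihood * Impact idea on an ordinal scale. This is an added example and not part of the original notes; the two named risks and their high/high ratings are the notes', the other register entries are constructed filler, and the function names and the 1..3 scoring are my own choices.

```python
"""Qualitative risk matrix: descriptive scales instead of monetary values.

Added example, not the notes' own material. Likelihood and impact are rated
low/medium/high, mapped to 1..3, multiplied to a 1..9 severity score and
mapped back to a descriptor for stakeholder communication.
"""
from typing import Iterable, List, Tuple

# Descriptive scale -> ordinal score (assumed 3-level scale)
LEVELS = {"low": 1, "medium": 2, "high": 3}

Risk = Tuple[str, str, str]   # (name, likelihood, impact)


def severity(likelihood: str, impact: str) -> int:
    """RISK SEVERITY = Likelihood * Impact on the ordinal scale (1..9)."""
    try:
        return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    except KeyError as missing:
        raise ValueError(f"unknown level {missing}; use one of {sorted(LEVELS)}") from None


def severity_band(score: int) -> str:
    """Map the 1..9 product back to low/medium/high (assumed band boundaries)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_risks(register: Iterable[Risk]) -> List[Risk]:
    """Sort register entries by severity, highest first; ties keep input order."""
    return sorted(register, key=lambda r: severity(r[1], r[2]), reverse=True)


def top_risks(register: Iterable[Risk]) -> List[str]:
    """Names of all risks sharing the highest severity score in the register."""
    ranked = rank_risks(register)
    if not ranked:
        return []
    best = severity(ranked[0][1], ranked[0][2])
    return [r[0] for r in ranked if severity(r[1], r[2]) == best]


# Constructed register: the first two entries and their ratings come from the
# notes; the "Hypothetical" entries are filler to show the ranking.
REGISTER: List[Risk] = [
    ("Stolen unencrypted devices", "high", "high"),
    ("Spear phishing", "high", "high"),
    ("Hypothetical: data-centre flood", "low", "high"),
    ("Hypothetical: expired TLS certificate", "medium", "medium"),
    ("Hypothetical: stale internal wiki page", "low", "low"),
]

if __name__ == "__main__":
    for name, likelihood, impact in rank_risks(REGISTER):
        score = severity(likelihood, impact)
        print(f"{score} ({severity_band(score):6}) {name}: {likelihood}/{impact}")
```

Run stand-alone it prints the register ordered by severity, with the two high/high risks from the notes at the top; the only judgement in the code is the band boundaries, which an organisation sets to match its own appetite.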
Many organisations combine quantitative and qualitative techniques to get a comprehensive perspective of both the tangible and intangible risks they face.