How to Do a Cyber Risk Assessment (Part 1 - Overview)
Before we dive into the cyber risk assessment process, let's start by defining what risk is. In the broadest sense, risk refers to the potential for loss or damage when an outcome is uncertain. It involves two key elements: the likelihood of an event occurring, and the impact or consequences if it does occur.
For example, consider the risk of a house fire. The likelihood may be low, but the impact would be devastating - both in terms of potential harm to inhabitants and destruction of property. The same principle applies to cyber risk, which refers to the potential for loss or damage resulting from a cyber threat or attack.
In the context of cybersecurity, risk can be seen as the intersection of threats, vulnerabilities, and impacts. A threat, in this context, is anything that could exploit a vulnerability in your organization's systems or networks, leading to a negative impact. This could be anything from hackers trying to steal sensitive data, to employees accidentally downloading malicious software.
A vulnerability, on the other hand, is a weakness in a system or network that could be exploited by a threat. This could be a software bug, weak passwords, or even a lack of employee awareness about phishing scams.
Impact is the potential damage that could be caused if a threat exploits a vulnerability. This could range from financial loss and reputation damage, to regulatory penalties or operational disruption.
So, when we talk about a 'cyber risk assessment', we're essentially talking about a systematic process to identify and evaluate the cyber threats your organization faces, the vulnerabilities that could be exploited, and the potential impact on your organization. Now, let's delve into how this is done in practice through the four major steps of a cyber risk assessment.
What does a cyber risk assessment do?
Much has been written on risk in general and cyber risk in particular, and I'm going to link to a lot of excellent tools that you can use to go deeper down the rabbit hole. However, in this article I'll show you how you can extract the necessary concepts from the literature and put them to work in a real situation. So let's begin!
Here are the four major steps you need to take to figure out what risk you are running based on your cyber security posture.
- The first step in your journey to understanding your cyber risk is the Threat Description. This is where you take a deep dive into the universe of potential threats your organization could face. This step assumes that you already have a very good understanding of what your business functions and IT assets are. This knowledge is essential because it is these assets that, unfortunately, attract threat activity. During this stage we figure out exactly what kinds of threat activity these assets could attract. This requires extensive research and ongoing vigilance, as the nature of threats evolves rapidly with technological advancements and changes in attacker strategies. The output of this step is the identification of relevant threat actors and of what we will call "threat patterns": the ways in which threat actors undertake their activity at the tactical level (i.e., what they actually do to exploit your IT assets and impact your business functions).
- The second step is the Expected Impact Estimate. Here, based on the identified threat patterns, you need to forecast the potential damage if these threats were to materialize. This is not just a monetary value, but also includes aspects like damage to reputation, regulatory repercussions, and impact on customer trust. The estimate is typically computed from two quantities: how often each threat pattern is expected to occur, and the average severity of the damage each occurrence would cause. It's vital to be realistic in this stage, as underestimating the potential impact could leave you unprepared.
- The third step is about Security Controls. Now that you understand what you're up against and the potential implications, the next step is to assess your organization's current defenses. This involves examining your existing security measures, their implementation, and their effectiveness against the identified threats. It's about asking: Are these controls enough? Where are the gaps, and what more can we do?
- Finally, the fourth step is determining the Residual Risk. This is the risk that remains after your existing security controls have been taken into account. No security system is entirely foolproof, so it's crucial to understand what risk still exists despite your best efforts. This step should also involve exploring different options to address this residual risk - whether through enhancing your security controls, transferring the risk (e.g., via cyber insurance), or accepting the risk if it's within your organization's risk tolerance. Understanding your residual risk is a fundamental part of creating a resilient cyber risk strategy.
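To make the four steps concrete, here is an added worked example (my own illustration, not code or data from the original article) of a minimal quantitative risk register. It walks from threat patterns (step 1) through an expected-loss estimate (step 2), credits the controls in place (step 3), and computes the residual risk and a treatment decision against a risk tolerance (step 4). Two modelling choices are assumptions that the page does not state: expected annual loss is modelled as annual event frequency multiplied by average loss per event (the likelihood-times-impact idea from the opening definition), and each control is modelled as removing a fixed fraction of the frequency and/or of the loss. Every threat pattern, actor, control and figure below is constructed for illustration.

```python
"""Added worked example: a minimal quantitative risk register for the four steps.

Assumptions (not from the original article): expected annual loss = annual event
frequency x average loss per event; each control removes a fixed fraction of the
frequency and/or of the loss. All threat patterns, controls and numbers below are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    likelihood_reduction: float = 0.0   # fraction of events the control prevents (0..1), assumed estimate
    impact_reduction: float = 0.0       # fraction of loss removed when an event still happens (0..1)


@dataclass
class ThreatPattern:
    name: str                 # step 1: what the actor actually does to your assets
    actor: str                # step 1: who does it
    annual_frequency: float   # step 2: expected occurrences per year (estimate)
    loss_per_event: float     # step 2: average loss per occurrence (money, or a proxy for reputation/regulatory harm)
    controls: List[Control] = field(default_factory=list)  # step 3: controls already in place


def inherent_risk(t: ThreatPattern) -> float:
    """Step 2: expected annual loss before any control is credited."""
    return round(t.annual_frequency * t.loss_per_event, 2)


def residual_risk(t: ThreatPattern) -> float:
    """Step 4: expected annual loss after the controls in place are credited.
    Reductions compound multiplicatively; no control is ever assumed to be perfect."""
    freq, loss = t.annual_frequency, t.loss_per_event
    for c in t.controls:
        if not (0.0 <= c.likelihood_reduction <= 1.0 and 0.0 <= c.impact_reduction <= 1.0):
            raise ValueError(f"control {c.name!r}: reductions must be fractions in [0, 1]")
        freq *= 1.0 - c.likelihood_reduction
        loss *= 1.0 - c.impact_reduction
    return round(freq * loss, 2)


def treatment(residual: float, tolerance: float) -> str:
    """Step 4: accept if within the tolerance the business has set; otherwise the risk
    needs further treatment (more controls, or transfer via insurance)."""
    return "accept" if residual <= tolerance else "treat"


def risk_register(patterns: List[ThreatPattern], tolerance: float) -> List[Dict]:
    """Build the register, ordered by residual risk so the worst gap comes first."""
    rows = []
    for t in patterns:
        inh, res = inherent_risk(t), residual_risk(t)
        rows.append({"threat": t.name, "actor": t.actor, "inherent": inh, "residual": res,
                     "controls": [c.name for c in t.controls],
                     "decision": treatment(res, tolerance)})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register: the figures are illustrative, not data from the article.
SAMPLE_PATTERNS = [
    ThreatPattern("Phishing leading to credential theft", "financially motivated criminals",
                  annual_frequency=4.0, loss_per_event=50_000.0,
                  controls=[Control("MFA on all remote logins", likelihood_reduction=0.8),
                            Control("Phishing awareness training", likelihood_reduction=0.3)]),
    ThreatPattern("Ransomware via exposed remote access", "ransomware affiliates",
                  annual_frequency=0.5, loss_per_event=1_000_000.0,
                  controls=[Control("Patching of internet-facing services", likelihood_reduction=0.5),
                            Control("Offline, tested backups", impact_reduction=0.7)]),
    ThreatPattern("Insider exfiltration of customer data", "disgruntled employee",
                  annual_frequency=0.2, loss_per_event=300_000.0),  # no control credited yet
]
RISK_TOLERANCE = 50_000.0  # assumed: maximum acceptable expected annual loss per threat pattern

if __name__ == "__main__":
    for row in risk_register(SAMPLE_PATTERNS, RISK_TOLERANCE):
        print(f"{row['threat']:<45} inherent={row['inherent']:>12,.0f} "
              f"residual={row['residual']:>10,.0f}  -> {row['decision']}")
```

Running the script ranks the sample patterns by residual risk: ransomware stays above tolerance even with patching and backups credited, the uncontrolled insider case lands second, and phishing drops below tolerance once MFA and training are credited. The point of the exercise is not the precise numbers (they are guesses, and should be revisited as the threat picture changes) but that each step produces an explicit, reviewable input, and that the treatment decision is made against a tolerance the business has stated rather than by gut feel.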