Asessing cyber risks

By Roddy

Risk management is central to cyber security. It is impossible to create a fully secure system (even an air-gapped one) so there are always risks to the confidentiality, integrity and availability of any information held or processed in any technology-based system. Obviously, there are risks in any information storage system – paper, memory, knotted strings – but these other storage methods are outside our current scope.

So we start designing an information security management system by looking at the risks that the owner of the information faces. But how do we work out what those risks are? We can:

  • Ask the information owner (perhaps a whole hierarchy of managers in an organisation)
  • Use a checklist of standard risks
  • Look at each system or storage location or device, and identify any event which would compromise its functionality
  • Look at each information flow and consider how it might be disrupted.

There are, as in anything, strengths and weaknesses in each approach but we should be able to arrive at a reasonable list of untoward events. Then, the problem is, how do we work out the likelihood of each event and how much damage it might cause. We need to do this to allow us to identify the most important risks so as to direct resources to tackling them, rather than wasting efforts on trivial risks.

Calculating likelihood is, in theory, fairly simple, even if we have to use some subjective judgement. We don’t need to arrive at a precise figure: a position on a relative scale is generally adequate. We can look at whether the risk has occurred before, to us or elsewhere in any similar scenario. For hardware, we may have access to Mean Time Before Failure stats. We can, if we have the right resources, incorporate threat intelligence, vulnerability assessments and expert advice.

Calculating the potential damage of each risk is much harder. The risk could occur at different times, on different scales, following different paths, with widely varying consequences. So what do we do? I suggest picking a middle value between the most extreme assessments and then validating this with someone who has a direct interest in this: a data owner – an individual or a business manager in an organisation.