Identifying Risk
Last time, I introduced the third COSO guiding principle, Performance. This week, we’ll move on to the first point under Performance, which is Identifies Risk.
Performance has 5 points:
Identifies Risk
Assesses Severity of Risk
Prioritizes Risk
Implements Risk Responses
Develops Portfolio View
Oddly enough, minimizing risk starts with first identifying the risk, but in all seriousness, identifying risk is easier said than done. It is impossible to identify every possible risk, but it is possible to identify the most likely risks that would impair an organization's ability to meet its objectives.
From a cyber risk perspective, risk identification comprises four primary inputs:
Inventory and value of assets
Identifying potential threats
Identifying successful attack scenarios
Evaluating potential consequences
Let’s talk about some key activities that you should undertake for each of these inputs.
Inventory and Value of Assets
Any risk assessment must first understand your organization's digital and physical assets and their value to the organization. Organizational value always breaks down to dollars and cents, but it is not always easy to translate it to those terms. Risk to revenue may be easy to calculate, but risk to reputation or risk to health and safety? Not so much.
Traditionally, a business impact analysis (BIA) allows you to accomplish the goal of understanding the importance of assets to your organization. The BIA assesses the amount the organization stands to lose when there is business disruption and is necessary to differentiate between critical and non-critical services, technologies, or processes so that you can prioritize security controls and remediation efforts.
For this reason, an organization cannot conduct the BIA in a vacuum. It must be undertaken and driven by senior management throughout the organization.
Identifying Potential Threats
Now it’s time to conduct a threat modeling exercise. Threat modeling is a structured process in which potential threats are identified and enumerated so that mitigations can be prioritized.
There are many sources of available cyber threat information, ranging from paid subscriptions to free sources, such as the Cybersecurity and Infrastructure Security Agency (CISA).
Several threat modeling techniques are available for analyzing these threats. These techniques focus on two approaches: top-down and bottom-up.
A top-down approach is an asset view that evaluates critical assets for what could potentially go wrong. A bottom-up approach is a threat view that assesses the potential impact of a given set of defined threat scenarios. Some examples of each type of approach are:
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) (top-down): Helps organizations tie together the assets that are critical to achieving organizational objectives, the threats to those assets, and the vulnerabilities those threats may exploit.
Microsoft STRIDE (bottom-up): STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation (escalation) of Privilege.
MITRE's ATT&CK™ (bottom-up): A globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
No matter which method you use, it is vital to consider the threats in the context of your business, the threat actors involved (e.g., script kiddies versus nation-states), and the impact of their actions.
Identifying Potential Attack Scenarios
Now that we understand how to identify threats, we need to determine how they can exploit our environment's weaknesses by identifying potential attack scenarios. Remember, a threat cannot become a risk unless there is a weakness, or a vulnerability, that the threat can exploit.
Here is another example of why understanding business context is essential. Attack scenarios will differ for your type and size of organization. A Fintech startup will have vastly differing attack scenarios than a nuclear power plant. Take the time to identify the attack scenarios that attackers are most likely to use in your environment.
There are three primary methods for identifying potential attack scenarios that are similar, yet distinctly different: penetration testing, red teaming, and threat hunting.
Evaluating Potential Consequences
Now that we understand the potential threats and attack scenarios, we need to evaluate the consequences those threats and attacks, or incident scenarios, may have on our identified assets.
The impact of the incident scenarios must consider our business context. Through the BIA, assets should have assigned values based on their financial cost and business consequences if they are damaged or compromised.
Examples of some consequences to consider are:
Health and safety (particularly in operational technology environments)
Investigation and repair time
Work time lost
Opportunity cost
Costs to bring in outside help for remediation activities
Image, reputation, and goodwill
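To make the four inputs concrete, here is a small risk-identification register that I have added as an illustration; it is not part of the original post or of any COSO, OCTAVE, or MITRE material. It encodes the rule stated above: a threat only produces a risk entry where it matches a weakness on an asset, and each entry carries the BIA-derived consequence values for that asset. The assets, threat actors, STRIDE weaknesses, and dollar figures are constructed sample data, and severity and prioritization are deliberately left out because they are the next steps.

```python
"""Minimal risk-identification register: assets (with BIA values), threats,
weaknesses, and the attack scenarios that fall out of joining them.

All data below is constructed for illustration; the figures are not real.
"""
from dataclasses import dataclass, field

# STRIDE categories used to describe both threat capabilities and asset weaknesses.
STRIDE = {
    "Spoofing", "Tampering", "Repudiation", "Information Disclosure",
    "Denial of Service", "Elevation of Privilege",
}


@dataclass
class Asset:
    """Inventoried asset with BIA-derived loss estimates per consequence category."""
    name: str
    consequences: dict              # consequence category -> estimated loss (USD)
    weaknesses: set = field(default_factory=set)  # STRIDE categories the asset is exposed to

    def __post_init__(self):
        # Reject unknown weakness labels so typos cannot silently drop a scenario.
        unknown = self.weaknesses - STRIDE
        if unknown:
            raise ValueError(f"{self.name}: unknown STRIDE categories {sorted(unknown)}")

    def total_value(self) -> float:
        """Sum of all consequence estimates if the asset is fully compromised."""
        return sum(self.consequences.values())


@dataclass
class Threat:
    """A threat actor and the STRIDE effects it is capable of producing."""
    actor: str
    effects: set


def identify_risks(assets, threats):
    """Return one scenario per (threat, asset, weakness) where a threat effect
    matches an exposed weakness. A threat with no matching weakness yields
    nothing: without a vulnerability there is no risk."""
    scenarios = []
    for threat in threats:
        for asset in assets:
            for weakness in sorted(threat.effects & asset.weaknesses):
                scenarios.append({
                    "threat": threat.actor,
                    "asset": asset.name,
                    "weakness": weakness,
                    "consequences": dict(asset.consequences),
                    "estimated_loss": asset.total_value(),
                })
    return scenarios


def example_register():
    """Constructed sample inventory and threat list; returns the scenarios."""
    assets = [
        Asset("Customer database",
              {"Investigation and repair": 50_000, "Work time lost": 20_000,
               "Reputation and goodwill": 200_000},
              {"Information Disclosure", "Tampering"}),
        Asset("Plant safety PLC",
              {"Health and safety": 1_000_000, "Investigation and repair": 80_000},
              {"Denial of Service", "Tampering"}),
        Asset("Marketing website",
              {"Reputation and goodwill": 15_000, "Work time lost": 2_000},
              {"Spoofing"}),
    ]
    threats = [
        Threat("Financially motivated criminal group",
               {"Information Disclosure", "Tampering", "Denial of Service"}),
        Threat("Opportunistic scanner (script kiddie)", {"Denial of Service"}),
        Threat("Disgruntled insider", {"Repudiation", "Information Disclosure"}),
    ]
    return identify_risks(assets, threats)


if __name__ == "__main__":
    for s in example_register():
        print(f"{s['threat']:40} -> {s['asset']:18} via {s['weakness']:22} "
              f"est. loss ${s['estimated_loss']:,}")
```

Running it lists six scenarios; the marketing website produces none because no modeled actor has a Spoofing capability, which is exactly the "no weakness, no risk" point made above, and the PLC scenarios carry the health and safety figure that a pure revenue view would miss.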
Next time we’ll talk about assessing the severity of each risk.
As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.
Have a great week!