Cyber Security Risk Management in Context
Author – Robyn Bailey
A good cyber security program requires good management of risk, usually in accordance with Risk Management Standard ISO31000, although there’s almost always one critical step that is overlooked.
Setting the context of a risk assessment is the first and one of the most important steps – if all participants of the assessment are not working and analyzing at the same context then there is bound to be a mismatch and incorrect risk ratings assigned. This can lead to over-application of controls (and a lack of return on security investment leading to reputational issues for the cyber security specialists) or under application.
The following diagram represents the multi layered approach to cyber security risk management and examples of key stakeholders for input to a risk assessment within each context.
Each layer should then be further broken down into vulnerabilities and threats.
An example I often use to explain these layers and contextual awareness (or lack of) is the identification of a vulnerability in a browser on a server by an operational staff member. Whilst industry vulnerability ratings (eg http://cve.mitre.org/) may identify the vulnerability as High, the threat may be low (no or minimal human threat actors as there is very minimal use of the browser) therefore the risk, even at the Operational context, is not High. Once we “roll-up” the risk to the layer layers, this particular risk should get consumed within more important business cyber risks – the CEO and Audit and Risk are not concerned with one vulnerability on a server.
Delving deeper into individual risks, as a risk practitioner of many years, I often see a lack of contextual alignment in the likelihood and impact. For instance, using a basic risk of Weather event causes data centre outage, we can assume that a weather event may be Possible and a data centre outage could have a Severe impact when the factors of the risk are treated separately – perhaps giving a Very High risk rating. However, when the full context of the risk is documented – for example, Weather event causes data centre outage beyond 3 days, we can see that the likelihood is probably Rare, the Impact remains as Severe, giving a Medium risk rating (depending on your risk matrix of course).