More about technical cyber risk assessments

Our last article presented business leaders with a question not always considered synonymous with cyber risk – how do you successfully assess and measure cyber culture within an organization? Taking this series and our theme of management attention to the next level, we’ll pose another question to business leaders: How do you know if your approach to cyber risk management, and technical cyber risk assessments specifically, is the correct approach? The simple answer is that you need to involve the business and ensure that your technical cyber risk assessments align with your business strategy and objectives. However, the implementation of this practice is not so simple.

Cybersecurity is no longer just technology focused. Security leaders are involving business leaders and their teams to strengthen and enhance the cyber resilience of the organization in an integrated way. Cyber is improving and leveling the playing field with its attackers. Getting the most value for every cybersecurity dollar spent becomes more critical as entities automate, as every new automated process and asset becomes a new vulnerability for cyberattack.

To make things even more challenging, most executives lack confidence in the budgeting process. According to a recent study¹ of over 3,000 companies, more than half of business and tech/security executives indicated that they lack confidence that cyber spending is aligned to the most significant risks. They lack confidence that their budget funds remediation; that risk mitigation and/or response techniques will provide the best defense; that budgets provide the resources needed for a severe cyber event; or that the process monitors the cyber program’s effectiveness in comparison to expenditures. Cyber budgets could align to overall enterprise or business unit budgets in a strategic, data-driven way, but most executives lack confidence that their current budgeting process does this. They similarly lack confidence that cyber budgets provide proper controls over emerging technologies.

So, it stands to reason that in conducting technical cyber risk assessments, the business wants to make sure that the most critical vulnerabilities are identified and that they are spending their money on mitigating controls that are: 1) aligned in support of its strategy and 2) will provide the greatest return for the implemented control. To do this, care must be taken to ensure that technical cyber risk assessments are performed with the right participants and are conducted with an eye toward the strategic objectives of the company. The primary purpose of a cyber risk assessment is to help inform decision-makers and support proper risk responses. It also provides an executive summary to help executives and directors make informed decisions about security.

Why perform a technical cyber risk assessment?

The most basic reasons to perform a technical cyber risk assessment are:

• To reduce long-term costs: Identifying potential threats and vulnerabilities and working on mitigating them can prevent or reduce security incidents which will save the organization money and/or reputational damage in the long-term.
• To improve organizational understanding and awareness: Knowing organizational vulnerabilities provides a clear idea of where the organization needs to improve and raises the importance of security awareness.
• To avoid network outages and application downtime: Being more aware of potential threats and organizational vulnerabilities, can better ensure that the organization’s corporate network, as well as internal and external facing systems, are properly protected and segregated to ensure continued availability.
• To avoid data loss and data breaches: Theft of trade secrets, code, or other critical information assets could result in loss of business to competitors. Managing data securely is a critical responsibility of any organization and failure to do so can have considerable financial and reputational impacts.

Technical cyber risk assessments not only help to clarify what vulnerabilities the organization has but improves the organization’s understanding of its strengths and weaknesses in their ability to recover from any incident with the least impact and disruption to the organization. Cyber risk assessments are integral to information risk management, as well as to an organization’s enterprise risk management strategy.

Cyber risks are usually categorized as zero, low, medium, and high. Categorization factors include: 1) a definition of what the threat is; 2) a determination of the environment’s vulnerability to the threat; and 3) the reputational or financial damage that could result from a network outage or breach.

If the organization has no physical security, there would be increased risk associated with a cyberattack against an operating system with a known vulnerability that is easily exploitable via physical means and which stores high value information. If the organization has strong IT staff who can identify vulnerabilities (weaknesses in the control environment, in this case, the operating system) that can be exploited and patched or update the operating system to the latest version, the vulnerability can be mitigated, even though the information value is still high because the vulnerability was patched in the new version of the operating system.

Note that there are very few things with zero risk to a business process or information system. Risk simply means there is some level of uncertainty. If something is guaranteed to happen, it's part of general business operations and not a risk at all.

How is a technical cyber risk assessment performed?

Before assessing and mitigating risks, it is important to understand what data and infrastructure is in place and the value of the data that is being protected.

A good first step is to audit data assets and ask:

• What data is being collected?
• How and where is the data stored?
• How is the data documented and protected?
• How long is the data kept?
• Who has access to the data? (internal and external)
• Is the data properly secured?

Next, define the scope and intent of the assessment. Ensure that the purpose and intended deliverables of the assessment are clearly defined. Follow this 7-step plan to execute the assessment.

• Step 1: Define critical corporate information assets and their value
  Most organizations don't have an unlimited budget for cyber risk management so limit scope to the most business-critical assets. Define a standard for categorizing the importance of an asset. Most organizations include asset value, legal standing and business importance.
• Step 2: Identify and prioritize assets
  Once defined, use the asset classification to tag each asset as critical, major or minor (1, 2, or 3). This will help to prioritize which assets to assess. It may not be reasonable to perform an assessment on every application, server, device, dataset, piece of intellectual property, and so on. It is important to remember that not all assets have the same value.
• Step 3: Identify cyber threats
  A cyber threat is any vulnerability that could be exploited to cause harm, such as a network outage of any magnitude, or the theft of data from the organization. The most dangerous threats are those that could impact what is most important to the business, whether it be information, operations, or anything else that is critical to the attainment of business strategy and objectives. As threats are most effectively accomplished in conjunction with partners from the business, engage the business operations representatives so that they can assist in assessing potential threat impacts.
• Step 4: Identify vulnerabilities
  Pivot from thinking about what “could" happen to what realistically has a chance of happening. A vulnerability is a weakness that a threat can exploit. Vulnerabilities are found through vulnerability analysis, the National Institute for Standards and Technology (NIST) vulnerability database, audit reports, vendor data, incident response reports, and software security analysis. While some organizational software-based vulnerabilities can be reduced with proper patch management, do not forget to address physical vulnerabilities and what can be done to minimize their likelihood.
• Step 5: Assess controls and define new controls
  Evaluate the controls that are in place to minimize or eliminate the probability of a threat or vulnerability. Controls can be implemented through technical means, such as hardware or software, encryption, intrusion detection mechanisms, two-factor authentication, automatic updates, continuous data leak detection, or through nontechnical means like security policies and physical mechanisms like locks or keycard access. Classifying these controls as preventative or detective will assist in determining which to implement and in what order.
• Step 6: Calculate the likelihood and impact of various scenarios on a per-year basis
  From the above steps, the value of the information the organization is managing has been clarified, vulnerabilities have been outlined, threats have been identified, and potential mitigating controls have been itemized and categorized. The next step is to assess how likely the defined threats are to occur and what their potential impact might be. This information can be utilized to determine how much to spend to mitigate each of the identified cyber risks. Here is where it is important to engage the business operations representatives previously defined, so that they can assist in assessing potential threat impacts. Their knowledge of the business operations is crucial to identifying and walking through the flow of how and what could happen to best itemize such impacts.
• Step 7: Prioritize risks based on the cost of prevention vs information value
  Use risk levels as a basis and determine actions for senior management or other responsible individuals to mitigate the risk. Here are some risk level general guidelines:
  • High – corrective actions to be taken as soon as possible
  • Medium – corrective actions to be taken within a reasonable period of time
  • Low - decide whether to accept the risk or mitigate

If it costs more to protect the asset than it's worth, it may not make sense to implement a mitigating control to protect it. While going through this evaluation, it may be prudent to consider whether the organization could be faced with a reputational impact in addition to a financial impact. There is a fundamental difference in developing the support for the protection of an asset (be it information, control system, business process or IP), and other investment opportunities. The key is to recognize that in prioritizing risks, the cost of prevention vs. asset value is clear. Conducting Technical Cyber Risk Assessments with a team of business representatives that understand the business, its operations, communications, and its strategy, will promote alignment to corporate strategy, and enable the objective assessment of assets, threats, vulnerabilities and mitigating controls to ensure that a return on controls is indeed achieved.

Footnote

¹ PwC Consulting, 2021. Rethink your cyber budget to get more out of it. Digital Insights. https://www.pwc.com/us/en/services/consulting/cybersecurity-privacy-forensics/library/global-digital-trust-insights/cyber-budget.html

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.

Author

---

Claudia Piccirilli

Senior Director, Global FINEX Data Science & Analytics

email Email phone +1 267-231-9880

---