Risky Business: 6 steps to assessing cyber risks for the enterprise

Steve Durbin
Published 27 - March - 2024
Read the full article on CSO Online
Risk is an unavoidable consequence of doing business in the digital age. These six steps for creating a risk assessment plan can help anticipate the danger.

With the explosive rise of digital information, the continued success of modern enterprises has become inextricably bound to the effective use and management of data. However, new efficiency-driving technologies, global interconnectivity, and remote work have also introduced several significant and high-profile information risks.

The specter of risk is leaving organisations with no choice but to improve the overall management of various cyber risks. What follows is a step-by-step process (based on the Information Security Forum’s IRAM2 methodology) that cybersecurity and risk practitioners can leverage to assess and manage information risk.

Step 1: Scoping exercises

The objective of a scoping exercise is to provide a business-centric view of an identified risk. This involves achieving alignment and agreement between stakeholders on the business scope (intellectual property, brand or reputation, organisational performance) and the technological scope of the assessment (information architecture, user profiling, assessment of a technology or a service).

This exercise can help determine which party will be responsible for assessing the various risk domains and the mandate behind a particular risk assessment. For example, it establishes who will assess the introduction of a new business service or technology, or who will address management concerns about a particular area of the business.

Step 2: Business impact assessment (BIA)

A BIA is used to determine the potential business impact should any information asset or system have its confidentiality, availability, or integrity compromised. The first step in a BIA is to identify all relevant information assets, such as customer and financial data, and information used for the operation of services and systems, across all environments and across the entire information lifecycle (input, processing, transmission, storage).

Once assets are identified, a value (rank or priority) can be assigned to each. The extent of a potential security incident can then be estimated for each asset by comparing a realistic scenario (the most reasonable expected impact) with a worst-case scenario.

Step 3: Threat profiling

This phase helps to identify and prioritize threats and understand how they can manifest. Threat profiling starts with the identification of potentially relevant threats through discussion with key stakeholders and analysing available sources of threat intelligence (e.g., an internal threat intelligence team or external commercial feeds).

Once the threat landscape is built, each threat it contains should be profiled. Threats can be profiled based on two key risk factors: likelihood of initiation — the likelihood that a particular threat will initiate one or more threat events — and threat strength, or how effectively a particular threat can initiate or execute threat events.

Threats can also be further profiled by separating them into an overarching group: adversarial, accidental, or environmental.
