Cybersecurity risk analysis: Cybersecurity in the Organization
This lesson focuses on cybersecurity risk analysis, explaining how organizations can assess and mitigate risks. It begins by discussing the probabilistic nature of risk, emphasizing that no system is completely secure. Risk is a function of two components: impact (the damage caused by an event) and likelihood (the probability of the event occurring).
Key Concepts:
1. Risk Grid:
• The lesson introduces a risk grid to classify threats based on impact and likelihood.
• Some risks may have low likelihood but high impact (e.g., a meteor hitting a data center), while others may have high likelihood and high impact (e.g., phishing attacks in banking).
• Organizations must prioritize high likelihood and high impact risks by implementing mitigation strategies that reduce the impact, the likelihood, or both.
2. Inherent vs. Residual Risk:
• Inherent Risk: The level of risk before any security controls are applied.
• Residual Risk: The level of risk that remains after mitigation controls are implemented. While risk cannot be eliminated entirely, it can be reduced to an acceptable level.
3. Expected Monetary Value (EMV):
• A quantitative approach to risk analysis is presented through the Expected Monetary Value (EMV) formula:
EMV = Impact × Likelihood.
• For example, if a cyber attack is expected to cost $100,000 and has a 70% chance of occurring in a year, the EMV is $70,000.
4. Risk Terminology:
• Single Loss Expectancy (SLE): The potential loss from a single occurrence of the event.
• Annual Rate of Occurrence (ARO): The expected number of times the event occurs in a year. It is a rate, not a probability: for rare events it is close to the annual probability, but it can exceed 1 when an event recurs several times a year.
• Asset Value and Exposure Factor: The value of the asset being protected and the fraction of that value lost if an incident occurs. SLE = Asset Value × Exposure Factor, and SLE × ARO gives the annual expected loss, which is what the EMV formula above computes.
5. Risk Mitigation Decision:
• The lesson walks through a risk mitigation scenario with two technology options, each reducing the likelihood and impact of a cybersecurity event.
• Technology 1: Costs $100,000 annually and reduces the impact by 30% and likelihood by about 6%.
• Technology 2: Costs $65,000 annually but provides a smaller risk reduction (5% to 10% impact reduction).
• A decision tree is used to compare the costs and benefits of each option, ultimately showing that the more expensive option (Technology 1) provides a better return on investment in terms of reduced expected losses. That result depends on the baseline loss figures: a control whose annual cost exceeds the expected loss it removes is not worth buying, and accepting the residual risk is then the better decision.
6. Risk Assessment Framework (NIST SP 800-30):
• The lesson introduces a basic risk assessment framework from NIST, which includes:
1. Identifying threat sources and events: These could be insider threats, nation-state actors, or specific incidents like phishing.
2. Identifying vulnerabilities: Both technical and non-technical vulnerabilities, such as outdated software or insecure organizational practices.
3. Estimating likelihood and impact: Based on empirical data and past experience.
4. Calculating risk: Based on the likelihood and impact of identified vulnerabilities and threats.
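As an added example that is not part of the lesson, the following Python sketches a risk grid of the kind described under Key Concept 1 and shows how controls move a risk from its inherent to its residual position (Key Concept 2). The 1-to-5 scales, the band thresholds and the sample controls are assumptions for illustration; the lesson itself only distinguishes low from high.

```python
# Added example (not from the lesson): a qualitative risk grid with
# inherent and residual scoring. The 1-5 scales, band thresholds and the
# sample risks/controls below are assumptions for illustration.
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def band(likelihood: int, impact: int) -> str:
    """Map one cell of the 5x5 grid to a priority band (assumed thresholds on the product)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be scored 1..5")
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Control:
    """A mitigation, expressed as how many steps it moves each score down its scale."""
    name: str
    likelihood_steps: int = 0
    impact_steps: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int          # inherent score, before any control
    impact: int              # inherent score, before any control
    controls: list = field(default_factory=list)

    def inherent(self) -> tuple:
        return (self.likelihood, self.impact)

    def residual(self) -> tuple:
        """Scores after all controls. Floored at 1: controls lower risk, they do not remove it."""
        lk = self.likelihood - sum(c.likelihood_steps for c in self.controls)
        im = self.impact - sum(c.impact_steps for c in self.controls)
        return (max(1, lk), max(1, im))


def prioritize(risks: list) -> list:
    """Return (name, inherent band, residual band) sorted by residual score, highest first."""
    rows = []
    for r in risks:
        lk, im = r.residual()
        rows.append((r.name, band(*r.inherent()), band(lk, im), lk * im))
    rows.sort(key=lambda row: row[3], reverse=True)
    return [(name, inh, res) for name, inh, res, _ in rows]


# Constructed register built from the lesson's two illustrations.
REGISTER = [
    Risk("phishing of bank staff", LIKELIHOOD["almost certain"], IMPACT["major"],
         controls=[Control("phishing-resistant MFA", likelihood_steps=1),
                   Control("least privilege on payment systems", impact_steps=1)]),
    Risk("meteor strikes data centre", LIKELIHOOD["rare"], IMPACT["severe"],
         controls=[Control("off-site backups and DR site", impact_steps=2)]),
]

if __name__ == "__main__":
    for name, inherent, residual in prioritize(REGISTER):
        print(f"{name}: inherent={inherent} residual={residual}")
```

The floor at 1 in residual() is the point of Key Concept 2 in code: no set of controls takes a cell off the grid, it only moves it toward the low corner. Sorting on the residual score rather than the inherent one is what lets the register show where attention is still needed after the controls already in place are counted.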
Looking more closely at the formulas:
1. Expected Monetary Value (EMV):
• Formula:
EMV = Impact × Likelihood
• Impact refers to the monetary value of the loss if the event occurs.
• Likelihood is the probability of the event occurring within a certain time frame (e.g., once a year).
Example:
If a cyber incident is expected to cause $100,000 in damage and has a 70% chance of occurring in a year, the EMV is calculated as:
$100,000 × 0.7 = $70,000.
2. Single Loss Expectancy (SLE):
• Formula:
SLE = Asset Value × Exposure Factor
• Asset Value is the monetary value of the asset being protected.
• Exposure Factor is the percentage of the asset’s value that would be lost if a risk event occurs.
Example:
If an asset is worth $2 million and an incident would destroy 20% of its value (an exposure factor of 0.20), the SLE is calculated as:
$2 million × 0.20 = $400,000.
3. Risk Mitigation Comparison:
The lesson also provides an example of comparing the costs of different technologies or mitigation strategies:
• Technology 1 costs $100,000 annually and reduces both the likelihood and impact of a cyber event by a specific percentage.
• Technology 2 costs $65,000 annually but provides less risk reduction.
The decision tree is used to calculate how much the expected monetary value of the risk is reduced after applying these technologies, allowing for a cost-benefit comparison.
4. Annual Rate of Occurrence (ARO):
• This expresses the likelihood of an event as an expected number of occurrences per year. For an event that happens at most once a year it equals the annual probability used in the EMV formula; for events that can recur it is a frequency and may be greater than 1, so it should not be treated as a percentage capped at 100%.
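The following Python is an added example, not code from the lesson, that carries the formulas in items 1, 2 and 4 through to the cost-benefit comparison in item 3. It computes SLE, treats ARO as a rate, derives the annual expected loss (the lesson's EMV, usually called ALE), and evaluates the two technologies. The lesson gives only the reduction percentages, so the baseline asset value, the exposure factor, the choice of the upper end of Technology 2's 5% to 10% range, and the reading of "reduces likelihood by about 6%" as a proportional cut in ARO are all assumptions; the Poisson model in prob_at_least_one is likewise assumed, added to show why a rate and a probability differ.

```python
# Added example (not from the lesson): SLE, ARO and annual expected loss
# (the lesson's EMV; usually called ALE), then the cost-benefit comparison
# of the two technologies. The lesson gives only the reduction percentages,
# so the baseline asset value, exposure factor and the reading of "reduces
# likelihood by about 6%" as a proportional cut in ARO are assumptions.
import math
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: loss per occurrence. EF is the fraction of value lost, not a probability."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual expected loss = SLE x ARO. ARO is a rate per year and may exceed 1."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def prob_at_least_one(aro: float) -> float:
    """P(at least one event in a year) if events arrive as a Poisson process with
    rate ARO (assumed model). Close to ARO only when ARO is small; never above 1."""
    return 1.0 - math.exp(-aro)


@dataclass
class Option:
    name: str
    annual_cost: float
    impact_cut: float      # fraction of SLE removed by the control
    likelihood_cut: float  # fraction of ARO removed (proportional, assumed)


def evaluate(option: Option, single_loss: float, aro: float) -> dict:
    """Expected loss before and after the control, its benefit, and net value after its cost."""
    before = ale(single_loss, aro)
    after = ale(single_loss * (1.0 - option.impact_cut), aro * (1.0 - option.likelihood_cut))
    benefit = before - after
    net = benefit - option.annual_cost
    return {"option": option.name, "ale_before": before, "ale_after": after,
            "benefit": benefit, "net": net, "rosi": net / option.annual_cost}


def choose(options: list, single_loss: float, aro: float):
    """Pick the option with the highest net value. None means accept the risk:
    no option removes more expected loss than it costs."""
    results = [evaluate(o, single_loss, aro) for o in options]
    best = max(results, key=lambda r: r["net"])
    return best if best["net"] > 0 else None


# Constructed baseline: asset worth $5M, 20% exposure (the lesson's EF), 70% likelihood.
BASE_SLE = sle(5_000_000, 0.20)   # $1,000,000 per event
BASE_ARO = 0.7
TECH1 = Option("Technology 1", annual_cost=100_000, impact_cut=0.30, likelihood_cut=0.06)
TECH2 = Option("Technology 2", annual_cost=65_000, impact_cut=0.10, likelihood_cut=0.0)  # upper end of 5-10%

if __name__ == "__main__":
    for opt in (TECH1, TECH2):
        r = evaluate(opt, BASE_SLE, BASE_ARO)
        print(f"{r['option']}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"net {r['net']:,.0f}, ROSI {r['rosi']:.2f}")
    best = choose([TECH1, TECH2], BASE_SLE, BASE_ARO)
    print("choose:", best["option"] if best else "accept the risk")
```

With the assumed baseline, Technology 1 cuts the annual expected loss from $700,000 to $460,600 and nets $139,400 after its cost, while Technology 2 nets only $5,000, matching the lesson's conclusion. Had the baseline been the lesson's $100,000 × 0.7 = $70,000 alone, neither control would remove more expected loss than it costs and choose() would return None, which is the "accept the residual risk" branch of the decision tree. prob_at_least_one(2.0) returning about 0.86 rather than 2 is the difference between ARO as a rate and a probability.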
In conclusion, the lesson emphasizes the importance of using data to make informed decisions about risk mitigation and introduces simple formulas and frameworks that organizations can apply to assess and reduce cyber risk. While no system can be completely risk-free, understanding and managing risks is essential to minimizing potential damage.