Many organizations still focus their security priorities on meeting compliance.
This often leaves significant control gaps, because programs designed to satisfy compliance obligations tend to neglect areas the regulation does not specifically address. Other organizations take an ad hoc approach to security, implementing controls on an as-needed basis without a coherent strategy.
A more effective option is a risk-based approach to security, grounded in how the whole business perceives its security risks. Cyber-related risks must be identified, analyzed and prioritized like any other risk an organization might face.
Risk-based approaches to information security allow organizations to adopt strategies that are tailored to their unique operating environment, threat landscape and business objectives.
Risk = Likelihood x Impact
This means that the total risk exposure is the probability of an unfortunate event occurring, multiplied by the potential impact or damage the event would cause. If you put a euro value on the impact, you can express the risk in euro and compare one risk factor to another in a simple way.
Risk can also be defined as follows:
Risk = Threat * Vulnerability * Consequence
Risk = Threat * Vulnerability * Asset Value at Risk
Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
Risk – Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets.
Risk assessment methodology
The heart of a risk assessment framework (e.g. ISO27005, NIST SP 800-30, EBIOS Risk Manager, Monarc) is an objective, repeatable methodology that gathers input regarding business risks, threats, vulnerabilities, and controls and produces a risk magnitude that can be discussed, reasoned about, and treated.
The various risk frameworks follow similar structures but differ in the description and details of the steps. However, they all follow the general pattern of identifying assets and stakeholders, understanding security requirements, enumerating threats, identifying and assessing the effectiveness of controls, and calculating the risk based on the inherent risk of compromise and the likelihood that the threat will be realized.
Conducting a cybersecurity risk assessment will allow a business to target its effort on the risks most applicable and impactful to itself.
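As an added example (not code from the original article or any of the frameworks it names), the following Python risk register applies Risk = Likelihood x Impact from above and walks the general pattern just described: assets, threats and vulnerabilities are enumerated, controls are credited for their effect on likelihood, and the resulting inherent and residual risk figures are ranked so effort can be targeted at the largest exposures. Everything here is an assumption for illustration: the euro impact figures and probabilities are constructed, and control effectiveness is modelled as the fraction of remaining likelihood a control removes, which is one simple convention rather than something the article or the frameworks prescribe.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    """A control that reduces the likelihood of a threat being realized.

    `effectiveness` is the fraction of the remaining likelihood the control
    removes (0.0 = no effect, 1.0 = fully prevents). This scale is an
    assumption made for the example, not something the article defines.
    """
    name: str
    effectiveness: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"effectiveness out of range for control {self.name!r}")


@dataclass
class Risk:
    """One register row: a threat exploiting a vulnerability in an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: float        # annual probability the event occurs, 0..1
    impact_eur: float        # estimated loss per occurrence, in euro
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood out of range for asset {self.asset!r}")
        if self.impact_eur < 0:
            raise ValueError(f"impact must be non-negative for asset {self.asset!r}")

    def inherent_risk(self) -> float:
        """Risk = Likelihood x Impact, before any controls are credited."""
        return self.likelihood * self.impact_eur

    def residual_likelihood(self) -> float:
        """Likelihood after each control removes its share of what remains."""
        remaining = self.likelihood
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return remaining

    def residual_risk(self) -> float:
        """Risk = Likelihood x Impact, using the controlled likelihood."""
        return self.residual_likelihood() * self.impact_eur


def rank_by_inherent(register: List[Risk]) -> List[str]:
    """Asset names ordered from largest to smallest inherent risk (euro)."""
    ordered = sorted(register, key=lambda r: r.inherent_risk(), reverse=True)
    return [r.asset for r in ordered]


def rank_by_residual(register: List[Risk]) -> List[str]:
    """Asset names ordered from largest to smallest residual risk (euro)."""
    ordered = sorted(register, key=lambda r: r.residual_risk(), reverse=True)
    return [r.asset for r in ordered]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries; the figures are illustrative, not measured."""
    return [
        Risk("customer database", "external attacker", "unpatched web application",
             likelihood=0.4, impact_eur=500_000,
             controls=[Control("web application firewall", 0.5),
                       Control("monthly patch cycle", 0.6)]),
        Risk("laptop fleet", "theft", "no full-disk encryption",
             likelihood=0.3, impact_eur=50_000),
        Risk("payroll system", "malicious insider", "excessive standing privileges",
             likelihood=0.1, impact_eur=800_000,
             controls=[Control("quarterly access review", 0.3)]),
    ]


def print_register(register: List[Risk]) -> None:
    """Tabulate inherent vs residual risk so the treatment priority is visible."""
    print(f"{'asset':<20}{'threat':<20}{'inherent EUR':>14}{'residual EUR':>14}")
    for r in sorted(register, key=lambda r: r.residual_risk(), reverse=True):
        print(f"{r.asset:<20}{r.threat:<20}"
              f"{r.inherent_risk():>14,.0f}{r.residual_risk():>14,.0f}")


if __name__ == "__main__":
    print_register(build_sample_register())
```

Run stand-alone, the table shows the point a risk-based program depends on: ranked by inherent risk the customer database leads, but once the firewall and patch cycle are credited, the payroll system's insider risk has the largest residual exposure and is the better candidate for the next control investment. Swapping the effectiveness convention (for example, controls that reduce impact rather than likelihood) changes only `residual_likelihood`/`residual_risk`, which is where a real register would plug in its own framework's scoring rules.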