Risk Analysis and Review (RAR) Guidelines Related to Cybersecurity Incident Response (CIR)
Managing cyber security risks to an acceptable level is a definite task that organizations have to undertake to ensure business continuity.
Without proper risk analysis and review (RAR) procedures and frameworks, organizations are unaware of the threat that cybercriminals pose and the loopholes within the organization that the cybercriminals can exploit.
If an organization fails to conduct a proper risk assessment, there is a possibility that the organization will become unable to complete business when an unexpected threat occurs.
1. Risk Assessment
Risk assessment involves risk identification where vulnerabilities, threats, and related risks of an organization are identified. This is followed up with risk evaluation, where the likelihood and associated impacts on business are measured quantifiably and qualitatively.
The organization then determines whether its existing mitigation measures are sufficient and proposes new response measures that can be implemented to lower the risks to an acceptable level. Once these data (Chmielecki et al., 2014) have been compiled, they are presented to management to justify developing a cyber security program.
2. Risk Identification
Possible cyber security threats and risks that may affect the organization are identified. Once the cyber security threats have been identified, it is essential to study the potential impacts (PECB, 2016c) that these risks can cause to the organization through qualitative and quantifiable assessments.
From there, the organization can identify which technological infrastructures are affected by cyber security threats and can think of the appropriate response measures. The risk identification process consists of the identification of the following:
- Organization’s vulnerabilities; and
- Threats that the organization’s information assets will face.
3. Organisational Vulnerabilities
Organizational vulnerabilities refer to gaps or loopholes within the daily operations and processes that the organization performs. Cybercriminals can then exploit these loopholes to gain unauthorized access to the organization’s systems and execute their crafts, such as installing malware and encrypting the information.
Currently, organizations manage cyber security by reducing vulnerabilities within the organization. This can be seen through preventive measures such as installing firewalls and patching the IT infrastructure. By installing mitigation controls, the attack vectors available to cybercriminals decrease, minimizing the gaps within the organization that can be exploited.
4. Human Errors
Human error is an example of an operational vulnerability. It is one of the most critical vulnerabilities (Goh, 2008a), as the employees of an organization are usually the last line of defence.
So once the employees fail to manage the CIR appropriately, the information assets and business functions can suffer considerable impacts.
Examples of Human Error:
- Work ethics deterioration
- Access control management
- Stressful work environment
- Lack of awareness
5. Cyber Security Threats
Cyber Security Threats are dangers that exploit vulnerabilities to cause harm to organizations specific to technological infrastructures. A detailed description of the various cyber security threats can be found in Appendix 13.
Refer to Appendix 14 for Verizon’s recommended practices for tackling the various cyber security threats. The causes of cyber security threats fall into four main categories. They are:
7. Methods of Identification
An organization needs to establish how they identify the threats (Goh, 2008a) that they face. An organization consists of many different business units containing numbers of employees. Each area of the organization may be under different threats. So, to identify all the threats the organization faces, some standard methods include observation, checklists, and workshops.
7.1 Observation
Many areas within and near the organization can go unnoticed, and these are potential platforms for a cybercriminal to attack the organization. It can be as elementary as leaving a computer terminal switched on and unattended.
Since the employees use the technological infrastructure to perform daily operations, it is advisable to ask them what loopholes a cybercriminal could exploit, as they are experienced in handling the facilities. This also includes administrative areas, such as validating that documents are up to date and ensuring that controls against unauthorized access are in place.
7.2 Checklists
Although the organization has to ensure that all relevant cyber security threats are identified, the identification process should be kept simple so that the burden on the employees is not too high.
A small group within the business continuity team can be formed to develop this checklist. The checklist gives the organization an indication of the potential cyber security threats that they are likely to face.
It is important to note that the list is not fixed; it is a quick and time-saving document used as a baseline for the threat identification process. The business continuity team cannot use the checklist as the finalized document because the list is not comprehensive enough and is based on predetermined assumptions.
Cyber security threats adapt quickly, so the pre-set conditions in a checklist may not reflect what can actually harm the organization.
7.3 Workshops
Employees from different business units are gathered to participate in a workshop to identify threats. This process relies more on creativity and innovation from the employees to brainstorm and identify specific cyber security threats that their respective departments face. This method is more effective than checklists because attention is given to every threat faced.
8. Risk Evaluation
Cyber security risks are calculated using the equation:
- Risk = Probability × Vulnerabilities × Impacts
To evaluate if a risk is within the organization's risk appetite and what risk treatment strategy should be adopted, these three threat components must be determined to give a value to quantify if the threat poses a serious risk to the organization.
By evaluating the risk, the organization can determine the allocation of resources for developing measures against the threat and gauge the organization's current ability to manage cybersecurity incidents.
Note: Determining vulnerabilities is discussed during Risk Identification.
8.1 Probability
Probability refers to how likely the threat will occur. Knowing how common or rare the occurrence of a threat influences the decision-making process.
Organizations can determine the probability of cyber security threats based on historical information on their organization or from statistical data on the frequency of cyber security attacks in the industry. For simplicity, the probability that is not quantifiable is described as "likelihood."
8.2 Quantitative Assessment of Impacts
Quantitative assessment (Leal, 2017) utilizes facts and measurable data to assign a value to the financial impacts (tangible losses) caused by cyber security threats.
Usually, the value is derived from the monetary value of the damage caused. Concepts utilized during this assessment include Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE).
- Single Loss Expectancy (SLE): The expected amount of money to be lost from one incident.
- Annual Loss Expectancy (ALE): The expected amount of money to be lost throughout the year from one incident.
8.3 Qualitative Assessment of Impacts
Qualitative assessment (Leal, 2017) utilizes human perception to determine the non-financial impact on the organization. The values or determinants used for measurement are subjective and differ based on the nature of the organization.
Since the units of measurement are established from human judgment, the assessment is only as objective as the people who set the units. However, risks can still be ranked relative to each other, forming a natural order of criticality in which to address them.
8.4 Combining Qualitative and Quantitative Assessment
Since qualitative assessment is based on human perception, it is advisable to perform it first to get an overview of the respective departments' concerns and how consequential the impacts are to them.
Based on their responses, the quantitative assessment is carried out to provide facts (Leal, 2017) to support the employee’s judgment. Detailed supporting information facilitates the decision-making processes.
8.5 Risk Rating
With the values for probability, vulnerabilities, and impacts established, the risk matrix can be developed through simple multiplication, and a value can be assigned to every cybersecurity threat. The organization then categorizes the different values by severity.
Understanding the risk ratings for every cyber security threat individually is not good enough to effectively manage cyber security incidents. Organizations need to understand that cyber security risks do not exist in isolation; cybercriminals can deploy multiple techniques to attack multiple vectors (Bassett, 2017) within an organization.
Putting together an attack surface that connects the different identified cyber security threats and organizational vulnerabilities allows the formation of relationships between the cyber security risks, so the organization can narrow down the attack paths and techniques that the cybercriminals are most likely to deploy, allowing the organization to identify the locations to place their mitigation strategies.
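The following is an added worked example, not the book's own tool or template, that carries the Risk = Probability × Vulnerabilities × Impacts formula (section 8), the SLE/ALE concepts (8.2) and the severity categorization of a risk rating (8.5) through to a ranked register. It assumes each of the three components is scored on an ordinal 1–5 scale (so the product runs from 1 to 125), that ALE is annualized as SLE multiplied by an annual rate of occurrence (ARO, a figure the page does not mention), and that the severity thresholds and the sample threats are constructed for illustration; a real organization sets its own scales, bands and risk appetite.

```python
"""Worked risk-rating example (added illustration; not from the referenced book).

Assumptions, labelled here as in the lead-in:
- probability, vulnerability and impact are each scored on an ordinal 1-5 scale
  (1 = lowest), so Risk = Probability x Vulnerabilities x Impacts ranges 1..125;
- the severity bands and their thresholds are constructed for this example;
- ALE = SLE x ARO, where ARO (annual rate of occurrence) is the expected number
  of incidents per year; ARO is an assumption not stated on the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int      # 1-5 likelihood score (section 8.1)
    vulnerability: int    # 1-5 exposure score from risk identification
    impact: int           # 1-5 qualitative impact score (section 8.3)
    sle: float            # Single Loss Expectancy, in currency units
    aro: float            # expected incidents per year (assumed input)


SCALE = range(1, 6)

# Constructed severity bands over the 1..125 product; thresholds are illustrative.
SEVERITY_BANDS = (
    (1, 15, "Low"),
    (16, 40, "Medium"),
    (41, 80, "High"),
    (81, 125, "Critical"),
)


def _check_scale(value: int, field: str) -> None:
    """Reject scores outside the ordinal scale instead of silently multiplying them."""
    if value not in SCALE:
        raise ValueError(f"{field} must be in 1..5, got {value}")


def risk_score(threat: Threat) -> int:
    """Risk = Probability x Vulnerabilities x Impacts on the ordinal scales."""
    for field in ("probability", "vulnerability", "impact"):
        _check_scale(getattr(threat, field), field)
    return threat.probability * threat.vulnerability * threat.impact


def severity(score: int) -> str:
    """Map a 1..125 risk score onto the constructed severity bands."""
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside the 1..125 range")


def annual_loss_expectancy(threat: Threat) -> float:
    """ALE = SLE x ARO: the expected annual loss from this threat."""
    if threat.sle < 0 or threat.aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return threat.sle * threat.aro


def rate_threats(threats):
    """Return rows (name, score, severity, ALE) ranked by score, then by ALE."""
    rows = []
    for t in threats:
        score = risk_score(t)
        rows.append((t.name, score, severity(score), annual_loss_expectancy(t)))
    return sorted(rows, key=lambda r: (r[1], r[3]), reverse=True)


def exceeds_appetite(threat: Threat, max_score: int, max_ale: float) -> bool:
    """A threat needs treatment if either its ordinal score or its ALE exceeds
    the organization's stated risk appetite (both thresholds are inputs)."""
    return risk_score(threat) > max_score or annual_loss_expectancy(threat) > max_ale


# Constructed sample register; every figure is illustrative, not from the book.
SAMPLE_THREATS = [
    Threat("Ransomware via phishing", 4, 4, 5, sle=250_000.0, aro=0.5),
    Threat("Unattended logged-in terminal", 5, 3, 2, sle=5_000.0, aro=3.0),
    Threat("Unpatched internet-facing server", 3, 4, 4, sle=120_000.0, aro=0.25),
    Threat("Lost unencrypted laptop", 2, 2, 3, sle=40_000.0, aro=0.2),
]

if __name__ == "__main__":
    for name, score, band, ale in rate_threats(SAMPLE_THREATS):
        print(f"{name:35} score={score:3}  {band:8}  ALE={ale:,.0f}")
```

Running the block prints the register ranked from the highest score downwards; the ordinal score drives the ranking and the ALE breaks ties and feeds the financial side of the appetite check, which reflects the page's advice to back the qualitative judgment with quantitative figures rather than rely on either alone.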
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 6, Risk Analysis and Review and Business Impact Analysis, Section 6.6 Risk Analysis and Review.
Note: This version was the draft 2nd Edition being updated by 2023. The numeric in the square bracket [X.X] cross-refers to the actual chapter and section in the 1st Edition.