Discussing Risk in Cyber Security

Stuart Hoff
3 min read · Sep 29, 2022


Risk is a concept that we all face, at work and in our personal lives. Everything we do involves risk — investment risks your capital, surgical procedures contain risk, even walking down the road involves a certain level of risk. Most of this risk we accept, sometimes without registering it, as it would be impossible to live without doing so.


In cyber security, risk denotes the likelihood of an attack resulting in exposure or loss of data or systems. A commonly used equation, which trivialises much of the underlying analysis, is Threat × Vulnerability × Value (or Likelihood × Vulnerability × Impact). This is obviously high level, and some of the values are a matter of perception — Value/Impact, for example, can be difficult to quantify or project. When working with data at a high level, these values can be placed on a scale such as Low, Medium and High. The same can be said for Threat/Likelihood, but for both there needs to be significant analysis of how the values are assigned and managed, and the procedures used, together with the justification for each value, must be documented.

There are resources that help manage these values, such as the Common Vulnerability Scoring System (CVSS), which evaluates several metrics to produce a score for the severity of a vulnerability. Several versions exist, and they produce different scores from the same metrics and analysis, so it is important to ensure that the latest version is used — currently 3.1. Note that a score can change when the CVSS version changes, because of changes in how the threat, complexity, current landscape and other parameters are analysed.

When assessing risk using these parameters, an organisation will prioritise mitigations according to their score. While no vulnerability should be ignored, regardless of score (exploits can be chained), low-priority risks may end up in the task graveyard of tech debt. This is where Risk Appetite comes in — the level of risk an organisation is willing to carry, absorbing the risk posed by a vulnerability in order to continue or pursue other development. Risk appetite differs from organisation to organisation, and may depend on the nature of the business, regulatory obligations, or other factors such as roadmaps or projections within the business.
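The following added example (my own illustration, not the author's method) puts the two preceding paragraphs together: each register entry carries Threat, Vulnerability and Impact on the Low/Medium/High scale with a recorded justification, the risk score is the product of the three, entries are ranked, and a risk-appetite threshold separates what must be mitigated from what is accepted. Accepted items are kept and tracked rather than dropped, and as a heuristic of this example (not something the article prescribes) an asset that accumulates more than one accepted weakness is flagged for review, since individually low-scoring weaknesses on the same asset are the ones most likely to chain. The 1/2/3 mapping, the appetite value and the register contents are all constructed assumptions.

```python
from dataclasses import dataclass
from collections import Counter

# Assumed ordinal mapping for the qualitative scale used in the article.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str         # likelihood an attack is attempted: Low/Medium/High
    vulnerability: str  # how exploitable the weakness is: Low/Medium/High
    impact: str         # value of, or damage to, the asset: Low/Medium/High
    justification: str  # why these values were chosen, kept for audit

    def __post_init__(self):
        # Refuse values outside the documented scale so the register stays comparable.
        for name in ("threat", "vulnerability", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.asset}: {name} must be one of {sorted(SCALE)}")

    def score(self) -> int:
        # Risk = Threat × Vulnerability × Impact on the 1..3 scale, so 1..27.
        return SCALE[self.threat] * SCALE[self.vulnerability] * SCALE[self.impact]


def prioritise(register, appetite: int):
    """Rank the register by score (highest first) and split it at the appetite.

    Items above the appetite need mitigation; items at or below it are
    accepted but retained so they remain visible.
    """
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    mitigate = [r for r in ranked if r.score() > appetite]
    accepted = [r for r in ranked if r.score() <= appetite]
    return mitigate, accepted


def review_flags(accepted):
    """Assets with more than one accepted weakness (possible chaining)."""
    counts = Counter(r.asset for r in accepted)
    return sorted(asset for asset, n in counts.items() if n > 1)


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    RiskItem("customer-db", "High", "Medium", "High",
             "Internet-facing; holds personal data; patch available but untested"),
    RiskItem("build-server", "Medium", "High", "Medium",
             "Outdated CI agent; reachable only from the office network"),
    RiskItem("wiki", "Low", "Low", "Medium",
             "Verbose error pages; internal staff only"),
    RiskItem("wiki", "Low", "Medium", "Low",
             "Self-registration enabled; no sensitive content stored"),
    RiskItem("printer", "Low", "Low", "Low",
             "Default SNMP community; segregated VLAN"),
]

RISK_APPETITE = 4  # constructed threshold: scores of 4 or less are accepted


def report(register=SAMPLE_REGISTER, appetite=RISK_APPETITE) -> str:
    mitigate, accepted = prioritise(register, appetite)
    lines = ["MITIGATE (score > %d):" % appetite]
    lines += [f"  {r.score():2d}  {r.asset:13} {r.justification}" for r in mitigate]
    lines.append("ACCEPTED (tracked, not closed):")
    lines += [f"  {r.score():2d}  {r.asset:13} {r.justification}" for r in accepted]
    for asset in review_flags(accepted):
        lines.append(f"REVIEW: {asset} has multiple accepted weaknesses; reassess jointly")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Two design points: the justification is a required field, so a value cannot enter the register without the reasoning the article asks for, and the appetite is an explicit named constant rather than an implicit "we never got round to it", which is what turns tech debt into a documented, reviewable decision.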

In cyber security, we often think about the digital threats that systems are exposed to. However, as recent attacks have demonstrated, vulnerabilities also exist in procedures and in training (or the lack of it), where an exploitation of trust or a physical breach can result in loss of data or systems. A risk assessment for an organisation must therefore cover all access to a system — who has access and how it is accessed, physically and digitally.

Consider how risk is applied within your organisation — would you apply the same approach in your personal life? How do you measure the value of what you are protecting? If you are unclear on the answers to these questions, it might be time to consult professionals in this area. Using third parties for risk assessment and consultation removes bias and the temptation to justify away negative results. That does not mean an organisation should not have in-house teams to manage ongoing risk — in that case it is equally important to demonstrate governance, accountability and transparency — but in-house teams are ultimately not a replacement for external parties.



Stuart Hoff

Lead Consultant at XAM Consulting, working in web application development, software engineering, AI, and cyber security.