A part of developing a cyber-secure environment involves evaluation of the possible risks facing the organization. This is a crucial component of your organization’s incident response plan, but it can be an overwhelming task that leads to neglect and oversights. There are many guidelines and calculations to assist with identifying cyber risks and defining the level of that risk and mitigation strategies. NIST 800-30, “Guide for Conducting Risk Assessments,” goes into great detail to define the process and provide a formula to assist with identification. This 95 page document provides detailed documentation for the entire process.
Again, this can be a massive undertaking for an organization. Taking the time and personnel to identify, formulate and apply a matrix can be a staggering task, but you can pare down this process to something easier to understand and apply while still following the basic principles of cyber risk assessment.
First, identify your possible threats and vulnerabilities.
- Malware and viruses
- Ransomware
- Cyber attacks on the network (DDoS, data breaches, credential theft)
- Insider threats (intentional and accidental)
- End-of-life systems and software
- Patching
- Internet of things devices
Now determine two things about those threats and vulnerabilities.
- probability of occurrence
- Impact of occurrence
Either create a graphical interface to represent where the threat falls into the matrix or assign a numerical value to each threat depending on where they fall into the matrix.
For instance, a DDoS attack may be highly likely, so you would assign a value of five for likelihood and a value of five for impact. Multiply these values for a total score of 25. Do this with all of your potential threats and then put those in order. This can give you better insight on your overall risk posture and assist with processes to better secure against a threat.
Similarly, assign values to your known vulnerabilities to assist with prioritizing remedies, budgeting and planning.
There are many matrix options available, and you need to follow one that fits best into your organization. It can be complex or simple, but the key is, don’t let it intimidate you to the point of ignoring it. This is an integral part of your incident response plan. Don’t have a plan? Start with risk analysis and you will see that the rest will fall into place much easier.