Use of Cyber Risk Assessments in Developing Cyber Operations and Resiliency Policies, Metrics, Testing and Security Solutions for an Organization
Cyber-attacks are inevitable; that is the reality today. With digitalization, we convert our data and store it in information systems, where it is in constant danger of being stolen or damaged. Information security is therefore crucial for the continuity and profitability of the business. The initial step for securing our data is the Cyber Risk Assessment, which serves as a road map for developing cyber operations and resiliency policies, metrics, testing, and security solutions for an organization.
Cyber Risk Assessment:
Cyber risk assessment is the systematic process that identifies vulnerabilities in the organization’s IT environment and the threats, internal or external, to its systems, assesses the likelihood of a security event and determines the potential impact of such events [1]. According to NIST (National Institute of Standards and Technology), a complete risk assessment process consists of four steps: preparing for the assessment, conducting the assessment, communicating the results and maintaining the assessment [2].
- Preparing for the Assessment: This is the initial step of the risk assessment. In this step, the purpose and scope are defined, and priorities, constraints and assumptions are identified, as are the sources of data, the risk models and the analytic approaches to be employed [3]. This step is crucial because it describes under what circumstances the risk assessment is conducted and what resources are available for it.
- Conducting the Risk Assessment: The second step is to conduct the risk assessment. In this step, the assets to be protected are identified and prioritized, and threats and vulnerabilities are identified. The controls in place to protect the assets against cyber-attacks are analyzed, and new controls are implemented if needed. Mitigation methods are identified. The likelihood (probability) of the events occurring and the impact of the various scenarios are calculated. All the identified elements are documented [4].
- Communication of Results: After finishing the assessment, the results are communicated to the department leaders and organizational decision-makers in an appropriate form, so that understanding and support are maintained.
- Maintaining the Risk Assessment: The final step is to maintain the risk assessment. As circumstances and technology evolve, the threats, vulnerabilities and assets can change, so all previous steps need to be repeated to update and maintain the assessment. The risk assessment should be conducted again as needed, and the results should be shared with the stakeholders [2].
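The second step above (identify assets, threats, vulnerabilities and controls, then calculate likelihood and impact and document everything) is the part of the process that produces a concrete artifact: a risk register. The following Python code is an added example, not part of the original essay or of the NIST guide; it assumes a simple five-level semi-quantitative scale for likelihood and impact and a likelihood × impact score, with the level thresholds chosen for illustration. The register entries are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed five-level semi-quantitative scales (illustrative, not NIST's exact tables).
LIKELIHOOD = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
IMPACT = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    """One documented row of the risk register."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # key into LIKELIHOOD
    impact: str                # key into IMPACT
    controls: list[str] = field(default_factory=list)     # controls in place
    mitigations: list[str] = field(default_factory=list)  # proposed mitigations


def score(risk: Risk) -> int:
    """Risk score = likelihood rating x impact rating (1..25 on this scale)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def risk_level(value: int) -> str:
    """Map a score to a level; the thresholds are an assumption for this example."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "moderate"
    return "low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register so the highest-scoring risks are handled first."""
    return sorted(register, key=score, reverse=True)


def document(register: list[Risk]) -> list[dict]:
    """Produce the documented output of the assessment step as plain records."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "score": score(r),
            "level": risk_level(score(r)),
            "controls": r.controls,
            "mitigations": r.mitigations,
        }
        for r in prioritize(register)
    ]


# Constructed sample register for a small organization.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "unpatched remote-access appliance",
         "high", "very high", controls=["nightly backups"],
         mitigations=["apply vendor patch", "enforce MFA on remote access"]),
    Risk("public web application", "SQL injection", "unvalidated input",
         "moderate", "high", controls=["web application firewall"],
         mitigations=["parameterized queries", "DAST in CI"]),
    Risk("staff laptops", "device theft", "no full-disk encryption",
         "moderate", "moderate", mitigations=["enable disk encryption"]),
    Risk("office printer", "denial of service", "default credentials",
         "low", "very low", mitigations=["change default password"]),
]


if __name__ == "__main__":
    for row in document(SAMPLE_REGISTER):
        print(f'{row["level"]:8} {row["score"]:2}  {row["asset"]}: {row["threat"]}')
```

Running the block prints the register ordered by score with its level, which is the input the later steps (communication and maintenance) work from; when circumstances change, re-running it with updated ratings is the maintenance step in miniature.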
Use of Cyber Risk Assessment in Cyber Operations and Resiliency Policies:
Cyber resilience is described as “an organization’s ability to identify, respond, and recover swiftly from an IT security incident.” [5] The main goal of cyber resilience is to be prepared for cyber-attacks, to be able to respond quickly and to be able to recover from cyber events. During a cyber risk assessment, we define and prioritize risks, define threats and vulnerabilities, and define mitigation methods. These actions are well aligned with the cyber resilience principles. Cyber operations and resiliency policies are created to protect our assets, withstand cyber events and recover in case of an event, and a thoroughly conducted cyber risk assessment contains the information needed for them. Using the cyber risk assessment as a foundation, detailed risk mitigation strategies and policies can be formulated.
Use of Cyber Risk Assessment in defining metrics and Key Performance Indicators:
By definition, “metrics are quantifiable measurements used to assess performance, track progress, and measure the success of various processes, initiatives, or entities.” [6] We use metrics to state our cyber security performance and effectiveness in numbers. Metrics and Key Performance Indicators (KPIs) allow us to see the performance of our organization in preventing, detecting and responding to cyber threats. The number of vulnerabilities, vulnerabilities exposed, security incidents, unidentified devices in networks and intrusion attempts, mean time to detect (MTTD), mean time to resolve (MTTR), patching cadence, the number of different attacks and the cost per incident are some examples of metrics and KPIs to keep track of [7]. The vulnerabilities, threats, events and impacts were defined in the cyber risk assessment; the prioritized ones should be monitored. Also, mitigation methods such as network monitoring, patch management and incident response are part of the cyber risk assessment.
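To show how the time-based metrics named above are actually derived, here is an added Python example (not from the essay or from the cited sources) that computes MTTD, MTTR, patching cadence and incident counts per category from constructed incident and patch records. It assumes MTTD is measured from the time the incident occurred to the time it was detected and MTTR from detection to resolution; definitions of MTTR vary between organizations, so the chosen baseline should be stated alongside the number.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Incident:
    incident_id: str
    category: str
    occurred: datetime   # when the attacker's activity began (assumed known post-incident)
    detected: datetime   # when monitoring or a report first flagged it
    resolved: datetime   # when containment and recovery were completed


@dataclass(frozen=True)
class PatchRecord:
    system: str
    released: date       # vendor release date of the fix
    deployed: date       # date the fix was deployed in our environment


def parse_incident(rec: dict) -> Incident:
    """Build an Incident from a record with ISO 8601 timestamps."""
    return Incident(
        rec["id"], rec["category"],
        datetime.fromisoformat(rec["occurred"]),
        datetime.fromisoformat(rec["detected"]),
        datetime.fromisoformat(rec["resolved"]),
    )


def _hours(delta) -> float:
    return delta.total_seconds() / 3600


def mean_time_to_detect(incidents: list[Incident]) -> float:
    """MTTD in hours: average of (detected - occurred)."""
    if not incidents:
        raise ValueError("MTTD is undefined for an empty incident list")
    return sum(_hours(i.detected - i.occurred) for i in incidents) / len(incidents)


def mean_time_to_resolve(incidents: list[Incident]) -> float:
    """MTTR in hours: average of (resolved - detected), the baseline assumed here."""
    if not incidents:
        raise ValueError("MTTR is undefined for an empty incident list")
    return sum(_hours(i.resolved - i.detected) for i in incidents) / len(incidents)


def patching_cadence(patches: list[PatchRecord]) -> float:
    """Average days between vendor release and deployment."""
    if not patches:
        raise ValueError("patching cadence is undefined for an empty patch list")
    return sum((p.deployed - p.released).days for p in patches) / len(patches)


def incidents_by_category(incidents: list[Incident]) -> dict:
    """Count of incidents per attack category (the 'number of different attacks')."""
    return dict(Counter(i.category for i in incidents))


# Constructed sample records: one month of a small organization's incident log.
SAMPLE_INCIDENTS = [parse_incident(r) for r in [
    {"id": "INC-1", "category": "phishing", "occurred": "2024-10-01T08:00",
     "detected": "2024-10-01T10:00", "resolved": "2024-10-01T18:00"},
    {"id": "INC-2", "category": "malware", "occurred": "2024-10-03T00:00",
     "detected": "2024-10-03T06:00", "resolved": "2024-10-04T06:00"},
    {"id": "INC-3", "category": "phishing", "occurred": "2024-10-05T12:00",
     "detected": "2024-10-05T12:30", "resolved": "2024-10-05T16:30"},
]]

# Constructed sample patch records for the same period.
SAMPLE_PATCHES = [
    PatchRecord("vpn-appliance", date(2024, 9, 1), date(2024, 9, 10)),
    PatchRecord("web-server", date(2024, 9, 15), date(2024, 9, 18)),
    PatchRecord("mail-gateway", date(2024, 10, 1), date(2024, 10, 13)),
]


if __name__ == "__main__":
    print(f"MTTD: {mean_time_to_detect(SAMPLE_INCIDENTS):.2f} h")
    print(f"MTTR: {mean_time_to_resolve(SAMPLE_INCIDENTS):.2f} h")
    print(f"Patching cadence: {patching_cadence(SAMPLE_PATCHES):.1f} days")
    print("Incidents by category:", incidents_by_category(SAMPLE_INCIDENTS))
```

The same functions run over each assessment period give the trend the essay asks for: a falling MTTD shows monitoring is improving, while a patching cadence that stays long for the assets the risk register ranked highest is a direct signal that a prioritized mitigation is not being carried out.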
Use of Cyber Risk Assessment in Cyber Security Testing:
The aim of security testing is to find vulnerabilities and weaknesses in our organization’s information systems. Security testers subject the software or applications to controlled scenarios in order to identify potential vulnerabilities. The most common security tests are vulnerability scanning, penetration testing, static application security testing (SAST), dynamic application security testing (DAST) and ethical hacking [8]. These tests assess the vulnerabilities and the reliability of the security measures defined in the cyber security risk assessment.
Use of Cyber Risk Assessment in Security Solutions:
Security solutions are the services that defend organizations against cyber-attacks. These services are provided by companies that specialize in producing strategies, protocols and technologies to fulfill the cybersecurity needs of organizations [9]. The vulnerabilities, threats and current mitigation methods are identified in the cyber risk assessment, and this information can be used to source cyber security services individually or as a whole package.
To sum up, the Cyber Risk Assessment is a foundational process for defining vulnerabilities, threats, mitigation methods and impacts. It is an ongoing process that is iterated as circumstances change. Every iteration provides new data to be used in creating cyber operations and resilience policies, creating metrics and KPIs, choosing the correct cyber security testing methods and deciding which cyber security solutions to purchase. Cyber-attacks are unavoidable, but organizations should prepare themselves to respond and recover.
References:
[1] P. Nohe, “How to perform a cyber risk assessment,” Hashed Out by The SSL Store™. Accessed: Oct. 16, 2024. [Online]. Available: https://www.thesslstore.com/blog/cyber-risk-assessment/
[2] Joint Task Force Transformation Initiative, “Guide for conducting risk assessments,” National Institute of Standards and Technology, Gaithersburg, MD, NIST SP 800-30r1, 2012. doi: 10.6028/NIST.SP.800-30r1.
[3] “How to Perform a Cybersecurity Risk Assessment | UpGuard.” Accessed: Oct. 30, 2024. [Online]. Available: https://www.upguard.com/blog/how-to-perform-a-cybersecurity-risk-assessment
[4] “How to Perform a Cybersecurity Risk Assessment in 5 Steps | TechTarget,” Security. Accessed: Oct. 30, 2024. [Online]. Available: https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step
[5] “What Is Cyber Resilience?,” Cisco. Accessed: Nov. 03, 2024. [Online]. Available: https://www.cisco.com/c/en/us/solutions/hybrid-work/what-is-cyber-resilience.html
[6] N. Saifi, “What are Metrics? Definition, Meaning and Types,” Glossary. Accessed: Nov. 03, 2024. [Online]. Available: https://chisellabs.com/glossary/what-are-metrics/
[7] CyberTalents, “Top 15 Cybersecurity Metrics and KPIs for Better Security,” CyberTalents Blog. Accessed: Nov. 03, 2024. [Online]. Available: https://cybertalents.com/blog/top-15-cybersecurity-metrics-and-kpis-for-better-security
[8] V. Chinnasamy, “Security Testing: Types, Attributes and Metrics | Indusface Blog,” Indusface. Accessed: Nov. 03, 2024. [Online]. Available: https://www.indusface.com/blog/attributes-and-types-of-security-testing/
[9] “What Are Cybersecurity Solutions?,” Akamai. Accessed: Nov. 03, 2024. [Online]. Available: https://www.akamai.com/glossary/what-are-cybersecurity-solutions