How do small businesses commonly execute risk assessments?
A small business qualitative cyber risk assessment typically goes something like this:
- Develop a list of things of value to the organization—assets—such as users, intellectual property, customer info, IT components, facilities, etc.
- Develop a list of vulnerabilities associated with those assets, especially in users and IT components. For example, users are susceptible to social engineering, and a vulnerability scan on IT components will undoubtedly turn up missing patches and insecure configuration
- Develop a list of threats the organization faces, such as social engineering, loss/theft, hacking, etc.
- In a matrix, iterate through each threat and determine the probability of that threat exploiting each vulnerability
- In a separate matrix, combine probability and impact to determine risk, according to some algorithm, e.g. low probability x high impact = moderate risk
The screenshots below show the results of a steps 4-6 of a typical exercise, undertaken in a tool commonly used by small business, a spreadsheet:
However, for most small businesses, steps 2 and 3 are a significant challenge because:
- The business lacks a process to identify vulnerabilities, and
- The business does not have the expertise or tools to conduct a threat modeling exercise to determine specific threats
"Assumed Risk" Approach
Therefore, I’d like to present a different approach for small business risk assessment based on assumed risk, threat event outcome, and layers of currently employed mitigations. In this approach, the risk assessment goes something like this:
- Develop categories of things of value to the organization—asset classes—such as users, customer info, workstations, servers, facilities, etc.
- Utilize a standard list of possible threat event outcomes should any threat source exploit any vulnerability. This list includes the following:
- Social Engineering
- Unauthorized access to data or system
- Unauthorized use of data or system
- Unauthorized disclosure of data
- Disruption of data or system availability
- Unauthorized modification of data or system
- Unauthorized destruction/loss of data or system
- In a matrix, iterate through each asset class and determine the impact to the organization—high, moderate, or low (or some finer granularity, if desired)—should each threat event outcome affect that asset class
- In a matrix, iterate through each asset class and determine what control types are implemented to mitigate the vulnerabilities or threat for each threat event outcome. There are four control types that could possibly be implemented (determining if each control type is implemented can be binary: yes or no):
- Avertive: Warning banners, honeypots, acceptable use policy, user training
- Preventive: Access control enforcement, encryption, strong authentication
- Detective: Audit trails, intrusion detection systems, checksums, honeypots
- Corrective: Incident Response/Contingency plans, backup restore procedures, redundancy
- In a separate matrix, combine impact and existing control implementation, to determine risk, according to some algorithm, e.g. three control types implemented x high impact = moderate risk. Risk level defaults to impact level, unless control type implementation threshold is reached (assumed risk).
Benefits of an "Assumed Risk" Approach for a
Qualitative Risk Assessment
This is a much simpler and less daunting approach to risk assessment and will encourage the practice amongst small businesses, because:
- Most small business executives and administrators have a good sense of the impact to the business as well as the controls and mitigations they current have in place, so steps 4 and 5 are much more palatable
- The threat events and control types are pre-determined for the business, so vulnerability assessment and threat modeling are unnecessary
The algorithm for determining risk assumes that each organizational asset class is at risk for each threat event and incorporates an understanding that the organization must utilize a defense-in-depth approach to lower risk. Hence, to lower the risk score, the calculation requires multiple different types of controls to be implemented for each asset class against each threat event outcome. In the calculation example given in step 5, if less than three control types were implemented, the algorithm would default the risk value to the impact value, in this case “high”. The organization could actually tweak the algorithm to suit its risk appetite, for example:
- tweak the parameters based on its risk appetite, e.g. two controls types vs. three required to mitigate risk down one level
- change the algorithm to calculate “low” risk for asset classes protected by all four control types
This type of risk assessment can be utilized by novice organizations. As the organizational cybersecurity program matures, the organization can undertake more sophisticated risk assessments. The key is to get the organization in the habit of performing risk assessments so they can prioritize risks to mitigate.
The screen shots below show example spreadsheet results for steps 3-5 from such an assumed risk assessment:
If you’d like to obtain a copy of the “assumed risk” spreadsheet I used to generate the latter screen shots, fill out the form below.