How to Measure Cybersecurity Risk: The Secret to Getting the Maximum Value From a Risk Assessment
At LMG Security, we conduct a lot of cybersecurity risk assessments, and they don’t all look the same – one of the big differences between assessments is how we measure cybersecurity risk. Some clients engage us to identify their top cybersecurity risks to help them plan and prioritize risk reduction activities. Others require annual or periodic risk assessment to meet compliance obligations, such as HIPAA or financial industry regulations. Others may focus on a specific threat, application, business area, data type, or implementation of a new SaaS solution. Understanding how to measure cybersecurity risk and scope your assessment to get the right information is the first step to ensure you get the maximum return on your investment.
In general, risk assessment involves identifying what you need to protect (i.e., sensitive data, critical systems) and the vulnerabilities and threats associated with those assets. Vulnerabilities and threats are then assessed for the likelihood and the potential impact of an exploit, taking into account existing security controls (technical or non-technical) that can mitigate or lower your risk. You can also watch our short 2-minute video on how to assess your risk for additional ideas.
This blog offers ideas and considerations on planning the scope of your cybersecurity risk assessment to maximize value for your organization and support the overarching goal of risk reduction. I will also share some trends we’re seeing in cybersecurity risk assessment, such as intentionally limiting the scope to a specific high-value asset or sensitive data or choosing to dig into a specific threat an organization is worried about.
How to Measure Cybersecurity Risk
It’s easy to assume that a cybersecurity risk assessment by nature must be comprehensive to include all possible threats, assets, and risks, but it doesn’t! To get the most value from your assessment and meet your organizational concerns and goals, it can be beneficial to define your scope carefully up front. How to measure cybersecurity risk will change based on your organization’s needs. A broad scope may make sense in some cases, but consider it may come at the cost of added complexity, timeline, and resource usage. Intentionally limiting or targeting your scope can add speed and efficiency while maximizing value in terms of identifying opportunities to reduce risk. How to measure cybersecurity risk depends on your goals, budgets, and timelines. Let’s look at some ways you can customize your risk assessment so you get the most bang for your buck.
The Secret is to Properly Define Your Scope
One size does not fit all when you are scoping a cyber risk assessment. Most organizations don’t realize that spending more time on this initial part of the engagement can help maximize their ROI. Here are some best practices for planning the scope of your assessment and tips for determining if a targeted scope may fit your needs:
- Focus on potential for high impact: Are your organization’s “crown jewels” housed primarily in a specific application or accessed by one department? If so, consider a targeted risk assessment on a specific application or sensitive data type to focus on threats and vulnerabilities most applicable to those areas. By choosing to scope your assessment this way, you are focusing on how to measure cybersecurity risk in an area with the highest potential impact in the event of a security incident. This approach fits with risk-based planning, by explicitly deciding that other applications or data present lower risk to your organization and therefore do not justify the same level of focus as your higher-stakes assets.
- Tip: Pair a targeted risk assessment with technical testing for a complete picture of risk to your critical assets and data. For many organizations a web app pen test can identify exploitable vulnerabilities that automated scanners can miss.
- Focus on high likelihood: Considering every possible threat scenario is time-consuming and may not provide much actionable value for the threats that seem like a low likelihood for your environment. It’s ok to focus on a single threat your organization has experienced or is concerned about or decide to focus on a handful you think are most likely.
- Review your organization’s history of incidents. Did most of them start with phishing? Or do your users consistently perform poorly on phishing tests? If so, use that knowledge to put phishing on your short list of top threats. You can use LMG’s 10-step checklist for an effective phishing testing program to reduce risk.
- Consider most common threats, such as ransomware and business email compromise. Consider factors that may increase the likelihood of an incident. Also consider your organization’s preparedness to respond to these types of incidents. A high level of preparedness can reduce the overall negative impact on your organization if your team is ready to respond quickly and efficiently. LMG’s COO, Karen Sprenger wrote a recent blog on incident response plan best practices if your team needs advice in this areas.
- Focus on vulnerabilities: If your organization keeps a risk register or Plan of Action and Milestones (POA&M), or if you’ve recently done an audit or controls gap assessment (internal or through a third party), consider using those existing repositories as the basis for your risk assessment. The idea here is to focus on identified gaps and weaknesses to determine the risk level they present for your environment. This can help with prioritization of risk treatment activities and budget/resource allocation.
- Tip – if you have an existing repository to work from, simply add columns or fields for likelihood, impact, risk rating, and any relevant notes on how the ratings were selected, like data sensitivity considerations, system criticality, or compensating controls. There’s no value in reinventing the wheel if you can leverage an existing spreadsheet or other repository.
After you nail down how to measure cybersecurity risk to meet your organization’s needs, another area that deserves some thought and planning in advance is how to make your assessment results actionable to support cybersecurity risk reduction. Read my other blog, “How to Ensure Your Cybersecurity Risk Assessment Results are Actionable,” for more planning tips!
Also take a look at my previous blog on what to do after your risk assessment for guidance on using your risk assessment results to prioritize and plan your risk treatment activities. Thinking ahead to what you will do with the results can be hugely helpful in planning your assessment scope, approach, structure, and outputs.
Would you like advice or support assessing risk to your sensitive data and critical systems? LMG Security’s experienced consultants can work through this process with you to scope a risk assessment to best suit your organizational goals and needs. Contact us for more information.