IT security leaders depend on cyber risk assessments to identify vulnerabilities, assess the maturity of their security programs, and prioritize investments in security controls. For these reasons and more, cyber risk assessments are an effective tool for defending organizations against cyber threats.
All cyber risk assessments involve the same basic activities, including:
- understanding the organization’s security posture and compliance requirements
- collecting data on threats, vulnerabilities, and assets
- modeling potential attacks
- prioritizing mitigation actions
However, there are numerous approaches with important differences in emphasis and results. You should be aware of these differences before purchasing cyber risk assessment software or solutions.
Here are the three leading approaches to cyber risk assessments.
Approach 1: Compliance-driven
A cyber risk assessment that is driven by compliance focuses on comparing an organization’s security controls with requirements specified in cybersecurity and regulatory frameworks. These might include, for example, frameworks published by the National Institute of Standards and Technology (NIST), ISO/IEC, the Payment Card Industry Security Standards Council, or the European Union. In fact, some of these organizations even provide guidance on how to conduct a cyber risk assessment, such as NIST SP 800-30 and ISO/IEC 27005.
These frameworks are well established and very credible as guidelines for compliance activities and basic security practices. However, they provide mostly high-level, “one size fits all” recommendations and typically lack detail on (or ignore) important areas such as cloud security and secure coding practices. Sometimes they lead to a “check-the-box” mentality where security teams are incentivized to fix many vulnerabilities quickly even when they pose no significant risk to the organization.
Approach 2: Threat modeling
This approach to cyber risk assessment starts with compiling comprehensive lists of the threats facing the organization, vulnerabilities in systems and networks, and infrastructure and information assets. This information is acquired through questionnaires and interviews with IT and business managers, together with vulnerability scanning. The data is used to model the impact of possible security events based on factors such as the probability of attacks, the severity of vulnerabilities, the weaknesses of existing controls, the value of assets, and the consequences of outcomes such as data breaches and business interruptions. The security team can then select the remediation actions that reduce risk the most.
A cyber risk assessment based on extensive threat modeling generates valuable, detailed insights into potential threats and gaps in existing controls. The results identify the greatest risks to the organization and help prioritize remediation actions.
Unfortunately, this approach requires a large investment of staff time compiling lists, completing questionnaires, holding interviews, collecting data, estimating probabilities, and modeling long catalogs of threats and vulnerabilities. It may take weeks or months before the analysis is complete and ready to be applied, by which time much of the analysis may be obsolete.
Approach 3: Attack route analysis
Attack route analysis starts with gathering information about likely threats and key assets. However, instead of relying primarily on checklists, questionnaires, and interviews, it utilizes the techniques and thought processes of real attackers: discovering and exploiting existing vulnerabilities, exploring the organization’s environment, and deciding on a sequence of tactics to reach critical business assets.
The information gathered from this activity enables the security team to build a graph of attack routes between the likely threats and the key assets. These routes are the paths threat actors could take to reach the critical assets, passing through systems, networks, and cloud platforms with vulnerabilities. Routes also include the security controls that can block attacks.
Security teams can use the graph of attack routes to focus on modeling those attacks that pose a real danger to the organization. They can deprioritize the vast majority of vulnerabilities that either are not on an attack route leading to a critical asset or are on an attack route that is already blocked by an existing control.
The graph also helps identify the most effective remediation options. An attack route can be eliminated by removing any of the vulnerabilities in the path or by deploying a security control. With a little analysis, and sometimes merely by viewing the graph, security teams can quickly determine the most cost-effective mitigation action to protect a specific asset.
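As an added example (not from the original article or any vendor product), the following Python sketch implements the attack route logic described above on a constructed sample environment: a graph of hops, each optionally blocked by a named control, plus hypothetical remediation costs. It finds live routes from threats to critical assets, deprioritizes vulnerabilities that are off those routes or behind a deployed control, and picks the cheapest single action that cuts every remaining route.

```python
from itertools import chain

# Constructed sample environment for illustration only, not a real assessment.
# Each hop is (next_node, blocking_control_or_None); usable while that control is undeployed.
GRAPH = {
    "phishing": [("workstation", None)],
    "internet": [("web_server", "waf")],
    "workstation": [("file_share", None), ("app_server", "mfa")],
    "web_server": [("app_server", None)],
    "file_share": [("backup_host", None)],
    "app_server": [("customer_db", "db_firewall")],
    "backup_host": [],
    "customer_db": [],
}
THREATS = {"phishing", "internet"}
CRITICAL = {"customer_db"}
VULNS = {"workstation", "web_server", "app_server", "file_share", "backup_host"}
# Hypothetical relative cost of each candidate remediation action.
COST = {"patch:workstation": 1, "patch:app_server": 3, "patch:web_server": 2,
        "deploy:waf": 4, "deploy:mfa": 2, "deploy:db_firewall": 5}

def attack_routes(graph, threats, assets, deployed, removed=frozenset()):
    """Simple paths threat->asset not cut by a deployed control or a patched host."""
    routes = []
    def walk(node, path):
        if node in assets:
            routes.append(path)
            return
        for nxt, control in graph.get(node, []):
            if control in deployed or nxt in removed or nxt in path:
                continue
            walk(nxt, path + [nxt])
    for threat in sorted(threats):
        walk(threat, [threat])
    return routes

def prioritize(graph, threats, assets, deployed, vulns):
    """Split vulns into those on a live route (fix first) and the rest (defer)."""
    live = set(chain.from_iterable(attack_routes(graph, threats, assets, deployed)))
    return live & vulns, vulns - live

def cheapest_fix(graph, threats, assets, deployed, vulns, cost):
    """Cheapest single patch or control deployment that leaves no live route."""
    options = [("patch:" + v, cost.get("patch:" + v, float("inf"))) for v in vulns
               if not attack_routes(graph, threats, assets, deployed, removed={v})]
    controls = {c for hops in graph.values() for _, c in hops if c} - deployed
    options += [("deploy:" + c, cost.get("deploy:" + c, float("inf"))) for c in controls
                if not attack_routes(graph, threats, assets, deployed | {c})]
    return min(options, key=lambda o: o[1])[0] if options else None
```

With no controls deployed, two routes reach `customer_db` and patching `app_server` is the cheapest action that cuts both; once `waf` is deployed, `web_server` drops off the live routes and the cheapest fix becomes patching `workstation`.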
The attack route analysis approach also simplifies communication with non-technical managers. The graph shows them how threats operate to reach critical assets and how the threats can be neutralized by removing vulnerabilities or adding controls. However, to achieve maximum benefits, the assessment must be revisited periodically so the organization can address emerging threats and medium-priority vulnerabilities not covered in the first round of modeling.
Want to learn how to conduct an effective cyber risk assessment? Download our new ebook.