As a baseline for identifying and assessing cyber risks, a risk scenario
approach can be used. For that reason, a predefined risk register and
assessment tool has been created to ease the cyber risk identification and
assessment process. As a first task, an organization should analyse the list of threats and
risk scenarios that are listed in Annex 1. During this task, all irrelevant risk scenarios and
threats should be removed. The rest of them can be modified to reflect the current
cyber risk landscape in which the organization is operating. Next, additional risk
scenarios along with their accompanying threats should be described in the risk
register. Once the list of threats and risk scenarios has been analysed and fine-tuned
according to the specifics of the organization and its environment, an
assessment of risk scenario impact and likelihood should take place. The scales of impact and likelihood can be customized according to the
specifics of the organization. One of the most lightweight scales would
describe likelihood and impact as follows:
An assessment of risk scenario impact and likelihood gives the organization an overview of the most critical risk scenarios. When advancing to the next step of risk treatment, those controls that treat the most critical risks should be applied as the first priority.
After the value of the information assets is determined, a more advanced approach can be used instead of risk scenarios to assess the information security risks. This step of risk assessment identifies the applicable threats and vulnerabilities that exist, determines the potential consequences and, finally, prioritizes the derived risks.
Figure 2: Risk management process according to ISO/IEC 27005:2018.
The purpose of risk
identification is to determine what can happen to cause a potential loss, and
to gain insight into how, where and why the loss can happen. Risk
identification requires input from identification of threats, existing
controls, vulnerabilities and consequences.
Identification of threats
A threat has the
potential to harm assets such as information, processes and systems and,
therefore, organizations. Threats can be of natural or human origin, and can be
accidental or deliberate. Both accidental and deliberate threat sources should
be identified. A threat can arise from within or from outside the organization.
Input to the threat
identification can be obtained from the asset owners or users, human resources
staff, facility management and information security specialists, physical
security experts, legal department, the CERT, and other relevant organizations.
Internal experience from incidents and past threat assessments should be
considered in the current assessment.
Identification of existing controls
Identification of
existing controls should be made to avoid unnecessary work or cost, e.g. in the
duplication of controls. In addition, while identifying the existing controls,
a check should be made to ensure that the controls are working correctly.
An existing control can
be identified as ineffective, or insufficient, or not justified. If not
justified or insufficient, the control should be checked to determine whether
it should be removed, replaced by another more suitable control, or whether it
should stay in place, for example, for cost reasons.
Identification of vulnerabilities
Vulnerabilities can be
identified in the areas of organization, processes, management routines,
personnel, environment, system configuration or equipment. The presence of a
vulnerability does not cause harm in itself, as there needs to be a threat
exploiting it. A vulnerability that has no corresponding threat may not require
the implementation of a control, but should be recognized and monitored for
changes.
Identification of consequences
A consequence can be
loss of effectiveness, adverse operating conditions, loss of business,
reputation, or damage. This activity identifies the damage or consequences to
the organization that can be caused by an incident scenario. An incident
scenario is the description of a threat exploiting a certain vulnerability or
set of vulnerabilities in an information security incident.
Assessment of consequences
Firstly, the business
impact on the organization that can result from possible or actual information
security incidents should be assessed, taking into account the consequences of
a breach of information security such as loss of confidentiality, integrity or
availability of the assets. To measure the consequences, the business impact
value can be expressed in qualitative and quantitative forms, but any method of
assigning monetary value can generally provide more information for decision
making.
Assessment of incident likelihood
After identifying the incident
scenarios, it is necessary to assess the likelihood and impact of each
scenario. This should take account of how often the threats occur and how
easily the vulnerabilities can be exploited.
Level of risk determination
Risk analysis assigns
values to the likelihood and the consequences of a risk. Risk analysis is based
on assessed consequences and likelihood. Additionally, it can consider cost
benefit, the concerns of stakeholders, and other variables, as appropriate for
risk evaluation. The estimated risk is a multiplication of the likelihood of an incident
scenario and its consequences.
In this step, the level of
risk is compared against the risk evaluation criteria and the risk acceptance
criteria. Decisions that are taken in the risk evaluation activity are mainly
based on the acceptable level of risk. The following are examples of risk acceptance
criteria:
a) The impact is low
b) The treatment is not cost-effective (it costs more than not applying
the treatment) and its implementation is lengthy (takes months or more)
c) The risk can be tolerated in the short term (on a case-by-case
basis, e.g. for less than 72 hours, less than 5 days...).
However, these examples are
not exhaustive and an organization may decide to accept certain risks due to its
specific context.
Also consequences,
likelihood, and the degree of confidence in the risk identification and
analysis should be considered for risk evaluation.
Risk evaluation uses the
understanding of risk obtained by risk analysis to take decisions about future
actions. Decisions should include:
a) whether an activity should be undertaken
b) priorities for risk treatment considering estimated levels of risks.
For example, it is
mandatory to treat risks with a medium or high risk level, and it is optional
but recommended to treat risks with a low risk level. The higher the risk
level, the more urgent the risk treatment activity is. The risk treatment
activity most often results in applying new or amending the existing security
controls, which lower the likelihood
and/or impact of the cyber risk. Risk evaluation, and especially risk
acceptance, must always be subject to management's approval.
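The scoring and evaluation rules above (risk as likelihood multiplied by consequence, low impact as an acceptance criterion, mandatory treatment of medium and high levels, prioritization of the most critical scenarios from the risk register) carried through as an added, runnable example; this is illustration code, not part of the document or its Annex 1 tool. The 3-point scales, the banding thresholds and the sample scenarios are constructed assumptions of the example, since the text leaves the scales to each organization.

```python
from dataclasses import dataclass

# Constructed 3-point scales; the text says the scales are customizable, so
# these values are an assumption of this example, not the document's scale.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskScenario:
    name: str
    threat: str            # the threat that ...
    vulnerability: str     # ... exploits this vulnerability (incident scenario)
    likelihood: str
    impact: str
    relevant: bool = True  # False for scenarios pruned from the register

    def score(self) -> int:
        """Risk estimate as the text states it: likelihood times consequence."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Band the 1..9 product into low/medium/high. Bands are chosen so a
    low-impact scenario never exceeds 'low' (acceptance criterion a)."""
    if score <= 3:
        return "low"
    return "medium" if score <= 4 else "high"


def decision(s: RiskScenario) -> str:
    """Evaluation rule from the text: low impact may be accepted; medium and
    high levels must be treated; a low level is optional but recommended."""
    if s.impact == "low":
        return "accept"
    return "treat (optional)" if risk_level(s.score()) == "low" else "treat (mandatory)"


def treatment_order(register: list) -> list:
    """Drop irrelevant scenarios and rank the rest most critical first, so the
    controls treating those risks are applied as the first priority."""
    kept = sorted((s for s in register if s.relevant), key=RiskScenario.score, reverse=True)
    return [(s.name, s.score(), risk_level(s.score()), decision(s)) for s in kept]


# Constructed sample register (not the document's Annex 1).
REGISTER = [
    RiskScenario("ransomware", "malware", "unpatched workstation", "likely", "high"),
    RiskScenario("phishing", "social engineering", "untrained staff", "possible", "medium"),
    RiskScenario("print outage", "hardware failure", "single printer", "likely", "low"),
    RiskScenario("flood", "natural event", "basement server room", "rare", "high", relevant=False),
]
```

Calling `treatment_order(REGISTER)` yields ransomware (9, high, mandatory), phishing (4, medium, mandatory) and print outage (3, low, accepted), with the irrelevant flood scenario pruned.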