Component-driven risk assessments are the most mature and common types of assessment within the cyber security profession. This section describes what component-driven techniques have in common, where they add value, and where they don't.
Scope and assets
Unsurprisingly, component-driven risk assessments are focused on system components. So what do we mean by 'system components'? Typical examples include:
- hardware (computers, servers, etc.)
- data sets
- personal information
- business critical information
The focus on system components requires you to start by defining the function that you are analysing (for example, a payroll function). This function is known as the 'scope' of your assessment. You then need to state which components you are considering in your risk assessment of the scope, and which you aren't. This is generally referred to as an 'asset list' or 'asset register'.
Components which you have no control over (but which your own system depends on) are known as dependencies, and can be included alongside your asset list, provided long it is clear how these dependencies affect those components which you can control. A scope is sometimes best presented as a diagram, which clearly shows what is in, what is out, and how the key assets are connected.
Elements of risk
Once you have identified your scope, most component-driven approaches require the risk analyst to assess three elements of risk. These three elements are typically described by the terms impact, vulnerability and threat.
Impact is the consequences of a risk being realised. When conducting component-driven risk assessments, impact is usually described in terms of the consequences of a given asset being compromised in a given way. This impact is described in different ways, but one of the more common techniques is to assess the impacts to confidentiality, integrity and availability, of information. For example, an impact might be described in terms of a loss of confidentiality of a customer dataset, or the corruption (loss of integrity) of your company's accounts. A loss of one of these properties can be connected to other types of consequence, such as lost money, loss of life, delays to projects, or any other kind of undesirable outcome.
A vulnerability is a weakness in a component that would enable an impact to be realised, either deliberately, or by accident. For instance, a vulnerability could be a piece of software which allows a user to illegitimately increase their user account privileges, or a weakness in a business process (e.g. not properly checking the identity of someone before issuing them credentials for access to an online system or service). Regardless of the type of vulnerability in question, it is something which can be used to cause a impact.
Threat is the individual, group or circumstance which causes a given impact to occur. For example, this could be:
- a lone hacker, or a state-sponsored group
- a member of staff who has made an honest mistake
- a situation beyond the control of the organisation (such as high-impact weather)
The purpose of assessing threat is to improve the assessment of how likely a given risk is to be realised. Typically, when assessing a human threat actor, analysts consider people who are likely to want to harm the organisation. This then allows them to consider both the capability and intent of these groups. Risk experts use threat taxonomies and categorisation methods to provide a common language of threat capability.
One of the weaknesses of threat assessments is that a threat's capability can change rapidly, and reliable information on these changes can be hard to come by. Because of this, don't treat your assessments of threat capability as if they are static, and make sure you recognise uncertainty and variability in your threat assessments.
Applying and communicating threat, vulnerability and impact
Once these elements of risk have been assessed, the next step is to combine these assessments to identify which risks are most concerning. Some techniques do this by combining the assessments of threat, vulnerability and impact into a single measurement of risk for each system component. This is not as straightforward as some standards claim; the three components of risk are fundamentally different from each other, and comparing them is like comparing apples with oranges. Some approaches recommend the use of risk matrices to combine assessments of threat, vulnerability and impact.
Prioritising your risks
Once the various threats, vulnerabilities and impacts have been assessed and combined to create a list of risks, they can be prioritised according to how concerning they are. This allows you to manage the most concerning risks first. You can communicate this prioritisation of risks in a variety of ways. For example, you could:
- estimate the financial loss of an impact, if it were to be realised
- provide a narrative of the chain of events that would need to occur if an asset were to be compromised
Many standardised component-driven risk management techniques use qualitative labels to describe levels of impact, usually with labels like 'high', 'medium' and 'low'. Whilst these are fairly intuitive, research shows that there is a huge difference between how different individuals interpret these labels. When considering this lack of consistency of understanding, these labels (and similar 'traffic light' approaches) should be used very cautiously. The technique you use should be tailored to the risk assessment's audience; who is it seeking to influence? What decision are you trying to inform? Does the information you are presenting from your assessment aid decision making or hinder it?
Some approaches have a ready-made list of tasks or objectives that can be used to mitigate the risks you have identified. These are known as 'control sets', from which you can select the most appropriate set of mitigations for each risk.
Commonly used component-driven cyber risk management methods and frameworks
This section provides a brief description of commonly used component-driven cyber risk management methods and frameworks. Click on the relevant hyperlinks for more detailed information about each method/framework. There are many more component-driven risk management techniques which have not been listed here. This list does not include system-driven techniques.
Selecting a technique that's right for you
When selecting a risk method or framework, you need to consider:
- The overall cost of using the method. For example, the procurement of tools, licencing and expertise.
- The scope of the project. Is the risk method proportionate to what is being assessed?
- Ensuring the required resources are proportionate and sustainable. What specialist resources are required, and do you have them?
- Are there any licencing restrictions?
|Method / Framework
What is it?
|How does it work?
||Who is it for?
||Cost and prerequisites
An international standard providing guidelines for information risk management. Although it does outline a generic risk assessment process, it leaves the choice of that risk assessment technique to the business.
ISO 27005 is part of the ISO 27000 family of standards.
|The standard is not prescriptive about which risk management technique should be used. As such, this could encompass system-driven as well as component-driven techniques. However, ISO 27005 requires that a risk assessment takes into account threats, vulnerabilities, and impacts, which emphasises a component-driven approach.
||The principles of ISO 27005 can be applied to a variety of types and sizes of organisation.
||Given the broad nature of the guidance, specialist skilled resources are needed to tailor the implementation to the requirements of the business. The cost of these resources should be considered along with the cost of purchasing the standards.
|Information Security Forum (ISF) IRAM 2
The ISF's risk management methodology is intended to help organisations better understand and manage information risks.
|This approach uses a number of phases to identify, evaluate and treat risks through the analysis and assessment of risk components (threat, vulnerability and impact).
||IRAM 2 is aimed at organisations.
||IRAM 2 is only provided to members of the ISF and organisations will need to have in place information risk management expertise to use it effectively. This should be factored into the cost.
|HMG Information Assurance Standard 1 & 2
Information Assurance Standard 1 & 2 (IS 1&2) and its supporting documents is a legacy suite of information risk management guidance, produced by CESG, prior to the creation of the National Cyber Security Centre.
The use of IS 1 & 2 for conducting technical risk management used to be mandatory for public sector organisations. Whilst this ceased to be the case in 2015, after which time the standard was no longer supported, the risk assessment method within IS 1 & 2 is still available for use.
|The risk treatment method includes: the production of a risk treatment plan, defining an implementation approach for the identified controls (largely based on ISO 27002), the development of an assurance plan, a residual risk assessment and gap analysis. The risk assessment method includes defining the scope, the corresponding information assets and then conducting an impact, threat and vulnerability assessment of them.
||IS 1 & 2 is used predominantly by public sector organisations. However it could also be used by any organisation to assess and manage their technical risks.
||The steps presented in IS1 & 2 are complex and achieving a consistent and reasoned outcome requires a skilled practitioner.
|US National Institute of Standards and Technology (NIST) SP 800-30
||The US government’s preferred risk assessment methodology, mandated for US government agencies. It features a detailed step-by-step process from the initial stages of preparing for an assessment, through conducting it, communicating the results, and maintaining the assessment. The guidance itself is comprehensive and clear. Unsurprisingly, as a US standard, much of the supporting documentation in the NIST Risk Management Framework is heavily US-focussed, often dwelling on regulatory issues that may have little relevance to non-US users.
||The risk assessment process in SP 800-30 takes inputs from a preparatory step that establishes the context, scope, assumptions, and key information sources for the process, and then uses identified threats and vulnerabilities to determine likelihood, impact and risk. The process next requires that the results are communicated and the assessment maintained, including monitoring effectiveness of controls and verifying compliance.
||The methodology should be usable by organisations of all sizes in both the private and public sectors. It is designed to be consistent with the ISO standards, and flexible enough to be used with other risk management frameworks.
||It is freely available directly from the NIST website.
||The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology originates from Carnegie Mellon University in the USA. Older versions are still in use but the most recent version, OCTAVE Allegro, is more streamlined and is actively supported. It is primarily intended as a qualitative assessment, although may be used for simple quantitative analysis.
||Octave Allegro is an asset-focussed method. The first step is establishing consistent, qualitative risk measurement criteria specific to the organisation’s drivers and objectives. After assets have been profiled, threats and impacts are considered in light of real world scenarios to identify risks. These risks are then prioritised according to the risk measurement criteria and planned mitigation.
||OCTAVE is intended to be managed in a ‘workshop’ style, with a small group of participants from the operational and IT areas of the business, not requiring extensive expertise. Therefore, this approach might suit organisations looking for a risk assessment process that can be done without investing heavily in training or consultants.
||The resources to perform a risk assessment can be downloaded for free and are integral to the process.
|ISACA COBIT 5 for Risk
||COBIT 5 for Risk is provided by ISACA and provides guidance covering the governance of and understanding of enterprise IT risk.
||COBIT 5 for Risk provides risk management and governance framework in the form of principles and guidance.
||COBIT 5 for Risk is likely to suit organisations seeking to improve their approach to security risk management and governance
||The COBIT 5 for Risk book is available for purchase on the ISACA website. An organisation looking use COBIT 5 for Risk will also need to take into account any specialist resources necessary to implement its guidance and principles.