Simple steps to assess and prioritise cyber risks for your enterprise


July 6, 2023
Microsoft Australia

In a risk-based approach to cybersecurity, ranking cyber risks by importance is a key element. This allows you to focus on the cyber risks that can most affect the organisation and use your resources (time, effort, skills, and money) to the best effect. Cyber risk assessments should also be clear and easy to understand, especially for boards and senior management. Risk assessment frameworks like those already in use elsewhere in the business can help make cyber risk comprehensible. By using the same approach and terminology as the rest of enterprise risk management, you can get top-down support for your cybersecurity solution recommendations afterwards.

Figuring out how much cyber risk matters

In a risk-based approach to cybersecurity, you’ll need to know how much each cyber risk matters to your enterprise, to decide how to handle it. Two factors typically determine the level of risk: the impact of the threat on your organisation, and the probability of that impact occurring. The output from your cyber risk analysis and assessment can then be a matrix that shows levels of cyber risk as:

Cyber risk = impact × probability.

Qualitative and quantitative assessment

To keep information easily digestible for boards and top management, it may be a good idea to use a simple classification of cyber risk initially. Qualitative assessments like low, medium, and high ratings are often used in overall enterprise risk management. They can be applied to cyber risk specifically too.

For example:

  • A low risk might be a rare or exceptional security threat to a server containing only publicly available information.
  • A medium risk could be a possible attack targeting a website with promotional information on products or services.
  • A high risk could be a threat to a supply chain application with a web interface for managing confidential customer data.

Quantitative assessment will then give a numerical estimate of costs incurred if a risk materialises.

Whether adopting qualitative or quantitative methods, higher risks will need appropriate risk treatment. Avoidance, mitigation, and transfer are possible responses. The lower the potential cost of a risk materialising, the lower the need to apply controls and protection. In some cases, it may cost more to protect against the risk than to simply accept it.

Risk appetite

In general, risk appetite can be defined as the amount of risk an organisation is ready to accept to achieve its strategic goals. An organisation can describe its cyber risk appetite in terms of:

  • How cyber assets such as data and data-processing systems relate to the values and goals of the organisation
  • The reasons why these cyber assets are important
  • The risk tolerance associated with each cyber asset, for example, low or zero for assets relating to personally identifiable information (PII), medium for certain operational systems, and so on.

Any risk that is left after treatment is the residual risk. It is important to know the cyber risk appetite of the organisation to see if the residual risk is acceptable compared to the corresponding level of risk tolerance.
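The scoring described above (impact × probability, mapped to low/medium/high bands, then residual risk checked against a per-asset-class tolerance) as an added worked example; this is illustration code, not part of the original post or of any Microsoft tooling. The ordinal scales, band thresholds, tolerance values and the "control reduction" figure are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed ordinal scales (1 = lowest, 3 = highest); the post gives no numbers.
IMPACT = {"low": 1, "medium": 2, "high": 3}
PROBABILITY = {"rare": 1, "possible": 2, "likely": 3}

# Constructed risk appetite per asset class, following the post's examples:
# zero tolerance for PII, a medium tolerance for operational systems.
TOLERANCE = {"pii": 0, "operational": 4, "public": 9}


@dataclass
class Risk:
    name: str
    asset_class: str
    impact: str
    probability: str
    control_reduction: int = 0  # constructed: score points removed by risk treatment


def inherent_score(risk: Risk) -> int:
    """Cyber risk = impact x probability, before any treatment."""
    return IMPACT[risk.impact] * PROBABILITY[risk.probability]


def rating(score: int) -> str:
    """Map a 1..9 matrix score onto the qualitative bands used for the board."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def residual_score(risk: Risk) -> int:
    """Risk left after treatment (cannot drop below zero)."""
    return max(0, inherent_score(risk) - risk.control_reduction)


def within_appetite(risk: Risk) -> bool:
    """Residual risk is acceptable only if it does not exceed the asset class tolerance."""
    return residual_score(risk) <= TOLERANCE[risk.asset_class]


def prioritise(risks: list) -> list:
    """Highest inherent risk first, so effort goes where it matters most."""
    return sorted(risks, key=inherent_score, reverse=True)


# Constructed sample register mirroring the three examples in the post.
SAMPLE = [
    Risk("Public-information server", "public", "low", "rare"),
    Risk("Promotional website", "operational", "medium", "possible"),
    Risk("Supply chain app holding customer PII", "pii", "high", "likely", control_reduction=6),
]
```

Running `prioritise(SAMPLE)` puts the PII application first, and `within_appetite` shows that even after treatment its residual score of 3 breaches a zero-tolerance appetite, so further treatment or a formal acceptance decision is required.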

Risk assessment frameworks

Many enterprises and organisations already use a standard, well-accepted risk assessment framework, whether generally or specifically for cyber. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is one cyber-specific example; it provides guidance and recommendations to manage security risks and improve defences. The NIST CSF can be integrated with other industry frameworks like ISO 27001 for establishing an information security management system and ISO 27005 for information security risk management. Using such a framework helps you to cover all the cybersecurity aspects relevant to your organisation. It also avoids wasted time and effort in “reinventing the wheel”.

Microsoft solutions

Microsoft offers customers different services to help them in their cyber risk assessments, including:

  • Microsoft Service Trust Portal (STP) for self-service audits and compliance (for authenticated users with a Microsoft cloud service account).
  • Microsoft Solution Assessments for cybersecurity, as well as other areas, designed to help customers get the most from their Microsoft investments.
  • Microsoft 365 Security Center and Microsoft 365 Defender, which can help you discover and govern sensitive information assets, detect security threats and mitigate the risks of malicious activity across endpoints, identities, email, and applications to provide integrated protection for end users.
  • Azure Security Center and Azure Defender, which can help you manage and reduce security risks to your data hosted in Azure, on premises, or in other clouds, discover critical security vulnerabilities, and detect malicious events targeting servers, applications, databases, storage, containers and IoT.
