Cybersecurity Strategy Management Framework
This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.
Purpose
The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.
Objectives
Inputs
Activities
Choose your approach
The first step in a threat landscape review is choosing a practical risk management approach. By adjusting traditional risk assessment methods, we can perform a broader evaluation, helping to prioritize security areas and guide strategic planning, as detailed in part 1 of this article – “1D. Review threat landscape (1/5)”.
Prepare for assessment
In preparing for a threat landscape assessment, aligning the scope with your cybersecurity strategy and identifying relevant internal and external threat sources is crucial. As part 1 of this article outlines, adequate preparation is the foundation for a robust threat landscape review – “1D. Review threat landscape (1/5)”.
Identify crown jewels
The process of conducting a threat landscape review begins with the identification of your organizational crown jewels. These are assets whose compromise could have a significant impact on your business. The detailed procedure for identifying them is documented in part 2 of this article – “1D. Review threat landscape (2/5)”.
Assess threat sources
Threat sources are anything that can cause harm to your information assets. Understanding the potential threat sources to your organization is vital. Listing them comprehensively and assessing their probability and strength allows you to prioritize risks. The approach for this is detailed in part 3 of this article – “1D. Review threat landscape (3/5)”.
Assess threat events
A threat event is an event or situation initiated by a threat source, which may lead to undesirable consequences for your information assets. Understanding cybersecurity risks requires a detailed assessment of potential threat events, their sources, origin and affected assets. The steps for identifying these threat events are detailed in part 4 of this article – “1D. Review threat landscape (4/5)”.
Assess inherent likelihood
Inherent likelihood quantifies the frequency at which a specific threat source might initiate a particular threat event against your organization, regardless of the robustness of controls implemented to mitigate the risk. This factor is instrumental in calculating the criticality of your risk.
To evaluate the inherent likelihood of identified threats:
Review the threat source probability. Start by reviewing the threat source probability rating you previously assigned in step “4. Determine threat sources”, which suggests how often a threat source might initiate threat events that affect your organization. Generally, your inherent likelihood will be consistent with the threat source probability. However, it might be lower when adversaries deploy certain techniques more often than others.
Review threat source characteristics. Review the threat source characteristics assessed earlier. For adversarial threats, these may influence the choice of techniques used and the varying likelihood of initiating specific threat events. For instance, individual hackers with lower motivation levels are unlikely to devote time to launching Advanced Persistent Threat (APT) attacks using custom-developed malware or exploiting zero-day vulnerabilities. However, this scenario may differ for nation-state actors with higher motivation.
Examine historical data. Your organization’s historical data can guide you in determining the frequency of specific threat events. Since you are assessing inherent event likelihood, consider all detected attempts, not just successful ones.
Review market data. Your internal data might not fully capture the extent of threat events launched against your organization. Therefore, reviewing market reports related to threat events, particularly those specific to your industry, can be beneficial. We have listed examples of these reports in the “Identify information sources” activity description.
Determine inherent likelihood. Based on the steps above, decide on the inherent likelihood of your threat event. Then, you can record this rating in the inherent likelihood column of your Threat Events table.
As a result of this activity, every threat event in your Threat Events table should have an assigned inherent likelihood.
Assess inherent impact
Inherent Impact gauges the potential consequences if a threat source successfully initiates a threat event against your information assets. Similar to inherent likelihood, it does not consider the strength of controls in place to mitigate potential impacts. This factor is crucial in calculating your risk criticality.
To assess the Inherent Impact of identified threats:
Select the threat event. Choose the threat event from your Threat Events table that you wish to analyze for impact.
Examine Impacted Assets. Review your Threat-Assets table that maps threat events to potentially impacted assets. Filter by the threat event and evaluate overall impact ratings that you assigned based on impacted information attributes – confidentiality, integrity and availability. NIST suggests analyzing inherent impact per asset as potential impact levels may vary across different assets. However, given that this assessment occurs at a strategic level, a simpler approach of considering the global impact is recommended. Therefore, you can opt for the highest impact among your impacted assets. However, the risk impact may accumulate if multiple assets are affected, justifying a higher rating.
Consider threat source strength. The higher the threat source strength, the more assets it can affect, or to a greater extent before detection, resulting in a higher impact. In the case of adversarial threats, the more capable and committed cyber criminals are, the more damage they can inflict.
Determine inherent impact. Decide on the inherent impact of the threat event. This value should consider the maximum impact on your affected information assets. Record this value in the inherent impact column of your Threat Events table.
Identify key impacted assets. Choose the top three assets based on their overall impact stored in the Threat-Assets table and add their names to the Key Impacted Assets column in your Threat Events table. This information will be helpful later when presenting an overview of the threat landscape and will help substantiate the inherent impact rating.
Provide a risk example. If possible, provide a representative example of a situation in which a specific threat source successfully initiated a threat event. At the very least, include a year, target organization, and estimated financial losses. This information helps stakeholders comprehend that the discussion extends beyond potential risks to events that have already transpired in your organization or industry.
Repeat this process for each threat event in your Threat Events table.
As a result of this activity, each threat event in your Threat Events table should have an assigned inherent impact.
Calculate inherent risk
Inherent risk is a crucial factor that aids in prioritizing threat events, thus facilitating the effective allocation of your efforts. Given the constraints of organizational resources, this rating is vital in determining your crucial cybersecurity focus areas.
After completing this activity, you should have a prioritized list of threat events. Here is how you can achieve this:
Choose your approach. If your organization already utilizes an established method and risk matrix for calculating risk ratings, it is best to follow them for consistent risk communication. If not, you can adapt the process outlined below.
Determine inherent risk rating. Risk is a combination of likelihood and impact. Typically, the inherent risk rating is derived using a matrix that highlights risk criticality areas based on the likelihood and impact of the threat event. The matrix usually appears as shown in the example below. Some organizations also assign numeric values to likelihood and impact ratings and multiply them to produce a numeric value for the risk rating. However, I do not recommend it when the inputs are qualitative.
Prioritize threat events. To ensure effective risk presentation, you can sort your threat events in descending order using the inherent risk rating column. This ordering draws attention to the most significant risks.
| ID | Threat Event | Inherent Likelihood | Inherent Impact | Key Impacted Assets | Inherent Risk Rating | Risk Example |
|---|---|---|---|---|---|---|
| TE001 | Phishing | 4 - High | 5 - Very High | | 5 - Very High | 2016 - Crelan Bank - 76 mln USD |
| TE002 | Ransomware | 4 - High | 5 - Very High | | 5 - Very High | 2017 - Maersk - 300 mln USD |
| TE003 | Data leakage - accidental | 4 - High | 5 - Very High | | 5 - Very High | |
| TE004 | Data leakage - theft | 3 - Medium | 5 - Very High | | 5 - Very High | |
| TE005 | Vulnerability exploitation | 3 - Medium | 5 - Very High | | 5 - Very High | |
| TE006 | Insufficient vendor oversight | 3 - Medium | 5 - Very High | | 5 - Very High | |
| TE007 | Denial of service | 3 - Medium | 5 - Very High | | 4 - High | 2021 - Bandwidth Inc. - 12 mln USD |
| TE008 | Misconfiguration | 2 - Low | 5 - Very High | | 4 - High | |
| TE009 | Power failure | 2 - Low | 5 - Very High | | 4 - High | |
| TE010 | Ineffective security design | 2 - Low | 5 - Very High | | 4 - High | |
| TE011 | Regulatory incompliance | 2 - Low | 5 - Very High | | 4 - High | |
| TE012 | Fire | 1 - Very Low | 5 - Very High | | 3 - Medium | |
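The matrix lookup and the descending sort described in the "Calculate inherent risk" steps, as an added worked example that is not part of the article or the framework. The 5x5 matrix is an assumption chosen to agree with the ratings in the table above (likelihood rows, impact columns, cells are the qualitative risk rating); the sample rows are constructed from that table, and the `product_score` helper is included only to contrast the multiplicative approach the author advises against.

```python
from __future__ import annotations
from typing import NamedTuple

# Qualitative scale used throughout the article: 1 - Very Low ... 5 - Very High.
LABELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Assumed risk matrix (not the article's own): row index is inherent
# likelihood 1..5, column index is inherent impact 1..5, cell is the rating.
MATRIX = [
    [1, 1, 2, 3, 3],  # likelihood 1 - Very Low
    [1, 2, 3, 4, 4],  # likelihood 2 - Low
    [2, 3, 3, 4, 5],  # likelihood 3 - Medium
    [2, 3, 4, 5, 5],  # likelihood 4 - High
    [3, 4, 4, 5, 5],  # likelihood 5 - Very High
]


class ThreatEvent(NamedTuple):
    id: str
    name: str
    likelihood: int  # inherent likelihood, 1..5
    impact: int      # inherent impact, 1..5


def inherent_risk(likelihood: int, impact: int) -> int:
    """Qualitative lookup: the matrix, not arithmetic, decides the rating."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be on the 1..5 scale")
    return MATRIX[likelihood - 1][impact - 1]


def product_score(likelihood: int, impact: int) -> int:
    """The multiplicative alternative; treats ordinal labels as equally spaced."""
    return likelihood * impact


def rating_text(score: int) -> str:
    return f"{score} - {LABELS[score]}"


def prioritize(events: list[ThreatEvent]) -> list[tuple[str, str]]:
    """Order events by inherent risk (then likelihood), highest first."""
    key = lambda e: (inherent_risk(e.likelihood, e.impact), e.likelihood)
    ranked = sorted(events, key=key, reverse=True)
    return [(e.id, rating_text(inherent_risk(e.likelihood, e.impact))) for e in ranked]


# Sample rows constructed from the article's Threat Events table.
SAMPLE = [
    ThreatEvent("TE012", "Fire", 1, 5),
    ThreatEvent("TE008", "Misconfiguration", 2, 5),
    ThreatEvent("TE001", "Phishing", 4, 5),
    ThreatEvent("TE004", "Data leakage - theft", 3, 5),
]
```

Note that `product_score(5, 3)` and `product_score(3, 5)` are both 15, while the matrix rates them 4 - High and 5 - Very High: the lookup can weight impact more than likelihood, which a product of ordinal labels cannot express.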
Summarize the threat landscape
During stakeholder discussions, referring to your organization’s threat landscape can be beneficial. However, it is crucial to relay this information in a straightforward, concise and easily digestible manner. The goal is to help stakeholders grasp the critical risks that could impact their areas of responsibility. You also want to convincingly present your cybersecurity strategy as the solution to these challenges.
Create an initial summary
To convey your message effectively, concentrate on the top ten risks, detailing as follows:
Risk category and description. It is essential to present the risks in a language that business leaders can easily understand. Each risk should have a title and description that reflects its nature without resorting to technical jargon. Consider leveraging the organizational risk taxonomy to ensure consistency and clarity.
Threat source. Identifying the highest priority threat source helps to illustrate its characteristics and the efforts needed to prepare for risk mitigation. For instance, organizations often targeted by advanced hacking groups require significantly more resources to counter these threats.
Threat source intent. For adversarial threat sources, you can include the intent of the threat source to demonstrate its motivation.
Impacted assets. Identify the top three assets that would face the highest impact. Pinpointing the assets most at risk allows stakeholders to comprehend each risk’s potential consequences and severity.
Risk rating. Provide your risk rating. Sharing a risk rating provides a snapshot of its severity relative to others.
Risk example. It is helpful to use real-world examples to bring these risks to life. Include the most recent instances where similar risks materialized, whether within your company or the industry. Provide the company’s name, the year, and, if available, the financial impact value to help stakeholders appreciate the reality of the risks.
Group similar risks
Upon analysis, you may find that some risks are overly detailed, or you might notice clusters of similar threat event categories.
In these scenarios, aim to aggregate similar risks into broader categories. Remember, this is a strategic-level assessment intended for high-ranking stakeholders. They should understand the nature of these risks, perceive their importance, and you need to convince them to act on them. Your cybersecurity strategy will be the solution to these problems.
| Risk Title | Risk Description | Threat Source | Intent | Key Impacted Assets | Rating | Example |
|---|---|---|---|---|---|---|
| Phishing | External attackers can send emails pretending to be from a legitimate source to trick our employees into revealing their credentials or introducing malware into our systems, giving the attackers initial access to our organization. | TS001 Hacking group | Financial gains, Disruption | A006 Authentication data | 5 - Very High | 2016 - Crelan Bank - 76 mln USD |
| Ransomware | External attackers can deliver and install malware into our systems to steal our sensitive information or spread ransomware for financial gains. | TS001 Hacking group | Financial gains, Disruption | A004 Client data | 5 - Very High | 2017 - Maersk - 300 mln USD |
| Data leakage - accidental | Insiders can leak our confidential data by mistake, by losing data storage devices or by not following information handling guidelines. | TS006 User | | A004 Client data | 5 - Very High | |
Outputs
References
Use the following links to deepen your knowledge about this topic.
- Freund, J., & Jones, J. (2015). Measuring and Managing Information Risk: A FAIR Approach. [Elsevier]
- Landoll, D. (2021). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. [CRC Press]
- Talabis, M. R., & Martin, J. (2021). Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis. [Elsevier]
- Wheeler, E. (2011). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. [Elsevier]
- Cyber Leadership Institute (2019). CISO Playbook: Protecting the Crown Jewels
- Information Security Forum (2017). IRAM2: The Next Generation of Assessing Information Risk
- Information Security Forum (2016). Protecting the Crown Jewels: How to Secure Mission-Critical Information Assets
- Information Security Forum (2016). Protecting the Crown Jewels: Implementation Guide
- ISO (2011). ISO/IEC 27005: Information Technology – Security Techniques – Information Security Risk Management
- NIST (2012). NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments
- NIST (2011). NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View