Do we need to rethink how risk assessments are applied to the cyber world? Cyber-attacks, and the risks associated with them, are 100% likely: someone at some time is likely to try to attack each and every organisation connected to the internet anywhere in the world.
Risk assessments are not new and have been used very effectively in a number of situations, for example to reduce the incidence of serious injury in the world of health and safety. A risk assessment is often the starting point for any plan, guiding the choice of actions taken to address the risks and thereby helping to determine cost-effective solutions to the risks an organisation faces. Many will recall the “4 Tees” ways of dealing with risk:
1. Treating it – taking mitigation action(s) to reduce the likelihood or impact of the risk occurring;
2. Terminating it – doing something in a different way to remove the risk altogether;
3. Transferring it – passing the risk to someone else, usually in part, by, for example, taking out insurance;
4. Tolerating it – accepting it and simply monitoring the risk.
In the health and safety world, consideration is given to potential events, their potential effect (damage) and the potential reduction of the risk through good management. In general, risk management relates to likelihood and impact: the greater these two are, the more likely we are to spend money and time on managing the risk. This means that, whilst we might consider the possibility of a devastating accident such as the proverbial airplane landing on the roof of the factory, in reality we pay little attention to it. It is recognised that, whilst it could result in a serious business impact, perhaps even business closure, the likelihood is so small that it is not worth worrying about too much.
In cyber security, however, there is a slight problem with risk assessment, and we perhaps need to rethink how it is done when applying it to the cyber world. If the future security of a system of computers, telephones and personal devices such as phones, laptops and tablets is to be implemented effectively, it relies on good protective measures rather than on risk assessment.
The likelihood of almost any risk caused by a cyber-attack (in the broadest sense of the word) is virtually 100%. Someone at some time is likely to try to attack each and every one of the organisations connected to the internet somewhere in the world. It is true that some attacks are more likely than others, and so there is some merit in thinking about defending against those first, but to ignore the others (like the proverbial aircraft crash) is a much greater risk than it would be in other business areas.
The reason is that most cyber-attacks are relatively easy to do and, whilst there are those that require more effort, a lot of help and advice is available to achieve successful results – “crime as a service” if you will. Sending out a million spam emails may seem pointless (and costs almost nothing), but one email might generate a large sum of money and make it all worthwhile. There is also a more serious issue that the cyber world is developing new attacks all the time and so, whilst we might take actions to defend against today’s probable attacks, we have very little idea what tomorrow’s attack will look like.
So the traditional risk assessment is much less useful and indeed in many cases is not very helpful in identifying the actions to take to defend against cyber-attack. What is required is a way of determining which cyber-defence controls are the most effective against the known attacks and how well those controls are going to defend the organisation, not only against the attacks seen today, but against any attack that might be thrown at those defences tomorrow.
The Cyber Defence Capability Assessment Tool (CDCAT) was developed by the Defence Scientific and Technical Laboratory (Dstl) on behalf of the MOD to assess the maturity and effectiveness of the controls defending all their systems. Quick to complete, and with a fully comprehensive report produced, it can ensure the right protections are in place for any system - thereby helping to ensure the always-limited budgets are spent in the right places. This assessment can then provide the basis of the plans for the organisation to undertake the continuous improvement in their cyber-security measures that is critical if they are to continue defending themselves successfully in the future.
Andy Taylor, Lead Cyber Security Assessor for APMG International.