Cyber Risk Assessment Stages - Week 7


Questions and Answers

What is the primary goal of establishing context in a cyber risk assessment?

  • To reduce firewall costs
  • To ensure stakeholder confidence and legal compliance (correct)
  • To avoid identifying threats
  • To identify all software vulnerabilities

Asset identification is only concerned with external factors impacting cyber risk.

False

What are the two main categories of threats during risk identification?

Malicious and Non-Malicious

Which of the following factors is considered an external context in a risk assessment?

Regulations and laws

Technical data such as logs is not useful for identifying risks.

False

The scales for risk evaluation help to define _____ and impact scales.

likelihood

What is the first step in identifying malicious threats?

Identifying adversaries and threat sources

Vulnerability scanners are only used for identifying threats.

False

What scales can be used to evaluate the severity of vulnerabilities?

High, Medium, Low

The process of examining how threats can impact assets is known as __________.

Risk Analysis

Match the following analysis types with their descriptions:

  • Threat Analysis = Assess the likelihood of each identified threat
  • Vulnerability Analysis = Evaluate vulnerability likelihood and severity
  • Incident Analysis = Determine the impact of incidents on assets
  • Consequence Analysis = Document the potential outcomes of incidents

What approach does Non-Malicious Threat Identification follow?

Following the reverse order, from incidents back to threats

Logs and industry data are irrelevant in estimating threat likelihoods.

False

What must be documented with each rating so that risk treatment decisions can later be reviewed by new teams and regulators?

Evidence and reasoning

Flashcards

Threat Identification

Identifying the specific dangers to a system, starting from the threat sources that could cause them.

Vulnerability Identification

Finding weaknesses in defenses or lacking defenses; using tools like scanners.

Incident Identification

Recording security incidents (attacks) caused by vulnerabilities and affected assets.

Risk Analysis Purpose

Evaluating risks by analyzing threats, vulnerabilities, likelihoods, and incident consequences on assets.


Likelihood Assessment

Using a frequency scale (e.g., rare, common) to estimate how likely a threat is to occur.


Vulnerability Severity

Rating vulnerability seriousness as high, medium, or low, explaining the reason.


Incident Likelihood

Estimating the probability of a security incident occurring, using a frequency scale.


Risk Treatment Effect

Applying a risk treatment changes the level of risk, so the affected risks must be re-rated after treatment.


Cyber Risk Assessment Context

Understanding the environment and factors affecting a cyber risk assessment, including goals, scope, internal/external factors, assets, and potential consequences.


Risk Identification Goals

Determining the aims and objectives, such as identifying and managing risks to minimize cyberattacks, alongside security and legal compliance.


Asset Identification

Identifying the valuable resources needing protection (e.g., data, systems), considering factors like integrity, confidentiality and availability.


Risk Scales

Defining likelihood and impact scales for assessing risk, visually displayed using grids, to classify risks and prioritize mitigation strategies. (e.g. Low, Medium, High)


Malicious Threats

Threats intended to harm a system, typically originating from external attackers or insiders. Identification starts from the threat sources and works forward to incidents.


Non-malicious Threats

Threats not intended to cause harm (accidents, errors, failures) that still have a negative impact on the system. Identification starts from the incidents and works backward to their causes.


Attack Surface Identification

Mapping system entry points for potential attackers, focusing on interface points with networks (e.g., internet or mobile).


Risk Identification Techniques

Using diverse methods like data analysis (e.g., logs, testing), interviews, and brainstorming to identify potential cyber threats, both malicious and non-malicious.


Study Notes

Cyber Risk Assessment Stages

  • Context Establishment is crucial for a successful assessment. Incorrect context can impact the entire process.
  • Goals and Objectives need to be defined, including aims like reducing cyber attack likelihood and ensuring stakeholder confidence in security and compliance.
  • Scope and Focus should be determined, potentially limiting the assessment to certain parts of the system and defining assumptions like insider motivations.
  • Internal and External Context is important, considering external factors (regulations, laws, customer expectations) and internal aspects (assets, processes, risk management constraints).
  • Assets need to be identified for protection, considering factors like integrity, availability, and confidentiality.
  • Risk evaluation uses scales to assess likelihood and impact, categorizing risks into, for example, minor or major, to decide on mitigation actions.
  • Potential consequences for each asset need to be defined, so that the impact of each risk is understood and backed by supporting evidence.
  • Attack surface identification maps system interfaces (e.g., internet, mobile) to find potential entry points for attackers.

Risk Identification

  • Purpose is to identify potential malicious and non-malicious threats to the system.
  • Malicious and non-malicious threats are handled differently: malicious threats are identified by starting from sources and working forward through threats, vulnerabilities and incidents; non-malicious threats reverse the order, starting from incidents.
  • Identification Techniques include technical data (logs, penetration testing), and input from developers, operators, and external experts. Interviews and brainstorming also gather diverse perspectives.
  • Identifying Malicious Threats follows steps like identifying adversaries and threat sources, identifying potential threats by each source, identifying and assessing vulnerabilities, and documenting specific incidents resulting from vulnerabilities and threats.
  • Non-Malicious Threat Identification follows a reverse order, starting from incidents and moving backward to identify vulnerabilities, threats, and sources.

Analysis

  • Purpose of risk analysis is to evaluate the level of risk by analyzing threats, vulnerabilities, likelihoods, and consequences.
  • Likelihood and Severity Assessment uses frequency (e.g., rare, every 10 years) to rate threat likelihood and vulnerability severity (high/medium/low); reasoning must be documented. Incident likelihood is also rated on a frequency scale.
  • Sources for Estimation include logs, industry data, security data, and expert judgment. The basis for each assessment should be clearly documented.
  • Threat Analysis involves assessing the likelihood of each identified threat, differentiating between malicious and non-malicious.
  • Vulnerability Analysis uses tools such as scanners and code reviews to evaluate vulnerability likelihood and severity, rated on the scales agreed during context establishment (e.g. high/medium/low).

Incident and Consequence Analysis

  • Incident and Consequence Analysis determines the impact of incidents on each affected asset, referencing the scales defined in context establishment. Assessments should be documented.
  • Continual Risk Treatment: applying a treatment changes the level of a risk, so treated risks are re-rated. Because assessments are regularly inspected by new teams and by regulators, the evidence and reasoning behind every rating must be documented.
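The following is an added worked example, not part of the original lesson, showing how the analysis steps above fit together in a small risk register: a frequency-based likelihood scale, High/Medium/Low scales for vulnerability severity and asset impact, an incident-likelihood rule, a likelihood x impact grid that classifies each risk as Minor, Moderate or Major, a check that every rating carries evidence and reasoning, and re-rating after treatment. The scale bands, the grid thresholds, the rule combining threat likelihood with vulnerability severity, and the register entries are all assumptions made for the illustration, not figures from the lesson.

```python
"""Worked cyber risk register (illustrative assumptions throughout)."""
from dataclasses import dataclass, replace
from enum import IntEnum


class Likelihood(IntEnum):
    """Frequency scale; the bands are assumed for this example."""
    RARE = 1        # about once per 10 years or less often
    UNLIKELY = 2    # once every few years
    POSSIBLE = 3    # about once a year
    LIKELY = 4      # several times a year
    COMMON = 5      # monthly or more often


class Level(IntEnum):
    """High/Medium/Low scale used for vulnerability severity and asset impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def likelihood_from_frequency(events_per_year: float) -> Likelihood:
    """Map an estimated frequency (from logs or industry data) onto the scale."""
    if events_per_year <= 0.1:
        return Likelihood.RARE
    if events_per_year < 1:
        return Likelihood.UNLIKELY
    if events_per_year < 2:
        return Likelihood.POSSIBLE
    if events_per_year < 12:
        return Likelihood.LIKELY
    return Likelihood.COMMON


@dataclass(frozen=True)
class RiskEntry:
    incident: str
    asset: str
    threat_likelihood: Likelihood   # how often the threat is attempted
    vulnerability_severity: Level   # how exploitable the weakness is
    consequence: Level              # impact on the asset if the incident occurs
    evidence: str                   # logs, industry data, security data, expert judgement
    reasoning: str                  # why these ratings were chosen


def incident_likelihood(entry: RiskEntry) -> Likelihood:
    """Assumed rule: a HIGH-severity vulnerability leaves the threat likelihood as is,
    MEDIUM lowers it by one band, LOW by two bands (never below RARE)."""
    drop = {Level.HIGH: 0, Level.MEDIUM: 1, Level.LOW: 2}[entry.vulnerability_severity]
    return Likelihood(max(int(Likelihood.RARE), int(entry.threat_likelihood) - drop))


def risk_score(entry: RiskEntry) -> int:
    """Grid cell value: incident likelihood (1-5) times consequence (1-3)."""
    return int(incident_likelihood(entry)) * int(entry.consequence)


def risk_level(entry: RiskEntry) -> str:
    """Classify the grid cell; the Minor/Moderate/Major thresholds are assumed."""
    score = risk_score(entry)
    if score <= 3:
        return "Minor"
    if score <= 8:
        return "Moderate"
    return "Major"


def validate(entry: RiskEntry) -> None:
    """Reject a rating that could not be defended to a new team or a regulator."""
    if not entry.evidence.strip() or not entry.reasoning.strip():
        raise ValueError(f"{entry.incident}: every rating needs evidence and reasoning")


def treat(entry: RiskEntry, **changes) -> RiskEntry:
    """Apply a treatment (e.g. lower the vulnerability severity) and return the re-rated entry."""
    treated = replace(entry, **changes)
    validate(treated)
    return treated


def prioritise(register: list) -> list:
    """Highest-scoring cells of the grid are treated first."""
    for entry in register:
        validate(entry)
    return sorted(register, key=risk_score, reverse=True)


# Constructed sample register (not from the lesson).
REGISTER = [
    RiskEntry("Credential phishing leads to admin account takeover", "Customer database",
              likelihood_from_frequency(6),   # ~6 campaigns/year seen in mail gateway logs
              Level.HIGH,                      # admin portal has no MFA
              Level.HIGH,
              "mail gateway logs (constructed); industry phishing report (constructed)",
              "Campaigns seen roughly every two months; single-factor admin login"),
    RiskEntry("Backup media lost in transit", "Offsite backups",
              Likelihood.RARE, Level.MEDIUM, Level.MEDIUM,
              "courier incident records (constructed); expert judgement",
              "No loss in eight years; media encrypted but key handling is informal"),
]

if __name__ == "__main__":
    for e in prioritise(REGISTER):
        print(f"{risk_level(e):8} score={risk_score(e):2}  {e.incident} -> {e.asset}")
    mfa = treat(REGISTER[0], vulnerability_severity=Level.LOW,
                reasoning="MFA enforced on the admin portal; re-rated after treatment")
    print(f"after treatment: {risk_level(mfa)} score={risk_score(mfa)}")
```

Note that `treat` re-runs `validate`, so a treatment recorded without updated reasoning is rejected: the register keeps the audit trail the lesson says new teams and regulators will inspect.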
