Today’s businesses are under constant threat of cyber-attacks. Recent cyber security incidents have shown the importance of prioritising cyber security threat remediation rather than treating every finding as equally urgent.
Here are 7 steps on how to prioritise cyber security threat remediation within your organisation:
Step 1. Involve the Business Stakeholders in the Process
Cyber security threat remediation is often left to the “IT people”. Business stakeholders, which include those in senior management positions and those possessing unique perspectives, experiences, and skills that IT may not possess, are invaluable in prioritising cyber security threat remediation.
A survey conducted by Info-Tech Research Group showed that organisations that were able to engage business stakeholders in cyber threat identification were 79% more successful in identifying all threats compared to organisations where business stakeholders’ participation was minimal. Another Info-Tech survey found that 97% of organisations that involved business stakeholders in the cyber risk assessment process reported success.
It’s beneficial to involve business stakeholders as they can put forward perspectives that IT departments may have overlooked, and they can bolster IT’s knowledge regarding risks and their overall effect on the organisation.
Step 2: Identify Cyber Security Threats
In identifying cyber security threats, determine the threat categories, threat scenarios and threat events.
Threat categories are high-level groupings that label threats relating to major IT functions. The following are some commonly identified categories:
- Operations risks
- Hardware risks
- Software risks
- Project risks
- Personnel risks
- Data risks
- Vendor risks
- Disaster & business continuity risks
- Compliance & security risks
After identifying the threat categories, identify the threat scenarios, or common situations, for each category. For instance, in the data risk category, threat scenarios could be data theft, loss of data integrity, loss of data confidentiality, and loss of data availability.
Threat events are the specific vulnerabilities or incidents that realise a particular threat scenario. For example, a threat event under the data integrity scenario is data loss or corruption within a system that then has to be recovered.
Step 3: Determine the Threshold for Acceptable and Unacceptable Risk
Establish a threshold that sets what constitutes acceptable and unacceptable risk for the organisation. Express it as a concrete dollar value, based on the organisation’s ability to absorb financial losses and its tolerance for risk. For instance, an organisation’s threshold could be $100,000: a threat whose loss would be below $100,000 is acceptable, while one whose loss would reach or exceed $100,000 is unacceptable.
Step 4: Create a Financial Impact Assessment Scale
Every cyber threat has a corresponding financial consequence, and it’s difficult for senior management to make informed decisions about cyber security threats if they don’t know what that financial impact will be. For each identified threat event, create a scale to assess the financial impact. Typically, financial impacts are assessed on a scale of 1 to 5, or low to extreme. Make sure the bands are contiguous, so every loss maps to exactly one level, and that the unacceptable risk threshold is reflected in the scale, so that a loss at the threshold lands on a higher level than any acceptable loss. Let’s say,
- Financial loss of up to $34K falls under Scale 1 (Negligible)
- Financial loss of $35K to $59K falls under Scale 2 (Low)
- Financial loss of $60K to $99K falls under Scale 3 (Moderate)
- Financial loss of $100K (this being the threshold) to $249K falls under Scale 4 (High)
- Financial loss of $250K or more falls under Scale 5 (Extreme)
Include project overruns and service outages in the financial impact assessment. For instance, a cyber security project that overruns by 20 days, with 8 employees at an average cost of $300 per person per day, has an estimated overrun cost of 20 × 8 × $300 = $48,000 and falls under Scale 2 (Low). Similarly, a service outage lasting 4 hours at $10K of lost revenue per hour costs an estimated $40,000 and also falls under Scale 2 (Low).
Step 5: Create a Probability Scale
For every threat event, create a scale to assess the probability that the event will happen over a given period (for example, the coming year). Make sure the probability scale has the same number of levels as the financial impact scale, and that its bands are contiguous so every estimate maps to exactly one level. Let’s say,
- Probability below 20% falls under Scale 1 (Negligible)
- 20 to 39% probability falls under Scale 2 (Low)
- 40 to 59% probability falls under Scale 3 (Moderate)
- 60 to 79% probability falls under Scale 4 (High)
- 80% or higher probability falls under Scale 5 (Extreme)
Step 6: Threat Severity Level Assessment
For all threat events, assess the severity level. To calculate the severity level of each threat event, multiply the probable financial impact by the probability of occurrence, which gives an expected loss over the period. For example, a threat event with a probable financial impact of $250K (Scale 5, Extreme) and a 10% probability of occurrence (Scale 1, Negligible) has an expected loss of $25K. Be careful with what that figure hides: $25K sits in the lowest band of the impact scale and well under the $100K threshold, yet the loss if the event does occur is $250K, which is unacceptable. To keep both dimensions visible, many organisations also multiply the scale levels (here 5 × 1 = 5 on a 1 to 25 grid) and compare the impact itself, not only the expected loss, against the threshold from Step 3.
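The scoring in Steps 3 to 6 worked through as a small Python risk-register scorer. This is an added example, not code from the original article: the dollar bands, probability bands and $100K threshold are the ones given above, while the threat events, the helper names, the placement of losses under $10K in Scale 1 and the level-product score are constructed for illustration. It shows both the expected-loss figure the text multiplies and the scale-level product, and it flags an event as unacceptable on the loss if it occurs, so the $250K-at-10% case is not lost behind its $25K expected value.

```python
from dataclasses import dataclass

# Step 3: the organisation's threshold for unacceptable risk, in dollars (the article's figure).
UNACCEPTABLE_THRESHOLD = 100_000

# Step 4: financial impact scale as (lower bound in dollars, level, label).
# Bands are contiguous so every loss maps to exactly one level; losses below
# $10K are placed in level 1 here (assumption). The $100K threshold is the
# lower bound of level 4.
IMPACT_SCALE = [
    (0,       1, "Negligible"),
    (35_000,  2, "Low"),
    (60_000,  3, "Moderate"),
    (100_000, 4, "High"),
    (250_000, 5, "Extreme"),
]

# Step 5: probability of occurrence over the assessment period, same number of levels.
PROBABILITY_SCALE = [
    (0.00, 1, "Negligible"),
    (0.20, 2, "Low"),
    (0.40, 3, "Moderate"),
    (0.60, 4, "High"),
    (0.80, 5, "Extreme"),
]


def level_for(value, scale):
    """Return (level, label) of the highest band whose lower bound is <= value."""
    level, label = scale[0][1], scale[0][2]
    for lower, lvl, lab in scale:
        if value >= lower:
            level, label = lvl, lab
    return level, label


def overrun_cost(days, staff, cost_per_person_day):
    """Cost of a project overrun (Step 4 example: 20 days x 8 staff x $300/day)."""
    return days * staff * cost_per_person_day


def outage_cost(hours, revenue_per_hour):
    """Cost of a service outage (Step 4 example: 4 hours x $10K/hour)."""
    return hours * revenue_per_hour


@dataclass
class ThreatEvent:
    name: str
    impact_usd: float   # probable financial loss if the event occurs
    probability: float  # chance of occurrence over the period, 0.0 to 1.0


def assess(event):
    """Step 6: severity as expected loss (impact x probability) and as a level product.

    The expected loss is what the article multiplies. The level product
    (impact level x probability level, 1..25) is the usual risk-matrix score
    and is an added convention here. 'unacceptable' is judged on the loss if
    the event occurs, not on the expected loss, so a $250K event at 10%
    ($25K expected) is still flagged against the Step 3 threshold.
    """
    impact_level, impact_label = level_for(event.impact_usd, IMPACT_SCALE)
    prob_level, prob_label = level_for(event.probability, PROBABILITY_SCALE)
    return {
        "name": event.name,
        "impact_usd": event.impact_usd,
        "impact": f"{impact_level} ({impact_label})",
        "probability": f"{prob_level} ({prob_label})",
        "expected_loss": round(event.impact_usd * event.probability, 2),
        "severity_score": impact_level * prob_level,
        "unacceptable": event.impact_usd >= UNACCEPTABLE_THRESHOLD,
    }


def prioritise(events):
    """Rank assessed events by level-product score, then by raw impact, highest first."""
    assessed = [assess(e) for e in events]
    return sorted(assessed, key=lambda r: (-r["severity_score"], -r["impact_usd"]))


# Constructed sample register for illustration, not data from the article.
SAMPLE_EVENTS = [
    ThreatEvent("Theft of customer database", 250_000, 0.10),
    ThreatEvent("Ransomware on file server", 150_000, 0.30),
    ThreatEvent("Project overrun", overrun_cost(20, 8, 300), 0.50),
    ThreatEvent("Payment service outage", outage_cost(4, 10_000), 0.70),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_EVENTS):
        flag = "UNACCEPTABLE" if r["unacceptable"] else "acceptable"
        print(f'{r["severity_score"]:>2}  {r["name"]:<28} impact {r["impact"]:<14} '
              f'prob {r["probability"]:<14} expected ${r["expected_loss"]:>9,.0f}  {flag}')
```

Run as a script, the register prints in priority order: the ransomware and outage events tie on a score of 8 and are separated by raw impact, the overrun scores 6, and the database theft scores only 5 yet is the one event carrying the UNACCEPTABLE flag, which is exactly the case a ranking by expected loss alone would bury.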
Step 7: Determine the Proximity of the Threat Event
Over time, both the financial impact and the probability of occurrence of a threat event fluctuate. The relationship between threat severity and time is called threat proximity. These fluctuations are often unpredictable, but some threat events follow a predictable pattern. The risk severity of losing key personnel is roughly constant over time. The risk severity of a data breach in the run-up to a new product launch is confined to a particular point in time. The risk severity of a project overrun after staff layoffs either increases or decreases after a particular point in time.
In determining the proximity of a threat event, focus on the “high” and “extreme” threats and describe their proximity in plain terms that tie the change in risk to a concrete date or trigger. For instance, for a particular threat event, the threat proximity can be described in this way: “The probability of this threat event will fall when the new budget for the IT department is released.”
So what’s the difference between threat severity and threat proximity? Threat severity tells senior management the relative importance of each threat event, while the threat proximity description tells them how urgent it is and when risk responses need to be in place to be effective.
Cyber Security Threat Remediation Equals Cost Effectiveness
Threat identification and prioritising these threats demand time and money. But the time and money spent on these security risk management tasks can mean the difference between staying on budget and spending too much.