In this article, the focus is on the Risk Analysis phase of the Risk Assessment process. I will go through the phase and the elements within it.
Risk Analysis is the second phase of the Risk Assessment process. If you want to read about the Risk Identification phase (which is the first phase), check the article The Risk Assessment Process & Identification Phase explained.
If you are new to Risk Management, I recommend you read the article What is Risk Management.
This illustration is a summarized view of Risk Management and the Risk Assessment process.
The illustration is an example of the Risk Management discipline. It may vary between frameworks, standards, and how organizations implement it, but in general it contains more or less the pieces shown in the illustration.
The Risk Assessment process consists of four phases: Identification, Analysis, Treatment & Response, and Monitoring & Reporting.
RISK ANALYSIS PHASE
When a risk has been identified and recorded in the risk register, and the activities in the Risk Identification phase have been conducted, it is time to move into the Risk Analysis phase. The purpose of the Risk Analysis phase is, as the name of the phase stipulates, to analyze the risk.
In the Risk Analysis phase, the following activities, but not limited to these, are conducted:
- Risk description
- Risk scenario
- Likelihood, impact & score
- Risk rating
Let's go through each of them, and at the same time I will share some knowledge and experience from the field.
RISK DESCRIPTION
The purpose of this activity is to summarize the risk. In the Risk Identification phase, data and information were gathered with the help of different methodologies and techniques. This data and information will now be used to describe the risk.
I strongly recommend being as specific as possible when describing the risk. By this I mean that the description should include the threat, the vulnerability, and the consequence. These elements were identified during the Risk Identification phase, and at this point they should be boiled down to a specific description.
I will give an example of a good risk description and a bad one.
- Bad risk description
“A cybercriminal exploits a vulnerability in a system exposed to the internet and steals organizational data.”
- Good risk description:
“A cybercriminal targets our organization’s internet-exposed systems. Due to the lack of strong authentication mechanisms, such as multi-factor authentication, weak passwords are exploited. The initial foothold on the internet-exposed system gives the threat actor the possibility to advance further into critical and sensitive systems in the network. This is made possible by the lack of security controls such as network segmentation and isolation.”
Strive to be as specific as possible. The description of the risk shall be easy to understand for a broader audience. Form the message as a specific and understandable description, and limit the usage of technical terms and acronyms, as these might only be understood by a limited number of people.
RISK SCENARIO
During the Risk Analysis phase, each risk shall be considered in the specific scenario in which it might materialize. The risk scenario is the event and situation in which the negative event could take place. The risk scenario helps the Risk Analysis phase, and the later phases in the Risk Assessment process, to determine the preparedness, current state, and probable impact on the organization.
The scenario is built from the data and information gathered in the Risk Identification phase. I have seen some organizations building the scenario as a part of the Risk Identification phase. I think this makes perfect sense, and there is no right or wrong as to which phase the scenario is built in, as long as the activity is conducted.
Personally, I prefer to have the scenario built in the Risk Analysis phase. The reason is that at this point more data and information are usually available that can be used for the scenario building.
Building a risk scenario helps the team and participants in the Risk Assessment process to better understand the potential impact of the risk. Risk scenario building is a powerful tool and a great way to frame the risk together as a team. It anchors the understanding of the risk and its potential negative impact on the organization, and it creates a common understanding of the risk.
The general rule for building a strong and powerful risk scenario is, as mentioned earlier, to be as specific as possible. Craft the scenario with specifics of the organization and keep technical terms and acronyms to a minimum; ideally, do not use them at all. Being specific is key.
LIKELIHOOD, IMPACT & SCORE
These terms are probably the ones most readers are familiar with when it comes to Risk Analysis. During the Risk Analysis phase, the likelihood and impact of the risk are analyzed. This is also the activity in which the risk gets a score.
The score is commonly calculated as the product Likelihood x Impact. The most common technique used to analyze the likelihood and impact of a risk is qualitative risk analysis.
Qualitative risk analysis is a subjective method, but other methods and techniques can be used instead of it or in combination with it. I will explain the three most commonly used methods below.
- Qualitative risk analysis – is based on subjective opinions, experience, and intuition. The technique is mainly conducted using a scale or rank, for example 1 – 4, or low, medium, high.
Most commonly a numerical scale is used, with a prescribed number for likelihood and for impact, and the pair is plotted on a matrix. This is also known (to some) as the “heatmap”. The closer the risk lands to the upper right corner of the matrix, the higher the risk is considered to be.
A qualitative risk analysis can be conducted in most scenarios and organizations, and it is the most common technique used. Its benefits are that it is easy to understand, pretty straightforward, and can be less time-consuming.
I would also say that if qualitative risk analysis is sufficient for the risk assessed there is no need to conduct or use other methods. Keep it simple. Do not overcomplicate things, it defeats the purpose.
- Quantitative risk analysis – is based on objective metrics, i.e. quantifiable data. This technique is mainly based on monetary calculations.
Quantitative risk analysis techniques use calculations of, for example, net present value, replacement cost, production loss, and so forth. Keep in mind, though, that quantitative risk analysis is highly dependent on the correctness and accuracy of the data and information.
By this I mean that if the data and information used in the calculations are not correct or accurate, the results will not provide an accurate and realistic analysis. If estimated figures and metrics are used, it shall be made clear that the result of the analysis is based on “assumptions”, or a so-called “guesstimate”.
Estimations and extrapolation of metrics can be used to predict outcomes, but there is a risk to this as well: since the result lacks accuracy and correctness, this must be taken into account in the calculation. Before using this technique, ask yourself whether the inputs are estimations, and “What is the error rate, and the risk of using inaccurate data and metrics in the calculation related to this risk?”.
Choose this technique wisely and in those scenarios where it is applicable. Make sure to explain if the metrics used are based on assumptions. The benefit of using a quantitative risk analysis technique is that it reduces subjectivity, i.e. reliance on opinions and intuition; note that an estimated input reintroduces exactly that subjectivity, which is why it must be flagged.
- Semi-quantitative, or hybrid, risk analysis – is a combination of qualitative and quantitative risk analysis. This technique uses, for example, qualitative input (subjective) combined with quantitative metrics (objective).
This technique comes into play when a qualitative risk analysis technique is determined to be insufficient, or when there is a need to reduce bias with the help of a quantitative technique.
Personally, I prefer to use a quantitative risk analysis technique because it reduces subjectivity. But I have found that in many cases accurate and correct data/information is not available. In these cases, I tend to fall back to see if a hybrid approach can be used: the numerical metrics will be assumptions and estimates, explained and made clear as such, combined with subjective input.
If a hybrid technique cannot be used, the fallback is a purely qualitative method to analyze the risk. And this is ok. In most cases, this is how organizations do it; most organizations use a qualitative risk analysis technique. Quantitative techniques are on the rise for cyber risk, but as this article is written (August 2022) they are still less common.
I recommend choosing the most adequate risk analysis technique. Ideally, a single technique should be used across the organization, but this is not always applicable. Risk is context specific, and quantitative metrics, for example, are not available in every situation. Do not overcomplicate things, be pragmatic. Being pragmatic will outperform complicated things.
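As an added example (not code from the article), the following Python shows one way to carry the "based on assumptions" caveat through a quantitative calculation instead of stating it only in a footnote. Every input is tagged as a measured record or as an estimate with a low/high range; the expected annual loss inherits the widest provenance of its inputs, and the report states the resulting error band. Mapping a qualitative likelihood band (low/medium/high) to an assumed probability range turns the same calculation into a semi-quantitative (hybrid) analysis. The loss formula, the band-to-probability mapping, and all figures are constructed for illustration.

```python
"""Added example, not code from the article: a quantitative expected-loss
calculation in which every input carries its provenance (measured record or
estimate with a range), so the result can be reported as either measured or
assumption-based, with the error band the estimates imply. The likelihood-band
mapping turns it into a semi-quantitative (hybrid) analysis. All figures are
constructed for illustration."""

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Source(Enum):
    MEASURED = "measured"    # from a real record: an invoice, an outage log
    ESTIMATED = "estimated"  # an assumption / "guesstimate" with a range


@dataclass(frozen=True)
class Figure:
    """A non-negative number that remembers where it came from.
    low/high bracket an estimate; for a measured figure they equal the value."""
    value: float
    source: Source
    low: Optional[float] = None
    high: Optional[float] = None

    def __post_init__(self) -> None:
        if self.value < 0:
            raise ValueError("figures must be non-negative")
        if self.source is Source.MEASURED:
            object.__setattr__(self, "low", self.value)
            object.__setattr__(self, "high", self.value)
        elif self.low is None or self.high is None or not self.low <= self.value <= self.high:
            raise ValueError("an estimate needs low <= value <= high")

    def _combine(self, other: "Figure", op: Callable[[float, float], float]) -> "Figure":
        # The result is MEASURED only if both operands are; the range is
        # propagated with the same operation (valid because all values are >= 0).
        both_measured = self.source is Source.MEASURED and other.source is Source.MEASURED
        source = Source.MEASURED if both_measured else Source.ESTIMATED
        return Figure(op(self.value, other.value), source, op(self.low, other.low), op(self.high, other.high))

    def __add__(self, other: "Figure") -> "Figure":
        return self._combine(other, lambda a, b: a + b)

    def __mul__(self, other: "Figure") -> "Figure":
        return self._combine(other, lambda a, b: a * b)


# Hybrid input: a qualitative likelihood band mapped to an assumed annual
# probability range. The mapping is itself an assumption, hence ESTIMATED.
LIKELIHOOD_BANDS = {
    "low": Figure(0.05, Source.ESTIMATED, 0.01, 0.10),
    "medium": Figure(0.20, Source.ESTIMATED, 0.10, 0.30),
    "high": Figure(0.50, Source.ESTIMATED, 0.30, 0.70),
}


def annual_expected_loss(annual_probability: Figure, replacement_cost: Figure,
                         production_loss_per_hour: Figure, downtime_hours: Figure) -> Figure:
    """Expected loss per year = P(event in a year) x (replacement cost + production loss)."""
    loss_per_event = replacement_cost + production_loss_per_hour * downtime_hours
    return annual_probability * loss_per_event


def error_ratio(fig: Figure) -> float:
    """Half-width of the plausible range relative to the point value (0 when measured)."""
    return 0.0 if fig.value == 0 else (fig.high - fig.low) / (2 * fig.value)


def report(name: str, ael: Figure) -> str:
    """Report line that says whether the figure rests on assumptions, instead of
    presenting a guesstimate as a fact."""
    if ael.source is Source.MEASURED:
        return f"{name}: expected annual loss {ael.value:,.0f} (all inputs measured)"
    return (f"{name}: expected annual loss {ael.value:,.0f}, BASED ON ASSUMPTIONS; "
            f"plausible range {ael.low:,.0f} to {ael.high:,.0f} "
            f"(about +/-{error_ratio(ael):.0%} of the point value)")


# Constructed inputs: the replacement cost is from an invoice (measured); the
# production loss per hour and the downtime are guesses from the process owner.
PORTAL_OUTAGE = annual_expected_loss(
    annual_probability=LIKELIHOOD_BANDS["medium"],
    replacement_cost=Figure(40_000, Source.MEASURED),
    production_loss_per_hour=Figure(5_000, Source.ESTIMATED, 3_000, 8_000),
    downtime_hours=Figure(24, Source.ESTIMATED, 8, 72),
)

if __name__ == "__main__":
    print(report("Customer portal outage", PORTAL_OUTAGE))
```

With the constructed inputs the point value is 32,000 per year, but the plausible range runs from 6,400 to 184,800: the two guessed inputs dominate the result, which is exactly the error-rate question the text asks you to answer before presenting a quantitative figure. Swap the estimates for measured values and the range collapses to a point and the report drops the caveat.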
RISK RATING
When the risk has been analyzed through the prior activities in the Risk Analysis phase, it is time to rate the risk. I do not consider this mandatory, but it provides a better overview of the risk in relation to other risks.
If the risk register, where all the risks related to security (cyber security, information security, and IT security) are recorded, does not have a rating and the number of risks starts to grow, it can become challenging to understand their interrelationship: why does a certain risk have a higher rating than another?
The rating and prioritization of risks are not static, though. As risks are dynamic, the rating and prioritization shall also be revisited regularly.
If, for example, a certain business process in the organization starts to have a high portion of low-rated risks, the rating attribute will help to better understand the overall impact level. Several low risks might together add up to a higher total impact for that given business process.
Low risks shall not be neglected just because they end up in the lower segment of the risk analysis or heatmap. Revisit the risks regularly. This is also something that I will speak more about when we look into the Risk Monitoring & Reporting phase.
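To make the qualitative scoring described under LIKELIHOOD, IMPACT & SCORE and the rating and aggregation points above concrete, here is an added example (not code from the article or from any framework): a small risk register scored on 1–4 likelihood and impact scales, banded into low/medium/high, ranked, drawn as a text heatmap, and then summed per business process so that a process carrying several low risks can be compared against a single medium or high one. The register entries, process names and band thresholds are constructed for illustration; every organization sets its own thresholds.

```python
"""Added example, not code from the article: qualitative scoring of a risk
register on 1-4 likelihood and impact scales, rating, ranking, a text heatmap,
and per-business-process aggregation of scores. Register entries, process
names and band thresholds are constructed for illustration."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


def rating_for(score: int) -> str:
    """Bands on the 1-16 product of two 1-4 scales. Thresholds are an assumption."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str      # keep it specific: threat, vulnerability, consequence
    business_process: str
    likelihood: int       # 1-4
    impact: int           # 1-4

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 4:
                raise ValueError(f"{name} must be on the 1-4 scale, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        return rating_for(self.score)


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first. Ties are broken by impact so that a rare but severe
    risk sorts above a frequent but minor one with the same product."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def heatmap(register: List[Risk]) -> str:
    """Text rendering of the likelihood x impact matrix with risk ids per cell;
    the upper right corner holds the highest-scoring risks."""
    cells = defaultdict(list)
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.rid)
    lines = []
    for impact in (4, 3, 2, 1):
        row = [f"impact {impact} |"]
        for likelihood in (1, 2, 3, 4):
            row.append(f"{','.join(cells[(likelihood, impact)]) or '.':>9}")
        lines.append(" ".join(row))
    lines.append("           " + " ".join(f"{'L' + str(l):>9}" for l in (1, 2, 3, 4)))
    return "\n".join(lines)


def aggregate_by_process(register: List[Risk]) -> Dict[str, dict]:
    """Total score and count of low-rated risks per business process. A process
    carrying many lows can reach or exceed the score of a single medium or high
    risk, which is why low risks should not be neglected."""
    order = {"low": 0, "medium": 1, "high": 2}
    totals: Dict[str, dict] = {}
    for r in register:
        t = totals.setdefault(r.business_process,
                              {"total_score": 0, "risks": 0, "low_risks": 0, "max_rating": "low"})
        t["total_score"] += r.score
        t["risks"] += 1
        if r.rating == "low":
            t["low_risks"] += 1
        if order[r.rating] > order[t["max_rating"]]:
            t["max_rating"] = r.rating
    return totals


# Constructed register. R1 and R2 follow the article's "good description"
# example; R3-R6 are four low risks that all sit on one business process.
REGISTER = [
    Risk("R1", "Attacker brute-forces weak passwords on the internet-exposed customer portal (no MFA) and gains a foothold", "Customer portal", 3, 4),
    Risk("R2", "A foothold on the portal reaches sensitive back-end systems because the network is not segmented", "Customer portal", 2, 4),
    Risk("R3", "Leaver accounts are not removed from the payroll application", "Payroll", 2, 2),
    Risk("R4", "Shared admin password on the payroll file share", "Payroll", 2, 2),
    Risk("R5", "Payroll database backups are never restore-tested", "Payroll", 1, 3),
    Risk("R6", "Payroll workstations have no patch cadence", "Payroll", 2, 2),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.rid} score={r.score:>2} rating={r.rating:<6} {r.description}")
    print(heatmap(REGISTER))
    for process, t in aggregate_by_process(REGISTER).items():
        print(f"{process}: total {t['total_score']} over {t['risks']} risks, "
              f"{t['low_risks']} low, highest single rating {t['max_rating']}")
```

Run stand-alone, the ranking puts R1 (score 12, high) and R2 (8, medium) first, but the aggregation shows Payroll carrying a total of 15 across four risks that are all individually rated low, more than the single medium risk R2 and more than the high risk R1. That is the situation the text describes: per-risk rating alone would let the Payroll exposure hide in the bottom of the heatmap.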
SUMMARY
When risks are described, be as specific as possible. Strive to keep the risk easy to understand.
The same principle goes for the creation of a risk Scenario. Be as specific as possible and keep the scenario easy to understand.
Choose the risk analysis method that is most appropriate, do not overcomplicate this exercise. If a quantitative risk analysis method is used and the data is considered inaccurate, explain this, and make this clear to the receiver of the message of the risk analysis.
Rate each risk and do not neglect low risks only because they end up in the lower portion of the risk analysis. The aggregation of several low risks might have a higher or comparable impact as a medium or high risk.
Risk management as a discipline is not rocket science. A stringent risk assessment process that defines how certain activities in each phase shall be conducted is very powerful. Strive to create that stringent process in your risk management framework.
I am working with organizations where certain risks go through the risk assessment process in ~15 minutes without stress or putting quality aside. When I say certain risks, this does not mean that every risk takes 15 minutes. In other cases, it can take hours due to the complexity of the risk and the interrelationships between the impact, threats, and vulnerabilities that appear along the road.
In those cases, when more time is needed, it might be necessary to “jump out” of the Risk Assessment process and into another discipline to better understand the risk. A tool that I often find useful, when needed and applicable, is threat modeling. This is a fantastic tool that is very helpful and supportive of the risk assessment process. Threat modeling is a separate subject for its own article, so I will leave you with a cliffhanger.
If you get stuck in the risk assessment process, zoom out and see if there are other processes, disciplines, or methods in your arsenal or in the team that can help you out, like the threat modeling example I gave above.
Keep things simple. Advance as you progress. Doing something instead of nothing, when it comes to Risk Management, is an instant win. Security risks are dynamic and change over time. Do not see the risk management discipline, the risk assessment process, or its phases as something that is done once. It is not a check-the-box exercise. The ultimate goal is to foster a risk-aware culture in the organization and among the employees. This is something that takes time, but the sooner you get the ball rolling, the shorter the pathway to the goal becomes. Progress with patience and with the end goal of creating something sustainable.