Should we stop doing systematic cyber security risk analysis?

Cyber risks are not a long list of tragic scenarios that could befall your business. On the contrary, managing cyber risk is a sound practice that integrates uncertainty into the corporate culture. Managing risk means learning to seize opportunities that would not exist in a totally secure and predictable world.

Information security should be managed as a business risk. However, are cybersecurity risks just a list of worst-case scenarios?

Security threats and vulnerabilities are constantly evolving. Cybercriminal groups adapt fast: their procedures, techniques and tools change quickly and catch businesses off guard.

For example, in response to multi-factor authentication measures, new forms of social engineering attacks have emerged. Organisations have to deal not only with sophisticated vulnerabilities, but also with cybercriminal groups such as LAPSUS$, whose modus operandi is simply based on recruiting employees with privileged access (technical support, development, etc.).

Information security can be approached as a set of scenarios that are difficult to quantify and whose occurrence is very uncertain. That’s why we manage them as risks.

Systematic risk assessment

Systematic security risk analysis is ambitious. It aims to list an organisation's risk scenarios from the top down. For example, with the EBIOS, MEHARI or OCTAVE methods, you will identify several strategic scenarios, then break them down into numerous operational scenarios. We bring everyone together (CISO, CIO, Senior Leadership Team) for many hours. We ask ourselves questions such as: who and what could undermine the company's mission, and why?

I have facilitated numerous risk workshops. My experience suggests that these attempts to enumerate, detail, formalise and obtain a shared vision of security risk turn into endless discussions. Do you know what happens while you gather all the brainpower of your business for days? Answer: cybercriminal groups made up of young adults are progressing very quickly. They use simple and agile methods. Cybercriminals have no time to waste. They reason through small offensive iterations and specific objectives. And you might be the next target!

From my experience, systematic cyber security risk analysis workshops are a waste of valuable time for most organisations.

Objective-centric risk management

First, cybersecurity risk analysis should be a practice that is integrated into your projects early on. Rather than operating in a silo, it should be part of your business activity: development, new solutions, infrastructure changes, acquisitions, product launches or digital transformation.

Understand the context of information

In order to identify an organisation's cyber risks, I recommend starting with a clear understanding of the objectives, rather than imagining all the threat-based scenarios. The first step is to identify the company's value chain (or the objectives of a project). To do this, organise short and concise workshops with the key people in charge of the company's activities (finance, human resources, production, delivery, etc.). During these workshops, listen to the owners of the company's critical processes and data. How do they work? What data do they use and why? Avoid generating too much anxiety, however, by imagining improbable catastrophic scenarios.

Once you have an inventory of the data and applications being used, you can understand their strategic importance. Ask the following questions: What do you do if your data is publicly disclosed, made inaccessible, or changed without permission? Listening to the responses will give you an idea of the data classification.

Targeted risk analysis

The next step is to ask the IT teams where this data is stored and processed. Ask a simple question: what security measures are in place to protect it? Are there controls (preventive, detective, corrective) or safeguards (physical, human, organisational and technological)?

On the one hand, you understand which applications support strategic processes or handle critical data for the company. On the other hand, you know their current level of protection. This way, you can easily define security risk scenarios. How? It's very simple: focus on the data or applications that seem the least protected. In reality, what could happen to them?

You can rely on a high-level process map. For each step, you identify the possible human and technological threats.
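To make the targeted approach concrete, here is an added example (not from the original post) that models the two inputs described above, the impact of data being disclosed, made inaccessible or altered, and the control types currently in place, and ranks a constructed inventory so that the least protected critical assets surface first. The asset names, ratings and controls are constructed for illustration.

```python
from dataclasses import dataclass, field

# Impact scale for the three questions asked to data owners:
# what if the data is disclosed / made inaccessible / changed without permission?
IMPACT = {"low": 1, "medium": 2, "high": 3}
CONTROL_TYPES = ("preventive", "detective", "corrective")


@dataclass
class Asset:
    name: str
    disclosed: str       # impact if publicly disclosed (confidentiality)
    inaccessible: str    # impact if made inaccessible (availability)
    altered: str         # impact if changed without permission (integrity)
    # Control type -> safeguards reported by the IT team (constructed values)
    controls: dict = field(default_factory=dict)


def classification(asset: Asset) -> int:
    """Data classification: the worst of the three impact answers."""
    return max(IMPACT[asset.disclosed], IMPACT[asset.inaccessible], IMPACT[asset.altered])


def control_gaps(asset: Asset) -> list:
    """Control types for which no safeguard was reported at all."""
    return [t for t in CONTROL_TYPES if not asset.controls.get(t)]


def exposure(asset: Asset) -> int:
    """Hypothetical ranking score: classification weighted by missing control types.
    Critical data with no controls scores highest; well-covered data scores its bare impact."""
    return classification(asset) * (1 + len(control_gaps(asset)))


def prioritise(assets: list) -> list:
    """Order assets so the least protected critical ones come first."""
    return sorted(assets, key=exposure, reverse=True)


# Constructed inventory gathered from the value-chain workshops.
INVENTORY = [
    Asset("payroll-db", "high", "medium", "high", {"preventive": ["MFA", "encryption"]}),
    Asset("public-website", "low", "high", "medium",
          {"preventive": ["WAF"], "detective": ["uptime alerts"], "corrective": ["DR runbook"]}),
    Asset("crm", "high", "medium", "medium", {"preventive": ["SSO"], "detective": ["access logs"]}),
    Asset("build-server", "medium", "medium", "high", {}),
]

if __name__ == "__main__":
    for a in prioritise(INVENTORY):
        print(f"{a.name:15} class={classification(a)} gaps={control_gaps(a)} score={exposure(a)}")
```

Each asset at the top of the list is a risk scenario to discuss with its owner: the question is no longer "what could attack us?" but "what happens to this data if the missing control type is never added?".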

In summary, objective-centric security risk management is common sense. Consider first the teams who are responsible for the critical functions of your organisation, rather than picturing the worst in a world filled with cyber risks and threats.

Reducing risks must first serve the value chain and the organisation’s objectives. Multiplying scenarios with infinite combinations is not helpful in this context.

Is risk something negative?

According to the ISO 31000 standard, risk is defined as “the effect of uncertainty on objectives”. Uncertainty, generated by doubt and complexity, is intrinsic to information security.

So, yes, we must continue to conduct security risk analysis! But without ever losing sight of the objectives and of what we really want to protect.

By listening and educating, you will naturally come to understand the teams' risk appetite, another essential component of risk management. After all, risk is not just something bad to be avoided at all costs.