7 Steps to Prioritize Cyber Security Threats
Today’s businesses are under constant threat of cyber attacks. The recent WannaCry ransomware attack, which affected major businesses and institutions around the world, showed the importance of prioritizing cyber security threat remediation.
Here are 7 steps to prioritize cyber security threat remediation:
Step 1: Involve Business Stakeholders in the Process
Cyber security threat remediation is often left to the “IT people”. Business stakeholders, who include those in senior management positions and those with unique perspectives, experience and skills that IT may not possess, are invaluable in prioritizing cyber security threat remediation.
A survey conducted by Info-Tech Research Group showed that organizations that were able to engage business stakeholders in cyber threat identification were 79% more successful in identifying all threats compared to organizations where business stakeholders’ participation was minimal. Another Info-Tech survey found that 97% of organizations that involved business stakeholders in the cyber risk assessment process reported success.
It’s beneficial to involve business stakeholders as they can put forward perspectives that IT may have overlooked, and they can bolster IT’s knowledge regarding particular risks and their overall effect on the organization.
Step 2: Identify Cyber Security Threats
In identifying cyber security threats, determine the threat categories, threat scenarios and threat events.
Threat categories are advanced groupings that label threats relating to major IT functions. The following are some of the identified categories:
After identifying the threat categories, identify the threat scenarios or common situations for each category. For instance, in the data risk category, threat scenarios could be data theft, data integrity, data confidentiality and data availability.
Threat events refer to specific vulnerabilities under a particular threat scenario. An example of a threat event under data integrity is data recovery/loss within a system.
Step 3: Determine the Threshold for Acceptable and Unacceptable Risk
Establish a threshold that sets what constitutes an acceptable and an unacceptable risk for the organization. This threshold should be a concrete dollar value, based on the organization's ability to absorb financial losses and its tolerance for risk. For instance, an organization's threshold could be $100,000. A cyber threat costing below $100,000 is acceptable, while one costing above $100,000 is an unacceptable threat.
Step 4: Create a Financial Impact Assessment Scale
Every cyber threat has a corresponding financial consequence. It’s difficult for senior management to make intelligent decisions about cyber security threats if they don’t know what the financial impact will be. For each identified threat event, it’s critical to create a scale to assess the financial impact. Typically, financial risk impacts are assessed on a scale of 1 to 5, or low to extreme. Make sure that the unacceptable risk threshold is reflected in the scale. Let’s say,
In the financial impact assessment, include project overruns and service outages. For instance, a cyber security project that runs for 20 days with 8 employees at an average cost of $300 per day, for a total estimated cost of $48,000, falls under the low impact level. Another example is a service outage that runs for 4 hours at a $10K loss of revenue per hour, for an estimated cost of $40,000, which also falls under the low impact level.
Step 5: Create a Probability Scale
For every threat event, create a scale to assess the probability that the event will happen over a given period of time. Make sure that the probability scale has the same number of levels as the financial impact scale. Let’s say,
Step 6: Threat Severity Level Assessment
For all threat events, assess the severity level. To calculate the severity level of each threat event, multiply the financial impact cost by the probability of occurrence. For example, a threat event with a probable financial impact cost of $250K ("high") multiplied by a probability of occurrence of 10% ("low") gives a $25K ("medium") threat severity level.
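As an added illustration of Steps 3 to 6 (example code, not from the article), a small Python threat register that computes severity as impact times probability, maps it onto a five-level scale and flags events above the $100,000 threshold. The dollar boundaries of the scale and the sample events are assumptions, since the article's own scale tables are not reproduced here.

```python
from dataclasses import dataclass

# Unacceptable-risk threshold from Step 3 (the article's $100,000 example).
UNACCEPTABLE_THRESHOLD_USD = 100_000

# Five-level severity scale as (label, exclusive upper bound in USD). The article's
# scale table is not on the page, so these boundaries are ASSUMED; they are chosen
# so the article's figures ($250K -> "high", $25K -> "medium") land as stated.
SEVERITY_LEVELS = [
    ("low", 10_000),
    ("medium", 50_000),
    ("high", 500_000),
    ("very high", 1_000_000),
    ("extreme", float("inf")),
]

@dataclass
class ThreatEvent:
    name: str
    impact_usd: float    # probable financial impact if the event occurs
    probability: float   # probability of occurrence over the period, 0..1

def severity_usd(event: ThreatEvent) -> float:
    """Step 6: severity = financial impact x probability of occurrence."""
    if not 0.0 <= event.probability <= 1.0:
        raise ValueError(f"probability out of range for {event.name!r}")
    return event.impact_usd * event.probability

def severity_label(usd: float) -> str:
    """Map a dollar severity onto the (assumed) five-level scale."""
    for label, upper in SEVERITY_LEVELS:
        if usd < upper:
            return label
    return SEVERITY_LEVELS[-1][0]

def prioritize(events):
    """Rank events by severity, highest first, flagging unacceptable ones (Step 3)."""
    rows = []
    for e in sorted(events, key=severity_usd, reverse=True):
        sev = severity_usd(e)
        rows.append({"name": e.name, "severity_usd": sev,
                     "level": severity_label(sev),
                     "unacceptable": sev > UNACCEPTABLE_THRESHOLD_USD})
    return rows

# Constructed sample register (not from the article); the first entry reuses
# the article's own $250K-at-10% figures.
SAMPLE_EVENTS = [
    ThreatEvent("Ransomware on file servers", 250_000, 0.10),
    ThreatEvent("Loss of key personnel", 120_000, 0.90),
    ThreatEvent("4-hour service outage", 40_000, 0.30),
]
```

Calling `prioritize(SAMPLE_EVENTS)` returns the register ordered for senior management, with the "Loss of key personnel" event ($108K expected cost) flagged as unacceptable.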
Step 7: Determine the Proximity of the Threat Event
Over a period of time, the financial impact and probability of occurrence of a threat event often fluctuate. The relationship between threat severity and time is called threat proximity. These fluctuations are often unpredictable. Some threat events are, however, predictable. The risk severity of losing key personnel is constant. The risk severity of a data breach leading up to a new product launch is confined to a particular point in time. The risk severity of a project overrun after staff layoffs either increases or decreases after a particular point in time.
In determining the proximity of the risk event, focus on “high” and “extreme” threats. Describe the proximity of these high and extreme threats. For instance, for a particular threat event, the threat proximity can be described in this way: “The probability of this threat event will fall when the new budget for the IT department is released.”
So what’s the difference between threat severity and threat proximity? The threat proximity description notifies senior management about the urgency of a cyber threat event and the importance of timely implementation of risk responses, while threat severity notifies senior management about the relative importance of each threat event.
Cyber Security Threat Remediation Equals Cost Effectiveness
Identifying and prioritizing threats demands time and money. But the time and money spent on these security risk management tasks can mean the difference between staying on budget and spending too much.
When your organization needs help with assessing and prioritizing cyber security threats, give us a call and we will be happy to help.
Steve E. Driz