Explore the Risk Assessment Method

Learning Objectives

After completing this unit, you’ll be able to:

• Describe the Center for Internet Security, Inc.’s (CIS®) role in risk assessment methods.
• Define the CIS Risk Assessment Method (RAM) Version 2.1 terminology.
• Explain the Duty of Care Risk Analysis (DoCRA) principles and practices.

Before You Start

If you completed The Center for Internet Security Critical Security Controls module, then you already know how to manage cybersecurity risks using the Center for Internet Security Inc.’s Critical Security Controls Version 8. And, if you completed the Get Started with Cybersecurity Risk Management trail, then you already know how to analyze, mitigate, oversee, and reduce risk. Now let’s talk about how to use the CIS Risk Assessment Method (RAM) to justify investments in the CIS Controls.

The Center for Internet Security’s Role in Risk Assessment

The Center for Internet Security (CIS) is a nonprofit organization dedicated to enhancing cybersecurity for public and private sector entities. They collaborate with the global information technology (IT) and security communities to safeguard public and private organizations against cyberthreats. As part of this global collaboration, the CIS designed and prioritized the CIS Controls to prevent or detect the most common causes of cybersecurity events and reduce risks across an organization.

In May 2022, the CIS released version 2.1 (v2.1) of the CIS RAM, designed to help enterprises justify investments for implementing the CIS Controls. The CIS RAM helps organizations identify and define their acceptable level of risk, and then manage that risk once the CIS Controls have been implemented.

As a cybersecurity risk manager, you can leverage the CIS RAM to help your organization plan, justify, and assess your implementation of the CIS Controls. Since risks vary from one organization to the next, your organization can use the risk analysis methods the CIS RAM describes to apply sensible and practical CIS Controls to reasonably and defensibly address your organization’s unique risks and resources.

CIS RAM Terminology

Before going further, let’s clarify some CIS RAM terminology. Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring Confidentiality, Integrity, and Availability (CIA) of information. You may also consider other characteristics of information assets in risk assessments—such as velocity, authenticity, accountability, and reliability—if they are valuable and your organization considers them a priority to itself and its customers. 

The CIS RAM defines risk as the Expectancy that a threat will compromise the security of an information asset and the magnitude of resulting harm from that threat. The CIS RAM defines a threat as a potential or foreseeable event that could compromise the security of information assets. 

Risk Assessments and Risk Analysis

Cybersecurity risk managers use risk assessments to evaluate the potential for harm to occur within a scope of information assets, controls, and threats. They analyze risks to estimate the Expectancy that an event will create a degree of impact. They analyze the foreseeability of a threat and the expected effectiveness of Safeguards. 

Cybersecurity risk managers also use risk assessments to create organizational awareness around risk and the threats that attempt to exploit that risk. During a cyber risk assessment, they identify security controls and assess and evaluate whether controls are operating as intended, and whether they have any associated defects or vulnerabilities.

Laws, regulations, and information security standards all consider the need to balance security against an organization’s purpose and its objectives. Risk assessments identify both information assets that may be adversely impacted as the result of a cyberattack, and resulting risks. Organizations use risk assessments to:

• Receive a clear picture of where their assets lie and who owns them.
• Identify potential threats.
• Understand the Expectancy and impact of these threats.
• Implement proactive processes to address and mitigate the impact.

Cybersecurity risk managers may analyze risks during a comprehensive risk assessment or as part of other activities such as change management, vulnerability assessments, system development and acquisition, and policy exceptions. 

Information Security Risk Assessment Standards

The CIS RAM is just one standard you, as a cybersecurity risk manager, can use to assess risk. It’s a comprehensive method that conforms to and supplements established information security risk assessment standards and methods, such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27005 standard (purchase required), the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-30, and the Information Systems Audit and Control Association’s (ISACA) Risk IT framework (purchase required).

In addition, the CIS RAM supports the cost-benefit analysis definitions for reasonableness used by regulators, litigators, and the legal community in general. Reasonableness is defined as a condition in which a Safeguard will not create a burden to the organization that’s greater than the risk it’s meant to protect against.

CIS RAM Assessment Activities

CIS RAM risk assessments involve the following activities. 

• Develop the Risk Assessment Criteria and Risk Acceptance Criteria: Establish and define the criteria for evaluating and accepting risk.
• Model the Risks: Evaluate current implementations of the CIS Safeguards that prevent or detect foreseeable threats.
• Evaluate the Risks: Estimate the Expectancy and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable.
• Recommend CIS Safeguards: Propose additional CIS Safeguards that reduce unacceptable risks.
• Evaluate Recommended CIS Safeguards: Analyze the recommended CIS Safeguards to ensure they mitigate risks to an acceptable level without creating an undue burden.

Now that you’ve learned the activities involved in assessing risk using the CIS RAM, let’s next turn to the principles and practices that underly the method.

CIS RAM Principles and Practices

The CIS RAM uses the Duty of Care Risk Analysis (DoCRA) Standard as its foundation. Duty of Care is defined as the responsibility to ensure that no harm comes to others while conducting activities, offering goods or services, or performing any acts that could forseeably harm others. Legal authorities, regulators, and information security professionals are familiar with the risk evaluation mechanisms in The DoCRA Standard, which creates a “universal translator” for these disciplines.

The DoCRA Standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their organization. As a cybersecurity risk manager, you can use the principles and practices for analyzing risks to address the interests of all parties potentially affected by them.

DoCRA helps your organization determine whether you apply safeguards that appropriately protect others from harm while presenting a reasonable burden to yourself. The DoCRA Standard’s three principles state the characteristics of risk assessments that align to regulatory and legal expectations, while the 10 practices describe features of risk assessments that make the three principles achievable.

Principles

1. You consider the interests of all parties that may be harmed by the risk in the risk analysis.
2. You reduce risks to a level that does not require a remedy to any party.
3. Your safeguards are not more burdensome than the risks they protect against.

Practices

1. You consider the likelihood that threats could create magnitudes of impact in the risk analysis.
2. You state tolerance thresholds in plain language and apply them to each factor in a risk analysis.
3. You concisely state the concerns of interested parties, authorities, and the assessing organization in a qualitative component of the impact and likelihood scores.
4. You derive impact and likelihood scores with a quantitative calculation that permits comparability among all evaluated risks, safeguards, and against Risk Acceptance Criteria.
5. You define impact to ensure that the magnitude of harm to one party is equated with the magnitude of harm to others.
6. You define impacts with an explicit boundary between those magnitudes that are acceptable to all parties and those that are not.
7. You define impacts to address the organization’s Mission or utility to explain why the organization and others engage risk, the organization’s self-interested objectives, and the organization’s Obligations to protect others from harm.
8. You rely on a standard of care to analyze current controls and recommended safeguards during the risk analysis.
9. You engage a subject matter expert to analyze risk, and use evidence to evaluate risks and safeguards.
10. You know that risk assessments cannot evaluate all foreseeable risks. Therefore, you repeat the risk assessments to identify and address more risks over time.

Sum It Up

Now that you understand more about the CIS’s role in risk assessment methods, let’s next turn to how to evaluate risk using Impact and Expectancy.

Resources

• Trailhead: The Center for Internet Security Critical Security Controls 
• Trailhead: Get Started with Cybersecurity Risk Management
• External Site: ISO/IEC: 27005 (purchase required)
• External Site: NIST: SP 800-30
• External Site: ISACA: Risk IT Framework (purchase required)
• PDF: Federal Register Archives: Executive Order 12866
• External Site: JSTOR: The Hand Rule and “United States v. Carroll Towing Co.” Reconsidered
• PDF: The Sedona Conference: The Sedona Conference Commentary on a Reasonable Security Test