Identify Cybersecurity Risks and Business Impacts

Learning Objectives

After completing this unit, you’ll be able to:

Describe how to identify cybersecurity risks.
Explain how to identify the organization's cybersecurity risk tolerance and use a risk rating methodology.
Describe how to prioritize cybersecurity gaps for remediation.

Identify Cyber Risks in a Business Context

Sometimes trying to identify risks can feel like staring into a crystal ball. But in fact, the first step in risk management is identifying information assets that can be affected by a cyber attack. As you sleuth out risk, you collect data to understand the threats that face the organization’s hardware, software, customer data, intellectual property, and users.

When analyzing risk, it helps to follow a sequence of events to identify the risk in all its forms and from all angles. You can use threat analysis to understand a given threat. For example, an attacker may perform espionage for a nation state that wants to steal sensitive background investigation information about your employees. Or in another case, a hacktivist who disagrees with your organization’s advocacy campaigns may deface your website. What vulnerabilities exist in your environment that attackers are likely to take advantage of, and what impact would it have if the system was breached? Going through this exercise lets you prioritize risk based on the biggest threats.

It’s key to consider cybersecurity risks within a business context. Risk is made up of two dimensions: likelihood and impact. Likelihood means the probability that the risk happens. Impact is how the risk can affect the business, either in terms of financial, operational, or reputational loss. In addition, risk managers also assess how strong the controls (or safeguards/countermeasures) that are in place help reduce either likelihood or impact. To learn more about the impact of reputational loss, and the importance of technology and trust in business, check out Digital Trust in the Software Development Lifecycle.

Managing risks can feel a lot like juggling multiple balls in the air at once. When considering risks, the ultimate goal is to decide whether mitigating the risk makes sense to the business bottom line and how risk mitigations should be prioritized. When analyzing risks to make this determination, organizations either develop their own methodology, or leverage risk assessment tools available from vendors who specialize in cybersecurity risk analysis. Let’s learn next how you as a cybersecurity risk manager help the organization evaluate what level of risk it can accept.

Understand Risk Tolerance and Use a Risk Rating Methodology

Life and cybersecurity are both about managing risk. As the cybersecurity risk manager, it’s your job to help leadership evaluate what level of risk the organization is comfortable with, otherwise known as the organization’s risk tolerance. In doing so you help the organization think through its most valuable IT assets to decide how to devote limited time, staff, and financial resources to improving its cybersecurity posture.

Annie works on the cybersecurity team at a hospital. She is responsible for protecting the organization against a variety of threats to the security of the hospital’s information systems. One potential threat is that an attacker may launch a ransomware attack on the hospital’s computer network, preventing staff from logging in to the machines they use to manage patient data. She is also concerned about phishing attacks that can compromise a doctor’s login credentials and destroy or alter patient medical data. She also considers the risk of a malicious actor exploiting a vulnerability on a smart medical device to tamper with the device’s functionality. This attack can easily end in mortality. Although to date no patients have been injured as a result of a cybersecurity incident, if a medical device contains a vulnerability, it could allow unauthorized users to issue commands to a device, potentially leading to patient harm.

Image of electronic patient data at a hospital, and an attacker trying to gain access to the information.

There are a variety of risk assessment methodologies available. For this example let’s focus on one. Annie uses a framework that looks at probability and impact. A range of general IT risk assessment methodologies use these components. She quantifies her assessment by assigning a score. She can use a scale such as high-medium-low or 1–100. The score makes it easier to prioritize risks and determine which to address first. When using a qualitative process such as rating a risk as high/medium/low, Annie can determine the likelihood, impact, and overall score by looking at quantitative indicators such as the number of similar companies that have faced a given risk, or qualitative indicators such as conversations with system owners and threat intelligence analysts.

Risk	Likelihood	Impact	Overall Score
A ransomware attack limits staff ability to access patient data on the network	Medium	High	Medium
A phishing attack compromises a doctor’s login credentials, letting an attacker steal confidential patient information	High	High	High
An attacker exploits a vulnerability on a medical device to tamper with functionality	Low	High	Medium

After examining the data and speaking with the relevant stakeholders, Annie determines that the overall score for the phishing risk is high. Annie decides to address this as a top priority. She will also work with system owners to remediate the other risks, but because this risk has a high likelihood and high impact, she addresses it first.

When identifying risks, Annie keeps in mind the laws, regulations, and policies and standards that apply to her industry, such as the Health Insurance Portability and Accountability Act (HIPAA) mandate to protect patient data. Failure to comply with applicable standards exposes her organization to legal and regulatory risk so she needs to pay close attention.

Identify Gaps and Prioritize for Remediation

There’s a joke about risk managers that goes: “We’ve considered every potential risk except the risks of avoiding all risks.” All digital businesses operate with some cyber risk. Once you understand what risks are relevant to your organization’s security, the next step is to identify a baseline for the current risk posture.

In Annie’s case, what protections are currently in place to prevent a phishing attack on a doctor’s email account? How do these differ from the ideal security state? She then works with the system owners and hospital leadership to identify short- and long-term goals in line with the overall risk tolerance and security strategy. She suggests the system owner considers implementing email filtering technology, and hires a third-party vendor to run phishing simulation training with the staff. By going through this exercise she helps the hospital identify a path to the desired state of risk exposure, where the risk of a successful phishing attack compromising patient data is extremely low.

Knowledge Check

Ready to review what you’ve learned? The knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, select the appropriate word from the options provided in the dropdown within the paragraph. When you finish selecting all the words, click Submit to check your work. To start over, click Reset.

Great work. Now, how do you ultimately decide what protections to put in place? How can the organization maintain awareness of its security posture? How do you balance all of the given risks across an IT environment? We dive further into each of these questions in the next unit, Protecting the Organization by Managing Cybersecurity Risk.