You are a cybersecurity consultant and have just met with the CISO’s team. During this meeting on the cybersecurity readiness of the company, the CISO showed you risk matrices that have more colors than the rainbow. Later, during your interviews, you found out that most of the cybersecurity staff are pretty grim and think that a breach will lead to a very big loss and bankrupt the company.
Now it is your time to gather your thoughts to write a report for the CEO. You get your Summer Berry Panna Cotta Frappuccino from Starbucks and start formulating some of the key points you’d like to raise. These include: Reason to move away from risk matrices, alternative methods to assess risk, a plan to deal with resistance to using quantitative risk assessment while explaining why there is such a resistance, and activities of a risk management workshop where you get the cybersecurity staff ready for quantitative analysis.
This question covers almost everything the book discusses. Take your time and discuss in depth.
Reasons to move away from risk matrices:
The risk matrix is used to categorize the risks and show their impact on the system. Each risk is given a score, and they are ranked according to that score. The matrices are used to show the potential risks of the system. However, the problem is that some of those risks might never occur in the system. This is because it is hard to find out the exact value for non-linear types of risks. In those cases, one has to use one's instincts and experience.
These matrices also have low resolution and hence they look almost alike. If they give equal weight to impact and probability of an incident in common situations, it can create problems regarding how to choose the right approach.
Alternative methods to assess risk:
1. The what-if approach can be used to recognize the potential threats in the system. These types of questions help in understanding what can actually go wrong and when. It is similar to brainstorming tasks and requires knowledge of the subject.
2. A checklist of threats can be used to identify them in the current system. This type of work also depends on the checklist's quality and the user's experience.
3. A hazard and operability study is also useful for learning about the potential threats. It also requires leadership and is time-consuming as well. This is because it requires in-depth knowledge of operations, work areas, and processes.
Plan to deal with resistance to quantitative risk assessment:
To deal with such resistance, the overall activity of quantitative assessment can be divided into three parts: assessment, management, and communication. The plan also includes identification, prioritization, and categorization of software and hardware. This can help in achieving key objectives of reliability business concepts.
It is also required to assess the key controls related to security in different applications. It helps in preventing the defects and other weaknesses.
Activities of a risk management workshop:
In the beginning, the objectives are defined, and the activities in this stage are:
In the next stage, the following activities are performed:
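As an added illustration of the low-resolution problem raised under "Reasons to move away from risk matrices" (example code, not part of the original answer): two constructed risks land in the same 5x5 matrix cell even though their expected annual losses differ by more than twenty times, and a third risk ranks below both on the matrix while its expected loss is far higher. The bin boundaries and the three risks are assumptions made up for the demonstration.

```python
"""Constructed comparison of an ordinal risk matrix against a simple
quantitative estimate (annual probability x loss), to show how the
matrix compresses very different risks into one cell and can reverse
their order.  All numbers below are made up for illustration."""
from dataclasses import dataclass

# Assumed 5x5 scheme: each axis is binned 1..5 (low, high) per bin.
LIKELIHOOD_BINS = [(0.0, 0.01), (0.01, 0.1), (0.1, 0.3),
                   (0.3, 0.6), (0.6, 1.01)]          # annual probability
IMPACT_BINS = [(0, 1e4), (1e4, 1e5), (1e5, 1e6),
               (1e6, 1e7), (1e7, float("inf"))]      # loss in dollars


@dataclass
class Risk:
    name: str
    annual_probability: float   # chance the event happens in a year
    loss_if_occurs: float       # single-point loss estimate in dollars


def bin_index(value, bins):
    """Return the 1-based bin a value falls into (last bin if beyond range)."""
    for i, (low, high) in enumerate(bins, start=1):
        if low <= value < high:
            return i
    return len(bins)


def matrix_score(risk):
    """Ordinal score a colour-coded matrix would assign: likelihood bin x impact bin."""
    return (bin_index(risk.annual_probability, LIKELIHOOD_BINS)
            * bin_index(risk.loss_if_occurs, IMPACT_BINS))


def expected_annual_loss(risk):
    """Quantitative alternative: probability-weighted loss per year."""
    return risk.annual_probability * risk.loss_if_occurs


# Constructed sample risks.
RISK_A = Risk("phishing-led credential theft", 0.11, 110_000)
RISK_B = Risk("ransomware on file servers", 0.29, 990_000)
RISK_C = Risk("loss of primary data centre", 0.05, 5_000_000)


def compare(risks=(RISK_A, RISK_B, RISK_C)):
    """Return (name, matrix score, expected annual loss) for each risk."""
    return [(r.name, matrix_score(r), expected_annual_loss(r)) for r in risks]


if __name__ == "__main__":
    for name, score, eal in compare():
        print(f"{name:32s} matrix={score:2d}  expected annual loss=${eal:,.0f}")
```

Risks A and B both score 9 on the matrix, yet B's expected annual loss is about $287,100 against A's $12,100; risk C scores only 8 but carries an expected loss of $250,000, so the matrix ranks it below A.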