Formula for Calculating Cyber Risk

As I have been writing about lately, we are experiencing a new level of cyber-attack sophistication and effectiveness. 2020 has seen not only very effective ransomware attacks, but also equally effective supply chain and DNS vulnerability attacks. Regulators and security personnel were shocked and somewhat at a loss on how to combat these threats other than by strengthening information security program and controls requirements. They are pressing down hard, and financial institutions such as wealth management firms are at the spear tip of their efforts.

To understand the cyber-risk that faces them, financial institutions need conduct risk assessments. Risk assessments can be limited in scope or can include the entire organization, but they all include many common steps and determinations. I still adhere to the processes outlined in NIST 800-30 2002. These include threat analysis, vulnerability assessment, probability of occurrence analysis, impact determination and controls analysis. Combining these factors allows you to assign a risk exposure rating. The formula is: risk = (threat x vulnerability x probability of occurrence x impact)/controls in place. But how do you actually apply this formula to the results of the various steps of the risk assessment?

One way, of course, is to just calculate it by feel. What I mean by that is looking at the threats, vulnerabilities, probabilities of occurrence and likelihood of impact information you have come up with, and balancing that against the controls that are already in place at the organization. Then, either unilaterally or in discussion among the group, you determine if the residual risk you are facing is high, medium or low. This is really the way most organizations determine their risk levels.

NIST has a few tools to help you with determining some of these steps. For probability of occurrence (likelihood determination), they advise considering three governing factors:

  • Threat-source motivation and capability.
  • Nature of the vulnerability.
  • Existence and effectiveness of current controls.

They also have a likelihood table to help you decide:

Likelihood Level Likelihood Definition
High The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

 

For impact, they have produced another table that helps you rate the magnitude of impact:

Magnitude of Impact Impact Definition
High Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.

 

Then, for the actual risk determination step, they have produced a risk level matrix and risk scale:

Threat Likelihood Impact
Low (10) Medium (50) High (100) Low (10) Medium (50) High (100) Low (10) Medium (50) High (100)
High (1.0) Low

10 x 1 = 10

Medium

50 x 1.0 = 50

High

100 x 1.0 = 100

Medium (0.5) Low

10 x 0.5 = 5

Medium

50 x 0.5 = 25

High

100 x 0.5 = 50

Low (0.1) Low

10 x 0.1 = 1

Medium

50 x 0.1 = 5

High

100 x 0.1 = 10

 

The risk scale for this matrix is: High (>50 to 100); Medium (>10to 50); Low (1 to 10).

The risk level scale table is:

Risk Level Risk Description and Necessary Actions
High If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low If an observation is described as low risk, the system’s DAA must determine whether corrective actions are still required or decide to accept the risk.

 

Although NIST 800-30 2002 has been retired, I still find their risk assessment methodology useful. The tables and matrix shown above help me in making my risk determinations without resorting entirely to feelings. Perhaps they will be useful to you as well when you are faced with the thorny problem of assigning cyber-risk levels. They will at least give you some justification for making the decisions that you do.