Q: How is Inherent Risk Calculated?
A: Inherent Risk is calculated for companies by examining the likelihood of an attack along with the impact that attack would have on the customer based on how they engage that company.
- Likelihood is derived from a variety of sources including (when available) an analysis of industry-specific threat use cases, ongoing threat intelligence feeds*, perimeter scanning of public company infrastructure*, and the attack surface obtained from the Attack Surface Questionnaire.
- Impact is derived from Impact Questionnaire responses that inform how a customer actually uses a third party according to eight asset classes (Applications, Business Process, Data, Devices, Digital Identities, Facilities, Networks, People).
- Industry classification also plays a key role in this process by identifying the applicable threats a company may experience, along with the current focus of threat activity from various feeds. In addition, the threat use cases identify four outcomes that threat actors seek to accomplish: Data Loss, Destruction, Disruption, and Fraud.
- Note: These calculations are also used to derive what the platform refers to as Business Exposure (scored as H/M/L).
Q: How is Residual Risk Calculated?
A: Residual Risk is calculated by reviewing completed assessment results and mapping those responses to relevant MITRE use cases.
- Completed assessment results are available once the third party has finished the assessment and the individual responses for the various controls have been evaluated.
- Based on assessment answers, controls can be mapped to the MITRE ATT&CK framework and to relevant threat use cases or attack scenarios (see more in Question 10). This also allows us to enumerate the MITRE-based techniques that a threat actor must employ to carry out their attack. Each MITRE-based technique is mapped to the primary and supporting controls in the assessment that could mitigate it, along with the assets that are relevant.
Well-performing assessments, by virtue of comprehensively implemented security controls, have the effect of limiting the impact and likelihood of the attack and thus driving the residual risk to a value much lower than the original inherent risk starting point. For poorly-performing assessments, where many or all controls are answered "No", the residual risk remains close to the inherent risk, indicating that the company did little or nothing to mitigate the threats to which they were exposed.
There are two additional notes to consider when CyberGRX assesses risk. First, assessment tiers provide varying levels of fidelity when determining the efficacy of security controls (see more below). Tier 1 assessments provide a granular measure of control effectiveness between 0 and 100, but Tiers 2 and 3 supply only Yes/No/NA answers. A "No" answer is taken at its word and assigned 0% effectiveness. Answers of "NA" are ignored in the calculations as not relevant. "Yes" answers are assigned 85%, based on statistical analysis of responses and to avoid unsubstantiated credit. Second, it is important to note that even with a perfect assessment, there are finite limits to the length of the questionnaire and to the ability to enumerate known threat actors. So the residual risk can never be lowered to zero, in order to account for the unknowns that are continually in play.
The inherent and residual risk measures, as a pair, provide high level metrics to determine how well companies have mitigated real-world risks. Moreover, they are useful for comparing assessment performance over time to demonstrate forward, positive progress.
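As an added illustration (not CyberGRX's own code), the answer normalisation described above in Python: Tier 1 answers are 0–100 scores, Tier 2/3 answers map Yes to 85% and No to 0%, and NA is dropped. How effectiveness is combined with inherent risk and the 5% floor are assumptions, since the page states only that residual risk never reaches zero.

```python
from typing import List, Optional, Sequence, Union

YES_EFFECTIVENESS = 0.85   # "Yes" is credited 85%, not 100% (from the page)
NO_EFFECTIVENESS = 0.0     # "No" is taken at its word (from the page)
RESIDUAL_FLOOR = 0.05      # assumed: residual never drops below 5% of inherent

Answer = Union[str, int, float]

def control_effectiveness(answer: Answer, tier: int) -> Optional[float]:
    """Normalise one control answer to an effectiveness in [0, 1].

    Tier 1 answers are granular scores from 0 to 100; Tiers 2 and 3 supply
    only Yes/No/NA.  NA returns None so the caller can leave it out.
    """
    if tier == 1:
        score = float(answer)
        if not 0.0 <= score <= 100.0:
            raise ValueError(f"Tier 1 score out of range: {answer!r}")
        return score / 100.0
    if tier in (2, 3):
        text = str(answer).strip().upper()
        if text == "NA":
            return None
        if text == "YES":
            return YES_EFFECTIVENESS
        if text == "NO":
            return NO_EFFECTIVENESS
        raise ValueError(f"Unexpected Tier {tier} answer: {answer!r}")
    raise ValueError(f"Unknown assessment tier: {tier}")

def aggregate_effectiveness(answers: Sequence[Answer], tier: int) -> float:
    """Mean effectiveness over the answered controls, with NA answers ignored."""
    scored: List[float] = [
        eff for eff in (control_effectiveness(a, tier) for a in answers)
        if eff is not None
    ]
    return sum(scored) / len(scored) if scored else 0.0

def residual_risk(inherent: float, answers: Sequence[Answer], tier: int) -> float:
    """Assumed combination: inherent risk scaled down by control effectiveness,
    never below the floor, because unknown threats always remain."""
    effectiveness = aggregate_effectiveness(answers, tier)
    return max(inherent * (1.0 - effectiveness), inherent * RESIDUAL_FLOOR)

if __name__ == "__main__":
    # Constructed Tier 2 answers: the NA is dropped from the average.
    print(residual_risk(80.0, ["Yes", "No", "NA", "Yes"], tier=2))
```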
Q: What are the different tiers in the CyberGRX risk platform?
A: The tiering workflow helps to recommend the CyberGRX assessment tier that is best suited to gauge a third party’s risk exposure while making effective use of a customer’s assessment budget. The two main components used to determine tier are:
- Likelihood, and
- Impact.
The recommended tiers are:
- Tier 1: The most comprehensive self-assessment, typically requested on Critical risk Third Parties. Measures the effectiveness of the controls implemented.
- Tier 2: A mid-tier self-assessment, generally requested on High risk Third Parties. Measures the existence of controls.
- Tier 3: The lowest-tier self-assessment, generally requested on Low risk Third Parties. Measures the existence of controls.
Note: All Tier 1 assessments undergo CyberGRX's independent validation review. Tier 2 assessments can be validated upon request.
Q: How are Tiering and Inherent Risk (AIR) calculated?
A: There are a variety of factors that go into the calculation that results in a predictable risk determination:
- Industry classifications, obtained at ingest time or modified on the third-party profile
- Impact (the customer relationship with the vendor): customer-provided Impact Questionnaire answers that describe how a third party interacts with customer assets (Applications, Business Process, Data, Devices, Digital Identities, Facilities, Networks, People)
- Asset scans* on the Third Party’s public-facing internet assets, based on URL/domain
- Attack Surface answers, if the third party is already assessed in the exchange
- Threat intelligence feeds* – DNS, Malware, Vulnerabilities
- Threat use cases that enumerate attackers, industries, and exploited assets/controls
It is important to note that overall Inherent Risk score is dynamic as Security Intelligence is pulled on an ongoing basis and is continuously updated. Outcomes are recalculated every time you log into the platform. Some examples that may drive changes include:
- Identification of new vulnerabilities or exploitation of new vulnerabilities which have impacted organizations.
- Breaches in the industry and changes in the security posture of the organization. Because of this, you will notice continuous change in the likelihood score.
- Changes made by the customer to the Impact Questionnaire or the Industry classification.
After taking industry classifications into consideration, likelihood and impact are combined into a single inherent risk measure and distribution. This is used as part of the tiering recommendations to help customers spend assessment budgets wisely and identify third parties that deserve special assessment scrutiny, either by using more detailed questions or through control validation to ensure accuracy.
Q: How is Impact calculated?
A: Impact is derived from the Impact Questionnaire responses that inform how a customer actually uses a third party according to eight asset classes (Applications, Business Process, Data, Devices, Digital Identities, Facilities, Networks, People). This information is obtained when the customer fills out a third-party profile during bulk company inspection. Companies with Significant interaction with many of their customer’s assets have greater impact than those with Least or Minimal interaction. Impact is based on the Impact Questionnaire answers, which range from 0/Least to 3/Significant. The impact score is the sum of all 8 Impact Questionnaire answers along an exponential scale, so higher scopes (e.g. Significant) count for much more than lower ones (e.g. Least).
Industry classification plays a key role in this process by identifying the applicable threats a company may experience along with the current focus of threat activity from various feeds.
Q: How is Likelihood calculated?
A: Likelihood considers the probability that attackers will target particular third parties, based on the company itself and the known threat landscape. The likelihood score is derived from a variety of sources including an analysis of threat use cases for specific industries, ongoing threat intelligence feeds, perimeter scanning of public company infrastructure, and the attack surface obtained from the Attack Surface Questionnaire, when available.
Q: How is the overall business risk calculated and how is it represented in the Platform?
A: The overall business exposure is derived by combining the likelihood and impact in a 2D surface and examining a series of ellipses that expand from the lower-left corner (low likelihood and impact) toward the upper-right corner (high likelihood and impact).
Third parties with HIGH exposure (orange) are recommended for Tier 1 assessments. Similarly, MEDIUM exposure (blue) recommends Tier 2 and LOW exposure (green) recommends Tier 3.
Customers are encouraged to inspect vendors individually, review Impact Questionnaire answers, and come to their own conclusions regarding the assessment tier to use, leveraging CyberGRX’s prioritized vendor recommendation and balancing needs against time and budget.
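An added example (not CyberGRX's own code) that ties the impact calculation above to the exposure bands: the eight answers are summed on an exponential scale, then (likelihood, impact) is placed on the 2D surface and classified by which ellipse around the low/low corner it falls in. The exponential base, the ellipse radii and equal axes are assumptions; the asset classes, the 0–3 answer range and the band-to-tier mapping come from the page.

```python
import math
from typing import Dict, Tuple

# The eight asset classes of the Impact Questionnaire (from the page).
ASSET_CLASSES = ("Applications", "Business Process", "Data", "Devices",
                 "Digital Identities", "Facilities", "Networks", "People")
LEAST, SIGNIFICANT = 0, 3          # answers range from 0/Least to 3/Significant
EXPONENT_BASE = 2.0                # assumed: the page does not state the base
BAND_THRESHOLDS = (0.45, 0.80)     # assumed radii of the LOW/MEDIUM and MEDIUM/HIGH ellipses
BAND_TO_TIER = {"LOW": 3, "MEDIUM": 2, "HIGH": 1}   # band -> recommended tier (from the page)

def impact_score(answers: Dict[str, int]) -> float:
    """Sum the eight answers on an exponential scale, normalised to [0, 1].

    Weight for level n is base**n - 1, so Least (0) adds nothing and Significant (3)
    counts seven times Minimal (1).  The exact weighting is an assumption.
    """
    missing = set(ASSET_CLASSES) - set(answers)
    if missing:
        raise ValueError(f"missing asset classes: {sorted(missing)}")
    total = 0.0
    for asset in ASSET_CLASSES:
        level = answers[asset]
        if not LEAST <= level <= SIGNIFICANT:
            raise ValueError(f"{asset}: answer must be between {LEAST} and {SIGNIFICANT}")
        total += EXPONENT_BASE ** level - 1
    max_total = len(ASSET_CLASSES) * (EXPONENT_BASE ** SIGNIFICANT - 1)
    return total / max_total

def exposure_band(likelihood: float, impact: float,
                  axes: Tuple[float, float] = (1.0, 1.0)) -> Tuple[str, int]:
    """Place (likelihood, impact), both in [0, 1], on the 2D surface and return
    the exposure band plus the recommended assessment tier.

    Bands are concentric ellipses around the low/low corner (0, 0); the radius is
    scaled so that the high/high corner (1, 1) sits at 1.0 when the axes are equal.
    """
    a, b = axes
    radius = math.hypot(likelihood / a, impact / b) / math.sqrt(2.0)
    low_max, medium_max = BAND_THRESHOLDS
    band = "LOW" if radius < low_max else "MEDIUM" if radius < medium_max else "HIGH"
    return band, BAND_TO_TIER[band]

if __name__ == "__main__":
    # Constructed profile: Significant access to Data and Networks, Least elsewhere.
    profile = {asset: LEAST for asset in ASSET_CLASSES}
    profile["Data"] = profile["Networks"] = SIGNIFICANT
    print(impact_score(profile), exposure_band(0.9, impact_score(profile)))
```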
Risk Outcome Line Graph Calculation
Contains 3 components (Inherent Risk Score, Predictive Risk Score, and Residual Risk Score) across 4 Risk Outcomes (Data Loss, Destructive Attack, Disruptive Attack, and Fraud), as well as an Overall score. Results for the Residual Risk scores are obtained AFTER an assessment is completed and the individual responses for the various controls have been assessed by a third party (TP).
The Risk Outcome Category Scores (Data Loss, Destruction, Disruption, and Fraud) for both inherent and residual risk are obtained by only looking at the subset of threats that apply to the given category. To get the "overall" risks, we use all four of them without distinction. Thus, the individual risk outcomes will always be less than the overall risk because they include a smaller set of threats.
Q: What are Gaps?
A: Gaps indicate potential vulnerabilities discovered during CyberGRX's analysis of applicable threat scenarios, tactics, outcomes, and targeted industries collected from years of observed Cybersecurity events. Gaps are influenced by asset scoping (e.g. Data, Applications, Networks, Facilities, etc.) to better identify threats that target areas where a customer actively engages their third parties to provide specific services.
Q: How are Gaps calculated?
A: Gaps are ranked recommendations by CyberGRX to give customers and TPs visibility into managing their risk remediation program. They are prioritized as High (H), Medium (M) and Low (L) and are derived based on:
- Assessment answers:
  - T1: all sub-controls and Metrics are gap candidates
  - T2: sub-controls that are No (High gaps)
  - T3: controls that are No (High gaps)
- Attack scenarios or use cases driven by MITRE ATT&CK
- The 8 Impact Questionnaire questions
Attack scenarios or use cases are derived based on:
- The industry the TP belongs to, and
- Common threats that pertain across all industries (often phishing type attacks or scripted exploits that are too generic to target specific types of companies)
High gaps are typically most useful when considering what to remediate first. They are controls that are instrumental to many attacks and that were answered poorly in the assessment. Given that many companies have limited budgets, these are good candidates to address first.
All of the above criteria are continuously measured and presented in CyberGRX’s automated risk exchange platform to prioritize risk "gaps" for customers and partners.
Leveraging MITRE ATT&CK Techniques for CyberGRX Gap Calculation
CyberGRX analytics identifies the applicable threats and builds an interconnected graph of the MITRE techniques that have been laid out in each threat’s kill chain. Some use cases are short, such as when an insider applies only a few techniques to achieve a very targeted goal. Others are much longer and may reflect dozens of techniques employed over time by a persistent nation state adversary. When all applicable threats are combined in this way, the graph structure begins to highlight the MITRE techniques that are central to the overall threat landscape.
Every technique from the MITRE ATT&CK framework has been mapped to the primary sub-controls in the CyberGRX assessment that are instrumental in preventing its success. These primary sub-controls are, in turn, each mapped to supporting sub-controls that assist their individual efficacy. The scores from the assessment are applied to the techniques in the graph, with primary sub-controls weighted more heavily than supporting sub-controls. Read more on attack scenario analytics leveraging the MITRE ATT&CK framework.
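An added example of the graph weighting described above (not CyberGRX's code): each threat use case contributes its kill chain, a technique's centrality is the number of use cases passing through it, and its mitigation combines primary and supporting sub-control scores with primary weighted more heavily. The use cases, the SC-* sub-control identifiers and their scores are constructed, the 0.7/0.3 weights are an assumption, and the ATT&CK IDs are real technique identifiers used illustratively.

```python
from collections import Counter
from typing import Dict, List, Tuple

PRIMARY_WEIGHT, SUPPORTING_WEIGHT = 0.7, 0.3   # assumed split; the page says only "more heavily"
# Constructed threat use cases: ordered kill chains of ATT&CK technique IDs.
USE_CASES: Dict[str, List[str]] = {
    "phished_credentials_to_data_loss": ["T1566", "T1078", "T1041"],
    "insider_fraud": ["T1078"],
    "ransomware_disruption": ["T1566", "T1059", "T1486"],
}
# Constructed technique -> sub-control mapping; SC-* identifiers are placeholders.
TECHNIQUE_CONTROLS: Dict[str, Dict[str, List[str]]] = {
    "T1566": {"primary": ["SC-AWARENESS"], "supporting": ["SC-EMAILFILTER"]},
    "T1078": {"primary": ["SC-MFA"], "supporting": ["SC-ACCESSREVIEW"]},
    "T1041": {"primary": ["SC-DLP"], "supporting": ["SC-EGRESSFILTER"]},
    "T1059": {"primary": ["SC-APPCONTROL"], "supporting": ["SC-EDR"]},
    "T1486": {"primary": ["SC-BACKUP"], "supporting": ["SC-EDR"]},
}
# Constructed assessment scores normalised to effectiveness in [0, 1] (Tier 2 Yes=0.85, No=0.0).
SCORES: Dict[str, float] = {
    "SC-AWARENESS": 0.85, "SC-EMAILFILTER": 0.85, "SC-MFA": 0.0,
    "SC-ACCESSREVIEW": 0.85, "SC-DLP": 0.0, "SC-EGRESSFILTER": 0.85,
    "SC-APPCONTROL": 0.85, "SC-EDR": 0.85, "SC-BACKUP": 0.85,
}

def technique_centrality(use_cases: Dict[str, List[str]] = USE_CASES) -> Counter:
    """Number of applicable use cases whose kill chain passes through each technique."""
    return Counter(t for chain in use_cases.values() for t in set(chain))

def _mean(ids: List[str], scores: Dict[str, float]) -> float:
    return sum(scores[i] for i in ids) / len(ids) if ids else 0.0

def technique_mitigation(technique: str, scores: Dict[str, float] = SCORES) -> float:
    """Weighted mean of the technique's primary and supporting sub-control scores."""
    roles = TECHNIQUE_CONTROLS[technique]
    return (PRIMARY_WEIGHT * _mean(roles["primary"], scores)
            + SUPPORTING_WEIGHT * _mean(roles["supporting"], scores))

def gap_ranking(use_cases=USE_CASES, scores=SCORES) -> List[Tuple[str, float]]:
    """Rank sub-controls by how many attacks they are instrumental to times how poorly
    they scored: the top entries are the High gap candidates to remediate first."""
    centrality = technique_centrality(use_cases)
    weight: Dict[str, float] = {}
    for technique, count in centrality.items():
        for role, w in (("primary", PRIMARY_WEIGHT), ("supporting", SUPPORTING_WEIGHT)):
            for sc in TECHNIQUE_CONTROLS[technique][role]:
                weight[sc] = weight.get(sc, 0.0) + count * w
    return sorted(((sc, w * (1.0 - scores[sc])) for sc, w in weight.items()),
                  key=lambda gap: gap[1], reverse=True)
```

With the constructed data, SC-MFA (a primary control for a technique shared by two use cases, answered No) ranks first and SC-DLP second, while controls answered Yes sit far down the list.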
Q: What is the impact on Gaps if only Tier 2 or Tier 3 assessments are completed?
A: Tier 2 and Tier 3 assessments offer only Yes/No answers and do not give a clear indication of how well a mitigating [sub-]control is actually implemented. Thus, failure to implement one at all (a No) arguably creates a high risk/impact. A Yes answer defaults to low risk, since the control may still pose a risk and monitoring of the [sub-]control is recommended. Omitting a control answered Yes from the risk picture entirely would be wrong, because it assumes that "yes" is equivalent to "we do it really well". A Tier 1 assessment provides a more complete picture by measuring the effectiveness of the controls.