Q: What is Inherent Risk?
A: Inherent risk describes the risk present when all cybersecurity controls fail or are missing. It provides a worst-case view.
Inherent risk analysis answers questions like the following:
- What general risk does this third party pose?
- If this third party has a cyber incident, how bad could it be?
- How is inherent risk distributed across my ecosystem of companies?
- Which third parties pose the greatest and least inherent risk ranked relative to one another?
Q: How is Inherent Risk Calculated?
A: Inherent Risk is calculated for a company by examining the likelihood of an attack together with the impact that attack would have on the customer, given how the customer engages that company.
- Impact is derived from Impact Questionnaire responses that inform how a customer actually uses a third party according to eight asset classes (Applications, Business Process, Data, Devices, Digital Identities, Facilities, Networks, People).
- Likelihood is derived from a variety of sources including (when available) an analysis of industry-specific attack scenarios, company specific threat intelligence, perimeter scanning of public company infrastructure, and the attack surface obtained in the Attack Surface Questionnaire.
- MITRE plays a key role in this process by identifying the steps through which an attack may occur. Note that Overall Inherent Risk considers only questionnaire controls mapped to MITRE techniques, i.e. the steps an actor could take to accomplish their objective. These mappings are available by referencing the MITRE framework.
Q: How is Impact calculated?
A: Impact is derived from the Impact Questionnaire responses, which describe how a customer actually uses a third party across eight asset classes (Applications, Business Process, Data, Devices, Digital Identities, Facilities, Networks, People). This information is captured when the customer fills out a third-party profile during bulk company inspection. Companies with Significant interaction with many of their customer's assets have greater impact than those with Least or Minimal interaction. Each Impact Questionnaire answer ranges from 0/Least to 3/Significant, and the impact score is the sum of all eight answers along an exponential scale, so higher levels (e.g. Significant) count for much more than lower ones (e.g. Least).
Industry classification also plays a key role in this process by identifying the threats applicable to a company, along with the current focus of threat activity reported by various feeds.
Q: How is Likelihood calculated?
A: Likelihood considers the probability that attackers will target a particular third party, based on the company itself and the known threat landscape. The likelihood score is derived from a variety of sources including an analysis of threat use cases specific to particular industries, ongoing threat intelligence feeds, perimeter scanning of the company's public infrastructure, and the attack surface obtained in the Attack Surface Questionnaire, when available.
Note that the overall Inherent Risk score is dynamic, because its input data are refreshed on an ongoing basis.
Once the data are pulled, likelihood and impact are combined into a single inherent risk measure, which is plotted and lands in a band in the risk matrix above. The resulting tiering recommendation is designed to help customers spend assessment budgets wisely and identify third parties that deserve special assessment scrutiny, either through more detailed questions or through control validation to ensure accuracy.
Q: What is Residual Risk?
A: Residual risk describes risk when cybersecurity controls are in place: it is what remains of inherent risk after the controls assessment answers show what has been mitigated.
Residual risk analysis answers questions like the following:
- What specific risk does this third party pose?
- What types of cyber incidents are likely to affect this third party?
- How is residual risk distributed within this individual third party?
- How is residual risk distributed across my ecosystem of companies?
- Which third parties pose the greatest and least residual risk for specific controls, types of cyber incidents, etc.?
Q: How is Residual Risk Calculated?
A: Residual Risk is calculated by applying the results of a completed assessment, in which the individual responses for the various controls have been evaluated, and mapping those responses to the relevant MITRE-based attack scenarios. The attack scenarios enumerate the MITRE techniques a threat actor must employ to carry out an attack. Each technique, in turn, is mapped to the primary and supporting controls in the assessment that could mitigate it, along with the assets that are relevant. Well-performing assessments, reflecting comprehensively implemented security controls, limit the likelihood and impact of the attack and so drive residual risk well below the inherent risk starting point. For poorly-performing assessments, where many or all controls are answered "No", residual risk remains close to inherent risk, indicating that the company did little or nothing to mitigate the threats to which it is exposed.
There are two additional points to consider when risk is assessed. First, assessment tiers provide varying levels of fidelity when determining the efficacy of security controls (see more below). Tier 1 assessments provide a granular measure of control effectiveness between 0 and 100, whereas Tier 2 assessments supply only Yes/No/NA answers. A "No" answer is taken at its word and assigned 0% effectiveness. "NA" answers are excluded from the calculation as not relevant. "Yes" answers are assigned 85%, based on statistical analysis of responses and to avoid giving unsubstantiated credit. Second, even with a perfect assessment there are finite limits to the length of the questionnaire and to the ability to enumerate known threat actors, so residual risk is never lowered to zero; the remainder accounts for the unknowns that are continually in play.
Q: What is Risk Reduction?
A: The inherent and residual risk measures, taken as a pair, provide high-level metrics for determining how well companies have mitigated real-world risks. They are also useful for comparing assessment performance over time to demonstrate positive progress.
The percentage of reduction highlights how controls mitigate risk and helps in evaluating whether additional controls are necessary. Where overall inherent risk is less than 5, the third party is labelled Insufficient Inherent Risk.
| Risk Reduction Range | Risk Reduction Label |
| --- | --- |
| Greater than or equal to 90% | Excellent |
| Greater than or equal to 80% | Very Good |
| Greater than or equal to 70% | Good |
| Greater than or equal to 60% | Fair |
| Greater than or equal to 50% | Poor |
| Less than 50% | Very Poor |
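The following is an added worked example, not the platform's own code, that carries the arithmetic described in the Impact, Residual Risk and Risk Reduction answers above through end to end: the exponential sum of the eight 0..3 impact answers, Tier 1 (0..100) versus Tier 2 (Yes = 85%, No = 0%, NA ignored) control effectiveness, a residual that never reaches zero, and the reduction bands from the table. The page does not state the base of the exponential scale, how impact and likelihood are combined, how control effectiveness scales the inherent score, or the size of the non-zero floor; the choices below (base 2, impact multiplied by a 0..1 likelihood, equal weighting of controls, a 5% floor) are assumptions, and the sample third party, likelihood and control names are constructed.

```python
"""Added worked example of the inherent -> residual -> risk-reduction pipeline
described on this page (not the platform's own code). Values the page states
(0..3 impact answers, exponential impact scale, Tier 2 Yes=85%/No=0%/NA ignored,
residual never zero, reduction bands, Insufficient Inherent Risk below 5) are
used as written; the exponential base, the impact x likelihood combination,
equal weighting of controls and the 5% floor are ASSUMPTIONS."""
from typing import Dict, Optional, Tuple, Union

ASSET_CLASSES = ("Applications", "Business Process", "Data", "Devices",
                 "Digital Identities", "Facilities", "Networks", "People")
INSUFFICIENT_INHERENT = 5.0          # page: overall inherent risk < 5
REDUCTION_BANDS = ((0.90, "Excellent"), (0.80, "Very Good"), (0.70, "Good"),
                   (0.60, "Fair"), (0.50, "Poor"))  # below 0.50 -> Very Poor
TIER2 = {"Yes": 0.85, "No": 0.0, "NA": None}      # page: 85% / 0% / ignored


def impact_score(answers: Dict[str, int], base: float = 2.0) -> float:
    """Sum of the eight Impact Questionnaire answers (0/Least .. 3/Significant)
    along an exponential scale. ASSUMPTION: base 2, offset so Least adds 0,
    i.e. 0 -> 0, 1 -> 1, 2 -> 3, 3 -> 7 (maximum 56)."""
    if set(answers) != set(ASSET_CLASSES):
        raise ValueError("exactly one answer per asset class is required")
    if any(a not in (0, 1, 2, 3) for a in answers.values()):
        raise ValueError("answers must be integers 0 (Least) .. 3 (Significant)")
    return float(sum(base ** a - 1 for a in answers.values()))


def inherent_risk(impact: float, likelihood: float) -> float:
    """Combine impact and likelihood into one inherent measure.
    ASSUMPTION: likelihood is a 0..1 probability and the two are multiplied."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be in [0, 1]")
    return impact * likelihood


def control_effectiveness(answer: Union[int, float, str], tier: int) -> Optional[float]:
    """Tier 1: granular 0..100 score -> fraction. Tier 2: Yes -> 0.85,
    No -> 0.0, NA -> None (excluded from the calculation)."""
    if tier == 1:
        if isinstance(answer, bool) or not isinstance(answer, (int, float)) \
                or not 0 <= answer <= 100:
            raise ValueError("Tier 1 answers are numeric 0..100")
        return answer / 100.0
    if tier == 2:
        if answer not in TIER2:
            raise ValueError("Tier 2 answers are Yes / No / NA")
        return TIER2[answer]
    raise ValueError("tier must be 1 or 2")


def residual_risk(inherent: float, controls: Dict[str, Union[int, float, str]],
                  tier: int, floor_fraction: float = 0.05) -> float:
    """Inherent risk scaled by the share of mitigation the mapped controls did
    NOT provide. ASSUMPTIONS: controls are weighted equally, and a floor of
    floor_fraction x inherent keeps residual above zero (the page says it can
    never reach zero because of unknowns the questionnaire cannot enumerate)."""
    effs = [e for e in (control_effectiveness(a, tier) for a in controls.values())
            if e is not None]
    if not effs:                      # only NA answers: nothing was mitigated
        return inherent
    mitigated = sum(effs) / len(effs)
    return max(inherent * (1.0 - mitigated), inherent * floor_fraction)


def risk_reduction(inherent: float, residual: float) -> Tuple[Optional[float], str]:
    """Fractional reduction and its label from the page's table; third parties
    with inherent risk below 5 are labelled Insufficient Inherent Risk."""
    if inherent < INSUFFICIENT_INHERENT:
        return None, "Insufficient Inherent Risk"
    reduction = (inherent - residual) / inherent
    for threshold, label in REDUCTION_BANDS:
        if reduction >= threshold:
            return reduction, label
    return reduction, "Very Poor"


# Constructed sample third party: heavy Data / Digital Identities exposure.
SAMPLE_IMPACT = {"Applications": 2, "Business Process": 1, "Data": 3, "Devices": 1,
                 "Digital Identities": 3, "Facilities": 0, "Networks": 2, "People": 0}
SAMPLE_LIKELIHOOD = 0.6   # constructed; the page derives this from intel and scanning
# Constructed Tier 2 control answers (control names are illustrative only).
SAMPLE_TIER2 = {"MFA enforced": "Yes", "Patch SLA met": "Yes", "Central logging": "Yes",
                "Tested backups": "No", "Data encrypted at rest": "Yes",
                "OT network segmentation": "NA"}


def sample_pipeline() -> Dict[str, object]:
    """Run the constructed sample through every step and return the results."""
    impact = impact_score(SAMPLE_IMPACT)                 # 7+7+3+3+1+1 = 22.0
    inherent = inherent_risk(impact, SAMPLE_LIKELIHOOD)  # 22 * 0.6 = 13.2
    residual = residual_risk(inherent, SAMPLE_TIER2, tier=2)
    reduction, label = risk_reduction(inherent, residual)
    return {"impact": impact, "inherent": inherent, "residual": residual,
            "reduction": reduction, "label": label}


if __name__ == "__main__":
    for key, value in sample_pipeline().items():
        print(f"{key:>10}: {value}")
```

Under these assumptions the sample lands at 68% reduction ("Fair") because one "No" and four "Yes" answers average to 0.68 mitigation, with the "NA" answer dropped from the denominator. Two caveats fall straight out of the page's rules: a Tier 2 assessment answered entirely "Yes" can never exceed 85% reduction ("Very Good"), so "Excellent" requires Tier 1 granular evidence; and a Tier 1 assessment scoring 100 on every control still leaves the floor, so residual is never zero.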
In order to operationalize, consider the following when evaluating risk reduction:
- Avoidance:
  - Definition: Eliminating the risk by not engaging in activities that carry it.
  - Example: A company might avoid entering a market with high political instability to prevent potential losses.
- Reduction:
  - Definition: Mitigating the risk by taking steps to lessen its impact or likelihood.
  - Example: Implementing security measures, such as firewalls and antivirus software, to reduce the risk of cyberattacks.
- Transfer:
  - Definition: Shifting the risk to a third party, typically through insurance or outsourcing.
  - Example: Purchasing liability insurance to transfer the financial risk of potential lawsuits.
- Acceptance:
  - Definition: Acknowledging the risk and deciding to bear the potential consequences without taking specific actions to address it.
  - Example: A small business might accept the risk of minor equipment failures due to the low cost of repair and low probability of occurrence.
- Sharing:
  - Definition: Distributing the risk among multiple parties to minimize its impact on any single entity.
  - Example: Forming a partnership where risks and rewards are shared, such as joint ventures in business projects.
Each strategy offers a different approach to managing risk, allowing organizations to choose the most appropriate method based on their specific context and risk appetite.