Risk Assessment

Risk assessment notes

Uploaded by tinashem191

A cyber security risk assessment is an analysis performed to identify and evaluate potential risks that could compromise a system's security. The goal is to prioritise these risks based on their potential impact, then establish measures to manage or mitigate them.
Types of Cyber Security Risk Assessments

1. Risk Assessment: This is the broadest type of cyber security risk assessment. It involves identifying, quantifying, and prioritising the risks associated with an organisation's digital infrastructure. The process considers various factors such as the likelihood of a risk occurring, its potential impact, and the effectiveness of the current security measures.

2. Vulnerability Assessment: This type of assessment focuses on identifying weaknesses in a system that could be exploited by a potential attacker. Vulnerability assessments are typically automated, using software tools to scan systems and networks for known vulnerabilities. They offer a snapshot of the potential holes in your security at a given moment.

3. Penetration Testing: Also known as ethical hacking, penetration testing is a proactive approach to finding security vulnerabilities. In this method, a cyber security expert, akin to a hacker, attempts to breach a system's security using the same techniques as cybercriminals. This hands-on approach provides a real-world view of your system's vulnerabilities and how they might be exploited.

4. Red Teaming: Red teaming is an advanced type of penetration testing. A red team is a group of cyber security experts who simulate full-scale cyber-attacks on an organisation's network to test its security measures. This exercise is comprehensive and mimics real-world attacks as closely as possible, providing a rigorous test of an organisation's cyber security readiness.

5. Security Audits: A security audit is a systematic, measurable technical assessment of a system or application. Security audits compare the current security measures against a set of standards to determine if they are up to par. The result is a detailed report outlining compliance and any necessary changes.

6. Compliance Assessment: This assessment measures an organisation's adherence to a given set of security standards or regulations. It is crucial for organisations that handle sensitive data like financial information or personal health data, which are governed by strict compliance regulations like GDPR, PCI DSS, or DORA.
Cyber security frameworks are sets of documents describing guidelines, standards, and best practices designed for cyber security risk management. The frameworks exist to reduce an organization's exposure to weaknesses and vulnerabilities that hackers and other cyber criminals may exploit.

Risk frameworks focus on identifying, assessing, and managing potential risks and vulnerabilities within an organization. They help prioritize resources and efforts based on the likelihood and impact of potential threats. Risk frameworks are essential because they promote a proactive approach to security, allowing organizations to stay ahead of emerging threats and adjust their defences accordingly.

Pros: Flexible, prioritizes risk management, adaptable to changing threats

Cons: Less prescriptive, may require additional expertise to implement

The most common frameworks include:

1. ISO 27001 – The leading international standard for protecting and managing information security within an organization. This framework includes a combination of policies and procedures which revolve around three objectives: 1. confidentiality (only authorized entities are granted access to sensitive information), 2. integrity (only enabling authorized users to modify sensitive information) and 3. availability (sensitive information is accessible to authorized entities only).

2. PIPEDA – Canada's primary federal law enacted by the Parliament of Canada for safeguarding data. This act regulates how private sector organizations collect, use, and disclose personal information in for-profit or commercial activities in Canada. Information must be protected from unauthorized access, use, disclosure, copy, and/or modification. Failure to do so may result in a $100,000 CAD penalty.

3. SOC 2 Type 2 – The globally recognized Service Organization Control (SOC) audit evaluates and reports on how cloud-based service providers manage sensitive information. SOC 2 Type 2 evaluates service providers based on five key organizational controls: 1. security (how protected information systems are), 2. availability (information is readily available for authorized use), 3. processing integrity (data processing is complete, valid, accurate, timely, and authorized), 4. confidentiality (information is kept secure), 5. privacy (PII is securely collected, processed, stored, and disposed of).

4. HIPAA – The Health Insurance Portability and Accountability Act was created to protect patients' personal information in the United States. Organizations that are compliant with HIPAA agree to safeguard PHI from unwarranted disclosure and give patients rights to access their documentation.

Importance of security assessment

Helps to identify vulnerabilities - you can identify vulnerabilities in your system and take steps to mitigate them before they can be exploited by attackers.
Helps to check compliance - many regulations, such as HIPAA, FISMA, GDPR, and PCI DSS, require regular security assessments. By conducting regular assessments, you can ensure that your organization remains compliant with these regulations and avoid costly fines and penalties.
Helps to prioritise and mitigate risks.

Regular IT security assessments are an essential component of maintaining the security of your organization's digital assets. These assessments are designed to identify vulnerabilities and weaknesses in your IT infrastructure, as well as to evaluate your organization's overall security posture.

IT security assessments typically involve a comprehensive evaluation of your organization's IT systems, including hardware, software, and network infrastructure. The assessment may also include an evaluation of your organization's security policies and procedures, as well as an assessment of your employees' knowledge of and adherence to these policies.

Regular IT security assessments can help enhance customer trust in your business. Customers trust businesses that take their data security seriously and are committed to protecting their personal information. By conducting regular security assessments, you can identify vulnerabilities in your systems and take steps to fix them before they can be exploited by hackers. This can help prevent data breaches and other security incidents that could damage your reputation and erode customer trust.

Conducting regular IT security assessments is essential to ensure the continuity of your business operations. Cyber attacks and data breaches can cause significant disruptions to your business, resulting in lost revenue, damaged reputation, and legal liabilities. By implementing robust security measures and conducting regular assessments, you can minimize the impact of these threats and ensure the continuity of your business.

One of the key benefits of regular IT security assessments is the ability to identify potential vulnerabilities and risks in your IT infrastructure. By conducting a thorough analysis of your systems and applications, you can identify weak spots that hackers could exploit and take proactive measures to address them. This includes implementing security patches, upgrading software, and improving access controls.

Another important aspect of ensuring business continuity is disaster recovery planning. Regular IT security assessments can help you identify potential risks and vulnerabilities in your disaster recovery plan and take corrective actions to minimize the impact of disruptions. This includes testing your backup and recovery procedures, ensuring redundancy in critical systems, and establishing communication protocols for emergency situations.
Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated. This process involves discovering and understanding answers to some key questions:

1. Where is the risk to my information assets (risk identification)?
2. How severe is the risk to my information assets (risk assessment)?
3. How much risk is acceptable to my organization (risk appetite)?
4. What do I need to do to bring my current level of risk down to an acceptable level (risk control)?

Risk identification: The recognition, enumeration, and documentation of risks to an organization's information assets.

Risk assessment: A determination of the extent to which an organization's information assets are exposed to risk.

Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment. Risk assessment assigns a risk rating or score to each specific vulnerability. While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process.

Risk is
the likelihood that the threats to an asset will result in an adverse impact,
multiplied by
the consequences (or level of impact) on the value of an asset as a result of a successful attack,
less
the percentage of risk mitigated by current controls,
plus
the degree of uncertainty of current knowledge of the threat/asset environment.

Likelihood: The probability that a specific vulnerability within an organization will be the target of an attack.
Likelihood is the overall rating—a numerical value on a defined scale—of the probability that a specific vulnerability will be exploited. NIST's "Special Publication 800-30 Rev. 1, Guide for Conducting Risk Assessments," recommends that vulnerabilities be assigned a likelihood rating between 0.1 (low) and 1.0 (high). For example, the likelihood of an employee or system being struck by a meteorite while indoors would be rated 0.1, while the likelihood of receiving at least one e-mail that contains a virus or worm in the next year would be rated 1.0. You could also choose to use a number between 1 and 100, but not 0, because vulnerabilities with a 0 likelihood should have already been removed from the asset/vulnerability list. Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating—and use it consistently.

Assessing Potential Impact on Asset Value (Consequences)

Once the probability of an attack by a threat has been evaluated, the organization will typically look at the possible impact or consequences of a successful attack. A feared consequence is the loss of asset value.

Percentage of Risk Mitigated by Current Controls

If a vulnerability is fully managed by an existing control, it can be set aside. If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
Uncertainty

It is not possible to know everything about every vulnerability, such as how likely an attack against an asset is, or how great an impact a successful attack would have on the organization. The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.
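The risk formula above, carried through in Python as an added example (not code from these notes): it scores a constructed register of asset/vulnerability pairs on the 0.1 to 1.0 likelihood scale, subtracts the share already mitigated by current controls, adds the uncertainty allowance, and ranks the results, setting aside any fully controlled vulnerability. Two assumptions, since the notes do not fix them: the mitigated share and the uncertainty allowance are both applied as fractions of the base likelihood × impact figure, and the asset names and values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityRating:
    """One asset/vulnerability pair with the four factors from the notes."""
    asset: str
    vulnerability: str
    likelihood: float   # 0.1 (low) .. 1.0 (high), the NIST SP 800-30 style scale
    impact: float       # consequence to asset value if the attack succeeds (1..100 here)
    mitigated: float    # fraction of the risk already removed by current controls, 0..1
    uncertainty: float  # manager's estimate of how incomplete current knowledge is, 0..1


def residual_risk(r: VulnerabilityRating) -> float:
    """Risk = likelihood * impact, less the share mitigated, plus an uncertainty allowance.

    Assumption (not fixed by the notes): the mitigated share and the uncertainty
    allowance are both taken as fractions of the base likelihood * impact figure.
    """
    if not 0.1 <= r.likelihood <= 1.0:
        # A zero-likelihood vulnerability should already have been dropped from the list.
        raise ValueError(f"likelihood out of range for {r.asset}/{r.vulnerability}")
    if not (0.0 <= r.mitigated <= 1.0 and 0.0 <= r.uncertainty <= 1.0):
        raise ValueError("mitigated and uncertainty must be fractions between 0 and 1")
    base = r.likelihood * r.impact
    return base - base * r.mitigated + base * r.uncertainty


def rank_by_risk(ratings):
    """Return (score, rating) pairs, highest residual risk first. Vulnerabilities that
    are fully managed by an existing control are set aside, as the notes describe."""
    scored = [(residual_risk(r), r) for r in ratings if r.mitigated < 1.0]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample register for illustration; none of these values come from the notes.
SAMPLE_REGISTER = [
    VulnerabilityRating("customer database", "unpatched DBMS", 0.5, 100, 0.5, 0.2),
    VulnerabilityRating("web server", "default admin password", 0.8, 60, 0.2, 0.1),
    VulnerabilityRating("mail gateway", "virus/worm attachments", 1.0, 80, 0.75, 0.1),
    VulnerabilityRating("office printer", "open management port", 1.0, 10, 0.0, 0.3),
    VulnerabilityRating("archive server", "legacy file share", 0.3, 40, 1.0, 0.1),
]

if __name__ == "__main__":
    # Relative ranking is the point: the numbers mean nothing in absolute terms.
    for score, r in rank_by_risk(SAMPLE_REGISTER):
        print(f"{score:6.1f}  {r.asset:18} {r.vulnerability}")
```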

Documenting the Results of Risk Assessment

The goal of the risk management process so far has been to identify information assets and their vulnerabilities and to rank them according to the need for protection.

Steps involved in risk identification

Question: Outline the steps in risk identification.

Here are some signs that your business might be vulnerable to cyber security attacks:

Technical Vulnerabilities:

1. Outdated software and systems: Using outdated operating systems, browsers, or software can expose your business to known vulnerabilities.
2. Unpatched vulnerabilities: Failing to apply security patches and updates can leave your systems open to exploitation.
3. Weak passwords: Default or easily guessable passwords can be easily exploited by hackers.
4. Insecure network configurations: Misconfigured firewalls, routers, or switches can provide unauthorized access.
5. Lack of encryption: Unencrypted data, both in transit and at rest, can be intercepted and stolen.

Human-Centric Vulnerabilities:

1. Untrained employees: Lack of cybersecurity awareness and training can lead to phishing, social engineering, and other attacks.
2. Insider threats: Disgruntled or careless employees can intentionally or unintentionally compromise security.
3. Poor password hygiene: Employees using weak or reused passwords can compromise entire systems.

Network and System Vulnerabilities:

1. Unmonitored networks: Lack of monitoring and logging can make it difficult to detect and respond to incidents.
2. Unsecured IoT devices: Connected devices, such as cameras and printers, can provide unauthorized access.
3. Open ports and services: Unnecessary open ports and services can be exploited by hackers.
4. Lack of segmentation: Flat network architectures can allow attackers to move laterally.

Compliance and Governance Vulnerabilities:

1. Non-compliance with regulations: Failing to meet industry standards and regulations can lead to fines and reputational damage.
2. Lack of incident response plan: Not having a plan in place can lead to delayed response and increased damage.
3. Inadequate access controls: Failure to limit access to sensitive data and systems.

Other Signs:

1. Frequent malware infections: Repeated malware infections can indicate a larger security issue.
2. Unexplained system changes: Unexplained changes to system configurations or files.
3. Suspicious network activity: Unusual network traffic patterns or unauthorized access attempts.
4. Reports from customers or partners: Complaints or warnings from customers or partners about potential security issues.

What to do:

1. Conduct regular security audits and risk assessments.
2. Implement a robust cybersecurity framework.
3. Train employees on cybersecurity best practices.
4. Invest in security technologies, such as firewalls, antivirus software, and intrusion detection systems.
5. Establish incident response and disaster recovery plans.

Benefits of risk analysis

1. Loss prevention: minimizes financial loss from unforeseen events.

2. Risk identification: uncovers potential risks, enabling proactive mitigation.

3. Risk prioritization: focuses resources on high-impact risks.

4. Risk mitigation: develops effective controls to reduce risk likelihood/severity.

5. Reduced uncertainty: provides a clearer understanding of potential risks.

6. Compliance: ensures compliance with regulations and standards.


The risk analysis process involves identifying, assessing, and prioritizing potential risks to minimize or
mitigate their impact. Here's a step-by-step guide:

Step 1: Risk Identification

1. Define scope and objectives

2. Gather information (data, documents, expert opinions)

3. Identify potential risk sources (threats, vulnerabilities, consequences)

4. Categorize risks (strategic, operational, financial, compliance)

Step 2: Risk Assessment

1. Evaluate likelihood (probability) and impact (consequence)

2. Use qualitative (High/Medium/Low) or quantitative (numeric) scales

3. Consider risk factors (velocity, persistence, detectability)

4. Document risk assessment results

Step 3: Risk Prioritization

1. Rank risks based on likelihood and impact

2. Use risk matrices (heat maps) or scoring systems

3. Consider risk tolerance and appetite

4. Identify high-priority risks for mitigation

Step 4: Risk Mitigation

1. Develop risk mitigation strategies (avoid, transfer, mitigate, accept)

2. Implement controls (policies, procedures, technology)

3. Assign risk ownership and responsibilities

4. Monitor and review mitigation effectiveness
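Steps 2 to 4 above, as an added Python example (not code from these notes): a 3x3 qualitative likelihood/impact matrix, a heat-map band for each cell, ranking against a stated risk appetite, and a default treatment option per band. The band thresholds, the default treatment mapping, and the sample risk register are assumptions made for illustration.

```python
from itertools import product

# Qualitative scale from Step 2, ranked so a matrix cell scores likelihood rank x impact rank.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Assumed defaults for Step 4; "avoid" stays a judgement call, so it is never auto-assigned.
DEFAULT_TREATMENT = {"High": "mitigate", "Medium": "transfer", "Low": "accept"}

# Constructed sample register: (risk, likelihood level, impact level). Illustrative only.
SAMPLE_RISKS = [
    ("Ransomware on file servers", "Medium", "High"),
    ("Phishing of finance staff", "High", "High"),
    ("Printer firmware out of date", "High", "Low"),
    ("Loss of laptop with encrypted disk", "Medium", "Low"),
    ("Cyber espionage against R&D", "Low", "High"),
]


def level(name):
    """Rank for a qualitative level; reject anything outside the defined scale."""
    if name not in LEVELS:
        raise ValueError(f"unknown level {name!r}; use one of {list(LEVELS)}")
    return LEVELS[name]


def score(likelihood, impact):
    """Cell score 1..9 on the 3x3 matrix (High/Low and Low/High land on the same score)."""
    return level(likelihood) * level(impact)


def band(cell_score):
    """Heat-map band for a cell score; the thresholds are an assumed convention."""
    if cell_score >= 6:
        return "High"
    return "Medium" if cell_score >= 3 else "Low"


def prioritise(risks, appetite="Medium"):
    """Step 3: rank risks by cell score (highest first) and flag those whose band exceeds
    the organisation's appetite. Returns (name, score, band, above_appetite, treatment)."""
    level(appetite)  # validate the appetite the same way as the ratings
    ranked = sorted(risks, key=lambda r: score(r[1], r[2]), reverse=True)
    result = []
    for name, likelihood, impact in ranked:
        s = score(likelihood, impact)
        b = band(s)
        result.append((name, s, b, level(b) > level(appetite), DEFAULT_TREATMENT[b]))
    return result


def heat_map(risks):
    """Group risk names by (likelihood, impact) cell; every cell of the 3x3 grid is present."""
    cells = {(lk, im): [] for lk, im in product(LEVELS, LEVELS)}
    for name, likelihood, impact in risks:
        if (likelihood, impact) not in cells:
            raise ValueError(f"unknown level for {name!r}")
        cells[(likelihood, impact)].append(name)
    return cells
```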


Types of risks

1. Data breach risk

2. Network security risk

3. Malware risk

4. Phishing risk

5. Ransomware risk

6. Cyber espionage risk

CYBER SECURITY TOOLS

Firewalls

Anti-virus

Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.

Managed detection and response (MDR) is a cybersecurity service that combines technology with human expertise to rapidly identify and limit the impact of threats by performing threat hunting, monitoring, and response. The main benefit of MDR is that it quickly helps in limiting the impact of threats without the need for additional staffing, which can be costly.

Organizations using an MDR solution can immediately reduce their time-to-detect (and therefore, time to respond) from the typical 277 days to as little as a few minutes, thereby dramatically reducing the impact of an event.

Organizations can also:

 Improve security posture and become more resilient to potential attack by optimizing security configuration and eliminating rogue systems.
 Identify and stop hidden, sophisticated threats through continuous managed threat hunting.
 Respond to threats more effectively and restore endpoints to a known good status through guided response and managed remediation.
 Redirect staff from reactive and repetitive incident response work toward more strategic projects.

Penetration testing

Staff Training
