NIST Releases New Guidance for Assessing Risk
On September 1, the National Institute of Standards and Technology (NIST) released a new report that explains why risk priorities must be determined and outlines options for properly treating risk. NIST IR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management, describes how risk priority and response information should be added to a cybersecurity risk register (CSRR).
The uptick in cybersecurity incidents demonstrates the importance of aligning cybersecurity risk management (CSRM) with overall enterprise risk management (ERM), which calls for understanding the key risks in an organization. For optimal results, all participants in an enterprise should use consistent methods to prioritize, respond to risk, and communicate results.
Identifying Risk
One of the most important tools for risk managers is the cybersecurity risk register (CSRR):
(Figure: Notional Cybersecurity Risk Register Template)
According to NIST’s guidance, “The CSRR is used to record and communicate various cybersecurity risk considerations that support the ERM process.” Senior leaders within an organization are responsible for defining the ERM scope, context, and strategy, as well as establishing the risk appetite and risk tolerance of the enterprise.
The CSRR provides a summary of a given set of risk scenarios; however, it is not possible to record all the relevant information within the CSRR. Therefore, each risk in the CSRR should link to a corresponding risk details record (RDR).
In some cases, both the CSRR and the RDR are instantiated in digital records within a risk management tool, such as a GRC product. The goal, per NIST, is to “aggregate the relevant information that is known about various risks in light of enterprise governance direction and known compliance requirements to better inform decision makers.”
After calculating the risk exposure of each risk, the next step is determining their relative priority. It is important to remember that “the highest priority risks will not always be those with the greatest exposure value.” Priority is not a reflection of the chronological order in which risk should be mitigated because that determination must factor in risk response. Those in the organization who are accountable for cybersecurity oversight, such as the Chief Information Security Officer (CISO), establish priorities for cybersecurity risks, while executives should have the final authority over how risk will be managed in the context of other enterprise risks.
Factors such as financial loss, reputation, and shareholder sentiment will influence priority and should be included in the enterprise risk strategy. NIST says that an organization’s specific goals and direction at any given time should also be considered. For example, if a corporate entity was preparing for a merger, cybersecurity risks may take extra precedence because, “discovery of a cybersecurity risk can affect the valuation of an enterprise and subsequent negotiations.”
Prioritizing Risk
A few foundational definitions are necessary to properly prioritize risk at each stage:
Risk aggregation is defined as the “combination of a number of risks into one risk to develop a more complete understanding of the overall risk.”
Risk criteria are “terms of reference against which the significance of a risk is evaluated, such as organizational objectives, internal/external context, and mandatory requirements (e.g., standards, laws, policies).”
Risk optimization is “a risk-related process to minimize negative and maximize positive consequences and their respective probabilities; risk optimization depends on risk criteria, including costs and legal requirements.”
The processes to aggregate, prioritize, and optimize risk are different at each level of an organization, depending on the risk criteria guiding that level. Methods for optimizing risk are typically at the discretion of enterprise leaders. Each method must include a process for how to respond to risks when funding is limited. Examples include:
Fiscal optimization: Risk managers rank risks in order from most impactful to least, tallying the costs of risk response until funding is exhausted.
Algorithmic optimization: As the name suggests, this is a mechanical approach. A mathematical formula is used to calculate the aggregate cost benefit to the organization.
Operational optimization: This involves selecting risks that are most valuable based upon leadership preferences, mission objectives, stakeholder sentiment, and other subjective criteria.
Forced ranking optimization: Prioritize risks to best use available resources to achieve the maximum benefit given specific negative and positive consequences. Factors should be defined by senior stakeholders because they are based on business drivers.
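The following is an added worked example, not code from NIST or from IR 8286B, showing a minimal CSRR as a data structure together with the fiscal optimization method described above and the priority elevation discussed further down (a risk that senior leadership has singled out, such as the availability-related Risk 3, is ranked ahead of risks with higher exposure). The column names, the likelihood-times-impact exposure calculation, the sample risks, their values and costs, and the reading of "until funding is exhausted" as "skip any response the remaining budget cannot cover and keep tallying" are all this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# The four response types for negative cybersecurity risks named in IR 8286B.
RESPONSE_TYPES = ("Accept", "Transfer", "Mitigate", "Avoid")


@dataclass
class RiskRecord:
    """One row of the CSRR. Field names are this example's choice; the full
    detail would live in the linked risk details record (RDR), not modelled here."""
    risk_id: str
    description: str
    likelihood: float        # probability over the planning period (constructed)
    impact: float            # monetary loss if the scenario occurs (constructed)
    response_type: str       # one of RESPONSE_TYPES
    response_cost: float     # cost of carrying out the planned response (constructed)
    priority: Optional[int] = None
    funded: bool = False

    def __post_init__(self) -> None:
        if self.response_type not in RESPONSE_TYPES:
            raise ValueError(f"unknown response type: {self.response_type}")

    @property
    def exposure(self) -> float:
        """Risk exposure as likelihood times impact (this example's calculation)."""
        return self.likelihood * self.impact


def prioritize(register: list, elevated: frozenset = frozenset()) -> list:
    """Assign priorities. The default order is descending exposure, but risks
    that senior leadership has elevated (for example because availability is a
    key mission objective) are placed ahead of the rest regardless of exposure,
    which is why the highest priority is not always the highest exposure."""
    ordered = sorted(register, key=lambda r: (r.risk_id not in elevated, -r.exposure))
    for rank, risk in enumerate(ordered, start=1):
        risk.priority = rank
    return ordered


def fiscal_optimization(register: list, budget: float, elevated: frozenset = frozenset()):
    """Fiscal optimization: walk the register in priority order, tallying the
    cost of each response until funding is exhausted. 'Accept' responses consume
    no budget. A response the remaining budget cannot cover is skipped (assumed
    reading); it stays on the register, unfunded, for monitoring."""
    remaining = budget
    for risk in prioritize(register, elevated):
        if risk.response_type == "Accept":
            risk.funded = True
            continue
        if risk.response_cost > remaining:
            continue
        remaining -= risk.response_cost
        risk.funded = True
    return [r.risk_id for r in register if r.funded], remaining


def aggregate_exposure(register: list) -> float:
    """Risk aggregation: combine the register's risks into one figure that can
    be reported upward to the ERM level."""
    return sum(r.exposure for r in register)


def sample_register() -> list:
    """Constructed sample rows; values are illustrative, not from the report."""
    return [
        RiskRecord("R1", "Phishing leads to credential theft", 0.6, 200_000, "Mitigate", 40_000),
        RiskRecord("R2", "Vendor breach exposes customer data", 0.3, 500_000, "Transfer", 60_000),
        RiskRecord("R3", "Natural disaster disrupts communications circuits", 0.05, 300_000, "Mitigate", 90_000),
        RiskRecord("R4", "Stale test account on an isolated lab network", 0.2, 5_000, "Accept", 0),
    ]


if __name__ == "__main__":
    register = sample_register()
    funded, left = fiscal_optimization(register, budget=100_000)
    for r in sorted(register, key=lambda r: r.priority):
        print(f"{r.priority}. {r.risk_id} exposure={r.exposure:,.0f} "
              f"{r.response_type} funded={r.funded}")
    print("funded:", funded, "remaining budget:", left)
    # Same register, but leadership has elevated R3 because availability is a key objective.
    funded_elevated, left_elevated = fiscal_optimization(sample_register(), 100_000, frozenset({"R3"}))
    print("with R3 elevated:", funded_elevated, "remaining budget:", left_elevated)
```

With the constructed values and a budget of 100,000, exposure order funds R2 and R1 and leaves R3 unfunded; elevating R3 flips that, funding R3 first and leaving neither R1 nor R2 affordable, which is exactly the trade-off senior leaders make when they override exposure ranking with mission priorities.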
Each organization level has its own priorities, and each organization has its own prioritization factors. That is why bi-directional communication is so critical. Senior leaders, who are responsible for balancing all types of enterprise risks, must be able to convey strategy and direction to lower levels. At the same time, system and business level managers need to keep leadership informed.
(Figure: Excerpt from a Notional Cybersecurity Risk Register)
A certain risk may be elevated in priority based on the risk appetite and tolerance established by senior leadership. For example, Risk 3 (a natural disaster disrupting communications circuits impeding customer access) may be elevated if senior leaders have designated availability as a key mission objective or a critical event is occurring—during which communications outage would have serious reputational effects even if the direct financial impact is low.
Risks, both positive and negative, should be included on the same CSRR. This helps with the prioritization process and ensures senior managers are aware of all the uncertainties that may bring benefit or harm.
Treating Risk
The next step is determining the appropriate actions to take to ensure risk treatment. Risk response should result in risk levels at or below the risk appetite and tolerance directives. The enterprise risk strategy should describe the levels of authority regarding who may approve responses. There are four response types for negative cybersecurity risks. A risk owner may apply multiple response methods.
Accept: This applies to low-level cybersecurity risks. While no additional risk response is needed, the risk should always be monitored.
Transfer: This applies to higher-level risks that fall outside of tolerance levels. Such a risk can be reduced by sharing a portion of the consequences with another party. Examples include cybersecurity insurance or outsourcing a risky activity, such as card payment transactions.
Mitigate: Apply actions, such as security controls, that reduce the threats, vulnerabilities, and impacts of a risk to an acceptable level. This could involve reducing the likelihood of a threat materializing or limiting the loss by decreasing damage and liability.
Avoid: Apply responses to ensure that the risk does not occur. If there is no cost-effective way to reduce the risk, this may be the best option, even at the cost of lost opportunity.
The most common risk response method is mitigation, which is generally applied through various technical, managerial, and operational controls. Types of controls include:
Preventative: Reduce or eliminate specific instances of a vulnerability.
Example: Network architects ensure physical or logical separation among network enclaves to help isolate suspicious or malicious activities to the smallest area possible.
Deterrent: Reduce the likelihood of a threat event by dissuading a threat actor.
Example: A warning banner that notifies a system user—before they attempt to authenticate—that the system is closely monitored and that illicit activities may result in criminal prosecution. The banner’s key purpose is to dissuade unauthorized actions.
Detective: Provide warning of a successful or attempted threat event.
Example: An intrusion detection system (IDS) alerts an operator in the Security Operations Center (SOC) upon noticing that a network user has just downloaded an unapproved software product.
Corrective: Reduce exposure by offsetting the impact of consequences after a risk event.
Example: An antivirus product quarantines a suspicious file that matches the signature of malicious software.
Compensating: Apply one or more cybersecurity controls to adjust for a weakness in another control.
Example: Alarms on a server room door audibly notify nearby personnel when an emergency exit push bar has been used, thereby compensating for a physical access control that has been bypassed.
(Figure: Example Risk Responses in the CSRR)
Once the CSRR is completed, it is important that the information be communicated clearly and effectively so that cybersecurity risk management considerations can be made and incorporated into the broader enterprise risk management strategy.