Sofema Aviation Services (SAS) www.sassofia.com considers the process of performing a Cyber Risk Assessment.
Introduction – Role & Purpose of Cybersecurity Risk Assessments
Cyber Risk Assessments are integral to information risk management and form a subset of the organization’s high-level overall business risk management strategy.
Cybersecurity Risk Assessments are a critical component of the risk management strategy, intended to provide understanding, analysis, control, and mitigation of all instances of cyber risk. Cyber risks are categorized as zero, low, medium, or high.
Hacking and malware, as well as many other hazards (for example natural disasters), pose potential security risks and should be addressed.
Rationale for Performing a Cyber Risk Assessment
- Ability to identify potential threats and vulnerabilities
o Opportunity to mitigate potential scenarios before they become “real” ones
o Potential to prevent or reduce the incidence of security breaches
o Avoid reputational damage
o Data breaches can create a huge financial burden for the organization
- The potential benefit of avoiding unnecessary expenditure (rectifying cyber exposures)
Types of Cyber Risk
Cyber risk could be described as the likelihood of experiencing negative events related to any of the following areas:
- Disruption to sensitive data,
- Financial abuse or impropriety,
- Interruptions to business processes or operations,
- An event resulting in a data breach (illegal access to secure data).
Cyber Risks Examples include:
- Cyberattacks
- Ransomware
- Malware
- Data leaks
- Phishing
Cyber Risks and Vulnerabilities:
- A vulnerability is a weakness that could be exploited to gain unauthorized access.
- Cyber risk is the probability of a vulnerability being exploited.
Basic Organizational Factors to Consider When Developing Policies:
- Reputational damage
- Feasibility of mitigating actions
- Regulations driving legal and organizational obligations
- Effectiveness of existing controls
- Safety & Reliability Exposure
- Organizational attitude towards risk (Tolerance & Weighting)
Performing an assessment of Risk (Vulnerability) – Ask & Answer the Following:
- What is the threat?
- How vulnerable is the system to the identified threat?
- Is there any additional exposure, for example financial impact or reputational damage?
- What is the risk I am reducing?
- Is this the highest priority security risk?
- Am I reducing the risk in the most cost-effective way?
Calculate Cyber Risk using the following:
- Cyber risk = Threat x Vulnerability x Information Value
Basic Cyber Questions (Configure for your Situation)
- What cyber attacks, cyber threats, or security incidents could affect the ability of the business to function?
- Can all threat sources be identified?
o What is the level of the potential impact of each identified threat?
o What is the likelihood of exploitation?
o What is the impact if those vulnerabilities are exploited?
- Have we identified our organization’s primary technology assets?
- What effect would a data breach have on our business related to each of the following:
o Malware,
o Human Error,
o Cyberattack.
- What is the effective level of risk my organization is comfortable taking?
o How is this managed & communicated?
How to Perform a Cyber Risk Assessment
Initial assessment considerations, including special requirements or constraints (the primary focus should be on business-critical systems):
- Purpose of the assessment
- Scope of the assessment
The next step is to consider the data used by your organization, its value, and the associated infrastructure – use the following questions to support the evaluation process:
- What data do we collect and/or share with our third-party partners?
- How are we protecting and documenting this data?
- What Data Storage Procedures are followed?
- How many access points are associated with the data? (Internal & External)
Develop your own organizational criteria for measuring the value of a particular asset – typically a combination of:
- Asset value,
- Legal commitments & obligations, standing, and business importance,
- Classification of the Perceived Risk.
Additional Measures you can draw on include:
- Potential Reputational Damage
- Value of our Data to a Competitor
- Financial or potential legal penalties related to the exposure of the information
- Cost to Replace lost Data
- Business Continuity Impact
Information to factor into the assessment (validate & verify for each asset)
- Software / Hardware
- Data & Interface
- Active end-users & support personnel
- Role Purpose & Criticality
- Functional requirements
- IT-related aspects – Policies / Architecture / Storage & Comms
- Network topology (Communication Methodology)
- Security – Technical / Physical & Environment
Analyze Exposure and Implement Mitigations
- Ensure controls are in place and are effective in minimizing any identified vulnerability.
- Controls can be considered as:
Technical
o Hardware,
o Software,
o Encryption,
o Two-factor authentication,
o Continuous data vulnerability assessment.
Non-Technical
o Security policies,
o Physical mechanisms (locks & keycard access).
Controls Classification
Preventative
o Encryption,
o Antivirus,
o Continuous monitoring.
Reactive Controls
o Identify when an attack has occurred through continuous data validity checks & analysis
Developing a Risk Cost / Annum Assessment
Calculate the likelihood and financial impact of various scenarios on a per-year basis (cost of data loss versus likely frequency of occurrence; for example, a 100,000 Euro loss that could happen once in 10 years = an exposure of 10,000 Euro / year).
Risks Prioritization Measured Against Prevention / Information Value
Use the risk level as the determinant driving mitigation proposals to the leadership team:
- High – corrective measures to be developed as soon as possible.
- Medium – corrective measures developed within a reasonable period of time.
- Low – decide whether to accept the risk or mitigate.
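As an added worked example (not part of the original article), the following Python puts the three calculations above together: the Threat x Vulnerability x Information Value formula, the per-year exposure figure (100,000 Euro once in 10 years = 10,000 Euro / year), and the High / Medium / Low prioritization that drives the proposals to the leadership team. The 1-to-5 scoring scale, the band thresholds, the `Threat` class and the sample scenarios are assumptions made here for illustration, not figures from the article.

```python
from dataclasses import dataclass


# Scores on a 1 (lowest) to 5 (highest) scale are an assumption of this example;
# the article gives the formula but does not prescribe a scale.
@dataclass(frozen=True)
class Threat:
    name: str
    threat: int             # likelihood that a capable threat source acts (1-5)
    vulnerability: int      # how exposed the system is to that threat (1-5)
    info_value: int         # value of the information at stake (1-5)
    loss_eur: float         # estimated cost of a single occurrence, in Euro
    years_per_event: float  # expected interval between occurrences, in years


def risk_score(t: Threat) -> int:
    """Cyber risk = Threat x Vulnerability x Information Value.
    On 1-5 scales the product ranges from 1 to 125."""
    for v in (t.threat, t.vulnerability, t.info_value):
        if not 1 <= v <= 5:
            raise ValueError(f"{t.name}: scores must be between 1 and 5, got {v}")
    return t.threat * t.vulnerability * t.info_value


def annual_exposure(t: Threat) -> float:
    """Expected loss per year: single-event cost divided by the expected years
    between events. A 100,000 Euro loss once in 10 years gives 10,000 Euro / year."""
    if t.years_per_event <= 0:
        raise ValueError(f"{t.name}: years_per_event must be positive")
    return t.loss_eur / t.years_per_event


# Band thresholds are an assumption of this example, chosen for the 1..125 range.
HIGH_THRESHOLD = 60
MEDIUM_THRESHOLD = 20

# The recommended action per band follows the article's prioritization text.
ACTIONS = {
    "High": "corrective measures to be developed as soon as possible",
    "Medium": "corrective measures developed within a reasonable period of time",
    "Low": "decide whether to accept the risk or mitigate",
}


def risk_level(score: int) -> str:
    """Map a risk score onto the High / Medium / Low bands."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def prioritise(threats: list[Threat]) -> list[dict]:
    """Return one row per threat, highest priority first: ordered by risk band,
    then by annual exposure so the costliest item within a band is seen first."""
    rank = {"High": 0, "Medium": 1, "Low": 2}
    rows = []
    for t in threats:
        score = risk_score(t)
        level = risk_level(score)
        rows.append({
            "threat": t.name,
            "risk_score": score,
            "risk_level": level,
            "annual_exposure_eur": annual_exposure(t),
            "recommended_action": ACTIONS[level],
        })
    rows.sort(key=lambda r: (rank[r["risk_level"]], -r["annual_exposure_eur"]))
    return rows


# Constructed sample scenarios for illustration only.
SAMPLE_THREATS = [
    Threat("Ransomware on maintenance records system", 5, 4, 5, 500_000, 5),
    Threat("Phishing leading to credential theft", 4, 3, 3, 50_000, 2),
    Threat("Flood at primary data centre", 2, 2, 4, 100_000, 10),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_THREATS):
        print(f"{r['risk_level']:<6} score={r['risk_score']:>3} "
              f"exposure={r['annual_exposure_eur']:>9,.0f} EUR/yr  "
              f"{r['threat']}: {r['recommended_action']}")
```

The flood scenario reproduces the article's figure (100,000 Euro once in 10 years = 10,000 Euro / year) and lands in the Low band, where the decision is to accept or mitigate; the ransomware scenario scores 100 and is listed first. Because the thresholds are constants, an organization can tune them to its own risk tolerance without touching the scoring logic.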
Producing a Cyber Risk Assessment Report
A Cyber Risk Assessment Report is an essential tool when making decisions related to budget, policies and procedures.
The Cyber Risk Report will support the development of a risk assessment policy defining the steps to be taken to provide the necessary oversight and monitoring on a continuous basis.
Method
For each identified threat describe:
- The risk
- Identified vulnerabilities
- Financial Value
- Assessed likelihood and Severity of potential occurrence
- Control recommendations.
Next Steps
Follow this link to our Library to find & Download related documents for Free.
Sofema Aviation Services (www.sassofia.com) & Sofema Online (www.sofemaonline.com) are now taking reservations for the following course: EASA Compliant Organizational Cyber Security Responsibilities – 1 Day
Please email team@sassofia.com for details.
Tags:
aviation, Risk Management, Cyber Security, SAS blogs, Aviation Cyber Security, Cyber Risks, Cyber Security Management System, European Operations, Cyber Attacks, Cyber Security Management Process, Cyber security threats, Aviation Domains, Cyber Risk Assessment