Few companies today can get by without an online presence. And just as you wouldn’t leave a physical storefront or office unlocked, businesses also need to ensure that their online services are secure from intruders. But if you're not an expert yourself, but involved in any part of the cybersecurity lifecycle, you're likely finding yourself asking the question: What is cyber risk?
The goal of cyber security is to guard systems and networks with sensitive and business-critical information from disruption, leaks, and any other type of harm. Cyber risk is the business risk to an organization that stems directly from the cybersecurity flaws and vulnerabilities that leave assets and sensitive data exposed to attackers.
Probably the most important characteristic of modern cyber security is the concept that it goes far beyond any one specific department, team lead, or product. Instead, cyber security today is a key cultural component that must be built into businesses from the executive level on down. And it’s crucial that it not rely on fallible human processes—the weakest link in your cyber security chain—but instead, be simplified and automated to the greatest extent possible.
Two further challenges that companies face today are geographical distribution—meaning your users, team members, and others may be located all over the globe—and also the increasing reliance on third-party services such as cloud providers and SaaS vendors, over which IT departments may have minimal control.
For all these reasons, today’s organizations need a broader array of knowledge than ever to help identify and manage cyber risk and take necessary measures to remediate or bypass vulnerabilities. And that knowledge begins with a comprehensive understanding of cyber security and risk management terminology.
General cyber security terminology
Any data, hardware, or system, whether physical or virtual, owned and controlled by an organization.
Gathering information and creating systematic lists and details of all IT assets, which could include systems, network, data, cloud and on-premises systems, and more. It is impossible for any business to provide protection for systems and networks they are not aware of. Automating asset inventory is a crucial first step in creating a stronger, more mature cyber security program by enabling administrators to compare assets and version numbers to databases of known vulnerabilities.
The total of all potential points of entry where an attacker might be able to gain unauthorized access. Comprehensive risk assessment must include both physical and virtual attack surface hardware such as servers and endpoints; networking devices such as routers, plus IoT, operational, and other technology (OT) devices, along with all analogous cloud-based infrastructure, adding to the complexity of securing the environment. The attack surface also includes all potential access routes, including USB and other physical ports along with internet access and application vulnerabilities. One goal of risk management is to minimize the attack surface, often with tools that help provide visibility.
Any individual, group, or organization conducting an attack on a computer, network, or computerized system with the aim of compromising that system is considered an attacker. This term is preferred to “hacker” due to the fact that in some circles, “hacker” is actually considered a compliment. Attackers may be solo operators or—increasingly—nation-state actors (governments) or large, well-funded advanced persistent threat (APT) groups capable of launching a barrage of sophisticated attacks simultaneously.
All resources within a system or network must be secured, with access granted only to known users, devices, and systems. The process of verifying authority to access a resource is known as authentication. This was traditionally done through a password, but today multifactor authentication is preferred, using a combination of methods, such as a secret code sent to a verified phone number. Authentication is the first of five key data security services that protect your enterprise against threats.
Although all resources within a system or network are secured, not all resources are equally sensitive. For example, a public web page needs a lower level of security than a list of medical test results. Authorization is the process of determining which type of access an authenticated user, device, or system has to a given resource. Authorization levels may include restricted, read-only, write access, and full system administrator access.
The accepted three-pillar model of data security dictates that business data must be stored in a way that preserves its confidentiality, integrity, and availability (this is sometimes known as the CIA model). Availability means that data is accessible whenever it is needed for business purposes. Calculating the severity of a vulnerability sometimes incorporates its impact on these three factors. As distributed multi-cloud systems become more complex, maintaining availability can become a challenge.
Within the CIA (confidentiality, integrity, availability) model that underpins many organizations’ information security prioritization, confidentiality means that information is only provided to authorized parties. This term is often used interchangeably with encryption; however, confidentiality can be viewed as a goal while encryption is a tool to achieve it. Confidentiality requires a fundamental shift toward carefully organizing, storing, and tagging data according to who should be able to access it and why. This may incorporate approaches such as least privilege.
This refers to an organization’s ability to protect or defend itself against unauthorized access (breach) through cyber attacks. Cyber security is accomplished not through a single tool. Rather it is achieved through a range of technologies, processes, and practices to defend computers, networks, and data both of the business and of its employees, users, and other third parties from any type of threat or unauthorized access that could harm the business or others (e.g., the leakage of sensitive information or shutdown of critical systems). A business’s overall cyber security posture can be tracked as a critical KPI, comprising a key factor in risk prioritization.
When an attacker discovers a vulnerability and uses it to gain unauthorized access, this is known as an exploit. Software vendors regularly release patches which must be installed on all systems running the vulnerable application to protect the organization. However, because of the complexity of patching in a large enterprise, the organization often remains vulnerable long after a patch is available. An exploit based on a previously unknown vulnerability is sometimes known as a “zero-day” exploit.
Any event that has or could have an adverse effect on a computer or network (physical or virtual/cloud-based) or on any information stored, processed or transmitted through that computer or network. An incident generally demands a suitable response action to ensure that there are no harmful consequences for the business. For instance, if there is an attempt to gain unauthorized access or exfiltrate sensitive information, then cyber security measures should be verified or even enhanced to ensure that vulnerabilities and potential weaknesses are remediated.
The CIA (confidentiality, integrity, availability) model of information security places special emphasis on the integrity of data, meaning that data has not been tampered with, compromised, or allowed to degrade in any way. Organizations must take steps to preserve data integrity not only when it is being stored, but also when it is in transit. As with confidentiality, encryption is an important way of maintaining data integrity, alongside backup and disaster recovery procedures as part of a complete approach to risk management.
In the least privilege model, adopted by many modern businesses as part of their overall cloud cyber security, users are given access only to resources that are essential for business tasks. Access is also granted with the lowest possible authorization level. For example, a call-center agent who needs to see customer data may be given read-only access but no permission to write new data (write permission) or to delete the data (administrator permission). This approach minimizes harm by ensuring that only skilled individuals who are qualified to modify data have authorization to do so. In addition, if a vulnerability exists in a particular system, this approach ensures that the fewest possible individuals have access to that system. Least privilege refers not only to human access but also to information systems, applications, APIs, and devices that are authorized to operate within the business’s environment. This model minimizes the attack surface by reducing the number of vectors an attacker can attempt to exploit.
Each asset identified during the asset identification step of risk management will have its own security requirements describing that asset’s criticality to the organization and its mission in terms of confidentiality, integrity, and availability. For instance, a database of patients’ medical information must remain confidential and available so that physicians can access the information when needed. Security requirements may also be defined by applicable regulatory standards such as GDPR, HIPAA, and PCI DSS. Defining security requirements lets the organization strategically prioritize risk treatment and response decisions in later phases of risk management.
Refers to the individuals, groups, and organizations operating to damage, steal, or disrupt an organization’s applications or data along with the strategies that accomplish these goals. For instance, individual attackers, industrial spies, and state-sponsored attack groups are all threat actors. Common cyber security threat vectors include malware such as viruses and worms; distributed denial of service (DDoS), which overwhelms and shuts down servers and networks, and social engineering, which uses psychology to trick users into providing access, as in phishing attacks. Today’s threats often use a combination of strategies, such as a social engineering ploy which tricks users into installing and running malware - such as through “scareware” which convinces users their system is already infected and that the attacker’s software will solve the problem.
A vulnerability is a flaw present in an application which could potentially allow unauthorized access to features and functions of the application, to the server on which the application is run, or to the data used by the application. Vulnerabilities may be introduced inadvertently through unsafe coding practices (such as insufficient validation of user input, letting users send codes that let them take over the application or server) or intentionally in the form of temporary development features (such as hard-coded passwords) that are left behind when the application is moved into production. While each known vulnerability is assigned a severity and risk ranking (CVSS) score, this is just a starting point and each organization’s risk management program must take multiple factors into consideration when prioritizing remediation.
What is cyber risk? Key terms and concepts
Acceptable use agreement
The acceptable use agreement, access agreement, or simply user agreement, ensures that all employees and others, such as third-party contractors, are aware of rules they must follow when using organization systems and networks. Acceptable use might include rules about responsible use of resources, networks, and data and prohibition of non-business related use.
In IT and security terms, access means that an individual or system is able to use a particular resource, either physically or virtually. Access is subject to authorization; unauthorized access constitutes a security incident. Access must be controlled so that individuals and systems cannot make unauthorized use of resources (such as by reading confidential data or modifying it).
Cyber attacks generally take the form of a standard attack method. Intentional attack methods may include malware, phishing, and DDoS. Less often considered are accidental attack methods such as misconfiguration, which could all lead to data leakage and reputational damage.
Also known as an audit log, this term was borrowed from the accounting world to describe the detailed accountability, tracing, and tracking of transactions—in this case, events involved in accessing and transferring data. An audit trail may include a number of types of chronological logs and records, including application logs, database logs, OS logs, and network logs. By tracking, piecing together, and analyzing this information, organizations can respond more quickly and comprehensively to security incidents, meet compliance requirements, and in some cases, even provide proof in the event of litigation over damages.
Business impact analysis
Understanding the business impact of a potential cyber security incident involves assessing the negative effect a given incident or category of incident might have on service delivery, as well as establishing strategic recovery-related objectives. This is a critical early step of risk management and planning.
Following a cyber security incident, disaster recovery refers to the organization’s resilience in restoring business operations as quickly as possible, prioritizing mission-critical systems and infrastructure. A disaster may be human-caused, such as a cyber attack, or accidental, such as an earthquake or power outage. Comprehensive disaster recovery planning will take a variety of scenarios into consideration, including “bare-metal” recovery plans in which the original hardware is no longer available, either temporarily or permanently.
Any observable occurrence within a system or a network. Events themselves are not cause for alarm; they are part of standard operations, such as a web page request. However, best practices dictate that events should be logged and monitored for patterns—such as unusually high demand—that could indicate a security incident in progress, such as a breach, which might allow unauthorized access to the organization’s assets.
A major component of risk management is understanding how an organization measures up to objective industry benchmarks. It is sometimes also referred to as a cyber security gap assessment. Common cyber security assessment frameworks used for gap analysis include ISO-27001 and NIST 800-53. Gap analysis can give an organization a good view of its overall cyber security posture and also allow expansion into new verticals while instilling customer confidence.
The consequences of an incident to the organization, including financial loss (through ransom and regulatory fines), reputational damage, and hidden costs in operational disruption—redirecting resources to mitigate the potential harm of the incident.
Risk management is impossible without first understanding the potential financial impact of various types of cyber security incidents on the business. While risk assessment evaluates the different types of risks and their probabilities, impact analysis assigns each potential incident a monetary value based on the big picture of the entire organization. It takes into consideration direct repercussions such as cost to replace and restore damaged systems as well as indirect repercussions such as staff overtime and longer-term reputational damage. This data is then used as part of an intelligent risk management process to decide which risks to avoid, reduce, transfer, or accept.
With a known vulnerability, this term refers to the probability of the vulnerability being exploited to attack the resource or asset in question. The likelihood is based on a combination of factors such as how easy or difficult the vulnerability is to exploit and the potential reward for an attacker of doing so. This figure, in turn, is often used in risk calculations based on the product of the likelihood of an exploit and its potential business impact (such as in dollar figures).
Any factor that threatens the three primary aspects of the organization’s IT operations: confidentiality, integrity, or availability. A DDoS attack, for instance, may impact availability, while a data leak may impact confidentiality. Some risks have a very low probability of actually taking place; others have a far higher likelihood. Risk management means assessing, prioritizing, and strategizing around the overwhelming number of potential cyber risks an organization may face at any given time.
Risk acceptance refers to situations when an organization has come to the considered decision that a certain risk factor cannot or should not be remediated. Not all risks can be given equal priority, and it is not always possible to remediate 100% of risks, particularly in cases where attempting to remediate a risk could lead to actual harm to the business’s activities. For example, applying a fix may break integrations with legacy systems or simply require more funds and employee resources than it could possibly save over the short or long term. Risk acceptance should be documented in some way within cyber security policy, such as within the risk register, and potentially revisited from time to time.
Risk analysis is performed as part of risk assessment, drilling down and creating scenarios outlining the potential sequence of events and impact of each type of risk on each of the organization’s assets.
This mid-level step follows asset inventory. Once all assets have been identified, risk assessment identifies the various risk categories that could impact each asset. Then, risk analysis is performed for each asset to create specific risk scenarios.
Risk avoidance is one way to limit a business’s risk posture by making the strategic decision to avoid taking certain risks that do not offer significant benefit to the organization. For example, while a website operator may wish to collect as much visitor information as possible, if there is no clear business purpose to collecting this information—and a risk that this information could be leaked if the site is breached—then it may be better to avoid collecting that information in the first place. If it is possible to achieve the same business function while eliminating a source of risk, this can improve the cyber security posture of the organization as a whole.
While risk management refers to the overall approach of identifying risks to the organization and dealing with them, risk control refers to all the processes an organization actually puts in place to detect, prevent, and manage risks once they have been identified, using a range of strategies including risk avoidance, risk reduction, or risk acceptance. Decisions regarding these processes should be made after careful consideration of data surrounding each type of risk.
This is a crucial early step in a comprehensive security vulnerability assessment, in parallel with asset inventory, which involves identifying macro factors—such as malware, ransomware, natural disasters, or staff shortages—that could keep the organization from achieving its objectives. A number of methods are used to determine potential risks, such as speaking to employees and other stakeholders about similar past projects.
Given that avoiding risk altogether is virtually impossible, risk reduction aims to minimize the harms that could ensue due to a particular risk. For example, if a business needs to handle sensitive medical data, a risk reduction approach would demand that the organization encrypts this information at all times (including in transit), implements a least-privilege policy, and follows strict authorization and authentication rules. In these ways, even if a breach were to occur, the likelihood that attackers would gain access to any useful information or be able to take control of systems or data is minimized as much as possible. In another example, if a business notes a rise in distributed denial of service (DDoS) or ransomware attacks within its industry or in general, it can implement measures such as third-party platforms to reduce the risk of impact on the business and its customers.
Part of building a comprehensive cyber risk management program, the risk register is a table that stores information on every potential cyber risk the organization could face. For each type of incident listed—for instance, “data leak through use of employee device”—its probability and potential consequences to the business are also listed, along with results of impact analysis describing the cost to the business should the incident occur and a brief summary of the mitigation plan. In the event of risk acceptance, this should be noted in the risk register as well.
This step can be seen as the final mile of the risk management process since it involves remediating any vulnerabilities identified in earlier steps to close gaps wherever possible. The decision to remediate is based on considerations such as whether a fix is available and whether the severity of the vulnerability warrants the effort involved in patching—a severe vulnerability will justify greater effort, while a minor vulnerability may perhaps only justify an easy fix.
Once a risk has been identified as part of the risk assessment process, the organization must determine how to respond. Options include acceptance (e.g., for a low risk with a limited potential business impact), avoidance, mitigation, transfer, or remediation of the risk (e.g., for a major risk—a severe vulnerability with a high likelihood of exploit).
Risk transference is the process of outsourcing management of a particular identified risk to a third party. When a risk is identified, an organization faces one of several possibilities: remediate, mitigate, accept, or transfer the risk. Risk transference may be an attractive option if the organization—for instance, a small- or medium-sized business (SMB)—does not have enough IT resources in-house to maintain an expanding and broadly distributed cloud footprint. They could outsource that maintenance risk to a specialized third-party business. Another common example is the risk inherent in handling customers’ payment card data. Since the financial industry is so heavily regulated through PCI DSS and other standards, many organizations choose to outsource payment processing to a PCI-DSS certified third-party vendor. Risk transference (or risk transfer) is part of a comprehensive enterprise risk security management (ESRM) framework.
Strategically selecting from available response options for each identified level of risk, usually in collaboration with management. Risk treatment takes into consideration cost-benefit analysis, comparing the broader business impact of the risk compared to the time and effort involved in each possible risk response option.
Service level agreements (SLA)
A contract that identifies baseline levels of service and performance, explicitly identifying the service to be provided and establishing quantifiable metrics in areas like availability (uptime—a common standard is “four-nines” or 99.99% availability), service quality and performance through standard benchmarks, and response time, along with options for redress if the SLA is not met. SLAs may be defined externally, from third-party vendors and service providers, or internally, to ensure IT department accountability. SLAs provide valuable insight into risk from various sources as well as potential negative impacts of a security incident on business activities.
Sometimes known as a threat actor, this is an individual, group, or collective with the potential to do harm to the business. A threat agent may be a single person acting on their own for a variety of motives, a rival business, a group operating on behalf of a foreign government (known as a nation-state actor), or a variety of other categories. Threat agents who act on this potential are known as attackers.
Next steps in cyber risk management
Understanding the terminology behind cyber risk is a valuable first step. But knowing what you’re up against isn’t enough; you also need to apply the principles covered here to strengthen your overall cyber risk posture. The Vulcan Cyber® risk management platform automates challenging processes and provides end-to-end visibility so you can take full ownership of your risk. Book a demo today.