Cybersecurity risk management — Building a risk register (Part I)

SOCFortress
4 min read · Nov 5, 2024


Need Help?

The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

Cybersecurity risk management is both a technical and strategic process, balancing the organisation's security needs with operational priorities. It helps reduce exposure to threats while allowing business functions to continue operating smoothly and securely. The goal is to understand and reduce cybersecurity risks to a level that aligns with the organisation's risk tolerance.

Building a risk register

Building a risk register is essential for managing and documenting cybersecurity risks systematically.

Steps to Build a Cybersecurity Risk Register

1. Identify and Document Risks: For each asset or system, identify threats, vulnerabilities, and the associated risks. Part II in this series will document a use case on how to create a risk register for corporate network infrastructure leveraging the NIST 800-53 security controls. If you’d like to obtain the Excel spreadsheet used as the risk register template for this case, use the contact form above and we’d be glad to provide the file.

2. Evaluate Likelihood and Impact: Use historical data, expert judgement, or industry benchmarks to assign values for likelihood and impact.

3. Risk Treatment Decision: For each risk, determine the treatment plan (accept, mitigate, eliminate, transfer).

4. Assign Ownership and Responsibilities: Assign a risk owner and treatment assignments to ensure accountability.

5. Monitor and Review: Regularly update the risk register as new threats emerge or existing controls are strengthened.

6. Calculate Residual Risk: Reassess each risk post-treatment to determine if it falls within acceptable thresholds, adjusting treatment plans as needed.

Definitions

  • Threat: Incident that has the potential to harm a network, system, service or a company overall.
  • Vulnerability: Known weakness of a corporate asset (resource) that can be exploited or accidentally exposed, internally or externally.
  • Risk: Potential for loss or damage when a vulnerability is exposed. Combines impact (loss or damage) and likelihood (probability of weakness being exploited).
  • Risk Owner: A risk owner is a designated individual (often within the organisation's management or security team) who is accountable for monitoring and managing a specific risk. This person oversees the treatment plan, tracks residual risk, and ensures ongoing monitoring of the risk’s status.
  • Risk Treatment Assignment: Each risk treatment action should have a designated person or team responsible for executing it. This includes implementing controls, conducting regular reviews, and reporting on the effectiveness of treatments over time.

Impact / Likelihood Matrix

This matrix is a visualisation tool that helps prioritise risks based on their likelihood and impact. Risks are usually categorised on a grid where:

  • The Y-axis represents the likelihood of occurrence, from Very Unlikely to Very Likely.
  • The X-axis represents the impact if the risk materialises, from Negligible to Severe.

Each risk is plotted on the matrix, enabling an organisation to identify high-priority risks (high impact, high likelihood) that require immediate attention and lower-priority risks that can be monitored less frequently.

Impact Likelihood matrix

Assigning numeric values to both likelihood and impact will yield a risk value for each likelihood/impact combination:

Risk = Impact x Likelihood

Risk Treatment Plan

Once risks are identified, documented, and evaluated, they need to be managed. The risk treatment options include:

  • Accept: Acknowledge the risk and decide to take no action, often because the impact is low or it’s not cost-effective to address.
  • Mitigate: Take steps to reduce the likelihood or impact of the risk, such as implementing new controls, updating software, or enhancing training.
  • Eliminate: Completely remove the risk by eliminating the vulnerability or discontinuing the activity causing the risk. This is usually the most resource-intensive option.
  • Transfer: Shift the risk to another party, typically through insurance or outsourcing specific functions to a third party.

Residual Risk

After implementing a risk treatment, there will likely still be some risk left, known as residual risk. This is the risk that remains after all mitigation strategies have been applied and should be assessed to ensure it falls within the organisation's acceptable risk threshold.
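The six steps above, the Risk = Impact x Likelihood formula from the matrix section and the residual-risk reassessment described here can be tied together in a small register. The following Python is an added example, not code from this post or from SOCFortress: the 1..5 numeric scales, the Critical/High/Medium/Low bands, the tolerance of 6 and the three register entries (R-001 to R-003) are constructed assumptions, and the `needs_attention` check is one way to implement the monitoring step rather than any prescribed method.

```python
"""Minimal cybersecurity risk register (added example, not code from SOCFortress or the post).
The 1..5 scales, rating bands, tolerance value and sample entries are constructed assumptions
that mirror the post's likelihood/impact matrix and Risk = Impact x Likelihood."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Ordinal labels from the matrix mapped to numeric values (assumed 1..5 scale).
LIKELIHOOD = {"Very Unlikely": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Very Likely": 5}
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}
TREATMENTS = {"accept", "mitigate", "eliminate", "transfer"}
TOLERANCE = 6  # highest residual score the organisation accepts (assumed appetite)


def risk_score(impact: str, likelihood: str) -> int:
    """Risk = Impact x Likelihood on the numeric scales above (1..25)."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def risk_rating(score: int) -> str:
    """Band a score into a priority label; the thresholds are an assumption."""
    for threshold, label in ((15, "Critical"), (8, "High"), (4, "Medium")):
        if score >= threshold:
            return label
    return "Low"


@dataclass
class RiskEntry:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    impact: str
    likelihood: str
    owner: str         # accountable for the risk (step 4)
    treatment: str     # accept / mitigate / eliminate / transfer (step 3)
    assignee: str      # executes the treatment action (step 4)
    next_review: date  # monitoring cadence (step 5)
    residual_impact: Optional[str] = None  # post-treatment reassessment (step 6)
    residual_likelihood: Optional[str] = None

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")
        if self.impact not in IMPACT or self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.risk_id}: label not on the impact/likelihood scale")

    @property
    def inherent_risk(self) -> int:
        return risk_score(self.impact, self.likelihood)

    @property
    def residual_risk(self) -> int:
        """Risk left after treatment; equals inherent risk until one is recorded."""
        return risk_score(self.residual_impact or self.impact,
                          self.residual_likelihood or self.likelihood)

    def apply_treatment(self, residual_impact: str, residual_likelihood: str,
                        applied_on: date, review_in_days: int = 90) -> int:
        """Record the post-treatment reassessment and schedule the next review."""
        self.residual_impact, self.residual_likelihood = residual_impact, residual_likelihood
        self.next_review = applied_on + timedelta(days=review_in_days)
        return self.residual_risk


def needs_attention(register: list[RiskEntry], today, tolerance: int = TOLERANCE) -> dict[str, list[str]]:
    """Risks still above tolerance or overdue for review, keyed by id with the reasons."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    flagged: dict[str, list[str]] = {}
    for e in register:
        reasons = []
        if e.residual_risk > tolerance:
            reasons.append(f"residual {e.residual_risk} ({risk_rating(e.residual_risk)}) "
                           f"exceeds tolerance {tolerance}")
        if e.next_review < today:
            reasons.append(f"review overdue since {e.next_review.isoformat()}")
        if reasons:
            flagged[e.risk_id] = reasons
    return flagged


def build_sample_register() -> list[RiskEntry]:
    """Three constructed entries for a small network estate (sample data, not real findings)."""
    fw = RiskEntry("R-001", "Perimeter firewall", "Unauthorised remote access",
                   "Management interface reachable from the internet", "Severe", "Likely",
                   "Head of IT", "mitigate", "Network team", next_review=date(2024, 12, 1))
    wifi = RiskEntry("R-002", "Guest Wi-Fi", "Service outage", "Single access point, no redundancy",
                     "Minor", "Possible", "Facilities lead", "accept", "Facilities",
                     next_review=date(2025, 1, 15))
    core = RiskEntry("R-003", "Core switch", "Hardware failure", "No spare unit on site",
                     "Major", "Unlikely", "Head of IT", "transfer", "Procurement",
                     next_review=date(2024, 10, 1))
    # Step 6: management interface restricted, so likelihood drops while impact stays (20 -> 10).
    fw.apply_treatment("Severe", "Unlikely", applied_on=date(2024, 10, 15))
    # Vendor support contract shortens any outage, so impact drops (8 -> 6); review is now overdue.
    core.apply_treatment("Moderate", "Unlikely", applied_on=date(2024, 6, 1))
    return [fw, wifi, core]


if __name__ == "__main__":
    print(needs_attention(build_sample_register(), date(2024, 11, 5)))
```

Two points of this design matter in practice. An accepted risk keeps its inherent score as its residual score, so it is still compared against the tolerance on every review rather than silently dropping off the list. And the monitoring check flags two different conditions separately, a residual score that is still above tolerance (R-001 after mitigation) and a review date that has passed (R-003), because the first needs a revised treatment plan from the risk owner while the second only needs the scheduled reassessment to actually happen.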

Monitoring and Review

Risk management is ongoing, with regular monitoring of:

  • Security Controls: Ensure they remain effective, adapting to new threats or vulnerabilities.
  • Risk Levels: Track changes in threat landscapes and adjust the risk profile accordingly.
  • Incident Response and Recovery Plans: Ensure readiness to respond effectively to incidents.

Risk Communication

A good risk register is the perfect tool for reporting and documentation, since it allows the organisation to communicate risk status and management activities to stakeholders, such as executives or relevant teams.

What’s next?

In the next article, we’ll use NIST 800-53 security controls as the baseline to build a risk register for corporate assets under the network and network security categories:

NIST Security Controls (ltd)



Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
