5. The Approach to Cybersecurity: Cyber Risk Management 107

(i.e., the vulnerability exists but not the threat). Both the presence of the threat and the existence of the vulnerability are necessary for risk to occur.

After an organization has examined threats and vulnerabilities to identify risks, the next step is to determine their severity so they can be prioritized. Risk severity depends on two factors: the likelihood of the event occurring and its impact if it does occur. Risk severity can be written as the formula:

Risk Severity = Likelihood x Impact

There are two approaches to analyzing risk severity, and both are helpful. A qualitative risk assessment uses coarse-grained categories, and a quantitative risk assessment uses fine-grained numerical values.

5.3.4.1 Qualitative Risk Assessment

A qualitative risk assessment creates scales for likelihood and impact. Scales can be custom defined to suit an organization's needs, but a typical scale ranges from 1 (low) to 5 (high). A risk's likelihood and impact are rated on the scale. The ratings are an estimate based on professional opinion and expertise. It is advisable to assign scores collaboratively in a group setting to help ensure that all the relevant factors are being considered. Once the two values are assigned, they are multiplied together to determine the risk severity. Groups are also defined for levels of risk severity, and may range from low (green), to medium (yellow), to high (red) (see Figure 5.4).

Figure 5.4 A qualitative risk assessment chart for grading risk severity.

For example, a small business has an ecommerce website (a cyber asset) that is their main source of revenue. They have identified several risks to the website, including distributed denial of service (DDoS) attacks that would make their website inaccessible. Based on their research of threat actors and their motivations, they believe a DDoS attack is unlike-
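The qualitative method above, carried through as an added example (not from the textbook): a 1 to 5 scale for each factor, severity as likelihood x impact, severity grouped into low/medium/high bands, a constructed risk register ranked by severity, and the 5x5 chart of Figure 5.4 rendered as text. The band thresholds and the register entries are assumptions; the text defines the bands only by colour.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 (low) .. 5 (high), the typical scale in the text

# Band thresholds are an assumption for this example: the text names the
# bands low (green), medium (yellow), high (red) but gives no cut-offs.
BANDS = (("low", 5), ("medium", 12), ("high", 25))


def severity(likelihood: int, impact: int) -> int:
    """Risk Severity = Likelihood x Impact, both rated on the 1..5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("ratings must be integers from 1 to 5")
    return likelihood * impact


def band(score: int) -> str:
    """Map a severity score onto the qualitative bands (thresholds assumed)."""
    for name, upper in BANDS:
        if score <= upper:
            return name
    raise ValueError("score lies outside the 5x5 chart")


@dataclass
class Risk:
    asset: str
    description: str
    likelihood: int
    impact: int


def prioritize(risks):
    """Return (risk, score, band) tuples, highest severity first."""
    scored = []
    for r in risks:
        s = severity(r.likelihood, r.impact)
        scored.append((r, s, band(s)))
    return sorted(scored, key=lambda t: t[1], reverse=True)  # stable on ties


def chart() -> str:
    """Text rendering of the chart: rows = likelihood, columns = impact."""
    lines = ["L\\I " + " ".join(f"{i:>6}" for i in SCALE)]
    for lk in reversed(SCALE):
        lines.append(f"{lk:>3} " + " ".join(f"{band(severity(lk, i)):>6}" for i in SCALE))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed register for the small-business example; ratings are illustrative.
    register = [Risk("ecommerce site", "DDoS makes the site inaccessible", 1, 5),
                Risk("ecommerce site", "customer account takeover", 4, 3),
                Risk("office laptops", "lost laptop with unencrypted data", 3, 2)]
    for r, s, b in prioritize(register):
        print(f"{s:>2} {b:<6} {r.asset}: {r.description}")
    print(chart())
```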