
From Haunted Systems to Fortified Defenses: A NIST Inspired Risk Assessment Primer

Tags: classllc, keyaanwilliams, nist, risk management | Oct 17, 2023

By: Keyaan Williams

October is a popular month for horror movies, and while risk executives and corporate leaders are not running from Michael Myers, Freddy Krueger, or the zombie apocalypse, the organizations they serve must remain aware of the real threats they face. This awareness ensures that organizations choose responses to these threats that sustain the business and allow the mission to continue in the face of potential and real hazards.

The effort to eliminate or reduce threats and vulnerabilities and to coordinate cybersecurity and data privacy operations requires significant time, energy, and resources. Corporate leaders and the people who support them must understand the hazards they face broadly, as well as the unique concerns that apply to specific industry segments and organizations. Addressing these concerns requires situational awareness: knowing who the relevant threat actors are and assessing the likelihood that motivated threat actors have both the ability and the desire to harm the organization. The key to producing this understanding is risk assessment.

Risk assessment is one of the fundamental components of an organizational risk management program. An effective assessment allows organizations to accurately identify and measure the risk they face so that they can respond properly with the resources they have available. The information produced by an effective assessment highlights what to prioritize and informs the best response required to achieve desirable risk management outcomes. For example, an assessment will identify internal and external vulnerabilities, the impact that given threats may have on the organization, and the likelihood that those threats might materialize, which helps prioritize risk response.

In an ideal situation, risk management is an enterprise-wide activity that is not limited to a single person or function. Risk management should occur at all levels of the organization. Managing Information Security Risk, published by the National Institute of Standards and Technology (NIST) as Special Publication 800-39, suggests that a three-tier hierarchy is the best model for risk management that supports all parts of an organization. The hierarchy places corporate leadership at the top of the pyramid to provide governance and oversight for risk management decisions. Business leaders are in the middle of the pyramid to ensure strategic risk decisions are enforced on the technology systems within their control. Those systems rest at the bottom of the pyramid and receive support from IT, security, and privacy to ensure effective controls are in place to manage risk and achieve the strategic outcomes established by corporate leadership.

Organizations can use risk assessments at the top two tiers of the pyramid to evaluate systemic risks associated with corporate governance and activities. There are also opportunities to examine risks facing key business processes, enterprise architecture, capital planning, and everything else that relates to an enterprise-wide risk management practice. The foundation of the pyramid, tier three, focuses on technology such as IT, OT, and the cloud. At this tier, organizations can use risk assessment to support implementation of the risk management framework and to drive security categorization, control selection, control implementation, and control monitoring.

While assessments can be performed at all levels of the hierarchy, the people conducting the assessment and the purpose of the assessment differ between industries and companies. They also differ within the same organization based on the scope of the assessment and the risk frame that influences the effort. The three-tier risk model ensures the leaders at levels one and two understand broad threats facing the organization and the amount of risk that is acceptable in pursuit of business objectives. Risk assessment at these levels also influences evaluation of the risk appetite statement and the extent to which the organization is operating within acceptable boundaries. The insights at the top of the hierarchy drive the budgets allocated to controls and other risk responses that reduce data and system risk to an acceptable level. The decisions at level one and level two influence the work of technology, security, and privacy leaders to protect corporate systems and data at level three. Together, all three levels work to thwart the efforts of motivated actors who seek to compromise or disrupt the organization. 

In the enterprise context, risk assessment exists to inform risk-based decisions. However, assessments are not precise instruments of measurement. The true risk that exists will depend upon many variables. Performance of the assessment, the results produced, and corporate perceptions about those results work together to shape the decisions ultimately made about how to respond to risk. The subjectivity of the data (or the lack of data), its quality, and its trustworthiness all influence decisions driven by the assessment results. For example, incorrect assumptions about the capabilities and motivation of a threat actor can lead to the wrong decision about how to respond to the threat. Thus, the quality of threat information and threat intelligence is imperative, as is the quality of the other resources and information that support the assessment process and the analysis of its data.

Decisions driven by the assessment become more valuable and effective as data moves from subjective and untrustworthy to precise and trustworthy. An appropriate methodology must be selected for each assessment. Risk management frameworks from organizations like COSO, ISO, and NIST express the result of the assessment as a level of risk. This is often represented in a level of risk determination chart or in a heat map: a table whose rows and columns capture the degree of harm possible, expressed as business impact, and the likelihood of that harm occurring. The intersection of business impact and likelihood gives the level of risk, which helps prioritize different response activities based on the findings of the assessment. The methodology selected and the tools and techniques applied in the process often depend upon the context of the assessment, its purpose, and the environment that supports the technology. IT environments, OT environments, and cloud environments all have unique risks that affect the outcome of the assessment. In addition, the resources available to support the assessment and the skillset of the team performing it have an important impact on the results.
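To make the impact-by-likelihood chart concrete, here is an added example (not from the original post or from NIST) that encodes a qualitative risk matrix, determines a level of risk for each finding, and ranks findings against a stated risk appetite. The matrix values are adapted from the likelihood/impact combination table in SP 800-30 Rev. 1 Appendix I, and the findings and the "Moderate" appetite are constructed for illustration; an organization's own methodology defines the actual mapping.

```python
"""Qualitative risk determination: likelihood x impact -> level of risk.
Constructed example, not from the post. The matrix is adapted from the
likelihood/impact combination table in NIST SP 800-30 Rev. 1 Appendix I;
the organization's chosen methodology governs the actual mapping."""

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: likelihood; columns: impact, ordered Very Low .. Very High.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Return the qualitative level of risk for one likelihood/impact pair."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown rating: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def prioritize(findings, appetite="Moderate"):
    """Rank (name, likelihood, impact) findings from highest to lowest risk
    and flag those above the stated risk appetite, so the response plan
    starts where the acceptable boundary is breached."""
    ranked = []
    for name, likelihood, impact in findings:
        level = risk_level(likelihood, impact)
        ranked.append({"finding": name, "risk": level,
                       "exceeds_appetite": LEVELS.index(level) > LEVELS.index(appetite)})
    ranked.sort(key=lambda f: LEVELS.index(f["risk"]), reverse=True)  # stable
    return ranked


# Constructed, hypothetical findings for illustration only.
SAMPLE_FINDINGS = [
    ("Unpatched internet-facing VPN appliance", "High", "Very High"),
    ("Shared admin account on OT historian", "Moderate", "High"),
    ("Stale contractor accounts in cloud IAM", "Moderate", "Low"),
    ("Missing asset inventory for lab network", "Low", "Moderate"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        flag = "ABOVE APPETITE" if f["exceeds_appetite"] else "within appetite"
        print(f'{f["risk"]:<9} {flag:<16} {f["finding"]}')
```

Swapping in a different matrix or appetite changes the ranking, which is exactly the point the post makes about outcomes depending on the methodology selected.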

Cautionary notes in the Guide for Conducting Risk Assessments (NIST SP 800-30 Revision 1) highlight other concerns related to varying outcomes from risk assessment based on: 

  • The formality, rigor, or level of detail that characterizes the assessment. 
  • The methodologies, tools, and techniques used to conduct the assessment. 
  • The format and content of assessment results and any associated reporting mechanisms. 

Risk assessment is critical because the outcome of the assessment drives how the organization is going to respond to risk. Organizations that establish risk boundaries in a formal risk appetite statement are more likely to have consistent responses to the findings of an assessment. The organizational risk frame and the results of the assessment, working in conjunction with established risk profiles, ensure execution of action plans that maintain risk within acceptable, pre-determined boundaries. Executed properly, the risk management program, the assessment, and the responses produced allow an organization to face all hazards confidently and courageously.   
