Once you have identified the assets of an organisation, the next activity is to undertake a business impact analysis (BIA). BIA is a process that assesses the potential consequence of a risk occurring, such as a security breach. It helps the organisation figure out which important assets could be affected, how severe this would be, and what they would need to do to bring their operations back to business as usual. Risks are associated with assets, and are a function of threat, vulnerability, and impact. Decorative image: Business impact analysis example showing scores and Business impact level costs: eg 0 = none; 1 < £1,000; 2 > £1,000 < £10,000; 3 > £10,000 < £500,000 ;4 > £500,000 < £1 million ;5 > £1 million < £10 million ;6 > £10 million+

Figure 1: Business Impact Analysis

Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the IT Disaster Recovery Plan, Business Recovery Plans and the Incident Management Plan [NIST 800-34].

In Figure 1, you can see a table showing measurement of business impact, ascending from '0' to '6' as the cost of the impact increases from '£0' to 'greater than £10 million'.

Figure 2: Risk management approach

ISO 27005 Risk management standard

This published standard describes an approach to risk management, comprised of four stages, as seen in figure 2 diagram. This describes the risk management process. There are four main stages to this process:

Context: This is where information about the organisation is gathered, including the possible risks. This is the context in which a risk could occur.
Risk assessment: In this phase, risks are identified, analysed, and evaluated. This helps you prioritise which risks are most significant, their consequences, and which risks are acceptable and which require mitigation.
Risk treatment: As part of this stage, you should develop strategies to address any risks that require mitigation. This includes reducing the likelihood of a risk or the impact should it occur.
Monitoring and review: Risk management is an ongoing process and should be reviewed regularly to make sure the risk treatment strategies are still useful and any lessons learned are actioned.

You can also see that continuous monitoring and communication with stakeholders is built into the process.

As one of the key international standards, ISO 27005 is applicable to all organisations. More information can be found on the ISO website.

Risk appetite

Risk management doesn’t occur in a vacuum; it’s there to help the business achieve its objectives. So, the risk manager must understand the business and its priorities, together with the resources it uses and the constraints it works within.

Different organisations have different criteria for deciding how much risk they’re prepared to accept. This is known as their risk appetite.

It’s not uncommon for different business units or departments within the same organisation to have different risk appetites.

Key points

Let’s take a look at the key points:

A business impact analysis (BIA) is a process that assesses the potential consequences of a risk occurring, such as a security breach.
The risk management process consists of four main stages: context, risk assessment, risk treatment and review and monitoring.

The MITRE ATT&CK database

The MITRE ATT&CK database models the techniques cyber criminals use to attack your information security, and then supports you in detecting and stopping them. This is a valuable step in dealing with risks and preventing them. Threat intelligence is a vital part of keeping your organisation secure.

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) is a framework, set of data matrices, and assessment tool developed by MITRE Corporation to help organisations understand their security readiness and uncover vulnerabilities in their defences. https://attack.mitre.org/

For learning to defend, take a look at https://d3fend.mitre.org/. The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualise defensive coverage, red/blue team planning, the frequency of detected techniques, and more. https://mitre-attack.github.io/attack-navigator/

Business impact and risk management model