Using Scenarios in Cyber Risk Quantification
Practical cybersecurity risk analysis begins with developing cyber risk scenarios, describing situations or actions that could result in undesired organizational consequences. These cyber risk scenarios are critical to the cyber risk quantification process, as they represent specific threats or hazards to which the organization may be susceptible and which may result in substantial losses or damages. The effectiveness of the cyber risk quantification process depends on the degree to which these cyber risk scenarios effectively represent known or perceived organizational concerns—the things that keep cybersecurity professionals “up at night.”
Constructing practical cyber risk scenarios is challenging. Many cyber risk quantification methodologies encourage the development of risk scenarios that focus on a specific and targeted asset. For example, in a ransomware attack scenario, the narrative may emphasize the exfiltration or encryption of particular datasets, such as personal health information or intellectual property. While a targeted asset is undoubtedly a critical detail in a risk scenario, it can limit organizational impact analysis by potentially overlooking the asset in the context of its operational significance. The exfiltration of personal health information is indeed a violation of data confidentiality. Still, using this asset in organizational processes—such as delivering medical services to patients—defines a broader range of potential operational disruptions that can result in devastating first-party and third-party losses.
A more effective way to construct cyber risk scenarios that are useful in cyber risk quantification is to use an operational focus. When building risk scenarios, an operational focus considers all of the assets that contribute to an operational mission’s success. For example, consider a manufacturing process for building automobiles. This process includes essential personnel who operate machinery and perform quality control, technologies that automate and oversee the welding and painting processes, information and data that direct operational technologies and inform quality control, and a manufacturing facility. If any of these assets—people, technology, information, or facilities—are disrupted, the operational process may not operate as expected.
The Axio360 Cyber Risk Quantification Method encourages users to adopt an operational view, considering all threats to assets vital to operational processes. An operational mindset constructs a robust cyber risk scenario that assumes a range of disruptions to assets that typically have cyber exposure (such as data and technologies) and other assets critical to the mission. For example, in the manufacturing scenario, an attack on the physical security system that prevents entry to the facility could disrupt the manufacturing process by impeding the use of the facility and preventing people from performing their responsibilities.
Thus, to improve the utility of the cyber risk quantification process, there are a few key objectives to keep in mind when identifying cyber risk:
- Identify the key or critical operational processes essential to supporting the organizational mission.
- For each operational process, identify the assets it relies upon to achieve its mission. Consider the:
  - people that perform the process.
  - information and data used by the process.
  - technologies that automate and control the process.
  - facilities or physical places where the process is performed.
- Consider focusing on cyber risk scenarios that could disrupt, interrupt, or disable the process and so prevent it from achieving its mission; such a scenario likely involves an attack on one or more critical assets. For example, a denial-of-service attack on a production system may result in the unavailability of the technology needed to support the process.
- Keep in mind that while cyber-attacks most often target data and technologies (such as systems and networks), it is plausible that these attacks could render facilities unusable (as noted above in the manufacturing scenario) or impede people’s ability to perform their responsibilities. In many cases, as cyber risk scenarios are developed, an attack’s impact will likely cascade to multiple assets at once. For example, an attack on a cloud-hosted application may render the application system (technology) and its data (information) unavailable at the same time.
- The Threat Objectives in the Axio360 Cyber Risk Quantification platform are easily adapted to this approach. As cyber risk scenarios are constructed, consider how a specific Threat Objective—such as data destruction or alteration—can impact the viability of each critical operational process that has been identified. Since each operational process likely has specific data dependencies, robust and unique scenarios using this Threat Objective may be created for each critical operational process.
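The identification steps above can be captured in a small data model so that scenarios are generated per operational process rather than per isolated asset. The following Python is an added illustration, not code from Axio or the Axio360 platform. It assumes a dependency graph that records which assets stop functioning when another is disrupted, and it maps the two Threat Objectives named on the page to the asset class each acts on directly; both the graph and that mapping are assumptions for the example. The sample assets are constructed from the manufacturing scenario described above.

```python
"""Operationally focused cyber risk scenario builder (added illustration)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class AssetType(Enum):
    """The four asset classes an operational process depends on."""
    PEOPLE = "people"
    INFORMATION = "information"
    TECHNOLOGY = "technology"
    FACILITY = "facility"


@dataclass(frozen=True)
class Asset:
    name: str
    kind: AssetType


@dataclass(frozen=True)
class OperationalProcess:
    name: str
    assets: frozenset[Asset]


@dataclass(frozen=True)
class Scenario:
    process: str
    threat_objective: str
    entry_asset: Asset          # asset the threat objective acts on directly
    affected: frozenset[Asset]  # entry asset plus everything the disruption cascades to


# Threat objectives named on the page, mapped to the asset class each acts on
# directly. The mapping is an assumption made for this example.
DIRECT_TARGETS = {
    "data destruction or alteration": {AssetType.INFORMATION},
    "denial of service": {AssetType.TECHNOLOGY},
}


def propagate(start: Asset, depends_on: dict[Asset, set[Asset]]) -> frozenset[Asset]:
    """Return every asset that is lost when `start` is disrupted.

    depends_on[x] lists the assets that stop functioning if x is disrupted.
    The walk tolerates cycles in the dependency graph.
    """
    affected = {start}
    frontier = [start]
    while frontier:
        current = frontier.pop()
        for dependant in depends_on.get(current, set()):
            if dependant not in affected:
                affected.add(dependant)
                frontier.append(dependant)
    return frozenset(affected)


def build_scenarios(processes, depends_on) -> list[Scenario]:
    """One scenario per (process, threat objective, directly targetable asset)."""
    scenarios = []
    for proc in processes:
        for objective, kinds in DIRECT_TARGETS.items():
            for asset in sorted(proc.assets, key=lambda a: a.name):
                if asset.kind in kinds:
                    scenarios.append(Scenario(proc.name, objective, asset,
                                              propagate(asset, depends_on)))
    return scenarios


def affected_classes(scenario: Scenario) -> set[str]:
    """Asset classes touched by the scenario, showing how far the impact cascades."""
    return {a.kind.value for a in scenario.affected}


def find_scenario(scenarios, objective: str, entry_name: str) -> Scenario:
    return next(s for s in scenarios
                if s.threat_objective == objective and s.entry_asset.name == entry_name)


# Constructed sample data modelled on the automobile manufacturing scenario.
operators = Asset("line operators", AssetType.PEOPLE)
robots = Asset("welding robots", AssetType.TECHNOLOGY)
robot_programs = Asset("robot weld programs", AssetType.INFORMATION)
plant = Asset("assembly plant", AssetType.FACILITY)
door_control = Asset("physical access control system", AssetType.TECHNOLOGY)
cloud_app = Asset("cloud-hosted production app", AssetType.TECHNOLOGY)
schedule = Asset("production schedule data", AssetType.INFORMATION)

ASSEMBLY = OperationalProcess("vehicle assembly", frozenset(
    {operators, robots, robot_programs, plant, door_control, cloud_app, schedule}))

# Assumed cascade rules: disrupting the key makes the listed assets unavailable.
DEPENDS_ON = {
    door_control: {plant},        # no badge access, nobody can enter the facility
    plant: {operators},           # no facility, the people cannot perform the process
    cloud_app: {schedule},        # app outage takes its data down with it
    robot_programs: {robots},     # altered or destroyed programs halt the robots
}

if __name__ == "__main__":
    for s in build_scenarios([ASSEMBLY], DEPENDS_ON):
        print(f"{s.process}: {s.threat_objective} via {s.entry_asset.name} "
              f"-> {sorted(affected_classes(s))}")
```

Running the script lists five scenarios for the single process. A denial-of-service scenario entering through the physical access control system cascades from technology to the facility and then to the people, which is exactly the case the text makes for an operational rather than an asset-centric view.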