Week3 Risk-Process & Analysis

Week-3 Risk: Process to Analysis

Ali Jaddoa

Ali.Jaddoa@roehampton.ac.uk

Date:


25/26

GRC Recap

  • Governance defines accountability
  • Risk informs control decisions
  • Compliance ensures standards are met


Why Risk Identification is Important

  • Missed risks = missed defences
  • Real-world failure: Equifax breach (unpatched vulnerability)
  • Good decisions require good awareness


RECAP: What Is Cyber Risk?

According to ISO 1000:2018, risk is the effect of uncertainty on objectives.


Consists of a relevant threat that exploits a vulnerability with the consequence that an asset gets harmed

  • It is not just technical
  • Includes legal, reputational, financial consequences


RECAP: Cyber Risk Level

  • Risk level is the significance of a risk, expressed in terms of the combination of consequences and their likelihood.


General View of the Risk Environment (Logic Gates)


Cyber Risk Model

  • Risk arises when a TA exploits a vulnerability to harm an asset.
  • Risk increases with: asset value, vulnerability severity, threat strength
  • Threat = Motivation × Capacity
  • Likelihood = Threat × Vuln
  • Risk = Likelihood × Impact



Risk Management Process


Risk Assessment (RA)

It is a core part of risk management and includes three key steps:

  • Risk Identification -> Mapping relevant risks
  • Risk Analysis -> Calculating risk levels
  • Risk Evaluation -> Prioritising risks against thresholds and criteria


Risk Assessment Process

  • Performed regularly (e.g. annually or as needed)
  • Provides a snapshot of current risk levels
  • Often done in iterations:
    • Broad scan -> deeper analysis of key risks


1. Risk Identification

Risk Identification: Basic Approach

  • Basic method involves linking threats, vulnerabilities, and the assets they may impact
  • In theory, all possible combinations could be mapped
  • In practice, this is not feasible; it's time-consuming and rarely efficient


Risk Identification: Practical Approach

  • A more effective strategy is to begin with realistic threat scenarios
    • Ask: What could go wrong?, How might this be misused?, Where could unauthorised access occur?
  • Focusing on threats helps reveal the assets most likely to be affected

A full asset inventory isn’t always necessary, but knowing your key assets improves the relevance and focus of risk identification



Activity: Scenario-Based Risk Identification in groups (10 mins)

Several university departments (HR, Admissions, Finance) allow staff to work remotely and access shared files through a cloud-based login system. A staff member recently used their personal laptop - not encrypted, missing security updates - to log in and download documents while connected to public Wi-Fi at a café.

  • Basic Approach

    • What assets, vulnerabilities, and threats are involved?
  • Practical Approach

    • What could go wrong?
    • Write a one-sentence risk statement:

[Asset] may be compromised due to [vuln] exploited by [threat], leading to [impact].



RA: 1. Risk Identification

1.1 - Identification of Assets

1.2 - Identifying Threats (Threat Modelling: Next Week)

1.3 - Identification of Impacts



1.1: Identifying Assets

Asset: Anything that has value to a person or organisation.

  • Asset identification is the first step in risk assessment
  • The level of detail matters:
    • Too detailed → unmanageable
    • Too broad → lacks actionable value
  • Focus on asset classes instead of individual items where possible
  • Use consistent templates with defined attributes to document each asset


Key Attributes for Describing Assets

| Attribute | Description |
|-----------|-------------|
| ID | Unique identifier for the asset |
| Type | Data, systems, infrastructure, roles |
| Class | Specific item or group of similar assets |
| Data Type | Logs, documents, personnel, financial, etc. |
| Owner/Responsible Party | Entity that owns and/or manages the asset |
| Location | Logical or physical location |
| Business Function | Supported process or operational dependency |
| Data Classification | Sensitivity level (e.g. confidential, internal, public) |
| Impact | Harm caused by breach of confidentiality, integrity, or availability |

Only include attributes relevant to the asset type being assessed.



Common Mistakes in Asset Identification

  • Being too granular - listing every device or file individually
  • Being too vague - e.g. just saying “IT Systems”
  • Missing hidden dependencies (e.g. third-party services or APIs)
  • Overlooking non-technical assets like staff roles or processes
  • Failing to update asset registers regularly


Common Assets

  • Physical Assets: servers, routers, USB drives
  • Information Assets: databases, documents, credentials
  • Software Assets: applications, platforms, APIs
  • People Assets: employees, contractors, privileged users
  • Service Assets: cloud services, backup solutions


1.2: Identifying Threats

Threat Modelling: Next Week

Threat modelling identifies and describes ways attackers might harm your systems



1.3: Identification of Impacts

  • A security incident can breach Confidentiality, Integrity, or Availability (CIA)
  • Impacted assets may include:
    • Operational or personal data
    • Systems, networks, applications
    • Business processes and services

Understanding impact is essential for prioritising risks and response actions.



Assessing Impact Severity

When an incident occurs, impacts can include:

  • Financial loss (revenue, profit)
  • Service disruption or degraded performance
  • Breach of legal or regulatory compliance
  • Reputational damage
  • Recovery and remediation costs
  • Legal costs or penalties
  • Risk of litigation

Not all impacts apply to every incident. Assess which aspects are relevant and evaluate their overall severity; this can be complex but is critical for effective risk analysis.



Assessing Impact Severity

  • Not all incidents affect systems in the same way
  • Impact varies by type (e.g. legal, financial, reputational) and severity
  • Some impacts may be minor; others can be business-critical

Later in this lecture, we’ll explore how impacts can be measured, either qualitatively (e.g. high/medium/low) or quantitatively (e.g. cost, downtime).




RA: 2. Risk Analysis

  • Practical risk analysis usually considers two factors to determine the level of each risk:
    • Likelihood (frequency/probability) of each type of incident
    • Impact resulting from each type of incident

  1. Qualitative Analysis
  2. Relative Analysis (will not be discussed today)
  3. Quantitative Analysis


Qualitative Risk Analysis

  • Uses experience and expert judgement to assess risk.
  • Described using categorical values (e.g., low, medium, high).
  • Fast and effective where precise data is lacking (numerical precision isn't feasible).

Typical attributes include:

  • Likelihood of occurrence (e.g., Rare → Certain).
  • Impact severity (e.g., Insignificant → Disastrous).


Qualitative Likelihood Scale

| Score | Likelihood | Interpretation |
|-------|------------|----------------|
| 5 (High) | Certain | Motivated threat actors can easily execute the threat scenario. Incident likely within a week. |
| 4 | Likely | Threat actors are likely to succeed. Incident may occur within a few months. |
| 3 | Possible | Feasible under some conditions. Incident may occur every couple of years. |
| 2 | Unlikely | Low opportunity for success. Incident might occur once in decades. |
| 1 (Low) | Rare | No practical opportunity. Incident is highly improbable. |

Organisations can customise the scale based on their threat landscape.



Qualitative Impact Scale

| Score | Impact Level | Interpretation |
|-------|--------------|----------------|
| 5 (High) | Disastrous | Severe harm to assets, services paralysed, major financial loss, possible bankruptcy. Long-term recovery needed. External dependencies may also fail. |
| 4 | Major | Major harm, serious service interruption, and high financial loss. Considerable recovery resources required. Some impact on external functions. |
| 3 | Significant | Noticeable asset damage, service interruption, and financial loss. Recovery needs structured effort. Minimal external impact. |
| 2 | Minor | Limited damage with little to no service impact. Small financial loss; manageable with moderate resources. |
| 1 (Low) | Insignificant | Negligible harm, no service interruption, handled within routine operations. No meaningful financial loss. |

This scale can be tailored to align with your organisation’s environment and risk tolerance.



Heat Map of Qualitative Risk Analysis

(e.g. Likely + Impact = 4 + 4 = 8 → High Risk)


Quantitative Risk Analysis

  • Assigns numerical values to both likelihood and impact.
  • Supports more precise risk comparisons and cost-benefit analysis.

Risk is usually calculated as:

RQuant = PQuant × VQuant

We’re trying to turn a qualitative rating into a number that reflects how often something might happen in a year.


Quantitative Likelihood Estimation ()

To use likelihood in risk calculations, we convert it into an estimated frequency per year.

  • Step 1: Choose a Reference Frequency
    • Let Level 5 (“Certain”) be the baseline, occurring times per year
  • Step 2: Apply a Logarithmic Scale
    • Each lower level is less frequent than the one above,
    • Exponent = ordinal qualitative likelihood -5, e.g. 5-5, 4-5, 3-5, etc.
  • Step 3: Use the Formula



Example to measure

If Level 3 = “Possible” and :

This method allows consistent and scalable frequency estimates for risk calculations.



Likelihood Conversion Table (Qualitative to Quantitative) (let's complete it)

| P_Qual (Level) | Exponent (x = P_Qual − 5) | Formula | P_Quant (Events/Year) | Interpretation |
|----------------|---------------------------|---------|-----------------------|----------------|
| 5 (Certain) | | | 50 | Every week |
| 4 (Likely) | | | | |
| 3 (Possible) | | | | |
| 2 (Unlikely) | | | | |
| 1 (Rare) | | | | |


Why Use a Logarithmic Scale?

  • Risk isn't evenly spaced - rare events are much rarer than frequent ones
  • Reflects real-world frequency - some risks happen weekly, others once in decades
  • Each level shifts by a factor of 10 - simple, scalable, and intuitive

| Level | Estimated Frequency |
|-------|---------------------|
| 5 | Every week |
| 4 | Every 2 months |
| 3 | Every 2 years |
| 2 | Every 20 years |
| 1 | Every 200 years |

This conversion mirrors how risks naturally vary - making risk estimation both realistic and structured.



Quantitative Impact Estimation

  • Uses a logarithmic scale to convert qualitative impact into monetary terms
  • Highest impact level (Level 5) is assigned a reference value, e.g.
  • Lower levels are scaled down by powers of 10:

| V_Qual (Level) | Exponent (V_Qual − 5) | Calculation Formula | V_Quant (GBP) | Interpretation |
|----------------|-----------------------|---------------------|---------------|----------------|
| 5 (Disastrous) | 0 | 10,000,000 × 10^0 | £10,000,000 | Total failure or bankruptcy |
| 4 (Major) | −1 | 10,000,000 × 10^-1 | £1,000,000 | Significant financial loss |
| 3 (Significant) | −2 | 10,000,000 × 10^-2 | £100,000 | Major service disruption |
| 2 (Minor) | −3 | 10,000,000 × 10^-3 | £10,000 | Recoverable with effort |
| 1 (Insignificant) | −4 | 10,000,000 × 10^-4 | £1,000 | Easily absorbed loss |

This model ensures impact estimates are consistent, scalable, and aligned with business size.



Quantitative Risk Calculation

Once we’ve estimated likelihood and impact quantitatively:

This gives the expected annual loss in monetary terms and helps compare and prioritise risks.

| P_Qual (Level) | Exponent | P_Quant (Events/Year) | V_Qual (Level) | Exponent | V_Quant (GBP) | R_Quant = P_Quant × V_Quant (GBP/Year) |
|----------------|----------|-----------------------|----------------|----------|---------------|----------------------------------------|
| 3 | −2 | 0.5 | 4 | −1 | £10M × 10^-1 = £1M | £500,000 |
| 2 | −3 | 0.05 | 3 | −2 | £10M × 10^-2 = £100K | £5,000 |
| 5 | 0 | 50 | 5 | 0 | £10M × 10^0 = £10M | £500,000,000 |

The values reflect relative severity, not how often loss actually occurs.
High risk scores support investment decisions and control priorities.


Important Considerations:
  • If is bankruptcy and is once per week,
    → It doesn’t mean the company will go bankrupt every week.

  • Severe incidents often lead to one-time loss followed by recovery or stronger controls.

  • In such cases, the expected loss = impact,
    and the likelihood shows how soon it could happen.

Key Point:

Shows the relative severity across risks - not literal recurrence.

Use the result to prioritise risks and allocate appropriate resources.



Risk Treatment: Overview (For Reference Only)

After risk analysis, we choose how to respond to unacceptable risks:

  • Reduce: apply security controls (e.g. ISO 27002, NIST CSF)
  • Share: transfer to a third party or insure (e.g. cyber insurance)
  • Retain: accept the risk if the cost of treatment is too high
  • Avoid: stop the risky activity entirely

Controls should be considered if:
ROI = Risk Reduction − Cost is positive

Residual risk remains after treatment and must be:
understood, monitored, and justified.

Risk management is continuous - not a one-time action.
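The conversion steps above (reference frequency of 50 events/year for Level 5 likelihood, reference impact of £10,000,000 for Level 5, each lower level scaled by a factor of 10, then R_Quant = P_Quant × V_Quant) and the ROI test for controls can be carried through in a few functions. The block below is an added example written for these notes, not code from the lecture; the risk register, the control cost and the heat-map band thresholds are constructed or assumed where marked.

```python
"""Qualitative-to-quantitative risk calculation following the lecture's log-10
conversion and R_Quant = P_Quant x V_Quant. The sample register below is
constructed from the remote-working activity scenario, not real data."""
from dataclasses import dataclass

REFERENCE_FREQUENCY = 50           # events/year for Level 5 "Certain" (lecture's table)
REFERENCE_IMPACT_GBP = 10_000_000  # GBP for Level 5 "Disastrous" (lecture's table)
LEVELS = (1, 2, 3, 4, 5)

LIKELIHOOD_LABELS = {5: "Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
IMPACT_LABELS = {5: "Disastrous", 4: "Major", 3: "Significant", 2: "Minor", 1: "Insignificant"}


def _check_level(level: int) -> None:
    if level not in LEVELS:
        raise ValueError(f"qualitative level must be 1..5, got {level!r}")


def likelihood_per_year(p_qual: int) -> float:
    """P_Quant = 50 * 10^(P_Qual - 5): each level down is ten times rarer.
    Written as division by an integer power of ten so that 50/100 is exactly 0.5."""
    _check_level(p_qual)
    return REFERENCE_FREQUENCY / 10 ** (5 - p_qual)


def impact_gbp(v_qual: int) -> float:
    """V_Quant = 10,000,000 * 10^(V_Qual - 5): impact scaled down by powers of ten."""
    _check_level(v_qual)
    return REFERENCE_IMPACT_GBP / 10 ** (5 - v_qual)


def annual_risk_gbp(p_qual: int, v_qual: int) -> float:
    """R_Quant = P_Quant x V_Quant, the expected annual loss used to rank risks.
    A Level 5 / Level 5 risk scores GBP 500M/year: a relative severity figure,
    not a prediction that the organisation goes bankrupt fifty times a year."""
    return likelihood_per_year(p_qual) * impact_gbp(v_qual)


def years_until_expected(p_qual: int) -> float:
    """How soon the scenario could plausibly occur: 1 / P_Quant, in years
    (Level 5 -> about a week, Level 1 -> about two centuries)."""
    return 1 / likelihood_per_year(p_qual)


def qualitative_score(p_qual: int, v_qual: int) -> int:
    """Heat-map score as on the lecture's heat map: likelihood + impact (4 + 4 = 8)."""
    _check_level(p_qual)
    _check_level(v_qual)
    return p_qual + v_qual


def qualitative_band(p_qual: int, v_qual: int) -> str:
    """Band thresholds are an assumption for this example (the lecture only states
    that a score of 8 is High); tune them to the organisation's risk appetite."""
    score = qualitative_score(p_qual, v_qual)
    if score >= 8:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def control_roi(risk_before_gbp: float, risk_after_gbp: float, control_cost_gbp: float) -> float:
    """ROI = Risk Reduction - Cost; a control is worth considering when this is positive."""
    return (risk_before_gbp - risk_after_gbp) - control_cost_gbp


@dataclass(frozen=True)
class Risk:
    statement: str  # "[Asset] may be compromised due to [vuln] exploited by [threat], leading to [impact]"
    p_qual: int
    v_qual: int


def rank_risks(register):
    """Return (statement, expected annual loss in GBP) pairs, highest first."""
    scored = [(r.statement, annual_risk_gbp(r.p_qual, r.v_qual)) for r in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register (levels chosen for illustration only).
SAMPLE_REGISTER = [
    Risk("HR documents may be disclosed due to an unencrypted personal laptop "
         "exploited by device theft, leading to a data-protection breach", 3, 4),
    Risk("Admissions credentials may be captured due to missing security updates "
         "exploited by malware on public Wi-Fi, leading to unauthorised cloud access", 4, 2),
    Risk("Finance share may be encrypted due to the same laptop exploited by "
         "ransomware, leading to service disruption", 2, 3),
]

if __name__ == "__main__":
    for statement, loss in rank_risks(SAMPLE_REGISTER):
        print(f"GBP {loss:>12,.0f}/year  {statement}")
    # Treatment check: disk encryption plus patching is assumed to move the top
    # risk's likelihood from Level 3 to Level 1 at an assumed cost of GBP 20,000.
    before = annual_risk_gbp(3, 4)
    after = annual_risk_gbp(1, 4)
    print("ROI of encryption + patching (GBP):", control_roi(before, after, 20_000))
```

Running the script ranks the three constructed risks at £500,000, £50,000 and £5,000 per year and reports a positive ROI (£475,000) for the assumed control, which is the decision signal the treatment slide describes; the figures only support a relative ordering, in line with the caveat that a high R_Quant expresses severity rather than literal recurrence.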



Lab/Activities

  • View your weekly lab from here

  • (Last 10-30 mins) Assessment 1 release; please review your assessment from here



Likelihood Conversion Table (completed)

| **$P_{Qual}$ (Level)** | **Exponent ($x = P_{Qual} − 5$)** | **Formula** | **$P_{Quant}$ (Events/Year)** | **Interpretation** |
|------------------------|-----------------------------------|-------------|-------------------------------|--------------------|
| 5 (Certain) | $x = 5 - 5 = 0$ | $50 \cdot 10^0$ | 50 | Every week |
| 4 (Likely) | $x = 4 - 5 = -1$ | $50 \cdot 10^{-1}$ | 5 | Every 2 months |
| 3 (Possible) | $x = 3 - 5 = -2$ | $50 \cdot 10^{-2}$ | 0.5 | Every 2 years |
| 2 (Unlikely) | $x = 2 - 5 = -3$ | $50 \cdot 10^{-3}$ | 0.05 | Once every 20 years |
| 1 (Rare) | $x = 1 - 5 = -4$ | $50 \cdot 10^{-4}$ | 0.005 | Once every 200 years |