Elemental
Newcomer II

Cyber Security Risk Matrix

Hi all

My organisation has a fairly standard ISO 31000 / qualitative (consequence / likelihood) based RISK MATRIX.

The risk matrix does not include anything about cybersecurity. I know risks impact the C, I and A and they can be linked back to other risk dimensions such as 'reputation and media' or 'legal' or 'assets' or 'WHS' etc, however, we would like a RISK MATRIX that includes cybersecurity.

I was wondering if anyone knows of a NIST Cyber Security Framework RISK MATRIX?

I found the ISO 27005 Risk Matrix. 

Are there any other cybersecurity risk matrices anyone can recommend?

My intention here is 1 of 2 things:

1.) Update our existing Risk Matrix to include a 'Cybersecurity' category; or

2.) Have a separate Risk Matrix for Cyber Security.

Thank you for your assistance

Luke

5 Replies
Steve-Wilme
Advocate II

Many organisations use a 5 by 5 matrix, so that they can plot a heat map later and only look at likelihood and impact. You can put qualitative labels against each row and column and specify a range of probabilities or financial impacts. Commercial organisations tend to turn impacts into monetary amounts. So reputational impact would be treated as future lost customers/sales. The money invested building a brand is a sunk cost.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Elemental
Newcomer II

Hi Steve

Thank you for the reply. I am currently using a 5 x 5 risk matrix. The matrix includes different risk dimensions such as 'reputation and media', 'health and safety', 'operational assets' etc and includes consequence and likelihood.

The matrix also includes 'low, medium, high, very high, extreme' risk levels.

None of this mentions cybersecurity. I was hoping someone might have a cybersecurity specific risk matrix or an example of how they have included a 'cybersecurity risk dimension' in their existing business risk matrix.

Specifically, NIST CSF or ISO 27005 (or a similar standard).

Thanks

Luke

Steve-Wilme
Advocate II

Perhaps InfoSec / CyberSec isn't understood as a business risk in your organisation. It can be dismissed in some organisations as a technical thing that is somehow owned by the IT department. There's also a tendency amongst some risk professionals not to want to engage as they fear highly technical explanations of risks that they won't understand. It doesn't help acceptance into a risk management community of practice to have that perception. Going from zero to a highly mature way of incorporating cybersec risks isn't likely to be something that you can introduce in a single step, so you may need to think through where you're trying to get to, then introduce a number of small incremental changes that take the organisation in a good direction.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
tmekelburg1
Community Champion

Like Steve is saying, the cyber risk should fit into your existing model. An example would be, if your HVAC system gets owned and the temp is increased or decreased it could be looked at as a health and safety risk category.

Our organization doesn't even care if we track what kind of risk category it's in (e.g., reputation and media, health and safety, operational assets) because we don't believe it's important information to have. What we care about are the likelihood, impact, and how we can mitigate the risk to an acceptable level before we move forward. We have other metrics we track as well but those are the most important to us.

I would start with NIST SP 800-30r1 and 800-39 as a place to reference if you want to use NIST.
Elemental
Newcomer II

Thank you both for the replies. We have a 5 x 5 matrix and we use specific risk dimensions / categories.

Some people introduce a specific 'Cybersecurity' category while other people include 'Cyber Security Incidents' within the existing 'WHS, Legal, Reputational' type categories.

My preference would be the latter as that leaves the matrix as purely a business risk but introduces the concept of cyber breaches / incident severity into the mix.

I have seen these over the years (but of course cannot find one when I need it).

If anyone has a good example they could share that would be appreciated.

Cheers

Luke
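An added worked example, not code posted by anyone in this thread: a 5 x 5 qualitative matrix of the kind Steve describes (probability ranges and financial bands behind the labels, reputational impact monetised as lost customers) combined with the approach Luke prefers, where a 'Cyber security incident' consequence descriptor sits alongside the existing business dimensions instead of in a separate matrix. Every band, threshold, descriptor and heat-map cell is a constructed assumption chosen for illustration; they are not values published by ISO 31000, ISO 27005 or NIST, and a real matrix would take them from the organisation's own risk appetite.

```python
"""5 x 5 qualitative risk matrix with a cyber security consequence descriptor.

Every band, threshold, descriptor and heat-map cell below is a constructed
assumption for illustration only, not a value from any standard.
"""
import bisect

# Likelihood bands: (label, upper bound of the assumed annual probability range).
LIKELIHOOD = [
    ("Rare", 0.05),
    ("Unlikely", 0.20),
    ("Possible", 0.50),
    ("Likely", 0.80),
    ("Almost certain", 1.00),
]

# Consequence bands: (label, upper bound of the assumed financial impact in dollars).
CONSEQUENCE = [
    ("Insignificant", 10_000),
    ("Minor", 100_000),
    ("Moderate", 1_000_000),
    ("Major", 10_000_000),
    ("Catastrophic", float("inf")),
]

# Qualitative descriptors per risk dimension; index 0..4 lines up with CONSEQUENCE.
# "Cyber security incident" is the dimension added to the business matrix;
# all wording is constructed for this example.
DESCRIPTORS = {
    "Reputation and media": [
        "No external attention", "Local media mention", "Sustained national coverage",
        "Loss of key customers", "Brand permanently damaged",
    ],
    "Health and safety": [
        "No injury", "First-aid treatment", "Medical treatment, lost time",
        "Permanent disability", "Fatality",
    ],
    "Cyber security incident": [
        "Phishing attempt blocked, nothing accessed",
        "Single workstation compromised, no sensitive data",
        "Internal data exposed, regulator notified",
        "Customer personal data breached, public disclosure",
        "Core systems lost or mass exfiltration, prolonged outage",
    ],
}

LEVELS = ["Low", "Medium", "High", "Very high", "Extreme"]

# HEAT_MAP[likelihood_index][consequence_index] -> index into LEVELS (assumed).
HEAT_MAP = [
    [0, 0, 1, 1, 2],  # Rare
    [0, 1, 1, 2, 2],  # Unlikely
    [1, 1, 2, 2, 3],  # Possible
    [1, 2, 2, 3, 4],  # Likely
    [2, 2, 3, 4, 4],  # Almost certain
]


def _band_index(bands, value):
    """Index of the first band whose upper bound is >= value (bands are ascending)."""
    return bisect.bisect_left([upper for _, upper in bands], value)


def likelihood_index(probability):
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return _band_index(LIKELIHOOD, probability)


def consequence_index(dollars):
    if dollars < 0:
        raise ValueError("financial impact cannot be negative")
    return _band_index(CONSEQUENCE, dollars)


def risk_level(li, ci):
    """Look up the cell of the heat map for a likelihood and consequence band."""
    return LEVELS[HEAT_MAP[li][ci]]


def rate_risk(probability, dollars):
    """Rate a quantified risk: (likelihood label, consequence label, risk level)."""
    li, ci = likelihood_index(probability), consequence_index(dollars)
    return LIKELIHOOD[li][0], CONSEQUENCE[ci][0], risk_level(li, ci)


def rate_by_descriptor(dimension, descriptor, probability):
    """Rate a risk described qualitatively against one dimension's descriptor text."""
    ci = DESCRIPTORS[dimension].index(descriptor)
    li = likelihood_index(probability)
    return LIKELIHOOD[li][0], CONSEQUENCE[ci][0], risk_level(li, ci)


def monetise_lost_customers(customers_lost, annual_value_per_customer, years):
    """Reputational impact expressed as future lost sales, as Steve suggests."""
    return customers_lost * annual_value_per_customer * years


def annual_loss_expectancy(probability, dollars):
    """Quantitative companion figure to the qualitative rating."""
    return probability * dollars


def render_heat_map():
    """Render the matrix as text: rows are likelihood bands, columns consequence bands."""
    width = max(len(label) for label, _ in LIKELIHOOD)
    lines = [" " * width + "  " + "  ".join(f"{label:>13}" for label, _ in CONSEQUENCE)]
    for li, (label, _) in enumerate(LIKELIHOOD):
        cells = "  ".join(f"{risk_level(li, ci):>13}" for ci in range(len(CONSEQUENCE)))
        lines.append(f"{label:>{width}}  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_heat_map())
    print(rate_risk(0.30, 250_000))
    impact = monetise_lost_customers(200, 1_200, 3)  # constructed scenario
    print(rate_risk(0.15, impact), annual_loss_expectancy(0.15, impact))
    print(rate_by_descriptor("Cyber security incident",
                             "Customer personal data breached, public disclosure", 0.60))
```

The point of keeping one `HEAT_MAP` and one set of consequence bands is that a cyber incident rated through its descriptor lands on exactly the same Low-to-Extreme scale as a safety or reputational event, so the business can compare and prioritise them without a separate cyber matrix; the bands and descriptors are the parts a risk owner would replace with their own.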