My organisation has a fairly standard ISO 31000 / qualitative (consequence / likelihood) based RISK MATRIX.
The risk matrix does not include anything about cybersecurity. I know risks impact the C, I and A and they can be linked back to other risk dimensions such as 'reputation and media' or 'legal' or 'assets' or 'WHS' etc; however, we would like a RISK MATRIX that includes cybersecurity.
I was wondering if anyone knows of a NIST Cyber Security Framework RISK MATRIX?
I found the ISO 27005 Risk Matrix.
Are there any other cybersecurity risk matrices anyone can recommend?
My intention here is 1 of 2 things:
1.) Update our existing Risk Matrix to include a 'Cybersecurity' category; or
2.) Have a separate Risk Matrix for Cyber Security.
Thank you for your assistance
Many organisations use a 5 by 5 matrix, so that they can plot a heat map later and only look at likelihood and impact. You can put qualitative labels against each row and column and specify a range of probabilities or financial impacts. Commercial organisations tend to turn impacts into monetary amounts. So reputational impact would be treated as future lost customers/sales. The money invested building a brand is a sunk cost.
Thank you for the reply. I am currently using a 5 x 5 risk matrix. The matrix includes different risk dimensions such as 'reputation and media', 'health and safety', 'operational assets' etc and includes consequence and likelihood.
The matrix also includes 'low, medium, high, very high, extreme' risk levels.
None of this mentions cybersecurity. I was hoping someone might have a cybersecurity specific risk matrix or an example of how they have included a 'cybersecurity risk dimension' in their existing business risk matrix.
Specifically, NIST CSF or ISO 27005 (or a similar standard).
Perhaps InfoSec / CyberSec isn't understood as a business risk in your organisation. It can be dismissed in some organisations as a technical thing that is somehow owned by the IT department. There's also a tendency amongst some risk professionals not to want to engage, as they fear highly technical explanations of risks that they won't understand. It doesn't help acceptance into a risk management community of practice to have that perception. Going from zero to a highly mature way of incorporating cybersec risks isn't likely to be something that you can introduce in a single step, so you may need to think through where you're trying to get to, then introduce a number of small incremental changes that take the organisation in a good direction.
Thank you both for the replies. We have a 5 x 5 matrix and we use specific risk dimensions / categories.
Some people introduce a specific 'Cybersecurity' category while other people include 'Cyber Security Incidents' within the existing 'WHS, Legal, Reputational' type categories.
My preference would be the latter as that leaves the matrix as purely a business risk but introduces the concept of cyber breaches / incident severity into the mix.
I have seen these over the years (but of course cannot find one when I need it).
If anyone has a good example they could share, that would be appreciated.