Organisations need to overcome the natural urge to respond to a threat and instead pragmatically assess the business risk. Utilising the Cyber Kill Chain, we’ve created a communication framework that allows you to understand whether a cyber threat is a business risk that needs attention.

Looking at every single threat and compiling a list of every vulnerability is time-consuming and futile because the number of possible threats is endless. Imagine a patient at a doctor’s surgery, the patient is unwell and asks the doctor for a diagnosis, the doctor then compiles a list of every disease known and goes down the list checking off what the patient does or doesn’t have. This method of diagnosing a patient would be inefficient and incredibly arduous; the same goes for cyber security. We need to do it in reverse.

It is about asking and answering the most important questions.

A prioritised list of risks based on two key elements – is the event probable? And if it did happen, what effect would it have on your organisation? – needs to be established. Spreading resources across every possible threat, means that severe cases won’t be investigated thoroughly, ultimately, leaving your organisation vulnerable to attack.

It is the business that needs to answer these questions; identifying and prioritising critical assets, and understanding what information is most valuable to the business. Business risk is unique to every organisation, and can only be pragmatically assessed through defining the level of risk against the probability and likelihood that it would happen to your organisation. Cyber security is not just an IT problem, it’s an enterprise-wide, business issue, that should be handled in the same way that other business risks are handled.

Secrutiny’s Cyber Risk vs Business Risk Framework

One of the most powerful tools we have developed to help our customers better understand their organisation’s cyber risk, and demonstrate to their executive what is being done to mitigate the business risk, is our Cyber Risk vs Business Risk Framework.

It uses a classic hierarchy model to map the industry-standard Kill Chain (describing the structure of an attack) against areas of the business that are at greatest risk of exploitation via tools, tactics and procedures commonly deployed by malicious actors.

Cyber Risk vs Business Risk Framework.

Cyber Risk vs Business Risk Framework.

With this framework, it is possible to:

  1. Determine remediation priorities.
  2. Engage with the business to govern risk.
  3. Define Incident Response playbooks and Service Level Agreements.
  4. Inform stage of attack.
  5. Identify gaps in visibility and control.
  6. Operate a security service informing business risk.

The communication framework can also be used to determine the stage of attack in Incident Response. In all breaches, the threat actor must affect some, or all, of the levels of the kill chain, manipulating the categories of risk to achieve their target. For example, the existence of malware does not imply that a breach has occurred. In most cases, it is simply an infection that can indicate a potential incident or probable risk.

What makes this so valuable is it highlights that the further up the Kill Chain a malicious actor can go, the greater the business risk to the organisation. The simplicity of the Cyber Risk vs Business Risk Hierarchy belies its value – it allows you to apply context. With context, you gain visibility because you know where and how risks will materialise. And once you’ve got visibility – you can then gain control.

You’ve Identified Visibility and Context on Risk, Now It’s Time to Take Control

Now you know your risks, you can begin to determine prevention measures to both minimise the impact and better protect your organisation.

To quantify and manage these risks, you need to be forensic in your approach. We’ve mapped out the seven key focus areas designed to help you change the cyber security conversation from one that’s distracted by threat to one that’s focused on business risk.

Read Them Now