I often think that “risk management” is a misnomer. You don’t actually manage risk. For all of the claims made by the statisticians, there is a polar element to any risk of attack, cyber or otherwise. Either you’ll get attacked or you won’t; I calculate that at 50/50. Factor in the sheer number of automated bots designed to scan for vulnerabilities anywhere at all, multiply that by the fact that the longer your organisation is around, the more likely they are to lay into you, and you can see that it’s not even 50/50: it’s a question of when, rather than if, someone launches a cyber-attack against you.
This is why deploying appropriate risk management software is vital. It doesn’t manage the risk as such; it manages the impact once the inevitable has happened. And to manage that impact it needs to assess not whether, but when, an incident is likely to happen.
The academic in all of us is likely to find just how this “when” is worked out quite fascinating. There are a number of methodologies; one of them even has an ISO number all to itself.
Mostly they take metrics and analyse them. There will be a risk log of the obvious risks to the business, individually configured. There may be an event chain methodology, an extended “if this happens, then that will follow” flow chart of how your company might end up in trouble. Probability-based models can pinpoint the likelihood of an incident happening at a particular time (though not the disappointment when staff are standing there waiting for a collapse that fails to happen on cue). And there are established risk maturity models such as RIMM, which takes 25 competency drivers and assesses risk on that basis.
A good tool will be easy to use. It will be visual rather than theoretical so that your internal analysts will understand it. It may well be introduced by an expert partner or supplier who can add significant value while your business plays to its own strengths. It will warn you of what’s likely and when, and this will help arm you with strategies to cope with events.
At the end of it, the risk is still the same. 50/50, you’ll either get attacked or you won’t. It’s just that when you do, you’ll be more prepared if you’ve already taken mitigating steps.