Cybersecurity Risk Assessments

What are Cybersecurity Risk Assessments?

There are several tools available for assessing both specific and broad cybersecurity risks. Consider performing risk assessments at the organizational level as well as subscribing to alerts regarding larger-scale threats. The following rubric may be used to classify the risk of systems in your organization:¹

  • Low Risk
    • System processes and/or stores public data
    • System is easily recoverable and reproducible
    • System provides an informational / non-critical service
  • Moderate Risk
    • System processes and/or stores non-public or internal-use data
    • System is internally trusted by other networked systems
    • System provides a normal or important service
  • High Risk
    • System processes and/or stores confidential or restricted data
    • System is highly trusted by networked systems
    • System provides a critical or organization-wide service
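A small classifier that applies the three-tier rubric above to a system inventory, as an added example that is not part of the original article. The criteria are the article's; the attribute vocabulary and the combining rule (a system takes the highest tier that any single criterion places it in, and a system that is not easily recoverable is treated as at least Moderate) are assumptions made here.

```python
"""Classify systems into the Low / Moderate / High rubric.

Added example. The rubric criteria come from the article; the attribute
values and the "highest tier wins" combining rule are assumptions.
"""
from dataclasses import dataclass

# Each attribute value maps to the tier the rubric lists it under.
DATA_TIERS = {"public": "Low", "internal": "Moderate",
              "confidential": "High", "restricted": "High"}
TRUST_TIERS = {"none": "Low", "internal": "Moderate", "high": "High"}
SERVICE_TIERS = {"informational": "Low", "normal": "Moderate",
                 "important": "Moderate", "critical": "High",
                 "organization-wide": "High"}
TIER_RANK = {"Low": 0, "Moderate": 1, "High": 2}


@dataclass
class System:
    name: str
    data: str       # public | internal | confidential | restricted
    trust: str      # trust placed in it by other networked systems: none | internal | high
    service: str    # informational | normal | important | critical | organization-wide
    easily_recoverable: bool = True


def classify(system: System) -> tuple[str, list[str]]:
    """Return (tier, reasons): the highest tier any criterion reaches,
    plus the criteria that drove it, so the assessment is auditable."""
    for value, table in ((system.data, DATA_TIERS), (system.trust, TRUST_TIERS),
                         (system.service, SERVICE_TIERS)):
        if value not in table:
            raise ValueError(f"{system.name}: unknown attribute value {value!r}")
    findings = [
        (DATA_TIERS[system.data], f"stores {system.data} data"),
        (TRUST_TIERS[system.trust], f"{system.trust} trust from networked systems"),
        (SERVICE_TIERS[system.service], f"provides a {system.service} service"),
    ]
    # Easy recoverability appears only under Low; a hard-to-recover system
    # therefore cannot be Low (assumption: floor it at Moderate).
    if not system.easily_recoverable:
        findings.append(("Moderate", "not easily recoverable or reproducible"))
    top_tier = max(tier for tier, _ in findings)
    top_tier = max(findings, key=lambda f: TIER_RANK[f[0]])[0]
    return top_tier, [why for tier, why in findings if tier == top_tier]


def assess(inventory: list[System]) -> dict[str, str]:
    """Map each system name to its tier; constructed inventories go here."""
    return {s.name: classify(s)[0] for s in inventory}
```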

The Center for Internet Security (CIS) uses the following color-coded alert level system in order to provide individuals and organizations with timely advisories regarding known vulnerabilities in popular software.²

  • GREEN or LOW indicates a low risk. No unusual activity exists beyond the normal concern for known hacking activities, known viruses, or other malicious activity.
  • BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
  • YELLOW or ELEVATED indicates a significant risk due to increased hacking, virus, or other malicious activity that compromises systems or diminishes service. At this level, there are known vulnerabilities that are being exploited with a moderate level of damage or disruption, or the potential for significant damage or disruption is high.
  • ORANGE or HIGH indicates a high risk of increased hacking, virus, or other malicious cyber activity that targets or compromises core infrastructure, causes multiple service outages, causes multiple system compromises, or compromises critical infrastructure. At this level, vulnerabilities are being exploited with a high level of damage or disruption, or the potential for severe damage or disruption is high.
  • RED or SEVERE indicates a severe risk of hacking, virus, or other malicious activity resulting in widespread outages and/or significantly destructive compromises to systems with no known remedy, or debilitating one or more critical infrastructure sectors. At this level, vulnerabilities are being exploited with a severe or widespread level of damage or disruption to Critical Infrastructure Assets.

CISA uses the National Cyber Incident Scoring System (NCISS) to assess risk from a nationwide perspective, with scores ranging from 0 to 100.³ After an incident is scored, it is assigned one of the following priority levels:

  • Baseline. A baseline priority incident is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The bulk of incidents will likely fall into the baseline priority level with many of them being routine data losses or incidents that may be immediately resolved. However, some incidents may require closer scrutiny as they may have the potential to escalate after additional research is completed. In order to differentiate between these two types of baseline incidents, and seamlessly integrate with the CISS, the NCISS separates baseline incidents into Baseline–Minor (Blue) and Baseline–Negligible (White).
  • Low (Green). A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
  • Medium (Yellow). A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
  • High (Orange). A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
  • Severe (Red). A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties.
  • Emergency (Black). An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons.

¹ UIOWA, 2022, “System Risk Analysis”

² CIS, 2022, “MS-ISAC”

³ CISA, 2022, “CISA National Cyber Incident Scoring System”