1. Cybersecurity

1.3. Risk, asset, vulnerability

1.3.1 Risk

Before defining the terms threat, event, incident and attack, we consider it necessary to give at least a general definition of the term “risk”, to which the subsequently defined terms are directly related.

The Cybersecurity Glossary defines risk as: “(1) Danger, possibility of damage, loss, failure. (2) The effect of uncertainty on the achievement of objectives. (3) The possibility that a particular threat exploits the vulnerability of an asset or group of assets and causes damage to the organisation.” [1]

Risk can also be defined as the potential for a threat to become real and exploit an asset's vulnerability. According to Article 4 (9) of the NIS, a risk is “any reasonably identifiable circumstance or event that could have a negative impact on the security of networks and information systems.” In cyberspace, users, computer systems and applications, as well as other elements of ICT, are at risk.

The term “risk” expresses the probability with which an unwanted event can occur. The degree of probability that this event will occur is expressed through risk analysis. Minimum standard values for methods of identification, analysis, evaluation and treatment of risks are defined in ČSN EN 31010.

Valášek et al. [2] state that risk assessment is usually based on three basic questions:

  • What can go wrong (be unwanted)? What can fail?
  • What is the possibility/probability that this will happen?
  • How serious (intensity, size, etc.) can the effects (impacts, consequences) be?

According to Valášek, however, these questions represent only a basic framework for defining the risk itself. In addition to these three questions, the following supplementary questions are asked, which relate to significant factors influencing the risk characterisation:

Factor               | Question
---------------------|------------------------------------------------------------------
Time                 | “How long will we be exposed to risk (threat)?”
Instability          | “How close are the estimates of the impacts of a risk event to reality?”
Complexity           | “Is it difficult to understand risk?”
Mutual relationships | “How far are the different risks or risk factors related?”
Influence            | “Is it possible to manage risk?”
Life cycle           | “How does risk change over time?”
Cost effectiveness   | “How costly are measures in relation to risk?”

For each risk, its degree of significance is calculated, which can be expressed as follows:

Significance of risk = Impacts of risk * Probability of risk occurrence

“The result of the risk analysis is to determine the significance of the defined risks. Each risk, with respect to the assigned task, has different impacts that it can cause. We evaluate the impacts of risk or consequences on a five-point scale, for example, as follows:”

Points | Impact of risk | Description of impact
-------|----------------|------------------------------------------------------------------
5      | CRISIS         | The situation will fundamentally reduce or terminate the company's operations (e.g. bankruptcy, loss of life, etc.).
4      | SIGNIFICANT    | The situation very dangerously affects the internal and external operation of the company (e.g. the occurrence of significant financial losses – 100% over budget, time, the emergence of litigation, injuries, etc.).
3      | MEDIUM         | The situation will dangerously affect the internal and external operation of the company (e.g. losses will occur, but the company is able to continue to operate, financial losses will occur up to 30% of the budget, etc.).
2      | INSIGNIFICANT  | The situation limits the internal operation of the company (e.g. there will be time delays of up to 30 days).
1      | NEGLIGIBLE     | Although the situation negatively limits the operation of the company, it does not cause losses greater than 5%.

In addition to the impact, individual risks may or may not occur. Therefore, the probability of risk occurrence is determined. Occurrence is again evaluated on a five-point scale as follows: [3]

Points | Probability of risk occurrence | Occurrence description
-------|--------------------------------|------------------------------------------------------------
5      | SURE                           | Risk occurs almost always or with a probability of 90–100%.
4      | LIKELY                         | The risk is likely to occur.
3      | POSSIBLE                       | Risk may sometimes occur (e.g. under specific conditions).
2      | UNLIKELY                       | Risk may sometimes occur, but it is unlikely.
1      | IMPOSSIBLE                     | Risk occurs only in exceptional cases and under specific conditions.
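The following added example (not part of the chapter or its cited sources) applies the formula Significance of risk = Impacts of risk * Probability of risk occurrence to the two five-point scales above, builds the resulting 5x5 risk matrix and ranks a constructed sample risk register. The register entries and the tie-breaking rule (higher impact ranks first at equal significance) are assumptions made for the example.

```python
from dataclasses import dataclass

# Five-point scales as given in the chapter (points -> label).
PROBABILITY = {5: "SURE", 4: "LIKELY", 3: "POSSIBLE", 2: "UNLIKELY", 1: "IMPOSSIBLE"}
IMPACT = {5: "CRISIS", 4: "SIGNIFICANT", 3: "MEDIUM", 2: "INSIGNIFICANT", 1: "NEGLIGIBLE"}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # points 1..5 from the impact table
    probability: int  # points 1..5 from the occurrence table


def significance(impact: int, probability: int) -> int:
    """Significance of risk = Impacts of risk * Probability of risk occurrence."""
    if impact not in IMPACT or probability not in PROBABILITY:
        raise ValueError("impact and probability must be points 1..5")
    return impact * probability


def risk_matrix() -> list[list[int]]:
    """5x5 significance matrix: rows are impact 5..1, columns are probability 1..5."""
    return [[significance(i, p) for p in range(1, 6)] for i in range(5, 0, -1)]


def rank_risks(risks: list[Risk]) -> list[tuple[Risk, int]]:
    """Order risks by significance, highest first. Assumption for this example:
    at equal significance the risk with the higher impact is listed first."""
    scored = [(r, significance(r.impact, r.probability)) for r in risks]
    return sorted(scored, key=lambda rs: (rs[1], rs[0].impact), reverse=True)


# Constructed sample register for illustration only (not from the chapter).
SAMPLE_REGISTER = [
    Risk("Unpatched perimeter firewall exploited", impact=4, probability=3),
    Risk("Phishing leads to credential theft", impact=3, probability=4),
    Risk("Data-centre fire", impact=5, probability=1),
    Risk("Backup job silently fails", impact=4, probability=2),
]

if __name__ == "__main__":
    for risk, score in rank_risks(SAMPLE_REGISTER):
        print(f"{score:>2}  {IMPACT[risk.impact]:<13} x {PROBABILITY[risk.probability]:<10} {risk.name}")
```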

In addition to the above, other circumstances must be taken into account in the risk assessment, which are:

  • the very nature (type) of the risk or threat,
  • asset vulnerability,
  • probability that the risk will turn into a security event or incident.

Risk analysis is demanding: it requires knowledge of assets and threats and, in particular, experience in this area. Based on the risk analysis, measures can be identified to minimise or eliminate the risks.

1.3.2 Asset

An asset is anything that has a certain value for a person, organisation or state.

An asset can be a tangible object (building, computer system, networks, energy, goods, etc.) or an intangible one (information, knowledge, data, programs, etc.) from the point of view of civil law.

However, an asset can also be a quality (e.g. availability and functionality of the system and data, etc.) or a good name, reputation, etc. People (users, administrators, etc.) and their knowledge and experience are also an asset from the point of view of cybersecurity.

According to Section 2 (f) and (g) of the DoCS, assets are divided into ancillary and primary.

An ancillary asset is a technical asset, or an employee or supplier, involved in the operation, development, administration or security of the information and communication system.

A primary asset is information or a service processed or provided by an information and communication system.

1.3.3 Vulnerability

Vulnerability is a weakness of an asset, software or security measure that can be exploited by one or more threats.

Vulnerability, as well as a threat, can be caused by a number of factors grounded in human behaviour, technical failure, and possibly force majeure.

In the field of cybersecurity, vulnerabilities are divided into:

  • known vulnerabilities (published)
      ◦ fixed (treated): a typical case is a software vulnerability for which the manufacturer has already issued an update
      ◦ unfixed (untreated): the affected entity (manufacturer, administrator, etc.) knows about the vulnerability but has not ensured its correction
  • unknown vulnerabilities
      ◦ hidden
      ◦ undiscovered

In the case of unknown vulnerabilities, it is important whether they are discovered by an attacker, a manufacturer, a security analyst, a penetration tester, or a user. Equally important is the motivation of the person who discovers the vulnerability.

Security vulnerabilities are potential security threats. Security vulnerabilities can be eliminated to some extent by consistently updating and patching all software. [4]

The Decree on Cybersecurity lists some vulnerabilities as examples in Appendix 3. According to this decree, vulnerabilities are, for example:

1. insufficient maintenance of the information and communication system,
2. obsolescence of the information and communication system,
3. insufficient protection of the outer perimeter,
4. insufficient security awareness of users and administrators,
5. inappropriate setting of access rights,
6. insufficient procedures for identifying and detecting negative security phenomena, cybersecurity events and cybersecurity incidents,
7. insufficient monitoring of the activities of users and administrators and inability to detect their inappropriate or defective behaviour,
8. insufficient setting of security rules, inaccurate or ambiguous definition of rights and obligations of users, administrators and security roles,
9. insufficient protection of assets,
10. inappropriate security architecture,
11. insufficient degree of independent control,
12. inability of employees to detect errors in a timely manner.


[1] JIRÁSEK, Petr, Luděk NOVÁK and Josef POŽÁR. Výkladový slovník kybernetické bezpečnosti. [online]. 3rd updated edition. Prague: AFCEA, 2015. p. 99. Available from: https://nukib.cz/download/aktuality/container-nodeid-665/slovnikkb-cz-en-1505.pdf

[2] VALÁŠEK, Jarmil, František KOVÁŘÍK et al. Krizové řízení při nevojenských krizových situacích. Prague: Ministerstvo vnitra - generální ředitelství Hasičského záchranného sboru ČR, 2008. ISBN 978-80-86640-93-8. p. 73. [online]. [cit. 01/07/2018]. Available from: http://www.hzscr.cz/soubor/modul-c-krizove-rizeni-pri-nevojenskych-krizovych-situacich-pdf.aspx

[3] Analýza rizik. [online]. [cit. 01/07/2018]. Available from: https://www.vlastnicesta.cz/metody/analyza-rizik-risk/

[4] Cf. JIRÁSEK, Petr, Luděk NOVÁK and Josef POŽÁR. Výkladový slovník kybernetické bezpečnosti. [online]. 3rd updated edition. Prague: AFCEA, 2015. p. 29. Available from: https://nukib.cz/download/aktuality/container-nodeid-665/slovnikkb-cz-en-1505.pdf