How to Build a Cyber Risk Assessment Matrix

When conducting a cyber risk assessment, you need to quantify the risk levels of various scenarios taking place. An organization must first define and identify its assets, then prioritize those assets, and only then conduct an assessment.


There are various tools an organization can use to conduct a risk assessment, which can also aid with quantifying and visualizing the data.


One of those tools is a Risk Assessment Matrix that produces a risk score through the combination of two parameters:


  1. The impact of this risk scenario taking place

  2. The probability and frequency of this risk scenario occurring


An organization’s assets carry inherent risk: risk that exists by the very nature of how those assets function. That risk can be lowered by putting controls and safeguards in place so that, if a risk does materialize, it does not do so to its full extent. The score that results from these actions is called Residual Risk.


The residual risk score is a function of how much the impact and probability of the risk materializing have been lowered, a quantity called Control Effectiveness. Control effectiveness acts as a weight that determines how far below the inherent score the residual risk falls.


A more advanced approach attributes the effectiveness to impact and probability independently, which leads to a more accurate residual risk score; in practice this is usually left to more mature security programs.


Visualizing the above is not a simple task. This is why we’ve spent years developing the Centraleyes platform dashboards with state-of-the-art heatmaps and reporting functions.


Below is an example of a heatmap in which we visualize a cyber risk assessment matrix. This allows users to interactively identify risks by intuitively clicking on various areas of the heatmap or on specific risks represented by a single point on the map. This tool is a very effective way for users to prioritize the highest risks in their organizations.



Other forms of the matrix data can be viewed in automated filters like the grouping below, where the risks are split automatically into 4 tiers: Critical, High, Medium and Low, further assisting in the prioritization and management process.
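The scoring described above (inherent risk from impact and probability, residual risk weighted by control effectiveness, and the advanced variant that applies effectiveness to impact and probability separately) together with the four-tier grouping can be worked through in a few lines of code. The following is an added illustration, not Centraleyes code; the 1-5 scales, the multiplicative formula, the tier thresholds and the sample scenarios are all assumptions made for the example.

```python
"""Worked example of a cyber risk assessment matrix (added illustration).

Assumptions not fixed by the article:
  * impact and probability are scored on a 1-5 ordinal scale,
  * inherent risk = impact * probability (range 1-25),
  * control effectiveness is a fraction in [0, 1] that scales the
    inherent score (simple approach) or scales impact and probability
    separately (advanced approach),
  * tier thresholds for Critical / High / Medium / Low are assumed.
"""
from dataclasses import dataclass
from typing import Optional

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class RiskScenario:
    name: str
    impact: int                      # 1 (negligible) .. 5 (severe)
    probability: int                 # 1 (rare) .. 5 (almost certain)
    control_effectiveness: float = 0.0   # 0 = no controls, 1 = fully mitigated
    # Optional split used by the advanced approach; None falls back to the single value.
    impact_effectiveness: Optional[float] = None
    probability_effectiveness: Optional[float] = None

    def __post_init__(self):
        for v in (self.impact, self.probability):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"scores must be {SCALE_MIN}-{SCALE_MAX}, got {v}")
        for e in (self.control_effectiveness, self.impact_effectiveness,
                  self.probability_effectiveness):
            if e is not None and not 0.0 <= e <= 1.0:
                raise ValueError(f"effectiveness must be in [0, 1], got {e}")


def inherent_risk(s: RiskScenario) -> int:
    """Risk score before any controls: impact x probability."""
    return s.impact * s.probability


def residual_risk_simple(s: RiskScenario) -> float:
    """One control-effectiveness weight applied to the whole inherent score."""
    return inherent_risk(s) * (1.0 - s.control_effectiveness)


def residual_risk_split(s: RiskScenario) -> float:
    """Advanced variant: effectiveness reduces impact and probability independently.
    Design choice: a control never pushes a factor below the scale minimum."""
    ie = s.control_effectiveness if s.impact_effectiveness is None else s.impact_effectiveness
    pe = s.control_effectiveness if s.probability_effectiveness is None else s.probability_effectiveness
    impact = max(float(SCALE_MIN), s.impact * (1.0 - ie))
    probability = max(float(SCALE_MIN), s.probability * (1.0 - pe))
    return impact * probability


# Assumed tier thresholds on the 1-25 scale (name, inclusive lower bound).
TIERS = (("Critical", 15), ("High", 10), ("Medium", 5), ("Low", 0))


def tier(score: float) -> str:
    """Map a score to the four tiers used by the automated grouping view."""
    for name, floor in TIERS:
        if score >= floor:
            return name
    return "Low"


def group_by_tier(scenarios, scoring=residual_risk_simple) -> dict:
    """Split scenarios into tiers by residual score, highest score first within a tier."""
    groups = {name: [] for name, _ in TIERS}
    for s in sorted(scenarios, key=scoring, reverse=True):
        groups[tier(scoring(s))].append((s.name, round(scoring(s), 1)))
    return groups


def render_heatmap(scenarios) -> str:
    """Text heatmap: rows are impact (5 at top), columns are probability (1..5).
    Each cell shows the tier of that impact x probability combination and how
    many scenarios' inherent scores land in it."""
    counts = {}
    for s in scenarios:
        counts[(s.impact, s.probability)] = counts.get((s.impact, s.probability), 0) + 1
    lines = ["impact\\probability " + " ".join(f"{p:>10}" for p in range(SCALE_MIN, SCALE_MAX + 1))]
    for i in range(SCALE_MAX, SCALE_MIN - 1, -1):
        cells = [f"{tier(i * p)[:4]}({counts.get((i, p), 0)})".rjust(10)
                 for p in range(SCALE_MIN, SCALE_MAX + 1)]
        lines.append(f"{i:>18} " + " ".join(cells))
    return "\n".join(lines)


# Constructed sample scenarios for the example (not real assessment data).
SAMPLE_SCENARIOS = [
    RiskScenario("Ransomware on file servers", 5, 4, control_effectiveness=0.5),
    RiskScenario("Phishing leads to credential theft", 4, 5, control_effectiveness=0.6,
                 impact_effectiveness=0.25, probability_effectiveness=0.6),
    RiskScenario("Lost unencrypted laptop", 3, 3, control_effectiveness=0.9),
    RiskScenario("Misconfigured cloud storage bucket", 4, 3, control_effectiveness=0.0),
    RiskScenario("Printer firmware vulnerability", 2, 2, control_effectiveness=0.3),
]

if __name__ == "__main__":
    print(render_heatmap(SAMPLE_SCENARIOS))
    for name, items in group_by_tier(SAMPLE_SCENARIOS).items():
        print(f"{name}: {items}")
```

Note how the two residual formulas rank the same scenario differently: the ransomware scenario (inherent 20, Critical) lands in High under the simple weighting but in Medium under the split weighting, because halving both factors quarters the product. Whichever convention an organization picks, it should be written down and applied consistently, otherwise residual scores from different assessors are not comparable.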




Risk Matrix Frameworks


The NIST SP 800-53 framework, alongside many other cyber risk frameworks, can be used as a set of best practices and controls to help the organization protect sensitive data, such as PII (Personally Identifiable Information) and PHI (Protected Health Information).


Assessing against these controls can help quantify the impact and probability of a data breach. These control sets also establish a baseline for how ready an organization is for a cyber breach and how to prioritize remediation of open gaps.


One of the advantages of having a cyber risk matrix as part of your organizational assessment is that you move from a tactical approach to a much more strategic one. For example, it creates efficiencies in the following areas:

  • Ability to benchmark and track progress over time through self-assessment

  • Cost savings - by prioritizing the most strategic and urgent items.

  • Time savings - a methodical approach removes repeated effort in collecting and assessing the same information.

  • Identify weak points and threats faster, and lower your overall risk.

  • Meeting compliance - as an ongoing and continuous risk assessment is now a requirement in many of the regulatory standards. This includes privacy acts, certifications and industry standards.

  • Removing the subjective risk approach by creating a scientific and repeatable assessment methodology. This approach removes that gut feeling that is often used as a primary factor in your decision-making process. You now rely on data and trends, as well as information coming from outside the organization to help make smart decisions about where to focus new protection solutions or areas to remediate.



The Sources of Data


The sources of data that feed the cyber risk matrix can come from a variety of places, both qualitative and quantitative. In cyber security in particular, it is important to form an independent and objective view when validating controls. To do so, you need to combine the following sources of data:


  • Questionnaires and surveys

  • Data feeds, logs from tools and network telemetry

  • External sources of threat intelligence and vulnerability data


These sources of data, when combined, provide a unique view of your organizational risks. Collecting the data is one important step, but analyzing it and deriving insights is where the value lies. The cyber risk matrix is one of the tools that help turn that data into actionable insight.


Using the Centraleyes platform, with its tens of pre-populated frameworks and standards, smart surveys and questionnaires, live data feeds and real-time intelligence from internal and external security sources, to visualize and build a cyber risk assessment matrix will help take your cyber risk management program to the next level and ensure your organization is always ahead of the game.

