Cyber Security Risk Assessment Workshop

Atlas Analytics Cyber Risk Analysis and Assessment

1: Introduction:

Welcome to this pre-reading for attendees of Atlas Analytics’ “NCSC Cyber Security Risk Assessment Workshop”, an accredited, professional learning experience that follows stages of the National Cyber Security Centre’s (NCSC) basic risk assessment and management method. This is a practical, interactive risk assessment workshop for anyone with an interest in cyber security. You may be new to the topic or have some awareness of it. You need to understand better what cyber security risk is and how to communicate its potential impact on business operations. You aspire to produce a range of insights, products, and decisions as part of your duties, supporting risk analysis and assessment in the service of best-practice cyber security. Your learning will be put to the test during demanding but enjoyable group exercises that will challenge you to produce robust assessments, which your peers will constructively critique in a professional, collaborative environment.

2: Objectives:

By the end of this workshop, you will be able to:

  • Understand and correctly use common risk terminology as per “Risk Management & Governance” in the Cyber Body of Knowledge (CyBOK);

  • Complete a Risk Register with a minimum of three cyber security risks fully documented and with controls suggested.

3: What is Cyber Security?

The UK's NCSC defines cyber security's core function as being "To protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access - both online and at work - from theft or damage." It is further concerned with "Preventing unauthorised access to the vast amounts of personal information we store on these devices, and online."

4: What is Risk?

NCSC approves of several definitions of risk, one of them being from the Treasury Orange Book: “Risk is the effect of uncertainty on objectives. Risk is usually expressed in terms of causes, potential events, and their consequence”. Another is from the NCSC glossary: “Possible future outcomes that we can describe in terms of their chances of occurrence, and the impact they would have if realised.”

5: About The CyBOK

The Cyber Security Body of Knowledge (CyBOK), launched by the National Cyber Security Centre, codifies key cyber security concepts based on established literature. Rather than duplicating all existing materials, CyBOK maps out foundational knowledge to support the development of educational programmes at various levels.

CyBOK says: “The CyBOK has 19 Knowledge Areas (KAs). Each KA assumes a baseline agreement on the overall vocabulary, goals, and approaches to cyber security. Although its owners have necessarily divided the CyBOK into a number of discrete KAs, it is clear that there are many inter-relationships among them. Those with professional responsibility for one area must typically have at least a moderate grasp of the adjacent topics; someone responsible for architecting a secure system must understand many.”

Action: Consider the CyBOK diagram and decide where your experience and expertise lie. Also, where do you want to gain experience and expertise in the future? Be ready to introduce yourself at the workshop by explaining which areas you have experience of or interest in.

6: Security Concepts and Relationships

The Security Concepts and Relationships image below was produced by ISACA. You can see that risk is intrinsically linked to other factors such as assets, vulnerabilities, and threat agents. Therefore, a robust, relevant risk assessment cannot be conducted without sufficient knowledge of them. This workshop will ensure you are able to consider them, with sufficient guidance provided.

Action: Consider the Security Concepts and Relationships diagram and decide where your experience and expertise lie. Are there areas that you do not have experience or knowledge of? Also, where do you want to gain experience and expertise in the future? Be ready to share insights at the workshop.

7: Risk Assessment Processes: NIST and ISO/IEC

The images below show two other risk assessment processes: NIST SP 800-30 and ISO/IEC 27005. We will not be following these processes during the workshop, but they are included for awareness, and the red box on each indicates the steps that are comparable to the NCSC process.

8: Risk Assessment Processes

NCSC Basic Risk Assessment and Management Method

The image below shows the NCSC approach, and the red box indicates the steps that we will cover on the course (with information also provided on steps 10 and 11).

9: Next Steps

That is the end of the pre-reading, and we look forward to working with you during the course. Before then, it will be helpful to keep a watchful eye on reputable news outlets for stories relating to cyber security, in case they are useful for discussions and the benefit of others on the course.