RISK VECTOR ® is a freely distributed risk assessment methodology developed by Cyber Threat Institute to help small and large enterprises manage physical and cybersecurity risks.

Instructions: Using a blank RISK VECTOR matrix sheet below, list all organizational assets (router, firewall, mail server, etc.) under the RISK column, then rate each VECTOR on a scale of 1-10 (i.e., 1-2 very low, 3-4 low, 5-6 medium, 7-8 high, 9-10 very high). The total Risk “Score” is an average of all VECTOR elements. The assessment team should be composed of a mixture of knowledgeable IT and non-IT members from various departments, including engineering, physical security, IT, accounting, etc.

Vulnerability: Attributes, characteristics, design flaws, or components of an asset, business process or function that make it susceptible or exposed to exploitation or damage from a cyber attack, kinetic attack, or natural disaster. Soft targets (i.e., unprotected systems or assets with widely known flaws) increase an asset's vulnerability, whereas hard targets (i.e., robustly constructed systems or assets with added counter-measures) decrease an asset's vulnerability.

Ease-of-Execution: Level of expertise, advanced training, special tools and equipment required to successfully accomplish a cyber or kinetic attack. A high Ease-of-Execution score implies that an adversary or disaster event requires little effort or minimal force to defeat the asset (e.g., non-configured devices with default passwords). A low Ease-of-Execution score, by contrast, implies that an adversary requires a high level of hacking skill and advanced knowledge of systems/network architecture to defeat the asset's design characteristics and existing security measures (e.g., a sophisticated cyber attack utilizing multiple zero-day exploits).

Consequence: Injuries, loss of life, loss of production, loss of economic value or brand reputation as a result of a successful cyber attack, kinetic attack, or natural disaster.

Threat-Probability: Event or adversary with the potential to disrupt systems, such as nation-states, mercenary hackers, terrorists, hacktivists, blackhats, or natural disasters. To determine the threat probability of adversarial groups, study their capabilities and history of attack methods to determine the credibility of the threat along with potential attack vectors / scenarios. For threats from natural disasters, examine historical hurricane, flood and seismic data for frequency and trends. The Threat-Probability score is the likelihood that an adversary or disaster event will impact systems. The assessment team can choose multiple threat scenarios for each asset, or can decide on the most likely threat scenario. If multiple scenarios are used, then factor in all scenarios to determine the average Threat-Probability score.

Operational-Importance: Degree to which the mission or an organization is impaired by a successful cyber attack, kinetic attack, or natural disaster. Critical assets or key business processes may halt enterprise-wide operations, whereas lesser assets may only have a localized impact. Redundant, duplicate, and back-up systems all reduce Operational-Importance. Assets that score high for Operational-Importance should be recognized by management as the organization's most critical assets and should be afforded special protections and counter-measures to guarantee the asset's continued availability, integrity, and confidentiality during an attack or natural disaster. A raw rank order using only Operational-Importance can be used by management to identify assets within the organization that are absolutely critical to operations. The top 5% to 20% of total assets can be categorized by management as critical assets.

Resiliency-Gap: Resiliency-Gap is the lack of resiliency, the lack of redundancy, and the lack of planning/preparedness by an organization that would allow it to recover, reorganize and reconstitute itself to continue operations after a significant cyber breach or natural disaster. Resiliency-Gap increases an organization's overall risk. When an asset is considered to have a low degree of Resiliency, it is considered to be high risk and yields a high Resiliency-Gap score. Likewise, when an asset is considered to have a high degree of Resiliency, it yields a low Resiliency-Gap score.
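
A filled-in matrix scored as the instructions and definitions above describe, as an added example that is not part of the original RISK VECTOR material. The asset ratings are constructed sample values, and entering threat scenarios as a list, rounding the score to two decimals, and rounding the critical-asset count up are assumptions of this sketch.

```python
import math
from statistics import mean

# The six VECTOR elements defined on this page, in matrix-column order.
VECTORS = ("Vulnerability", "Ease-of-Execution", "Consequence",
           "Threat-Probability", "Operational-Importance", "Resiliency-Gap")

def risk_row(asset, ratings):
    """Score one matrix row: validate the 1-10 ratings, then average the vectors."""
    if len(ratings) != len(VECTORS):
        raise ValueError(f"{asset}: expected {len(VECTORS)} ratings")
    vectors = {}
    for name, rating in zip(VECTORS, ratings):
        # Assumption: multiple threat scenarios are entered as a list and averaged.
        scenarios = rating if isinstance(rating, list) else [rating]
        if name != "Threat-Probability" and len(scenarios) != 1:
            raise ValueError(f"{asset}: only Threat-Probability takes scenarios")
        if not scenarios or any(not 1 <= r <= 10 for r in scenarios):
            raise ValueError(f"{asset}: {name} must be rated 1-10")
        vectors[name] = mean(scenarios)
    score = round(mean(list(vectors.values())), 2)  # total Risk Score
    return {"asset": asset, "vectors": vectors, "score": score}

def assess(matrix):
    """Return scored rows, highest total Risk Score first."""
    rows = [risk_row(asset, ratings) for asset, ratings in matrix.items()]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

def critical_assets(rows, fraction=0.20):
    """Raw rank order on Operational-Importance only; the top fraction is critical."""
    if not 0.05 <= fraction <= 0.20:
        raise ValueError("cut-off must lie between 5% and 20% of total assets")
    ranked = sorted(rows, reverse=True,
                    key=lambda row: row["vectors"]["Operational-Importance"])
    keep = max(1, math.ceil(len(ranked) * fraction))  # assumption: round up
    return [row["asset"] for row in ranked[:keep]]

# Constructed sample ratings (not from a real assessment), in VECTORS order.
SAMPLE_MATRIX = {
    "router":       (7, 8, 5, [6, 4], 9, 7),
    "firewall":     (4, 3, 8, [5, 7, 3], 10, 4),
    "mail server":  (6, 5, 6, 7, 6, 5),
    "file server":  (5, 4, 7, 4, 8, 3),
    "badge reader": (8, 9, 3, 3, 2, 8),
}

if __name__ == "__main__":
    rows = assess(SAMPLE_MATRIX)
    for row in rows:
        print(f'{row["asset"]:<13}{row["score"]:>5}')
    print("critical:", critical_assets(rows))
```

In this sample the router has the highest total Risk Score, while the firewall is the critical asset, because the critical list is ranked on Operational-Importance alone.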

Risk Management Options: All judgments resulting from this RISK VECTOR assessment should be safeguarded by management and shared only on a need-to-know basis. Assessment results should be reviewed periodically and reassessments should occur prior to and after major system upgrades to identify unmitigated or residual risks within the system. Once RISK VECTOR is complete, management can choose to: 1) control risks with counter-measures using technology, devices, new policies or training; 2) accept risk if the probability of occurrence or potential impact is relatively low; 3) transfer risk to other regions of an organization with less risk or transfer risk to third parties, such as insurance companies or contractors with special capabilities; 4) avoid risk by minimizing or closing certain operations or tasks where risks or security implementation costs are too great to justify operations. Finally, when making risk mitigation decisions, management should conduct cost-benefit and trade-off analysis while keeping in mind the following simple advice: “Do not risk more than you can afford to lose,” and “Do not risk a lot to save a little.”