3. Map controls against the steps identified in your cyber risk scenarios
You can map your existing controls against the steps identified in your attack trees. This enables you to assess how likely it is that a control will stop an attack at a particular stage in the attack path. That, in turn, enables you to gauge which controls you should focus on.
Take, for example, the use of anti-malware software to mitigate ransomware. We’ve found that the high-end software is very good – but it’s not perfect. If you estimate that it is effective in 50-80% of cases, it’s doing a good job.
When we’re mapping controls, we also consider how widely they’re deployed in an organisation and how well their configuration is maintained.
There are a variety of industry frameworks that help standardise the categorisation of cyber controls and offer a structured approach to assessing security posture.
You can choose to adopt multiple frameworks or use them as a starting point to develop something more tailored to your industry or organisation.
Not sure where to start? These widely recognised cyber control frameworks are a good starting point:
National Institute of Standards and Technology (NIST) Cybersecurity Framework
National Cyber Security Centre’s (NCSC) Cybersecurity Assessment Framework (CAF)
Information Security Forum (ISF) Standards of Good Practice (SoGP)
ISO 27001
When we’re supporting clients, we calculate the ‘attacker contact rate’: how often someone is likely to try to attack your organisation. From here, we can estimate the number of attempts needed for a successful breach in each scenario. This provides the basis for calculating an annual risk profile for the scenario and enables us to quantify the risk.
To calculate the attacker contact rate, you can use data from previous incidents or information provided by your Security Operations Centre. Alternatively, you can use industry data on the threat landscape to make judgements. For example, you can use a structured natural language approach to document the rate: ‘we perceive at least 1 attack attempt every 1 day’.
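The following worked example is added here to show the whole chain described on this page in code: controls mapped onto attack-tree steps (discounted for how widely they are deployed and how well their configuration is maintained), the probability that one attempt traverses the path, the attacker contact rate parsed from the structured natural-language statement, and the resulting annual risk profile, plus a ranking of which controls matter most. It is illustrative code, not the consultancy's own tooling or a framework's method; the ransomware scenario, the control names and every effectiveness, coverage and contact-rate figure are constructed assumptions.

```python
import math
import re
from dataclasses import dataclass, field
from typing import List

# All names, figures and the scenario below are constructed for illustration.

@dataclass
class Control:
    name: str
    effectiveness: float        # P(control stops the attack | deployed and correctly configured)
    coverage: float = 1.0       # fraction of the estate where the control is deployed
    config_health: float = 1.0  # fraction of deployments whose configuration is maintained

    def stop_probability(self) -> float:
        """Chance this control stops an attack at its step, discounted for
        deployment gaps and configuration drift."""
        return self.effectiveness * self.coverage * self.config_health


@dataclass
class Step:
    name: str
    controls: List[Control] = field(default_factory=list)

    def pass_probability(self) -> float:
        """Chance an attacker gets past every control on this step
        (controls are modelled as independent)."""
        p = 1.0
        for c in self.controls:
            p *= 1.0 - c.stop_probability()
        return p


def path_success_probability(path: List[Step]) -> float:
    """Chance a single attempt traverses the whole attack path."""
    p = 1.0
    for step in path:
        p *= step.pass_probability()
    return p


# Attacker contact rate from a statement such as
# 'we perceive at least 1 attack attempt every 1 day'
_RATE_RE = re.compile(
    r"at least\s+(\d+)\s+attack attempts?\s+every\s+(\d+)\s+(day|week|month|year)s?", re.I)
_PERIODS_PER_YEAR = {"day": 365, "week": 52, "month": 12, "year": 1}


def parse_contact_rate(statement: str) -> float:
    """Return the stated rate as attempts per year (e.g. 1 per day -> 365.0)."""
    m = _RATE_RE.search(statement)
    if not m:
        raise ValueError(f"unrecognised contact-rate statement: {statement!r}")
    count, every, unit = int(m.group(1)), int(m.group(2)), m.group(3).lower()
    return count * _PERIODS_PER_YEAR[unit] / every


def annual_risk_profile(path: List[Step], contact_rate_per_year: float) -> dict:
    """Per-attempt success chance, attempts needed, and the annual picture."""
    p = path_success_probability(path)
    expected_breaches = contact_rate_per_year * p
    return {
        "p_success_per_attempt": p,
        # attempts are independent trials, so the expected number needed is 1/p
        "expected_attempts_to_breach": math.inf if p == 0 else 1.0 / p,
        "expected_breaches_per_year": expected_breaches,
        # Poisson approximation: chance of at least one successful breach in a year
        "p_at_least_one_breach_per_year": 1.0 - math.exp(-expected_breaches),
    }


def control_priorities(path: List[Step], contact_rate_per_year: float) -> list:
    """Rank controls by the extra breaches per year expected if each were
    removed; the largest increase is the control to focus on first."""
    baseline = annual_risk_profile(path, contact_rate_per_year)["expected_breaches_per_year"]
    ranking = []
    for step in path:
        for ctrl in step.controls:
            without = [Step(s.name, [c for c in s.controls if c is not ctrl]) for s in path]
            extra = annual_risk_profile(without, contact_rate_per_year)["expected_breaches_per_year"]
            ranking.append((ctrl.name, extra - baseline))
    return sorted(ranking, key=lambda item: item[1], reverse=True)


# Constructed ransomware attack path with controls mapped onto each step
RANSOMWARE_PATH = [
    Step("Initial access: phishing email with malicious attachment", [
        Control("Email filtering", effectiveness=0.8),
        Control("User awareness training", effectiveness=0.25),
    ]),
    Step("Execution: malware runs on the endpoint", [
        # judged effective in 65% of cases, but only deployed on 90% of endpoints
        # and correctly configured on 90% of those
        Control("Anti-malware", effectiveness=0.65, coverage=0.9, config_health=0.9),
    ]),
    Step("Lateral movement and encryption", [
        Control("EDR response", effectiveness=0.6, coverage=0.75),
        Control("Network segmentation", effectiveness=0.5),
    ]),
]
CONTACT_RATE_STATEMENT = "we perceive at least 1 attack attempt every 1 day"

if __name__ == "__main__":
    rate = parse_contact_rate(CONTACT_RATE_STATEMENT)
    for key, value in annual_risk_profile(RANSOMWARE_PATH, rate).items():
        print(f"{key:32s} {value:.4f}")
    for name, extra in control_priorities(RANSOMWARE_PATH, rate):
        print(f"without {name:24s} -> +{extra:.2f} expected breaches/year")
```

Two design choices are worth noting. Controls on a step are treated as independent, which overstates protection when two controls share a weakness (for example, two signature-based engines), so correlated controls should be modelled as one. The `control_priorities` ranking measures each control's marginal contribution to the whole path, which is the quantity that tells you where to spend effort, rather than its stand-alone effectiveness.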
What is our cyber control framework?