Cybersecurity & risk management
The risk management feature enables you to manage risks associated with your assets, with the goal of minimizing the impact of potential incidents. The system calculates the risk level for each managed asset based on the asset's vulnerabilities and the threats that target those vulnerabilities.
Risk management objects
Vulnerabilities and threats are represented by objects of the Vulnerability type and the Threat type, respectively.
Start by using the ready-to-use sets of cybersecurity vulnerabilities and threats available in the Risk management object folder on the Objects page.
Assets are represented by objects of any type that include the following object properties:
- Confidentiality - the asset's required confidentiality level, represented as a decimal value from 1 to 4, where 4 indicates the highest confidentiality. For more information, see the CIA triad.
- Integrity - the required integrity level (from 1 to 4).
- Availability - the required availability level (from 1 to 4).
- Risk level - the calculated risk level of the asset, expressed on the Low - Medium - High - Critical scale.
- Asset cybersecurity category - classification of the asset as primary or supporting. For details, see the Supporting asset section below.
- Total asset value - an auxiliary value used during the calculation of the Risk level property.
Object relations
Relations between threats, vulnerabilities and assets are represented through object relations, as illustrated in the chart below:
The Targets / Is targeted by relation type includes the Threat occurrence likelihood field, which expresses the likelihood on the Low - Medium - High - Critical scale. Similarly, the Probability of vulnerability being exploited relation type carries the Probability of vulnerability being exploited field. You need to define these relations and their field values for each managed asset.
The Threatens / Is threatened by relation between threats and assets is created and maintained automatically based on the other relations. Its Risk level field is also calculated automatically.
Risk level calculation
For each asset, the following object property values are automatically calculated:
[Total asset value] = AVG( Confidentiality * Integrity * Availability )
[Risk level] = MAX( [Total asset value] * Threat.[Threat occurrence likelihood] * Vulnerability.[Probability of vulnerability being exploited] )
The MAX function calculates the maximum value across all threats and vulnerabilities related to the asset.
The resulting Risk level value is then mapped to the Low - Medium - High - Critical linear scale.
Supporting assets
If an asset depends on or is composed of other assets, you can model the structure using object relations of the Provides cybersec parameters type.
Primary assets depend on their supporting assets. You only need to provide cybersecurity parameters for primary assets. Each cybersecurity parameter (the Confidentiality, Integrity, and Availability object property values) of a supporting asset is automatically calculated as the maximum value of that parameter among its associated primary assets. For example, the SERVER2 supporting asset in the chart above receives the highest parameter values from the APPLICATION1 and APPLICATION2 primary assets.
Use the Asset cybersecurity category object property to easily filter asset objects. The property value doesn't affect any calculations.
To let other object relation types also promote cybersecurity parameters from primary to supporting assets, enable the Determines parameters of cybersecurity option under Administration - Asset Management - Object relation types - (select the type) - Edit.
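The two calculations described above (the Risk level formula and the promotion of CIA parameters from primary to supporting assets) worked through in Python. This is an added example, not the product's own implementation: the asset, relation and exposure data are constructed, the Low - Medium - High - Critical values are assumed to map to 1..4, and the band width of the final linear scale is assumed, since the page does not state it.

```python
# Ordinal scale shared by the likelihood, probability and Risk level fields (1..4 mapping assumed).
SCALE = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
LEVEL_BY_BAND = {v: k for k, v in SCALE.items()}

# Constructed primary assets with the required Confidentiality/Integrity/Availability levels (1..4).
PRIMARY = {
    "APPLICATION1": {"C": 4, "I": 2, "A": 3},
    "APPLICATION2": {"C": 2, "I": 4, "A": 1},
}
# Constructed "Provides cybersec parameters" relations: supporting asset -> primary assets it serves.
SUPPORTS = {"SERVER2": ["APPLICATION1", "APPLICATION2"]}
# Constructed threat/vulnerability exposure per asset:
# (Threat occurrence likelihood, Probability of vulnerability being exploited) for each related pair.
EXPOSURE = {
    "APPLICATION1": [("Medium", "High"), ("Critical", "Critical")],
    "APPLICATION2": [("High", "Medium")],
    "SERVER2": [("Critical", "Low"), ("High", "Critical")],
}

def cia_parameters(asset):
    """Primary assets keep the values entered; a supporting asset gets, per parameter,
    the maximum over its associated primary assets."""
    if asset in PRIMARY:
        return PRIMARY[asset]
    rows = [PRIMARY[p] for p in SUPPORTS[asset]]
    return {k: max(r[k] for r in rows) for k in ("C", "I", "A")}

def total_asset_value(asset):
    """[Total asset value] = AVG(Confidentiality * Integrity * Availability).
    An asset carries one parameter set, so the average reduces to the product (assumption)."""
    p = cia_parameters(asset)
    return p["C"] * p["I"] * p["A"]

def risk_score(asset):
    """Raw [Risk level] = MAX over all related threat/vulnerability pairs of
    Total asset value * Threat occurrence likelihood * Probability of vulnerability being exploited."""
    tav = total_asset_value(asset)
    return max(tav * SCALE[lik] * SCALE[prob] for lik, prob in EXPOSURE.get(asset, []))

def risk_level(asset):
    """Map the raw score onto the Low - Medium - High - Critical linear scale.
    Assumed band width: the maximum possible score is 4*4*4 * 4 * 4 = 1024, split into four equal bands."""
    band = min(4, (risk_score(asset) - 1) // 256 + 1)
    return LEVEL_BY_BAND[band]

if __name__ == "__main__":
    for asset in ("APPLICATION1", "APPLICATION2", "SERVER2"):
        print(asset, cia_parameters(asset), total_asset_value(asset), risk_score(asset), risk_level(asset))
```

Note that SERVER2 ends up with a higher Risk level than either application it supports: promoted CIA values are maxima, so a supporting asset inherits the strictest requirements of everything that depends on it.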
Configuration
- Go to Administration - Asset Management - Object templates and use the Add properties command to add properties from the Risk management property category (see Risk management objects) to all object templates representing risk management assets.
- Go to Objects, select the Risk management object folder, and review the threat and vulnerability objects. You can freely customize the default set: remove objects you don't need and add new ones. Also, check the relations between objects, including the Threat occurrence likelihood field values on the Object - Relations tab.
- For each (primary) asset object, enter values of the Confidentiality, Integrity, and Availability properties, and create relations to vulnerability objects, including the Probability of vulnerability being exploited values.
Use the risk management data queries to review the field values of threat and vulnerability relations.
Risk evaluation
The risk management data model is automatically recalculated whenever you modify an object or relation.
Use the Objects - Table mode or Power BI report template to view the resulting Risk level value for each asset.