A7

Using risk assessment

What is the aim?

To help countries use the information in their capacity and risk assessment reports, to guide the design and content of a national cyber strategy.

Why do it?

In the Stock Taking and Analysis phase, countries should bring together evidence they collected, compare it and confirm it is valid. They should interpret that information, identifying key themes and issues that will inform the strategy. This is also a good point at which to set risk-tolerance levels.

What are typical outputs?

An agreed set of evidence-based facts and assumptions that justify the identification and prioritization of critical sectors, processes and risks. E.g., “We assume economic expansion will remain a top national priority; vulnerabilities in the Financial Services sector represent the greatest cyber risk to this priority; and the greatest threat to the Financial Services is organized cybercrime targeting our national banks.” A second output could be a baseline assessment of the effectiveness of current risk mitigation measures in priority areas.

How is it delivered?

Workshops, facilitated discussions, and exercises.

How easily can a country do it themselves?

Many countries can follow a process for validating risk reports and establishing priorities. External assistance can help: provide reassurance that things have not been missed; bring in external experience; break down departmental boundaries; and take a multi-stakeholder approach.

What good practice guidance is available?

The best source is people who have done this before. See also material in guides by: ENISA; OECD; GCSCC (CMM); and MITRE (NCSDI).

  • Collect information and evidence from the very start (Activity 1).
  • Facts and assumptions about the prioritization of risks and sectors should be communicated to senior government and political leaders; key industry representatives (especially from the prioritized critical sectors); and civil society organizations for review and concurrence.
  • Consider digital risk priorities in the context of other national risks; such prioritization choices are fundamentally political decisions.
  • In this phase and activity it is important to take a multi-stakeholder approach. Use it to get buy-in.
  • Seek information and assistance from others who have done this before or in other countries.

Duration

1-3 months. Duration can be reduced if risk validation is conducted through periodic reviews during the development of the risk assessment.

Several years ago, the MITRE Corporation assisted in the development of an African nation’s national cyber strategy.

Assistance began with MITRE facilitating a comprehensive review of several key national capacity-building areas that are foundational to designing a national cyber strategy, including identifying key partnerships; the capacity to develop a cyber workforce; cyberspace governance mechanisms; and risk management approaches. These assessments helped identify the benefits that the country hoped to achieve through a cyber strategy, including socio-economic benefit and greater resiliency. Additionally, the country sought to build secure ICT infrastructure to attract more knowledge-based businesses to the country.

With MITRE’s assistance, risk management assessments were conducted that identified ICT threats and vulnerabilities capable of affecting the country’s strategic goals and objectives.

Findings from the risk assessments were included in the draft strategy, justifying the country’s strategic approaches within government as well as to the private sector and citizens. The development of this strategy involved public, private, and academic stakeholders and established implementation governance that mandated a continuing public/private coordination body. MITRE also provided consultation on implementation priorities and methods. The commitment of public and private stakeholders, together with external assistance in limited but key areas such as risk management, resulted in a comprehensive, feasible, and affordable national cyber strategy.