Identity security risk management: A practical guide
Joseph Carson
Risk assessment frameworks and strategies for decision-making
Identity security risk management can help you prioritize risk and create actionable plans, not just for effective incident prevention, but also rapid incident response. By understanding potential business consequences of a successful identity-related attack, you can prioritize resources and increase your cyber resilience.
Security leaders who bring together technical and business perspectives on risk are better able to gain buy-in and budget for their initiatives. They employ risk management frameworks and models that account for business impact and speak the language of the business to shed light on risk and support investment decisions.
In this blog, you’ll learn how you can apply risk management approaches to assess identity security risk, as well as strategies to communicate your risk exposure and close the gap.
Let’s start with the standard equation for risk, and then we’ll dig into each of the components.
Risk = likelihood × impact
Evaluating the likelihood of an identity security attack occurring involves understanding the types of identity threat vectors and attack techniques that are on the rise, as well as your susceptibility to those attacks.
Research shows that 80% of companies have experienced at least one identity-related attack. So, it’s pretty safe to assume that you may experience an identity incident in the next year. If you know your IT environment has had identity misconfigurations, orphaned accounts, and identity sprawl, you are at greater risk of experiencing one.
Measuring the impact of a potential cyber incident involves considering the tangible consequences and quantifiable risks (e.g., financial losses, operational disruptions, reputational damage, and regulatory penalties).
This type of risk management approach requires a clear understanding of how incidents could ripple through an organization, from the initial point of breach through the full identity attack chain, impacting not just one system, but multiple connected systems. Once the attack agent gains a foothold, they seek to elevate access and extend their reach to additional systems. Let’s say a privileged user is the victim of a ransomware attack and their credentials are stolen.
If those credentials unlock access to several critical systems such as billing systems, financial systems, people management systems or customer systems—that is, if the effective access of that privileged user is high—the scope of the impact grows dramatically: every one of those systems is now at risk, and business disruption follows.
Risk assessment strategies to understand exposure and likelihood
Assessments are an important part of risk management to show duty of care. A “duty of care” is the legal responsibility that business leaders—including security leaders—have to do all they can not to cause harm to others. If found negligent, you can be held accountable for any harm or damage caused.
As part of risk management, established frameworks help you observe, document, and measure your identity risk exposure. They include specific controls for identity security as well as a standardized set of tested guidelines and principles for continuous improvement. Many of these frameworks and models share controls for identity security practices such as authentication, access control, monitoring, reporting, and more.
By using these frameworks, you can assess how your current state of identity security aligns to each category and practice group, so you can identify gaps. Then you can implement policies, processes, and procedures to mitigate them.
During an assessment, proper risk management includes documenting evidence of your identity security controls, policies, and practices, as well as any investment decisions you decide to make based on the information. This provides context and increases transparency for anyone reviewing the risk assessment – business leaders, risk committees, auditors, security, and IT teams – to keep everyone aligned.
Systems and frameworks for identity security risk management
A GRC risk assessment is a systematic process for identifying, analyzing, and evaluating an organization's potential risks—financial, legal, and cyber. On the 401 Access Denied podcast, virtual CISO and risk expert Gideon Rasmussen explained:
“GRC makes sure we’re doing the basics. It’s a system of record for reporting, and repeatable process and routine tasks. It gives you specific instructions on what needs to be done, so the team can focus forward on cyber threat intelligence and threat hunting. If we have a good GRC program with a system of record, that’s a way to influence change.”
Some risk management tools that can be used in a GRC assessment include SWOT analysis, risk registers, and frameworks like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ISO 27001, CIS, and COBIT.
Each of them includes requirements for managing identity-related risk:
NIST CSF 2.0
NIST Cybersecurity Framework 2.0, published in February 2024, outlines 100+ controls organizations should implement to comprehensively manage and safeguard user identities, primarily focusing on implementing strong access controls, multi-factor authentication, continuous monitoring, and robust incident response protocols to prevent unauthorized access and mitigate identity-related security risk.
Each of the identity security controls is applied to NIST’s core functions:
1. Identify:
- Inventory all user accounts and associated privileges across systems.
- Classify data sensitivity and identify critical assets requiring enhanced access controls.
- Map user roles and responsibilities to access levels.
2. Protect:
- Enforce strong password policies and implement multi-factor authentication (MFA).
- Utilize least privilege access controls, granting only necessary permissions to users.
- Implement robust identity governance processes to manage user lifecycle effectively.
- Encrypt sensitive data at rest and in transit.
3. Detect:
- Continuously monitor for suspicious user activity, including unusual login attempts, access anomalies, and privileged access usage.
- Implement advanced analytics to identify potential identity-based threats.
- Utilize user behavior analytics (UBA) to detect anomalies in user patterns.
4. Respond:
- Develop incident response plans specifically for identity-related breaches, including account lockouts, password resets, and access revocation procedures.
- Conduct timely investigations of suspicious activity and potential compromises.
- Implement remediation actions based on identified threats.
5. Recover:
- Maintain backup copies of identity data to enable rapid restoration in case of a breach.
- Develop procedures for restoring access to critical systems and data after an identity-related incident.
ISO 27001
The ISO 27001 framework ensures a systematic and structured approach to safeguarding sensitive information and also serves as a valuable certification to demonstrate proactive risk management. Within ISO 27001 controls, identity and access management plays critical functions, providing a solid foundation for audit readiness.
For more detail on the NIST Cybersecurity Framework (CSF) compared with ISO, check out the blog:
NIST vs. ISO: Understanding the difference
CIS Risk Assessment Method (RAM)
The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls).
CIS RAM provides a risk management approach to “draw a line” to determine your organization’s threshold for acceptable risk, with risks below the line adhering to “due care,” and risks above the line requiring additional work.
Control Objectives for Information and Related Technology (COBIT) risk management framework
COBIT is a risk management framework that provides a structured approach to governing and managing information technology risks. COBIT DSS05.04 is a control objective in the COBIT framework that focuses on managing user identity and logical access.
Risk scoring with Identity Security Posture Management (ISPM)
An emerging category, Identity Security Posture Management (ISPM) gives you a detailed understanding of your identity security posture. ISPM runs a set of checks against known identity-based risks in your on-premises and cloud environments. It will check for common gaps such as unvaulted admin accounts, privileged access without MFA enabled, stale accounts, orphaned accounts, or excessive standing permissions.
To support risk management, ISPM provides a risk score that helps you determine the probability or likelihood that an attack against you will be successful. Based on this data you can better communicate your identity risk exposure to your leadership team, and together you can make an informed decision as to whether you’re willing to accept that risk or make changes in your identity security controls and practices to address it.
For more on ISPM, read: Using Identity Security Posture Management to measure and demonstrate risk reduction
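To make the checks above concrete, here is a small posture-check script added for this post. It is not Delinea code or any vendor's scoring model: it walks a constructed account inventory (the sample accounts are made up), flags each of the five gaps named above (unvaulted admin accounts, privileged access without MFA, orphaned accounts, stale accounts, excessive standing permissions), and rolls the findings up into a 0–100 score. The thresholds (90 days for "stale", 25 for "excessive" standing permissions) and the per-gap severities are illustrative assumptions you would calibrate to your own environment.

```python
"""Toy ISPM-style posture check over a constructed account inventory.

Each check maps to one of the gaps named in the post. The thresholds,
severities and sample accounts are illustrative assumptions, not any
vendor's model or real data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Illustrative thresholds and severities (assumptions, tune to your environment).
STALE_AFTER_DAYS = 90
EXCESSIVE_STANDING_PERMS = 25
SEVERITY = {
    "unvaulted_admin": 10,     # privileged credential not held in a vault
    "privileged_no_mfa": 10,   # privileged account without MFA
    "orphaned": 6,             # no owner, or owner no longer active
    "stale": 4,                # no sign-in for longer than STALE_AFTER_DAYS
    "excessive_standing": 5,   # more always-on permissions than the threshold
}


@dataclass
class Account:
    name: str
    privileged: bool
    mfa_enabled: bool
    vaulted: bool
    days_since_login: int
    owner: Optional[str]       # None = no known owner
    owner_active: bool
    standing_permissions: int


def check_account(acct: Account) -> List[str]:
    """Return the list of posture gaps found for one account."""
    gaps = []
    if acct.privileged and not acct.vaulted:
        gaps.append("unvaulted_admin")
    if acct.privileged and not acct.mfa_enabled:
        gaps.append("privileged_no_mfa")
    if acct.owner is None or not acct.owner_active:
        gaps.append("orphaned")
    if acct.days_since_login > STALE_AFTER_DAYS:
        gaps.append("stale")
    if acct.standing_permissions > EXCESSIVE_STANDING_PERMS:
        gaps.append("excessive_standing")
    return gaps


def assess(inventory: List[Account]):
    """Run every check and return (findings, score).

    score is 0..100 where 100 means no gaps. The penalty is normalised
    against the worst case (every account failing every check), so the
    score is a weighted fraction of "clean" accounts, not an open count.
    """
    max_per_account = sum(SEVERITY.values())
    findings = {}
    penalty = 0
    for acct in inventory:
        gaps = check_account(acct)
        if gaps:
            findings[acct.name] = gaps
            penalty += sum(SEVERITY[g] for g in gaps)
    worst = max_per_account * len(inventory)
    score = round(100 * (1 - penalty / worst)) if worst else 100
    return findings, score


# Constructed sample inventory (made-up accounts, not real data).
SAMPLE_INVENTORY = [
    Account("svc-backup", privileged=True, mfa_enabled=False, vaulted=False,
            days_since_login=200, owner=None, owner_active=False,
            standing_permissions=40),
    Account("jdoe-admin", privileged=True, mfa_enabled=True, vaulted=True,
            days_since_login=3, owner="jdoe", owner_active=True,
            standing_permissions=12),
    Account("old-contractor", privileged=False, mfa_enabled=True, vaulted=False,
            days_since_login=400, owner="contractor7", owner_active=False,
            standing_permissions=5),
    Account("asmith", privileged=False, mfa_enabled=True, vaulted=False,
            days_since_login=1, owner="asmith", owner_active=True,
            standing_permissions=8),
]

if __name__ == "__main__":
    findings, score = assess(SAMPLE_INVENTORY)
    for name, gaps in findings.items():
        print(f"{name}: {', '.join(gaps)}")
    print(f"posture score: {score}/100")
```

Run as-is, the script flags the unowned, unvaulted, MFA-less service account on every check and the departed contractor's account as orphaned and stale, and reports a posture score of 68/100. Feeding it a real export from your directory or vault is the part that differs per organisation; the scoring logic is the part worth agreeing on with your risk committee before you report the number.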
Measuring risk in terms of business impact
In July 2023 the U.S. Securities and Exchange Commission (SEC) mandated that material cybersecurity incidents be disclosed on Form 8-K within four business days of determining an incident's materiality.
For identity security risk assessments, that raises the question: What represents a material risk?
The Information Systems Audit and Control Association (ISACA) explains it this way: Historically, auditors have determined materiality with quantitative assessments of financial transactions to determine whether disruptions would have a sizable impact on an enterprise’s balance sheet, revenue, net income, or asset valuation.
The organization must determine whether a reasonable investor would find the impact meaningful to their investment decisions. If financial changes caused by cyber incidents exceed certain thresholds, the risk is considered material.
Next, let’s look at a risk management approach to measure the materiality of identity security risk.
Cyber risk quantification attaches a financial value to risk based on statistical modeling
Cyber risk quantification (CRQ) is gaining popularity as an approach to planning cybersecurity investments. With CRQ you can measure the risk of specific cyberattack scenarios and evaluate the impact of implementing different security controls to reduce it.
FAIR, which stands for "Factor Analysis of Information Risk," is a model used for cyber risk quantification, allowing organizations to assess and measure their cybersecurity risks in monetary terms by breaking down risk into its component parts: "Loss Event Frequency" (how often a loss event might occur) and "Loss Magnitude" (the potential financial impact of that loss event), enabling better decision-making based on a quantitative understanding of risk. Unlike some other risk assessment methods that rely on qualitative ratings, FAIR translates cyber risk into a dollar value.
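The following Monte Carlo simulation is an added illustration of the FAIR decomposition described above; it is not FAIR Institute code and the dollar figures are constructed assumptions. Each of the two factors, Loss Event Frequency (events per year) and Loss Magnitude (dollars per event), is given a calibrated min / most-likely / max estimate and sampled from a triangular distribution (a standard-library stand-in for the PERT curves FAIR practitioners normally use). Simulating many years yields an annualised loss expectancy (ALE) and loss percentiles in dollars, and comparing a "before" scenario against an "after" scenario shows how the model evaluates a control, here the post's own example of adding MFA to privileged accounts. The scenario names and estimates are hypothetical.

```python
"""FAIR-style cyber risk quantification as a Monte Carlo simulation.

Risk = Loss Event Frequency (events/year) x Loss Magnitude ($/event),
with both factors uncertain. Each is a three-point estimate sampled
from a triangular distribution. All figures below are constructed
assumptions for illustration, not calibrated data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Estimate   # loss events per year
    loss_magnitude: Estimate         # dollars per loss event


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: Scenario, rng: random.Random) -> float:
    """One simulated year: draw a rate, a count of events, then each loss."""
    lef = scenario.loss_event_frequency.sample(rng)
    events = poisson(lef, rng)
    return sum(scenario.loss_magnitude.sample(rng) for _ in range(events))


def quantify(scenario: Scenario, years: int = 20000, seed: int = 1) -> dict:
    """Simulate `years` independent years and summarise the loss distribution."""
    rng = random.Random(seed)          # fixed seed keeps results reproducible
    losses = sorted(simulate_annual_loss(scenario, rng) for _ in range(years))
    return {
        "ale": statistics.fmean(losses),               # annualised loss expectancy
        "p50": losses[years // 2],                      # median annual loss
        "p90": losses[int(years * 0.90)],               # "bad year" loss
        "p_any_loss": sum(1 for x in losses if x > 0) / years,
    }


def control_value(before: Scenario, after: Scenario, annual_control_cost: float,
                  **kw) -> float:
    """Expected annual loss avoided by a control, net of what it costs."""
    return quantify(before, **kw)["ale"] - quantify(after, **kw)["ale"] - annual_control_cost


# Hypothetical scenario: credential theft against privileged accounts.
# Loss magnitude is the same either way; MFA is assumed to cut how often
# stolen credentials turn into a loss event (the frequency estimate).
LOSS_PER_EVENT = Estimate(50_000, 400_000, 3_000_000)
BASELINE = Scenario("privileged credential theft, no MFA",
                    Estimate(0.5, 1.5, 4.0), LOSS_PER_EVENT)
WITH_MFA = Scenario("privileged credential theft, MFA enforced",
                    Estimate(0.05, 0.2, 0.8), LOSS_PER_EVENT)

if __name__ == "__main__":
    for sc in (BASELINE, WITH_MFA):
        r = quantify(sc)
        print(f"{sc.name}: ALE ${r['ale']:,.0f}  p50 ${r['p50']:,.0f}  "
              f"p90 ${r['p90']:,.0f}  P(any loss) {r['p_any_loss']:.2f}")
    print(f"net annual value of MFA at $100k/yr: "
          f"${control_value(BASELINE, WITH_MFA, 100_000):,.0f}")
```

The point of expressing the result this way is the one the paragraph makes: instead of a "high" rating, the CISO can tell the board that the current exposure is roughly a given number of dollars a year, that a bad year looks like the p90 figure, and that a control costing a known amount is expected to avoid more than it costs. The quality of the answer is only as good as the three-point estimates, which is why FAIR practitioners spend most of their effort calibrating them.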
Who does what? Identity security risk management is a team sport
To understand both likelihood and impact, risk management involves participation from many corners of the organization and requires that people work together to gather, check, evaluate, and act on risk information. Below are the common players:
- Risk officer – Provides guidance on how the organization can meet GRC requirements and prerequisites. Helps to set the risk threshold that the organization is willing to accept.
- CISO – Provides visibility and recommendations to the executive team to explain the organization’s current identity security risk exposure and help them make informed decisions to accept that risk or invest in risk mitigation activities and solutions. Continually measures and reports back to the business on progress toward identity security risk reduction.
- BISO – Similar to the CISO, but specific to a line of business. The Business Information Security Officer (BISO) is an important conduit to business teams to gather necessary information about business processes that impact identity security risk, and ensure people understand and follow security and risk management best practices.
- Security specialists – Recommend and implement specific identity security controls to reduce risk. Monitor and confirm these controls are working as expected. This type of quality assurance, where the team checks itself, is a best practice in risk management.
- IT operations – Provides essential input into the security risk management process by gathering data on permissions and entitlements as well as privileged user behavior and account usage. Makes sure data is up to date, accurate, and complete.
Sometimes, the decision is to accept or transfer risk, rather than address it
Risk management is a balancing act.
“There are times when the combination of people, process, and technology is expensive, and so businesses may decide to defer and take that risk,” Gideon Rasmussen notes. “I think as long as we’re communicating that effectively, that’s fine.”
If an organization is willing to accept risk so they can carry on with business priorities or reduce security budget, cyber insurance is a strategy to transfer that risk. The key is ensuring that you have enough cyber insurance to match your risk exposure. Risk assessments like the ones above can help you determine if you have enough insurance or may need to get more.
Insurance companies also use risk assessments like these when determining the price and details of your insurance policy. They want evidence of identity security to understand and measure your risk. In the last Delinea research study of 300+ decision-makers, over 40% of respondents said their insurance companies require least privilege access controls/authorization.
To help you prepare, Delinea has aggregated questionnaires from leading insurance companies and highlights frequent questions they ask as part of their risk management submission process. This guide—Insights into Enhanced Cybersecurity Insurance Requirements—examines increasingly stringent insurer requirements for identity security, including multi-factor authentication (MFA), password management, access control, privilege elevation, session management, least privilege, and zero trust policies.
Get help with risk management strategies, benchmarks, and security controls
As you develop your identity security risk management strategy, we’re here to help.
Delinea customers can leverage advanced capabilities and reports within the Delinea Platform to score and measure risk, demonstrate evidence to risk evaluators and communicate measurable progress. Because platforms give you a line of sight across the identity lifecycle for all types of identities, you can achieve a more accurate and up-to-date view of your risk exposure and take immediate action to reduce it through proactive risk management. Learn more about Delinea Platform here.