
WHITE PAPER

Calculated Approach to Cybersecurity Risk

Calculated Impact and Risk Ratings for Enhanced Vulnerability Prioritization

Abstract

This white paper introduces a calculated approach to cybersecurity risk assessment by addressing the limitations of current practices in determining the impact and risk associated with Common Vulnerabilities Exposures (CVEs). Traditional methods often rely on generalized information, leading to inaccurate prioritization of assets and vulnerabilities. Verve presents a novel methodology incorporating Calculated Impact Rating (CIR) and Calculated Risk Ratings (CRR) to precisely evaluate the impact and risk of CVEs on an organization’s assets. This approach, coupled with the Exploit Prediction Scoring System, offers a more tailored and accurate assessment of cybersecurity threats.

Introduction

To address the limitations of traditional risk assessment models in Operational Technology (OT), Verve has developed an innovative approach to calculating risk. This methodology combines Calculated Impact Ratings (CIR) and Calculated Risk Ratings (CRR) and offers OT professionals a tailored solution to accurately gauge the potential impact of Common Vulnerabilities and Exposures (CVEs) on their specific assets and systems. This advancement enables more effective vulnerability management, ensuring better resource allocation and reduced exposure to cyber threats.

Calculated Impact Ratings (CIR)

The Calculated Impact Rating (CIR) is a metric designed to accurately quantify the potential consequences of a vulnerability based on specific attributes of an organization’s assets. Unlike conventional methodologies that provide generalized impact scores, the CIR is built with a comprehensive set of factors in mind, including:

  • Potential Losses: Estimates the potential financial, operational, and reputational losses in the event of a successful exploitation of a particular asset. Regardless of the security controls in place, the CIR aims to capture how badly an exploited asset could hurt the organization.
  • Asset Location: Evaluates the geographical location of the asset within the organization’s infrastructure. Assets at critical sites or locations with high yield production will have a higher influence on the CIR.
  • Network Segmentation: Considers the network segment to which the asset belongs. Assets in heavily utilized networks can greatly influence the overall CIR calculation.
  • Asset Type and Functionality: Assesses the type and function of the asset within the organization’s operations. Assets with varying levels of importance or functionality will distinctively contribute to the CIR calculation.

Verve has developed an innovative solution to conducting Operational Technology (OT) cybersecurity risk assessments. By introducing Calculated Impact Ratings (CIR) and Calculated Risk Ratings (CRR), organizations can now accurately assess the potential consequences of CVEs on their specific assets and systems.

This advanced approach to calculating impact ratings ensures that the assets are assessed in a nuanced and contextual manner while allowing manual edits, reflecting the unique attributes of the organization’s assets, their locations, and their network. 

Calculated Risk Ratings (CRR)

The Calculated Risk Rating (CRR) augments the traditional risk assessment process by providing a precise evaluation of the potential risk associated with a vulnerability for the next thirty days. Traditionally, risk is measured as impact times likelihood. CRR combines the Calculated Impact Rating (CIR) with the Exploit Prediction Scoring System (EPSS) to offer a comprehensive risk assessment approach. 

  • Calculated Impact Rating Integration: The CRR incorporates the CIR to determine the possible consequences of a vulnerability. This integration ensures that the calculated risk aligns with the potential impacts. Traditional impact 
  • Exploit Prediction Scoring System (EPSS): The EPSS model was developed in 2019 by FIRST and predicts the likelihood of a vulnerability being exploited. EPSS differs from the Common Vulnerability Scoring System (CVSS) in that it estimates the probability of a vulnerability being exploited within the next thirty days, adjusting that probability based on historical trends, current threat intelligence, and the presence of existing exploits.

Methodology

The methodology for determining Calculated Impact Ratings (CIR) and Calculated Risk Ratings (CRR) involves a multi-step process: 

  1. Asset Profiling: Organizations identify and profile their assets, considering criticality, functionality, and dependencies. 
  2. Vulnerability Assessment: Vulnerabilities are identified and evaluated based on standardized criteria and technical attributes provided by the Verve Security Center. 
  3. Calculating CIR: The CIR is calculated for each asset by considering the asset’s location, network, and type. Additional values can be added depending on the customer’s environment, for example specific assets outside the parameters above that warrant a higher criticality level.
  4. Calculating CRR: The CRR is derived by combining the CIR with the output of the Exploit Prediction Scoring System (EPSS). 
  5. Prioritization and Mitigation: Vulnerabilities are prioritized based on their CRR, allowing organizations to focus on addressing the most critical threats on the most critical assets first. 
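The steps above, worked through in code as an added example (not Verve's implementation; the white paper does not publish its weighting, so the location, segment, and type tables, the 0-10 scaling, and the CVE placeholders are all assumed here). It computes a CIR per asset with an optional manual override, multiplies by the EPSS probability to get the CRR, and sorts findings by CRR:

```python
from dataclasses import dataclass
from typing import Optional

# Assumed attribute weights in [0, 1] (constructed for illustration, not Verve's values).
LOCATION_WEIGHT = {"critical_site": 1.0, "high_yield_plant": 0.8, "standard_site": 0.5, "lab": 0.2}
SEGMENT_WEIGHT = {"control_network": 1.0, "dmz": 0.6, "corporate": 0.4, "isolated_test": 0.1}
TYPE_WEIGHT = {"safety_plc": 1.0, "hmi": 0.7, "historian": 0.6, "engineering_ws": 0.5, "printer": 0.1}

@dataclass
class Asset:
    name: str
    location: str
    segment: str
    asset_type: str
    potential_loss: float            # 0-1 estimate of financial/operational/reputational loss
    cir_override: Optional[float] = None  # manual edit, as the paper allows; clamped to 0-10

def calculated_impact_rating(asset: Asset) -> float:
    """CIR on a 0-10 scale: weighted sum of potential loss, location, segment and type."""
    if asset.cir_override is not None:
        return max(0.0, min(10.0, asset.cir_override))
    score = (0.4 * asset.potential_loss
             + 0.2 * LOCATION_WEIGHT[asset.location]
             + 0.2 * SEGMENT_WEIGHT[asset.segment]
             + 0.2 * TYPE_WEIGHT[asset.asset_type])
    return round(10.0 * score, 2)

def calculated_risk_rating(cir: float, epss: float) -> float:
    """Risk = impact x likelihood; EPSS is a 30-day exploitation probability in [0, 1]."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS must be a probability, got {epss}")
    return round(cir * epss, 3)

def prioritize(findings):
    """findings: iterable of (asset, cve_id, epss). Returns rows sorted by CRR, highest first."""
    rows = []
    for asset, cve, epss in findings:
        cir = calculated_impact_rating(asset)
        rows.append({"asset": asset.name, "cve": cve, "cir": cir,
                     "epss": epss, "crr": calculated_risk_rating(cir, epss)})
    return sorted(rows, key=lambda r: r["crr"], reverse=True)

# Constructed sample inventory and findings; CVE ids are placeholders, EPSS values are made up.
PLC = Asset("SIS-PLC-01", "critical_site", "control_network", "safety_plc", 0.9)
PRINTER = Asset("OFFICE-PRN-07", "standard_site", "corporate", "printer", 0.1)
SAMPLE_FINDINGS = [(PLC, "CVE-EXAMPLE-1", 0.05), (PRINTER, "CVE-EXAMPLE-2", 0.90), (PLC, "CVE-EXAMPLE-3", 0.40)]

def demo():
    return prioritize(SAMPLE_FINDINGS)
```

Note how the high-EPSS finding on the low-impact printer outranks the low-EPSS finding on the safety PLC: the CRR ordering reflects both impact and 30-day likelihood, not either alone.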

Benefits and Applications

The introduction of Calculated Impact Ratings (CIR) and Calculated Risk Ratings (CRR) offers numerous benefits to organizations:

  • Tailored Prioritization: Enables organizations to prioritize vulnerabilities based on their unique assets and operations, leading to more effective allocation of resources.
  • Accurate Risk Assessment: Provides a more accurate representation of the potential consequences and likelihood of exploitation for each asset and vulnerability.
  • Informed Decision-Making: Empowers stakeholders to make informed decisions about cybersecurity strategies, investments, and risk mitigation efforts.
  • Reduced Exposure: By focusing on vulnerabilities with higher CRR, organizations can reduce their exposure to potential cyber threats.

Conclusion

The traditional one-size-fits-all approach to cybersecurity risk assessment is no longer sufficient in today’s dynamic threat landscape. Verve’s Calculated Impact Ratings (CIR) and Calculated Risk Ratings (CRR) offer a more tailored solution that addresses the shortcomings of current practices. By considering an asset’s criticality, location, network segment, type, and functionality, coupled with the insights from the Exploit Prediction Scoring System (EPSS), organizations can now prioritize vulnerabilities with greater precision and reduce their overall cyber risk exposure.

This approach marks a significant step forward in protecting OT assets, enabling organizations to proactively safeguard their digital assets and maintain operational continuity in the face of evolving cyber threats.
