ABSTRACT

Cybersecurity assessments are control assessments. They look across policies, procedures, automated mechanisms, and cyber tools to ascertain the effectiveness of a specific cybersecurity control.

A cybersecurity assessment is not a risk assessment. A risk assessment uses impact and likelihood metrics to estimate how probable an adverse event is and how much damage it would cause. As seen in the earlier chapter, the cyber risk model has several parts: inherent risk, the mitigating controls that act on it, and the residual risk that remains. The cybersecurity assessment therefore has a direct relationship to inherent cyber risk: it measures how effective the mitigating controls on a digital asset are, and that effectiveness determines how far the inherent risk is reduced to residual risk (weak or missing controls reduce it little or not at all). Providing a methodology for understanding the effectiveness of the mitigating controls and their impact on inherent cyber risk is what this chapter is about.

We outlined how to create inherent cyber risk scores for each digital asset in the previous chapter. Now we move to the next step in the cybersecurity lifecycle. The assessment metrics address the key security categories in which mechanisms must be in place to identify, detect, and prevent attackers from exploiting system weaknesses (vulnerabilities) and people weaknesses (such as susceptibility to phishing), against a threat landscape that is continuously evolving.

Cybersecurity assessments can be used to identify where controls are not in place or are too weak to be effective. They can also spot trends across the entire infrastructure and pinpoint where security teams need to apply their skill and attention to increase the effectiveness of the controls.

Lastly, we will make this complex topic digestible for the business by presenting the results as metrics that are both understandable and useful.