This script is used fin the video available online on YouTube here:
Context information:
I’m a senior cybersecurity risk analyst. I’m working for an IT and cybersecurity consulting firm in Montreal (Quebec, Canada). I was hired by a customer to assist them with their cybersecurity governance, risk management and compliance activities.
Initial data provided:
Here is what you need to know about the target organization we will be using to perform a cybersecurity risk assessment: The Integrated Health and Social Services University Network for West-Central Montreal (CIUSSS West-Central Montreal) is committed to providing healthcare recipients with timely access to a seamless continuum of care that focuses on individuals’ particular needs. As well, consider the reports and other documents provided as attachments about the organization that will be used in the risk assessment.
(remember to add annual reports and other information available online about the information)
Estimate the Risk appetite:
Estimate the Risk appetite for the Integrated Health and Social Services University Network for West-Central Montreal (CIUSSS West-Central Montreal). On a scale of 0 to 1, estimate a quantitative Risk Appetite value. Provide a detailed justification of the Risk appetite. Proceed to save this Risk appetite value to use in later risk assessments and calculations for this organization.
Consider the following information:
- Highly Risk Averse or a very low Risk appetite = 0.1
- Risk Averse or a low Risk appetite = 0.3
- Risk neutrality or a Risk Neutral Risk appetite = 0.5
- Risk Seeking or a high Risk appetite = 0.7
- Highly Risk Seeking or a very high Risk appetite = 0.9
Summary scenario generation query:
Using the information provided about the organization, the results generated in the previous queries, as well as your accumulated knowledge, create 20 cybersecurity risk scenario for the Integrated Health and Social Services University Network for West-Central Montreal (CIUSSS West-Central Montreal).
Intermediate query:
Consider the following cybersecurity risk scenario Ransomware Attack on Healthcare Systems: Malware encrypts critical patient data and systems, demanding ransom to restore access at the organization Integrated Health and Social Services University Network for West-Central Montreal (CIUSSS West-Central Montreal).
Detailed scenario generation query:
Create a detailed description of summarily described cybersecurity risk scenario.
Consider the following cybersecurity risk scenario Ransomware Attack on Healthcare Systems: Malware encrypts critical patient data and systems, demanding ransom to restore access at the organization Integrated Health and Social Services University Network for West-Central Montreal (CIUSSS West-Central Montreal).
Using the information generated in the previous intermediate query, expand the cybersecurity risk scenario into a detailed cybersecurity risk scenario. In your answer provide the following details:
- The Scenario Name,
- a List of the stakeholders involved,
- some Background information out the scenario,
- a detailed Description of the scenario or the incident leading to the undesired outcome,
- a bullet list of sequence of events leading to the scenario,
- a description of the Consequences,
- some Historical data, and
- proposed Mitigation measures, internal controls, and prevention mechanisms.
Provide the following metrics and measures:
- On a scale of 0 to 1. the Probability that the threat will be present.
- On a scale of 0 to 1, include the Probability of exploitation.
- On a scale of 0 to 1, include the Estimated expected damages.
- On a scale of 0 to 1, include the Maximal damages.
- On a scale of 0 to 1, include the Level of organizational resilience.
- On a scale of 0 to 1, include the Expected utility.
All these previous metrics need to be on a scale of 0 to 1. Then, calculate the CVSS version 3.1 score of the vulnerabilities. Use the CVSS scale of 0 to 10. Use the information you already generated in the previous queries to calculate the CVSS score. However, if information is missing, make your best estimation of the required specific details about the vulnerability, including its attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, availability impact, and more. Provide the details metrics used in the CVSS calculation. Present the CVSS score on the CVSS scale of 0 to 10 and indicate the severity level on the following scale:
- None = 0
- Low = 0.1 to 3.9
- Medium = 4.0 to 6.9
- High = 7.0 to 8.9
- Critical = 9.0 to 10.0
Present a detailed list of proposed Mitigation measures, internal controls and prevention mechanisms that can be used. Include a detailed budgetary estimate in Canadian dollars ($) for the costs of implementing the proposed Mitigation measures, internal controls, and prevention mechanisms. Indicate the impact reduction and probability reduction on a scale of 0 to 1 for the proposed Mitigation measures, internal controls, and prevention mechanisms.
Proceed to save all these values to use in later calculations.
Calculate the KRI:
Consider the following cybersecurity risk scenario Ransomware Attack on Healthcare Systems: Malware encrypts critical patient data and systems, demanding ransom to restore access at the organization Integrated Health and Social Services University Network for West-Central Montreal (CIUSSS West-Central Montreal).
Using the results generated and presented from the previous queries, calculate the Key Risk Indicators (KRI) for the cybersecurity risk scenario. Use the formulas that are provided below:
Estimated risk = ((Probability that the threat will be present) x (Probability of exploitation) x (CVSS Score) x (Expected utility) x ((Estimated expected damages) + (Maximal damages) divided by 2)) divided by (the Level of organizational resilience).
- Calculate the Estimated risk
- Include detailed information about the calculations made to produce these results.
- Show in your answer the formula that was used.
- Save this value to use in later calculations.
Tolerated risk = ((Probability that the threat will be present) x (Probability of exploitation) x (CVSS Score) x (Expected utility) x ((Risk appetite)) divided by (the Level of organizational resilience).
- Calculate the Tolerated risk
- Include detailed information about the calculations made to produce these results.
- Show in your answer the formula that was used.
- Save this value to use in later calculations.
Mitigated risk = ((Estimated risk) x ((impact reduction for the proposed Mitigation measures, internal controls, and prevention mechanisms) x (probability reduction for the proposed Mitigation measures, internal controls, and prevention mechanisms))).
- Calculate the Mitigated risk
- Include detailed information about the calculations made to produce these results.
- Show in your answer the formula that was used.
- Save this value to use in later calculations.
Residual risk = ((Estimated risk) – (Mitigated risk))
- Calculate the Residual risk
- Include detailed information about the calculations made to produce these results.
- Show in your answer the formula that was used.
- Save this value to use in later calculations.
Explain and justify the results and KRI:
Using the results generated and presented from the previous queries, and the Key Risk Indicators (KRI) for the cybersecurity risk scenario Ransomware Attack on Healthcare Systems: Malware encrypts critical patient data and systems, demanding ransom to restore access at the organization Integrated Health and Social Services University Network for West-Central Montreal (CIUSSS West-Central Montreal), answer the following questions:
- Compare the Residual risk to the Tolerated risk.
- Explain of the results.
- In the case where the Residual risk is higher than the Tolerated risk: make some recommendations for the organizations on what could be done to remediate the risks further.
- In the case where the Residual risk is lower than the Tolerated risk: then make some recommendations for the organizations on what could be done to avoid unnecessary spending while keeping the risk levels acceptable.
Create a table of the results:
Create a table of the results that can be exported to Excel with the following row:
- Probability that the threat will be present
- Probability of exploitation
- CVSS Score
- Expected utility
- Estimated expected damages
- Maximal damages
- Level of organizational resilience
- Risk appetite
- impact reduction for the proposed Mitigation measures, internal controls, and prevention mechanisms
- probability reduction for the proposed Mitigation measures, internal controls, and prevention mechanisms
- Budgetary estimate of the proposed mitigation measures
- Estimated risk
- Tolerated risk
- Mitigated risk
- Residual risk