Risk Model

A risk model is a mathematical representation of risk. Strong risk models account for both positive and negative risks: positive risks are opportunities for an organization to gain, while negative risks are the potential for financial or other loss.

A risk model can be a collection of a wide range of risks that allows an organization to determine its aggregate risk level. Risk modeling lets organizations use data to produce analytics that support risk-based decisions. In the past, organizations used risk modeling primarily to assess financial and other organizational risks. While risk can be represented and calculated in a variety of ways, risk models that express risk in aggregate financial terms are most easily understood by organizational decision makers.

Cybersecurity risk modeling is relatively new. However, as organizations try to minimize cybersecurity incidents and loss, cybersecurity risk modeling has become common. For cybersecurity risks, the data typically used in risk modeling include vulnerability scans, audit data, system inventories, security policies, and controls. They can also include plans of action and milestones (POAM) for risks that are currently being mitigated. A good risk model also captures information on risk acceptance, transference, control, monitoring, avoidance, and mitigation, so that organizational leaders can determine whether known risks are being handled appropriately.

In addition to these data sets, rich data sets obtained from the National Vulnerability Database (NVD), such as Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), and similar sources, can be helpful for organizational decision making. Such data sets can bridge information gaps between the organization's own data sets and give decision makers additional insight. Individual data sets are often incomplete; for example, vulnerability scan data usually records hosts and findings but not the ownership or business function recorded in the inventory. Combining the vulnerability scan data, the inventory list, and an enrichment data source can therefore "bridge the gap" and identify which specific devices in the inventory are vulnerable.

CVE data holds publicly known vulnerability information and assigns each vulnerability a CVE identifier, giving the industry a common name for a specific vulnerability. CVSS provides a score for the risk level of CVE vulnerabilities. CWE provides information about the weakness behind a CVE and adds fields such as applicable platforms, common consequences, likelihood of exploitation, and potential mitigations. Organizations can use these data sets and enrichment data to estimate the probability that a risk occurs as well as its severity. Furthermore, an organization can integrate risk intelligence with business intelligence to identify the risks to specific business units and processes. Thus, risk models are valuable tools for modern organizations.
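The "bridge the gap" join described above and the probability-times-severity estimate in this paragraph can be shown together in a small script. The following is an added example, not code from the original article or from any NVD tooling: it joins a vulnerability scan (hosts and CVE ids only) to an asset inventory (owner, business unit, asset value) and to an NVD-style enrichment feed (CVSS score, likelihood, mitigation), then rolls the result up per business unit in both score and financial terms. All records, CVE ids, scores and asset values are constructed placeholders, and the likelihood-to-probability weights are an assumption of this example rather than a published mapping.

```python
"""Added example: join scan data, inventory and NVD-style enrichment to
produce per-device and per-business-unit risk figures.
Every record below is constructed; CVE ids of the form CVE-0000-000N
are placeholders, not real NVD entries."""
from collections import defaultdict

# Constructed scanner output: the scanner reports IPs and CVE ids but
# knows nothing about ownership or business function (the "gap").
SCAN_RESULTS = [
    {"ip": "10.0.1.10", "cve": "CVE-0000-0001"},
    {"ip": "10.0.1.10", "cve": "CVE-0000-0002"},
    {"ip": "10.0.2.20", "cve": "CVE-0000-0002"},
    {"ip": "10.0.9.99", "cve": "CVE-0000-0003"},  # host missing from inventory
]

# Constructed asset inventory keyed by IP: hostname, business unit and an
# assumed asset value used to express risk in financial terms.
INVENTORY = {
    "10.0.1.10": {"host": "db-01", "unit": "Payments", "value": 500_000},
    "10.0.2.20": {"host": "web-03", "unit": "Marketing", "value": 20_000},
}

# Constructed enrichment feed shaped like NVD/CWE fields (placeholder values).
ENRICHMENT = {
    "CVE-0000-0001": {"cvss": 9.8, "likelihood": "High",
                      "mitigation": "apply vendor patch (placeholder)"},
    "CVE-0000-0002": {"cvss": 5.3, "likelihood": "Medium",
                      "mitigation": "restrict network exposure (placeholder)"},
    "CVE-0000-0003": {"cvss": 7.5, "likelihood": "Low",
                      "mitigation": "disable unused service (placeholder)"},
}

# Assumed mapping from a qualitative likelihood to a probability weight.
LIKELIHOOD_WEIGHT = {"High": 0.9, "Medium": 0.5, "Low": 0.1}


def bridge(scan, inventory, enrichment):
    """Join each scan row to its inventory record and enrichment data.

    Returns (findings, orphans). Orphans are scanned IPs with no inventory
    record; surfacing them matters because an unowned vulnerable host is a
    gap in the inventory itself, not just in the scan."""
    findings, orphans = [], set()
    for row in scan:
        asset = inventory.get(row["ip"])
        if asset is None:
            orphans.add(row["ip"])
            continue
        info = enrichment.get(row["cve"], {})
        cvss = float(info.get("cvss", 0.0))
        probability = LIKELIHOOD_WEIGHT.get(info.get("likelihood"), 0.0)
        findings.append({
            "host": asset["host"],
            "unit": asset["unit"],
            "cve": row["cve"],
            "cvss": cvss,
            "probability": probability,
            # probability x severity, the scalar risk figure for this finding
            "risk": round(cvss * probability, 2),
            # expected loss: probability x (severity as a fraction) x asset value
            "expected_loss": round(probability * (cvss / 10.0) * asset["value"], 2),
            "mitigation": info.get("mitigation", "unknown"),
        })
    return findings, sorted(orphans)


def aggregate_by_unit(findings, key="risk"):
    """Sum a per-finding figure ('risk' or 'expected_loss') per business unit.

    Plain summation treats findings as independent; it is a simple roll-up
    for a dashboard, not a substitute for a model that handles correlation."""
    totals = defaultdict(float)
    for f in findings:
        totals[f["unit"]] += f[key]
    return dict(totals)


if __name__ == "__main__":
    found, missing = bridge(SCAN_RESULTS, INVENTORY, ENRICHMENT)
    for f in found:
        print(f"{f['host']:<8}{f['cve']:<16}risk={f['risk']:<6}"
              f"loss={f['expected_loss']:>10,.0f}  {f['mitigation']}")
    print("risk by unit:", aggregate_by_unit(found))
    print("expected loss by unit:", aggregate_by_unit(found, "expected_loss"))
    print("scanned hosts not in inventory:", missing)
```

The two roll-ups correspond to the two ways the article says risk can be presented: a score that security staff compare across findings, and an aggregate financial figure that decision makers read directly. The orphan list is the check a practitioner should always keep in the output, since a scan finding that cannot be tied to an inventory record cannot be assigned an owner, a business unit or a POAM entry.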