We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified. Can we draw any conclusions about our average risk and control levels? For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well. Can we just average them and conclude that our overall cyber risk levels are minimal?
Towards the end of last year the FFIEC released a Frequently Asked Questions document about the Cybersecurity Assessment Tool, and item #6 directly addressed your question. The Council stated that “…when a majority of activities, products, or services fall within the Moderate Risk Level, management may determine that the institution has a Moderate Inherent Risk Profile.”
This would seem to validate the approach of using the average [1] of all risk levels to identify your overall risk level. However, they go on to state that each risk category may pose a different level of risk. “Therefore, in addition to evaluating the number of times an institution selects a specific risk level, management may also consider evaluating whether the specific category poses additional risk that should be factored into the overall assessment of inherent risk.” This would appear to directly contradict the averaging approach, indicating (correctly, in my opinion) that since all risks are NOT equal, you should NOT determine overall risk based on an average.
For example, let’s say that all of your risks in the Technologies and Connection Types category are in the Least and Minimal level except for Unsecured External Connections, which is at the Moderate level. So you have 13 items no higher than minimal, and 1 item moderate. Sounds like an overall minimal level of risk, right? Except a Moderate level of risk for Unsecured External Connections indicates that you have several (6-10) unsecured connections. As any IT auditor will tell you, even 1 unsecured connection can be a serious vulnerability!
So although the FFIEC says that “…you may determine…” you’re at one level if the majority of your responses fall within that level, they go on to say you really shouldn’t draw that conclusion without additional evaluation.
This is just one of many examples of confusing, conflicting, and occasionally misleading elements in the CAT, and a very good reason to have assistance filling it out (shameless plug).
[1] There are 3 primary ways of defining “average”: mean, mode and median. If you’ve assigned 1-5 numeric values to the risk levels, we can define average as “mean”. If we’re assuming average is “mode”, it’s simply the value that occurs most often. This would appear to be the way the FFIEC is approaching it. Regardless of how you define “average”, it leads to the same (inaccurate) conclusion.
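The Technologies and Connection Types example and the footnote's three definitions of "average" can be checked together in a short script. This is an added example, not part of the original post or the FFIEC tool: the 13 placeholder item names, the split between Least and Minimal, and the `high_impact` escalation rule are all assumptions made for illustration.

```python
from statistics import mean, median, mode

# The five CAT inherent risk levels on the 1-5 scale the footnote describes.
LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}


def averages(ratings):
    """Level of a category under each of the three definitions of 'average'."""
    scores = [SCORE[level] for level in ratings.values()]
    return {
        name: LEVELS[round(fn(scores)) - 1]
        for name, fn in (("mean", mean), ("median", median), ("mode", mode))
    }


def assess(ratings, high_impact=()):
    """Averaged level, the items it hides, and an escalated overall level.

    Assumption (not an FFIEC rule): any item listed in high_impact sets a
    floor for the overall level, however the other items are rated.
    """
    avg = averages(ratings)
    baseline = SCORE[avg["mode"]]
    outliers = sorted(k for k, v in ratings.items() if SCORE[v] > baseline)
    floor = max((SCORE[ratings[k]] for k in high_impact), default=0)
    return {
        "averages": avg,
        "outliers": outliers,
        "overall": LEVELS[max(baseline, floor) - 1],
    }


# Constructed sample: 13 placeholder items at Least/Minimal plus the one
# Moderate item from the example in the text.
SAMPLE = {f"item_{i:02d}": "Least" for i in range(1, 7)}
SAMPLE.update({f"item_{i:02d}": "Minimal" for i in range(7, 14)})
SAMPLE["Unsecured External Connections"] = "Moderate"

if __name__ == "__main__":
    result = assess(SAMPLE, high_impact=["Unsecured External Connections"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Mean, median and mode all report Minimal for this category, while the outlier list and the escalated level surface the one Moderate item that the averages hide.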