Maturity- or Risk-based Cybersecurity? Qualitative or Quantitative? Towards Cyber-risk traceability (Part 1 of 2)

In this two-part article, we explain the differences between a maturity-based and a risk-based approach to cyber-risk management and why the two need to complement each other. We present the concept of cyber-risk traceability as an evolution of the risk-based approach, one that connects investment to the mitigation of cyber-risk.

This article was co-authored with Jason Ha, CISO and Security Risk Specialist at Ethan Group.


In 2024, cyber-risks continued to rank as the number one risk for Australian organisations. This has been a trend in recent years, one which has ‘thrown’ cybersecurity in the mix of risks an organisation has to prepare for. Losses can derive from natural disasters, operational failures, financial mistakes and, now, also cyber-attacks.

Nowadays we take for granted that globally recognised standards such as ISO27001 and the NIST Cyber Security Framework 2.0 emphasise the importance of a risk-based approach in addressing threats of a cybersecurity nature. The ‘audience’ around cybersecurity conversations has dramatically changed, too: from basement discussions on technical controls between information security specialists, to boardroom meetings, where directors work to provide evidence that they are fulfilling their duty of care and diligence also in the cyber-realm.

This has resulted in questions about Risk Traceability: Why are we uplifting these specific capabilities? And how is that going to specifically reduce the risk? Before we tackle that, it is worth exploring what we mean by a risk-based approach.

Elements of risk

A risk-based approach in cybersecurity, albeit not a new concept, has gained increased focus due to the shift in the narrative from defence-in-depth into cyber-resilience.

What is the difference? Simple: cyber-resilience emphasises the need to couple investments in mitigation with similar efforts in response and recovery because, as the saying goes, it is not a matter of if (a company gets breached), it is a matter of when. Despite now sounding obvious, this shift has been dramatic: up to 10-15 years ago, the focus was overwhelmingly on trying to keep threat actors out. It comes as no surprise, therefore, that conversations around business continuity management, disaster management and crisis communication are becoming commonplace in cyber.

When it comes to cyber-risks, four main elements are at play:

1) Risk agents: Adversaries and attackers in general who, thanks to their skills and resources and depending on their motivations, perpetrate cyber-attacks.

2) Risk absorbing systems: Organisations (and individuals) that are impacted by the actions of the adversaries. With their investments in defence, they work to nullify, or at least mitigate, cyber-attacks.

3) Controls: Tools, processes, and activities executed by risk absorbing systems to protect assets.

4) Assets: The real target of the adversaries (e.g., data; infrastructure), whose protection is the risk absorbing systems’ main goal.

Research and practice have traditionally focused on investigating TTPs (Tactics, Techniques and Procedures) of risk agents, to identify countermeasures and appropriate controls.

Over time, the realisation that organisations are often the authors of their own misfortune has moved the focus onto investigating risk absorbing systems: How does the triad people-processes-technology create internal vulnerabilities ripe for exploitation? Together with this, efforts in identifying and appropriately implementing the right controls (the third element) have progressively intensified.

The fourth element is by far the most immature, yet, paradoxically, the most basic one: How can you fully protect your organisation if you do not have complete visibility over your data assets, their value to the business, and the associated processes? This is the domain of data governance (or asset governance in general). Whilst this is not a new topic, it has received increasing prioritisation recently due to the strategic imperative of implementing AI within organisations.

Ok, but what do Companies do?

When faced with cyber-risks, organisations typically resort to a hodgepodge of "Fear, Uncertainty and Doubt", mixed with a dash of “I just need to be better than the next mob” poured into a glass of “FOMO at reaching an abstract maturity level”. This has often led to organisations investing in cybersecurity capabilities that have not necessarily provided the optimal risk buy-down. Risk buy-down is a term used to describe the level of risk reduction obtained for a given investment. In the worst cases, this has made cyber-investments impossible, due to the inability to influence the key stakeholders that fund the cybersecurity program.

But what are the options organisations have when it comes to addressing risks? Generally speaking, there are 4 risk treatment strategies, to which cyber-risk controls contribute:

Risk Acceptance, Risk Avoidance, Risk Transfer, and Risk Mitigation.

[Figure: A flow-chart for risk treatment options]

The Landscape of Cybersecurity Challenges

To make things harder, in a domain in which the evidence needed to make sound decisions is scarce or of poor quality (What does best practice look like in cybersecurity?), the ecosystem is plagued by three interrelated challenges.

First, the sheer volume and sophistication of cyber-threats are escalating. Attack vectors such as ransomware, phishing, and Advanced Persistent Threats (APTs) are becoming more common, making it difficult for organisations to keep pace. According to various reports, cybercrime is projected to cost the global economy trillions of dollars annually, underscoring the urgency for effective protective, detective and recovery-based controls.

Second, organisations often lack the necessary skills and resources to implement robust cybersecurity measures and manage cyber-risks in general. The skills gap in the cybersecurity workforce is a well-documented issue, with many companies struggling to find qualified personnel. This shortage leaves organisations vulnerable, as they may not be able to deploy or maintain adequate security measures.

Third, regulatory requirements and compliance mandates are ever-evolving, adding another layer of complexity. Organisations must navigate a patchwork of regulations that vary by industry and geography, making it challenging to develop a unified cybersecurity strategy.

The Advantages of Risk-Based Approaches

Risk management is intrinsically difficult; evidence to make good decisions is scarce; and the ecosystem is overly complex. How could this possibly lead to a good outcome?

This struggle has resulted in organisations relying on maturity models as frameworks for assessing their cybersecurity posture. While these models provide a useful benchmark for organisational capabilities, they often do so in isolation without contextualising the direct risks associated with specific investments. Maturity models typically measure an organisation’s progress along a predefined scale, focusing on benchmarks and process adherence rather than the actual effectiveness of security measures in mitigating (a selected amount of) risks.

In short: you can assume you are doing well based on whether you have specific controls in place, without specific assessment of their effectiveness. An approach that is certainly better than nothing, but far from perfect.

For example, while a maturity model may indicate that an organisation has implemented a robust firewall, it does not consider whether that firewall effectively mitigates the specific threats the organisation faces.

The most common example of a maturity-based approach in Australia is a simplified cyber mitigation action plan called the Essential 8s.

The origins of the model stem from a comprehensive framework of 37 mitigation strategies (Top 37) addressing 5 areas:

- Preventing malware delivery and execution;

- Limiting the extent of cyber-incidents;

- Detecting cybersecurity incidents and responding;

- Recovering data and system availability;

- Preventing malicious insiders.

The Top 37 framework was based on an organisation-first understanding of how common risk scenarios apply to organisations. An excerpt from the guidance material suggests: “Prior to implementing any of the mitigation strategies, organisations need to identify their assets and perform a risk assessment to identify the level of protection required from various cyber threats”. The 37 mitigation strategies were classified based on their security effectiveness (from “Essential” to “Very Limited”). It just so happened that, by common observation, the suggested Essential 8 were seen as providing the strongest traceability for achieving risk reduction in those specific scenarios.

[Figure: Essential Eight framework]

This highlights that, even at face value, one of the most common maturity frameworks, the Essential 8, is inherently grounded in a simplified risk-based approach. This grounding allows organisations to evaluate not just where they are on a maturity scale, but how well their cybersecurity investments translate into risk reduction (risk buy-down).

According to a report by McKinsey, organisations should prioritise investments based on the specific risks they face and the potential impact of those risks. This approach aligns cybersecurity practices with business objectives and helps ensure that resources are allocated to the most critical areas.

In the above example of a firewall deployment, a risk-based approach would help assess the firewall's effectiveness in reducing the likelihood of a breach, or its potential financial impact, in the risk scenarios relevant to that specific organisation. More specifically, it would assess how the firewall needs to be designed and deployed to best achieve these objectives. This is quality evidence for making more informed decisions about whether that firewall, for instance, needs an upgrade.
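As an added illustration (not part of the original article), the following Python sketch makes the firewall discussion concrete: each control is traced to the risk scenarios it affects, and its risk buy-down is computed as annual loss reduction per unit spent. The scenario values, control costs and effect multipliers are constructed for illustration only, and the expected-loss model (likelihood times impact) is an assumption of this example, not the authors' method.

```python
from dataclasses import dataclass, field

@dataclass
class Scenario:
    name: str
    annual_likelihood: float   # expected events per year (constructed)
    impact: float              # loss per event, in currency units (constructed)

@dataclass
class Control:
    name: str
    annual_cost: float
    # Traceability: scenario name -> (likelihood multiplier, impact multiplier)
    # once the control is in place. Scenarios not listed are unaffected.
    effect: dict = field(default_factory=dict)

def annual_loss(s: Scenario) -> float:
    """Inherent expected annual loss for one scenario."""
    return s.annual_likelihood * s.impact

def residual_loss(scenarios, control) -> float:
    """Expected annual loss across all scenarios with this control applied."""
    total = 0.0
    for s in scenarios:
        lm, im = control.effect.get(s.name, (1.0, 1.0))
        total += s.annual_likelihood * lm * s.impact * im
    return total

def risk_buy_down(scenarios, control) -> float:
    """Annual loss avoided per unit of annual control cost."""
    inherent = sum(annual_loss(s) for s in scenarios)
    return (inherent - residual_loss(scenarios, control)) / control.annual_cost

def rank_controls(scenarios, controls):
    """Controls ordered from best to worst risk buy-down."""
    return sorted(controls, key=lambda c: risk_buy_down(scenarios, c), reverse=True)

# Constructed sample data: two scenarios, three candidate investments.
SCENARIOS = [
    Scenario("ransomware", 0.2, 2_000_000),
    Scenario("phishing credential theft", 1.5, 150_000),
]
CONTROLS = [
    Control("firewall upgrade", 120_000, {"ransomware": (0.9, 1.0)}),
    Control("phishing-resistant MFA", 60_000,
            {"phishing credential theft": (0.3, 1.0), "ransomware": (0.8, 1.0)}),
    Control("tested offline backups", 40_000, {"ransomware": (1.0, 0.4)}),
]

if __name__ == "__main__":
    for c in rank_controls(SCENARIOS, CONTROLS):
        print(f"{c.name:28s} buy-down = {risk_buy_down(SCENARIOS, c):.2f}")
```

With these constructed numbers the firewall upgrade ranks last: a maturity checklist would record it as "in place", whereas tracing it to the scenarios it actually affects shows the weakest buy-down of the three options.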


Wrapping things up…

The traction that cybersecurity risk management has recently gained as a fundamental organisational activity has come with the realisation that best practices in the space are extremely hard to define. Compounding things further, the surrounding ecosystem (threat actors and regulations) never stops changing.

Maturity-based models to address cyber-risks are a good starting approach, especially for organisations that need to go greenfield with cybersecurity risk management. Maturity-based models, however, need to be complemented with risk-based ones for a more realistic and evidence-based method to assess cyber-risks, decide on mitigation strategies, and evaluate the performance of the latter. The key focus here is ensuring Risk Traceability – the why and how of uplifting cyber capabilities to achieve the most effective risk buy-down.


In the final part of this article, we will cover the limitations of qualitative cyber-risk assessment and the rationale for a Risk Traceability approach, through quantitative approaches. Stay tuned!

Fascinating piece. I think a key challenge to getting the right value remains identifying the right risk scenarios, which is a difficult challenge between being high-level enough to achieve implementing controls (action) yet low-level enough to make sure controls are exhaustive/appropriate (effective). Any thoughts on this as a prerequisite to traceability in cyber risk management?

Denny Wan

A global thought leader in Reasonable Security and data-driven Risk Decision. A Cyber Security Risk Expert, podcast host, public Speaker and CI-ISAC National Ambassador. CISSP, ISO 27001LA, PCI Professional, Open-FAIR.

7mo

Excellent analysis and analogy. I look forward to Part 2 of this series.

Jordan M. Schroeder

CISO | National Cyber Resilience Advisory Board member

8mo

But this highlights the struggles of most orgs. Yes, of course, one needs to accurately and completely identify and understand the risks to a system/org. No one denies that. But things change so much that to "curve fit" investments to the identified risks creates, if nothing else, the perception of self-imposed gaps in knowledge, leaving one open to the unknown unknowns. Maturity approaches are a blunt tool, no doubt, but they provide complete coverage. It's an umbrella, not a hydrophobic coating. So when you admit that you don't know where the rain will fall or what might get wet, open the umbrella. But _if you can_ accurately and completely understand the risks in an area, then get tactical with your risk management. But how much _can_ we know? The blend is important. Mature controls are easier to adapt than immature controls. And where you know your risks, ALSO ensure those are specifically covered. So, Maturity isn't the starting point. It's the foundation.

Shahid Md Shahiduzzaman

Economist, Researcher and Educator

8mo

Hi Ivano Bongiovanni GAICD, I read your article with interest. The origin of maturity models is linked to "deflect" management of a process. I believe this foundational idea is still applicable to the cyber risks context as, from an organizational point of view, the journey is basically capability development to reduce the propensity of cyber risks. It's more than data management; organizations require a holistic approach that integrates processes, people, and technology to build resilience! Super interesting article anyway!
