
NIS2 - How to work with risk management

Daniel Andersson, Senior Information Security Consultant, Cegal Sweden. Daniel has extensive experience in information security and is a Certified Information Security Manager (CISM) as well as a certified Cybersecurity Practitioner (CSX-P). With a background in both technology and leadership, Daniel has a broad view of today's challenges and their various solutions.
02/18/2025

NIS2 makes clear that information security work should be risk-based, but what does that mean and how should you define and work with risk?

We all see risk differently. What one person sees as a risk, another may see as an opportunity. A simple example is financial risk: trading in shares always carries the risk of losing money alongside the possibility of making money, so some people see it as a risk while others see it as an opportunity. Likewise, in our technological world, what counts as a risk in one case can be a great business opportunity in another.

How is risk defined?

The Oxford English Dictionary's definition of risk works well in technical contexts; its essence is:

"(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."

For NIS2, the undesired effect is that a socially critical function cannot be delivered at the capacity needed to avoid a negative impact on society.

A risk therefore needs two components, an event and an adverse effect; together they form the assessed risk.

ISO 31000 takes a broader view of risk, where a risk can have both positive and negative effects, which is different from other risk frameworks that only deal with negative effects.

How do we define probability?

The likelihood of an event needs to be estimated. This is done from the information available to you: partly your own experience of the business, and partly public information about similar activities or locations.

The estimate needs to be made on a numerical scale so that it can be part of the risk calculation, and it is important that this scale is well defined in the risk management policy. The granularity of the scale needs to be manageable: a scale of 1-3 may be too coarse, while a scale of 1-50 may lead to more discussion about whether the probability is once every three months or once every four months, at the expense of discussing how to manage the risk.

For example, a scale of 1-5 could be an ascending scale from occurring once every ten years to occurring several times a year, where the latter corresponds to a probability of 5.

How do we define impact?

The effect, or as it is often called, the consequence, also needs to be assessed on a defined scale in order to be part of the risk calculation. Again, this is an assessment based on available information, both internal and external. Normally the scale has the same range as the probability scale.

The direct impact is often relatively easy to calculate, partly from information on turnover lost to operational disruptions and partly from public information on the cost of responding to ransomware.

The indirect effect can be even more difficult to calculate. Indirect effects include a damaged reputation that leads to reduced sales, greater difficulty retaining and recruiting employees, and other harder-to-measure economic effects.

In terms of NIS2, it is the direct impact on the delivery of essential services that is the primary aspect to address.

For example, a scale of 1-5 could represent an ascending scale ranging from a financial loss of $7,000 to $1.5 million, where $1.5 million would signify significant difficulty in continuing operations. For larger companies, the scale might range from losses of $100,000 to $30 million, or even higher, depending on the company’s financial situation.

For NIS2, it is necessary to assess whether the scale should also take societal impact into account. The economic damage may be limited for the company, but the societal damage could be greater if critical services cannot be delivered.

How is the risk calculated?

Based on the probability and impact, a risk value can be calculated, normally defined as 'R = P x C': risk is the product of the probability (P) and the consequence or impact (C). For example, a probability of 5 and a consequence of 3 gives a risk of 15.

How is risk managed?

A risk can be managed in several ways: it can be accepted with no further action, or measures can be implemented to reduce either the probability or the consequence. Taking ransomware as an example, both can be reduced through technical measures: partly by making it harder for ransomware to enter the company's IT environment, and partly by making it harder for ransomware to spread internally if an individual device becomes infected.

Completely removing a risk usually means stopping some activity, which normally has a negative impact on the company, but it may be necessary if the risk is greater than can be accepted and measures to reduce the probability and consequence are too costly.

Who can accept a risk?

It is most appropriate for the board and management to set an acceptable level of risk. The business can then consolidate all its risks and identify whether the total exceeds the accepted level. If it does, this needs to be addressed either through action or by taking a decision to the board and management to change the accepted level of risk.

However, it is important to understand that risks should not be accepted blindly just because you are below the accepted risk level. There are many measures that reduce both probability and impact and are easy to implement; these should not be skipped even if you are below the acceptable risk level.
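To make the scales, the R = P x C calculation and the comparison against an accepted level concrete, here is a small risk register in Python. It is an added example written for this page, not Cegal's method or tooling. The scale endpoints follow the article (probability 1 = once every ten years, 5 = several times a year; consequence 1 = around $7,000, 5 = $1.5 million); the intermediate thresholds, the three risk scenarios with their figures, and the accepted level of 20 are constructed assumptions. It also shows the residual risk after the two ransomware measures mentioned above (harder entry lowers the frequency, harder internal spread lowers the loss).

```python
"""Simple NIS2-style risk register: 1-5 scales, R = P x C, consolidated
risk against an accepted level, and residual risk after mitigation.
Added example; scale thresholds and figures are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass, replace

# (score, upper bound in expected events per year, description) -- constructed
PROBABILITY_SCALE = [
    (1, 0.1, "about once every ten years"),
    (2, 0.34, "about once every three years"),
    (3, 1.0, "about once a year"),
    (4, 2.0, "a couple of times a year"),
    (5, float("inf"), "several times a year"),
]

# (score, lower bound of direct loss in USD, description) -- constructed
IMPACT_SCALE = [
    (1, 0, "around $7,000: absorbed within normal operations"),
    (2, 50_000, "noticeable but manageable"),
    (3, 250_000, "serious"),
    (4, 750_000, "severe"),
    (5, 1_500_000, "$1.5 million or more: continued operation in doubt"),
]


def probability_score(events_per_year: float) -> int:
    """Map an estimated frequency to the 1-5 probability scale."""
    for score, upper, _label in PROBABILITY_SCALE:
        if events_per_year <= upper:
            return score
    return 5


def impact_score(loss_usd: float) -> int:
    """Map an estimated direct financial loss to the 1-5 consequence scale."""
    for score, lower, _label in reversed(IMPACT_SCALE):
        if loss_usd >= lower:
            return score
    return 1


@dataclass(frozen=True)
class Risk:
    """One register entry: an event (with its likelihood) and its adverse effect."""
    name: str
    events_per_year: float  # likelihood estimate
    loss_usd: float         # direct impact estimate

    @property
    def probability(self) -> int:
        return probability_score(self.events_per_year)

    @property
    def consequence(self) -> int:
        return impact_score(self.loss_usd)

    @property
    def value(self) -> int:
        """R = P x C, the value used for ranking and acceptance."""
        return self.probability * self.consequence


def mitigate(risk: Risk, *, events_per_year: float | None = None,
             loss_usd: float | None = None) -> Risk:
    """Residual risk after measures that lower probability, consequence, or both."""
    return replace(
        risk,
        events_per_year=risk.events_per_year if events_per_year is None else events_per_year,
        loss_usd=risk.loss_usd if loss_usd is None else loss_usd,
    )


def total_risk(register: list[Risk]) -> int:
    """Consolidated risk: the sum of all risk values in the register."""
    return sum(r.value for r in register)


def exceeds_accepted_level(register: list[Risk], accepted_level: int) -> bool:
    return total_risk(register) > accepted_level


def example_register() -> list[Risk]:
    """Constructed scenarios; figures are illustrative only."""
    return [
        Risk("Ransomware via phishing on office network", 4.0, 300_000),  # P5 x C3 = 15
        Risk("Extended power outage at primary site", 0.1, 2_000_000),    # P1 x C5 = 5
        Risk("Credential theft from a single user", 3.0, 20_000),         # P5 x C1 = 5
    ]


def report(register: list[Risk], accepted_level: int) -> list[str]:
    """Ranked register plus a verdict on the consolidated risk."""
    lines = [f"{r.name}: P={r.probability} C={r.consequence} R={r.value}"
             for r in sorted(register, key=lambda r: r.value, reverse=True)]
    verdict = "exceeds" if exceeds_accepted_level(register, accepted_level) else "within"
    lines.append(f"Total {total_risk(register)} {verdict} accepted level {accepted_level}")
    return lines


if __name__ == "__main__":
    ACCEPTED_LEVEL = 20  # constructed; set by board and management in practice
    register = example_register()
    print("\n".join(report(register, ACCEPTED_LEVEL)))
    # Harder entry (lower frequency) and harder internal spread (lower loss)
    residual = [mitigate(register[0], events_per_year=1.5, loss_usd=60_000), *register[1:]]
    print("\n".join(report(residual, ACCEPTED_LEVEL)))
```

Run as a script, it prints the ranked register twice: first with a total of 25, which exceeds the constructed accepted level of 20, then with the ransomware scenario reduced to P=4, C=2 (R=8), which brings the total to 18. The two other entries share the value 5 while differing completely in character (rare but severe versus frequent but minor), which is why a register should be read entry by entry and not only by its total.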

What else can be done?

What is described in this text is a simple model for risk management, suitable as a starting point for identifying risks and working on them. More advanced methods exist for calculating the cost of risk and linking it to the return on security investment (RoSI). However, this is not a requirement in NIS2.

Cegal and risk management

Cegal's information and cyber security consultants have experience in establishing information security management systems for compliance with both NIS and other regulatory frameworks. This includes establishing governance in risk management.

Our consultants also have experience in leading risk workshops to identify and document the risks that exist for your business, in collaboration with your business.

Do you want to talk about NIS2? We are ready to help!
