Design Networks with Cybersecurity Risk in Mind

Without any doubt, cybersecurity risk is an increasingly critical component of overall IT risk, which is why it is one of the top concerns of today’s organizations in cyberspace. At the same time, architecting and designing networks is key to achieving successful IT solutions.

This blog aims to focus on an area that is not commonly covered: the mapping between cybersecurity risks and network design, and how the different cybersecurity risks can be translated into design considerations. This is key to producing a network design that is not only secure, but that also helps to minimize cybersecurity risk.

Please note there is a difference between managing cybersecurity risk and preventing cyberattacks. If you focus mainly on how to prevent attacks, you are simply designing to fail at some stage. Why? This is what we will find out throughout this blog series.

Part 1 of this blog series focuses on the drivers, concepts and methodologies that pertain to risk and to managing risk in the context of cybersecurity.

We all know that if we are connected to the internet, we are exposed to countless risks.

So what does “risk” mean in the context of cybersecurity?

Risk, in cybersecurity, refers to the relationship or interaction between a threat and the likelihood that this threat, or a threat agent, will exploit a vulnerability.


Cybersecurity risk management, on the other hand, is the process of identifying, assessing and minimizing or mitigating risks to an adequate level.

You might be wondering: why minimize or mitigate the risk rather than eliminate it completely?

Simply because there is no system or environment that is 100% risk free or 100% secure; therefore, we always have some risk to deal with.

If you know the enemy, and know yourself, you need not fear the result of 100 battles.

If you know yourself, but not the enemy, for every victory gained, you’ll also suffer defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.

These philosophies are from the Chinese general and philosopher Sun Tzu’s The Art of War, a Chinese military treatise dating back to the 5th century B.C. Incredibly enough, over 2,500 years later, these points are all applicable to the cybersecurity era.

Therefore, even though there is no absolute or standardized formula to measure risk, it is indispensable that you have a very good awareness of your risk environment (“know your enemy”), along with your vulnerabilities and the likelihood that a threat event will occur (“know yourself”).

Note: although there are a few commonly accepted risk management frameworks, such as ISO 31000:2009, NIST RMF and ISACA Risk IT, it is up to an organization or entity to adopt any or none of them.

A threat is typically a danger that can impact or damage your assets: fires, floods, hackers accessing a system, malware infecting your systems, your server crashing without backups to fall back on, someone accidentally pulling the plug on an important network node or server, or even power cables connected in a messy way like the ones shown in the figure below.


On the other hand, threat agents or actors are the ones who carry out the threats.

Yes, a hacker is the first thing that comes to mind in today’s cyberspace, but mother nature, through earthquakes, tornadoes, fires and floods, is also a form of threat agent.

A vulnerability is a weakness or a flaw in a program, a device, a network, or even a person. Weak authentication checks, default username and password combinations, incorrectly configured firewalls, and even a gullible or naive employee are all vulnerabilities.

When threat actors carry out a threat, they are typically seeking to exploit a vulnerability. And, as mentioned above, risk is the likelihood of a threat actor exploiting a vulnerability.

Note: exploit can be a verb, meaning to take advantage of a vulnerability to penetrate a system, or a noun, meaning the tool or method used to do so.

In order to determine your risk posture, you must have a good awareness of where you are vulnerable, to what and to whom, along with the likelihood of a threat actor exploiting your vulnerabilities. Typically, there are two main risk sources: technical risks and human/process risks.

Note: since this blog focuses on cybersecurity and not on information security in general, physical risk will not be discussed.

Estimating the Risk

This section provides an oversimplified overview of how to build a risk estimation matrix.


As we know, technical and human risks are the two key factors in your risk analysis; you may also consider your intellectual property and trade secrets in this context.

In order to build an estimated cybersecurity risk analysis, you need to consider the following steps. This process is based on the qualitative risk assessment methodology, where the assessment and its results are more subjective and opinion based; however, it is simpler to use for building a foundational estimate that supports your design decisions later:

  • Identify the possible threats and threat actors: first, you need to know your enemy, by identifying the possible threats and threat actors.
  • Identify and define vulnerabilities: second, you need to know yourself, in terms of the existing or potential vulnerabilities, which you can obtain from different sources such as a penetration testing report.
  • Threat-to-vulnerability mapping: simply put, a threat without a vulnerability will not create a risk. Likewise, a vulnerability without a threat has no risk to be concerned about. Therefore, ensuring there is a mapping between threats and vulnerabilities is key in the cybersecurity risk management process, because it confirms there is a risk that we need to address.
  • Identify the magnitude of a threat and its impact value: it is important to identify the critical assets that could be compromised, stolen or damaged by a cyber-attack and to measure the impact the expected cyber-attack would have. As part of this exercise you may find that one incident induces several different impacts; ideally, each should be analyzed under its own deliberate risk analysis process.
  • Business impact assessment: at this stage, you should be able to define an impact assessment estimate that measures the impact expected from the different threats you have identified that could exploit the vulnerabilities you have identified. The following chart illustrates an oversimplified sample mapping of threat likelihood against the expected impact magnitude. For instance, you might have identified that one of your web applications has a vulnerability that an attacker can exploit using SQL injection; however, this web application is not critical, and therefore its impact is low.


Taking the above into consideration, you can build a risk assessment heat map to identify where you have high, medium and low risk, which you can then use in your design process. For example, you may have built security measures against ransomware attacks to reduce the likelihood of one taking place; nevertheless, its likelihood can still be rated as medium because you have not built strong user cybersecurity awareness. As a result, its total risk will be high.
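The five estimation steps above, worked through as an added Python example (not the blog's own tool): the threat and vulnerability entries, the likelihood and impact ratings and the 3x3 scoring thresholds are all constructed assumptions. It also covers the two cases the text says create no risk, a threat with no mapped vulnerability and a vulnerability with no mapped threat, and reproduces the SQL injection (low impact) and ransomware (medium likelihood, high total risk) examples from the text.

```python
# Qualitative risk register and heat map (added example, not the blog's tool; all entries constructed).
from collections import defaultdict

LEVELS = {"low": 1, "medium": 2, "high": 3}

# Step 1, "know your enemy": constructed threats with an estimated likelihood.
THREATS = {
    "sql_injection": {"likelihood": "high"},
    "ransomware": {"likelihood": "medium"},  # controls exist, but user awareness is weak
    "ddos": {"likelihood": "medium"},        # no vulnerability mapped to it below
}
# Step 2, "know yourself": constructed vulnerabilities and the impact on their asset.
VULNERABILITIES = {
    "unsanitized_web_input": {"asset": "non-critical web app", "impact": "low"},
    "weak_user_awareness": {"asset": "file servers", "impact": "high"},
    "default_switch_password": {"asset": "lab switch", "impact": "medium"},  # no threat mapped
}
# Step 3: threat-to-vulnerability mapping; anything left unmapped creates no risk.
MAPPING = [("sql_injection", "unsanitized_web_input"), ("ransomware", "weak_user_awareness")]

def risk_rating(likelihood, impact):
    """3x3 matrix: multiply the two ratings, then bucket into low/medium/high."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def build_register(threats, vulns, mapping):
    """Steps 4 and 5: rate every mapped pair using threat likelihood and asset impact."""
    register = []
    for threat, vuln in mapping:
        likelihood, impact = threats[threat]["likelihood"], vulns[vuln]["impact"]
        register.append({"threat": threat, "vulnerability": vuln, "asset": vulns[vuln]["asset"],
                         "likelihood": likelihood, "impact": impact, "risk": risk_rating(likelihood, impact)})
    return register

def unmapped(threats, vulns, mapping):
    """Threats with no vulnerability and vulnerabilities with no threat: nothing to rate."""
    mapped_t, mapped_v = {t for t, _ in mapping}, {v for _, v in mapping}
    return sorted(set(threats) - mapped_t), sorted(set(vulns) - mapped_v)

def heat_map(register):
    """Group register entries by (likelihood, impact) cell, as in a heat map chart."""
    cells = defaultdict(list)
    for entry in register:
        cells[(entry["likelihood"], entry["impact"])].append(entry["threat"])
    return dict(cells)

if __name__ == "__main__":
    for e in build_register(THREATS, VULNERABILITIES, MAPPING):
        print(e["risk"], e["threat"], "->", e["vulnerability"], f"({e['asset']})")
    print("no risk (unmapped):", unmapped(THREATS, VULNERABILITIES, MAPPING))
```

Changing a rating in THREATS or VULNERABILITIES (for example raising user awareness so the ransomware likelihood drops to low) shows how a single control moves an entry across the heat map.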


Risk Handling Decision

As an executive, manager, architect or designer, one of your key responsibilities is to control risk in order to protect your team, organization or customers in the cybersecurity era. Controlling risk can take different forms, through policies and procedures or by following certain architecture and design principles.

Following the risk analysis process, you should have a good understanding of the possible and critical threats, threat actors and vulnerabilities, along with their impact magnitude based on the likelihood of a threat exploiting a vulnerability, taking into account the value of the assets being assessed.

It is time to make a decision on countermeasures with regard to the risk(s). Organizations typically deal with risks in different ways, based on the assets’ value and the possible impact magnitude of the threat(s). The following summarizes the common risk handling options:

Mitigate: mitigation aims to overcome or reduce the deficiency that creates vulnerabilities, and/or to leverage other mechanisms that minimize and control the risk from those vulnerabilities to a level acceptable enough to continue conducting business. As mentioned earlier in this blog, we can eliminate some vulnerabilities and block some threats, but this will never be 100%. For instance, encryption, hashing, firewalls, IPS systems and other controls can all reduce the risk, but we always have some risk left to deal with. The remaining risk is commonly referred to as “residual risk”.


In other words, conceptually rather than mathematically: total risk – countermeasures = residual risk.

The key question is: what level of residual risk does an organization find acceptable?

Transfer: although you won’t be able to transfer the responsibilities of your organization, in the context of cybersecurity risk you can transfer the risk. Just like your car insurance, a few insurance companies offer insurance for cybersecurity events. This is becoming common when an organization finds that the total risk is too high to gamble with and/or it does not have the expertise to put robust, continuous mitigation systems and strategies in place; transferring the risk to an insurance company can then be a better and safer option. The other possible option here is the use of cloud provider services (e.g. SaaS), in which the cloud provider is now responsible for securing your data using their standards and policies.

Avoid: simply put, avoidance is about no longer doing something that might expose you to a risk. For instance, you may have a legacy web server with numerous vulnerabilities that an attacker can take advantage of to enter your network and scan for other systems. Instead of spending time and money trying to identify and fix these vulnerabilities, with the possibility that some fixes may not work, you may find it more feasible to disconnect this web server to avoid the risk (assuming the business functions of this server can be handled by another system).

Accept: in some special cases, where the cost of fixing a vulnerability outweighs the asset’s value in terms of cost and its criticality to the company, you may decide to accept the risk, on the basis that the costs associated with fixing and mitigating are high while the probability of a cybersecurity attack and its potential impact are both low. That being said, accepting a cybersecurity risk is not a simple decision to make, because it must be a business decision, and typically senior executives need to be involved to approve it.

Part 2 of this blog will focus on how to utilize and incorporate all the discussed concepts to architect a secure network design that aims to minimize cybersecurity risks.

Marwan Al-shawi – CCDE No. 20130066, Google Cloud Certified Architect, AWS Certified Solutions Architect, Cisco Press author (author of the top Cisco certification design books, “CCDE Study Guide” and the upcoming “CCDP Arch 4th Edition”). He is an experienced technical architect. Marwan has been in the networking industry for more than 12 years and has been involved in architecting, designing and implementing various large-scale networks, some of which are global service provider-grade networks. Marwan holds a Master of Science degree in internetworking from the University of Technology, Sydney. Marwan enjoys helping and assessing others; therefore, he was selected as a Cisco Designated VIP by the Cisco Support Community (CSC) (official Cisco Systems forums) in 2012, and by the Solutions and Architectures subcommunity in 2014. In addition, Marwan was selected as a member of the Cisco Champions program in 2015 and 2016.