
5.4 Summarize risk management processes and concepts

Last edited 871 days ago by Makiel [Muh-Keel].
Organizations face an almost dizzying array of cybersecurity risks, ranging from the reputational and financial damage associated with a breach of personal information to the operational issues caused by a natural disaster.
The discipline of risk management seeks to bring order to the process of identifying and addressing these risks.

Analyzing Risk

We operate in a world full of risks. If you left your home and drove to your office this morning, you encountered a large number of risks.
You could have been involved in an automobile accident, encountered a train delay, or been struck by a bicycle on the sidewalk.
Before we move too deeply into the risk assessment process, let's define a few important terms that we'll use during our discussion:
Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems.
Vulnerabilities are weaknesses in our systems or controls that could be exploited by a threat.
Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability.
A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
Let's consider another example drawn from the cybersecurity domain. Organizations regularly conduct vulnerability scans designed to identify potential vulnerabilities in their environment.
One of these scans might identify a server that exposes TCP port 22 to the world, allowing brute-force SSH attempts by an attacker. Exposing port 22 presents a vulnerability to a brute-force attack.
An attacker with a brute-force scanning tool presents a threat. The combination of the port exposure and the existence of attackers presents a risk.

🆔 Risk Identification

The risk identification process requires identifying the threats and vulnerabilities that exist in your operating environment. These risks may come from a wide variety of sources ranging from hackers to hurricanes.
External risks are those risks that originate from a source outside the organization.
This is an extremely broad category of risk, including cybersecurity adversaries, malicious code, and natural disasters, among many other types of risk.
Internal risks are those risks that originate from within the organization.
They include malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.
Multiparty risks are those that impact more than one organization. For example, a power outage to a city block is a multiparty risk because it affects all of the buildings on that block.
Similarly, the compromise of a SaaS provider's database is a multiparty risk because it compromises the information of many different customers of the SaaS provider.
Legacy systems pose a unique type of risk to organizations.
These outdated systems often do not receive security updates and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.
Intellectual property (IP) theft risks occur when a company possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization's business advantage.
Software compliance/licensing risks occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk.
Legal Risks:
Lawsuits: Software vendors can sue organizations that use their software without a proper license. Such lawsuits can result in significant financial penalties and damage to the organization's reputation.
Financial Risks:
Unbudgeted Costs: Non-compliance discovered during an audit can lead to unbudgeted expenses, such as the need to purchase additional licenses or pay fines.
Increased Renewal Costs: Organizations found in non-compliance might face higher costs when renewing their software licenses or may lose volume discount benefits.

💬 Risk Management Strategies

Risk Management is the process of identifying, assessing, and prioritizing risks, followed by the application of resources to minimize, monitor, and control the probability or impact of adverse events.
A risk assessment, as a core component of risk management, serves two primary roles:
Identification and Analysis of Risks:
Identification: This is the process of recognizing potential threats or vulnerabilities that could negatively impact an organization's ability to conduct business.
These risks could be financial, operational, reputational, or related to other aspects of the business.
Analysis: Once risks are identified, they need to be analyzed to understand their potential severity and the likelihood of them occurring.
This often involves quantifying the risks in terms of potential damage and the probability of occurrence.
The result is often a risk matrix or similar tool that ranks and prioritizes risks.
Determination of Appropriate Mitigation Strategies:
Evaluation: After analyzing the risks, the organization evaluates which risks are acceptable and which need to be addressed.
This often involves comparing the risks to a predefined acceptable risk level.
Mitigation Strategy Development: For risks that are deemed unacceptable, the organization develops strategies to mitigate them.
This could involve implementing new technologies, changing business processes, or purchasing insurance.
The chosen strategies should be cost-effective, meaning the cost of implementing the strategy should be less than the potential damage from the risk.
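As an added worked example (not part of the original notes), the quantification, risk-matrix ranking and cost-effectiveness rule described above, applied to a constructed risk register. It assumes likelihood is an estimated annual probability, impact is an estimated dollar loss, control_cost is the annual cost of the candidate mitigation, and the risk tolerance threshold is a constructed value.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a risk register (constructed sample data, not from the notes)."""
    name: str
    likelihood: float    # estimated annual probability of occurrence, 0..1 (assumption)
    impact: float        # estimated damage in dollars if the risk materializes (assumption)
    control_cost: float  # annual cost of the mitigation being considered (assumption)

    def expected_loss(self) -> float:
        """Quantified risk: probability of occurrence times potential damage."""
        return self.likelihood * self.impact


def matrix_cell(r: Risk) -> str:
    """Bucket the risk into a 3x3 likelihood/impact matrix (thresholds are assumptions)."""
    lik = "high" if r.likelihood >= 0.5 else "medium" if r.likelihood >= 0.1 else "low"
    imp = "high" if r.impact >= 1_000_000 else "medium" if r.impact >= 100_000 else "low"
    return f"{lik}-likelihood/{imp}-impact"


def recommend(r: Risk, risk_tolerance: float) -> str:
    """Apply the notes' decision rules: accept risks already within tolerance,
    mitigate only when the control costs less than the expected loss, otherwise
    look at transferring (e.g. insurance) or simply accepting the risk."""
    loss = r.expected_loss()
    if loss <= risk_tolerance:
        return "accept"
    if r.control_cost < loss:
        return "mitigate"
    return "transfer or accept"


def prioritize(risks: list[Risk], risk_tolerance: float) -> list[tuple]:
    """Rank the register by expected loss (highest first) with matrix cell and strategy."""
    ranked = sorted(risks, key=lambda r: r.expected_loss(), reverse=True)
    return [(r.name, round(r.expected_loss()), matrix_cell(r), recommend(r, risk_tolerance))
            for r in ranked]


# Constructed register: values are illustrative, not measurements.
REGISTER = [
    Risk("SSH brute force on exposed port 22", likelihood=0.6, impact=250_000, control_cost=5_000),
    Risk("Datacenter flood", likelihood=0.02, impact=5_000_000, control_cost=400_000),
    Risk("Minor annual software glitch", likelihood=1.0, impact=2_000, control_cost=30_000),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER, risk_tolerance=10_000):
        print(row)
```

The flood entry shows the transference case: its expected loss exceeds tolerance but the mitigation costs more than the loss it prevents, which is exactly the situation where insurance is considered.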

The choice of strategy often depends on the risk's severity, likelihood of occurrence, and the organization's risk tolerance. Here's a detailed look at the four primary risk management strategies:

Risk Mitigation

Risk Mitigation is the process of applying security controls to reduce the probability and/or magnitude of a risk.
Risk mitigation is the most common risk management strategy and the vast majority of the work of security professionals revolves around mitigating risks through the design, implementation, and management of security controls.
Many of these controls involve engineering tradeoffs between functionality, performance, and security.
Mitigation:
Definition: Mitigation involves implementing measures to reduce the likelihood or impact of a risk. It doesn't eliminate the risk entirely but seeks to bring it down to an acceptable level.
Application: This strategy is commonly used for risks that are likely to occur and have a moderate to high impact.
For instance, to mitigate the risk of data breaches, a company might implement encryption, multi-factor authentication, and regular security audits.
Advantages: Allows organizations to continue their operations or projects while managing the risk to an acceptable level.
Challenges: Requires ongoing effort and resources, and there's no guarantee that the mitigation measures will be entirely effective.
Example: A company operating an e-commerce website identifies the risk of cyberattacks.
To mitigate this risk, they implement a range of security measures, such as firewalls, intrusion detection systems, and regular security audits.
While these measures don't guarantee the site won't be attacked, they significantly reduce the likelihood and potential impact of such an event.

Risk Avoidance

Risk avoidance is a risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize.
Definition: Avoidance involves changing plans or strategies to entirely avoid the risk.
Application: Used for risks with catastrophic potential impacts or those that exceed the organization's risk tolerance. For example, if a company identifies a high risk associated with launching a product in a particular country due to regulatory concerns, it might decide not to launch the product there at all.
Advantages: Completely eliminates the specific risk.
Challenges: Might result in missed opportunities or the need to redirect significant resources.
Example: A software company discovers that a feature they planned to add to their product has potential legal implications in certain jurisdictions.
Instead of facing potential lawsuits, the company decides not to implement that feature, thus avoiding the risk entirely.

Risk Transference

Risk Transference shifts some of the impact of a risk from the organization experiencing the risk to another entity. The most common example of risk transference is purchasing an insurance policy that covers a risk.
Definition: Transference involves shifting the risk to a third party. This doesn't eliminate the risk but transfers the responsibility of managing it.
Application: Commonly used in the form of insurance policies or outsourcing agreements. For instance, an organization might purchase cyber insurance to transfer the financial risks associated with potential data breaches.
Advantages: Reduces the organization's direct responsibility for the risk and can provide financial protection.
Challenges: There's usually a cost involved, and not all risks can be transferred. Additionally, the third party might not manage the risk effectively.
Example: A company recognizes the financial risk of potential damages from natural disasters at their headquarters.
They decide to purchase insurance. In this case, while the risk of a natural disaster remains, the financial burden of any damages would be transferred to the insurance company.

Risk Acceptance

Risk Acceptance is the final risk management strategy and it boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.
A risk acceptance approach may be warranted if the cost of mitigating a risk is greater than the impact of the risk itself.
Risk acceptance is a deliberate decision that comes as the result of a thoughtful analysis. It should not be undertaken as a default strategy!
Definition: Acceptance means recognizing the risk and making a deliberate decision to accept it without taking specific actions to avoid, transfer, or mitigate it.
Application: Typically used for risks that are unlikely to occur or have a low impact. For instance, a business might accept the risk of a rare, minor software glitch if the cost of fixing it outweighs the potential impact.
Advantages: No immediate resource expenditure on mitigation or transference.
Challenges: The organization must be prepared to deal with the consequences if the risk materializes.
Example: A small business identifies a risk in software they use: there's a minor bug that could cause a slight delay in their operations once a year.
However, fixing the bug would be costly and time-consuming.
The business decides to accept the risk, understanding that the potential operational delay's impact is minimal and can be managed.

Risk Analysis

Risk Analysis is the process of identifying and assessing potential risks to determine their magnitude and likelihood. It helps organizations understand the nature of the risk, its potential impact, and the probability of its occurrence.
Definition: Risk analysis is the process of identifying and assessing potential risks to determine their magnitude and likelihood.
It helps organizations understand the nature of the risk, its potential impact, and the probability of its occurrence.
Components: Risk analysis typically involves:
Risk Identification: Spotting and documenting potential risks.