Organizations face an almost dizzying array of cybersecurity risks, ranging from the reputational and financial damage associated with a breach of personal information to the operational issues caused by a natural disaster.
The discipline of risk management seeks to bring order to the process of identifying and addressing these risks.
Analyzing Risk
We operate in a world full of risks. If you left your home and drove to your office this morning, you encountered a large number of risks.
You could have been involved in an automobile accident, encountered a train delay, or been struck by a bicycle on the sidewalk. Before we move too deeply into the risk assessment process, let's define a few important terms that we'll use during our discussion:
Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems.
Vulnerabilities are weaknesses in our systems or controls that could be exploited by a threat.
Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
Let's consider another example drawn from the cybersecurity domain. Organizations regularly conduct vulnerability scans designed to identify potential vulnerabilities in their environment. One of these scans might identify a server that exposes TCP port 22 to the world, allowing brute-force SSH attempts by an attacker. Exposing port 22 presents a vulnerability to a brute-force attack. An attacker with a brute-force scanning tool presents a threat. The combination of the port exposure and the existence of attackers presents a risk.
🆔 Risk Identification
The risk identification process requires identifying the threats and vulnerabilities that exist in your operating environment. These risks may come from a wide variety of sources ranging from hackers to hurricanes.
External risks are those risks that originate from a source outside the organization. This is an extremely broad category of risk, including cybersecurity adversaries, malicious code, and natural disasters, among many other types of risk.
Internal risks are those risks that originate from within the organization. They include malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.
Multiparty risks are those that impact more than one organization. For example, a power outage to a city block is a multiparty risk because it affects all of the buildings on that block. Similarly, the compromise of a SaaS provider's database is a multiparty risk because it compromises the information of many different customers of the SaaS provider.
Legacy systems pose a unique type of risk to organizations. These outdated systems often do not receive security updates, and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.
Intellectual property (IP) theft risks occur when a company possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization's business advantage.
Software compliance/licensing risks occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk. These risks take several forms:
Lawsuits: Software vendors can sue organizations that use their software without a proper license. Such lawsuits can result in significant financial penalties and damage to the organization's reputation.
Unbudgeted Costs: Non-compliance discovered during an audit can lead to unbudgeted expenses, such as the need to purchase additional licenses or pay fines.
Increased Renewal Costs: Organizations found in non-compliance might face higher costs when renewing their software licenses or may lose volume discount benefits.
💬 Risk Management Strategies
Risk Management is the process of identifying, assessing, and prioritizing risks, followed by the application of resources to minimize, monitor, and control the probability or impact of adverse events.
A risk assessment, as a core component of risk management, serves two primary roles:
Identification and Analysis of Risks
Identification: This is the process of recognizing potential threats or vulnerabilities that could negatively impact an organization's ability to conduct business. These risks could be financial, operational, reputational, or related to other aspects of the business.
Analysis: Once risks are identified, they need to be analyzed to understand their potential severity and the likelihood of them occurring. This often involves quantifying the risks in terms of potential damage and the probability of occurrence. The result is often a risk matrix or similar tool that ranks and prioritizes risks.
Determination of Appropriate Mitigation Strategies
Evaluation: After analyzing the risks, the organization evaluates which risks are acceptable and which need to be addressed. This often involves comparing the risks to a predefined acceptable risk level.
Mitigation Strategy Development: For risks that are deemed unacceptable, the organization develops strategies to mitigate them. This could involve implementing new technologies, changing business processes, or purchasing insurance. The chosen strategies should be cost-effective, meaning the cost of implementing the strategy should be less than the potential damage from the risk.
The choice of strategy often depends on the risk's severity, likelihood of occurrence, and the organization's risk tolerance. Here's a detailed look at the four primary risk management strategies:
Risk Mitigation
Risk Mitigation is the process of applying security controls to reduce the probability and/or magnitude of a risk.
Risk mitigation is the most common risk management strategy, and the vast majority of the work of security professionals revolves around mitigating risks through the design, implementation, and management of security controls. Many of these controls involve engineering tradeoffs between functionality, performance, and security.
Definition: Mitigation involves implementing measures to reduce the likelihood or impact of a risk. It doesn't eliminate the risk entirely but seeks to bring it down to an acceptable level.
Application: This strategy is commonly used for risks that are likely to occur and have a moderate to high impact. For instance, to mitigate the risk of data breaches, a company might implement encryption, multi-factor authentication, and regular security audits.
Advantages: Allows organizations to continue their operations or projects while managing the risk to an acceptable level.
Challenges: Requires ongoing effort and resources, and there's no guarantee that the mitigation measures will be entirely effective.
Example: A company operating an e-commerce website identifies the risk of cyberattacks. To mitigate this risk, they implement a range of security measures, such as firewalls, intrusion detection systems, and regular security audits. While these measures don't guarantee the site won't be attacked, they significantly reduce the likelihood and potential impact of such an event.
Risk Avoidance
Risk avoidance is a risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize.
Definition: Avoidance involves changing plans or strategies to entirely avoid the risk.
Application: Used for risks with catastrophic potential impacts or those that exceed the organization's risk tolerance. For example, if a company identifies a high risk associated with launching a product in a particular country due to regulatory concerns, it might decide not to launch the product there at all.
Advantages: Completely eliminates the specific risk.
Challenges: Might result in missed opportunities or the need to redirect significant resources.
Example: A software company discovers that a feature they planned to add to their product has potential legal implications in certain jurisdictions. Instead of facing potential lawsuits, the company decides not to implement that feature, thus avoiding the risk entirely.
Risk Transference
Risk Transference shifts some of the impact of a risk from the organization experiencing the risk to another entity. The most common example of risk transference is purchasing an insurance policy that covers a risk.
Definition: Transference involves shifting the risk to a third party. This doesn't eliminate the risk but transfers the responsibility of managing it.
Application: Commonly used in the form of insurance policies or outsourcing agreements. For instance, an organization might purchase cyber insurance to transfer the financial risks associated with potential data breaches.
Advantages: Reduces the organization's direct responsibility for the risk and can provide financial protection.
Challenges: There's usually a cost involved, and not all risks can be transferred. Additionally, the third party might not manage the risk effectively.
Example: A company recognizes the financial risk of potential damages from natural disasters at their headquarters. They decide to purchase insurance. In this case, while the risk of a natural disaster remains, the financial burden of any damages would be transferred to the insurance company.
Risk Acceptance
Risk Acceptance is the final risk management strategy and it boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.
A risk acceptance approach may be warranted if the cost of mitigating a risk is greater than the impact of the risk itself.
Risk acceptance is a deliberate decision that comes as the result of a thoughtful analysis. It should not be undertaken as a default strategy!
Definition: Acceptance means recognizing the risk and making a deliberate decision to accept it without taking specific actions to avoid, transfer, or mitigate it.
Application: Typically used for risks that are unlikely to occur or have a low impact. For instance, a business might accept the risk of a rare, minor software glitch if the cost of fixing it outweighs the potential impact.
Advantages: No immediate resource expenditure on mitigation or transference.
Challenges: The organization must be prepared to deal with the consequences if the risk materializes.
Example: A small business identifies a risk in software they use: there's a minor bug that could cause a slight delay in their operations once a year. However, fixing the bug would be costly and time-consuming. The business decides to accept the risk, understanding that the potential operational delay's impact is minimal and can be managed.
Risk Analysis
Risk Analysis is the process of identifying and assessing potential risks to determine their magnitude and likelihood. It helps organizations understand the nature of the risk, its potential impact, and the probability of its occurrence.
Components: Risk analysis typically involves:
Risk Identification: Spotting and documenting potential risks.
Risk Assessment: Evaluating the potential severity of the risk and its likelihood.
Risk Prioritization: Ranking risks based on their potential impact and likelihood to determine which risks need immediate attention.
Inherent Risk
Definition: Inherent risk refers to the level of risk that exists in the absence of any controls or mitigation measures. It represents the natural level of risk present in a specific activity or process without considering any interventions.
Example: Consider a bank that offers online banking services. The inherent risk might include potential cyberattacks or fraud. This risk level is considered before implementing any security measures like encryption or two-factor authentication.
Residual Risk
Definition: Residual risk is the level of risk remaining after controls and mitigation measures have been implemented. It's the risk that persists even after efforts have been made to reduce or manage the inherent risk.
Example: Continuing with the online banking scenario, after the bank implements various security measures (like firewalls, encryption, and fraud detection systems), the remaining risk (like the chance of a new, unforeseen type of cyberattack) represents the residual risk.
Risk Appetite
Definition: Risk appetite is the amount and type of risk an organization is willing to take in order to meet its strategic objectives. It's a reflection of the organization's risk tolerance and is often influenced by the organization's culture, strategy, and external environment.
Application: Risk appetite can be expressed in various ways, such as qualitative descriptions (e.g., "low tolerance for operational risks") or quantitative measures (e.g., "willing to accept a potential loss of up to $1 million annually"). It serves as a guide for decision-making, helping organizations decide which risks to accept, avoid, mitigate, or transfer.
Example: A startup tech company might have a high risk appetite, willing to take significant risks for potential high rewards. In contrast, a well-established financial institution might have a low risk appetite, prioritizing stability and long-term growth over short-term gains.
These three concepts are connected by the way that an organization manages risk.
An organization begins with its inherent risk and then implements risk management strategies to reduce that level of risk. It continues doing so until the residual risk is at or below the organization's risk appetite.
Risk Awareness
Risk awareness refers to the knowledge and understanding among individuals and organizations about potential threats, vulnerabilities, and the potential consequences they might face due to these risks.
It encompasses the recognition of the sources of risks, the potential impact of those risks, and the understanding of measures to mitigate them.
Organizations must understand the risks they face and the controls they can implement to manage those risks. They must also conduct regular risk control assessments and self-assessments to determine whether those controls continue to operate effectively.
Risk Register
A risk register, also known as a risk log, is a risk management tool used to identify, assess, and track risks associated with a project or an organization.
It serves as a centralized repository for all identified risks and provides a structured way to document and manage them.
Scope
Provides a detailed view of each risk, capturing a wide range of information. Includes not just likelihood and impact, but also other details like risk causes, mitigation strategies, risk owners, and review dates.
Usage
A risk register is a comprehensive document or database that lists all identified risks, along with details about each risk, such as its description, cause, mitigation strategy, owner, and status. It serves as a centralized repository for tracking and managing risks throughout their lifecycle.
The risk register is a living document that is updated regularly as new risks emerge, old risks are mitigated, or the understanding of existing risks changes.
Risk Matrix / Heat Map
A Risk Matrix is a visual tool used to assess and prioritize risks based on their likelihood of occurrence and potential impact.
It helps in visualizing and understanding the severity of risks, allowing stakeholders to focus on the most significant threats.
Scope
Focuses on two main dimensions: likelihood and impact. Provides a high-level overview of risks based on these dimensions.
Usage
Often used in discussions or presentations to quickly convey the severity and prioritization of risks to stakeholders. Helps in decision-making by visually highlighting which risks require immediate attention.
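To tie the inherent risk, residual risk and risk appetite discussion together with the risk register and the risk matrix, here is an added worked example (not code from the original notes): a small register whose rows carry the fields listed above (description, cause, owner, strategy, controls, review date), a 5x5 likelihood-by-impact matrix that scores each risk before and after controls, a check of which residual ratings still exceed the organization's appetite, and a heat-map grouping of the residual positions. The scales, the score bands and the four sample risks (drawn from the scenarios in the text, such as the Internet-exposed SSH port and the once-a-year software glitch) are constructed assumptions; real organizations define their own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed 5-point scales for the two risk-matrix dimensions (an assumption;
# organizations define their own scales and banding).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATINGS = ["low", "medium", "high", "critical"]  # ordered from least to most severe


def score(likelihood: str, impact: str) -> int:
    """Risk matrix cell value: likelihood level x impact level (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(s: int) -> str:
    """Band a matrix score into a heat-map colour; the thresholds are an assumption."""
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    """One row of the risk register."""
    risk_id: str
    description: str
    cause: str
    owner: str
    strategy: str                      # mitigate, avoid, transfer or accept
    inherent_likelihood: str
    inherent_impact: str
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[str] = None  # None: controls did not move this axis
    residual_impact: Optional[str] = None
    review_date: str = ""

    def inherent_score(self) -> int:
        return score(self.inherent_likelihood, self.inherent_impact)

    def residual_position(self) -> tuple:
        """(likelihood level, impact level) after controls; an unchanged axis keeps its inherent value."""
        return (LIKELIHOOD[self.residual_likelihood or self.inherent_likelihood],
                IMPACT[self.residual_impact or self.inherent_impact])

    def residual_score(self) -> int:
        lik, imp = self.residual_position()
        return lik * imp


class RiskRegister:
    """Central repository of risks plus the organization's risk appetite."""

    def __init__(self, appetite: str):
        self.appetite = appetite       # highest residual rating the organization accepts
        self.risks: list = []

    def add(self, risk: Risk) -> None:
        self.risks.append(risk)

    def prioritized(self) -> list:
        """Risks ranked by residual score, highest first (ties keep insertion order)."""
        return sorted(self.risks, key=lambda r: r.residual_score(), reverse=True)

    def above_appetite(self) -> list:
        """Risks whose residual rating still exceeds the appetite and need further treatment."""
        limit = RATINGS.index(self.appetite)
        return [r for r in self.risks if RATINGS.index(rating(r.residual_score())) > limit]

    def heat_map(self) -> dict:
        """Map each (likelihood, impact) matrix cell to the ids of the risks sitting in it."""
        cells = {}
        for r in self.risks:
            cells.setdefault(r.residual_position(), []).append(r.risk_id)
        return cells


def build_sample_register() -> RiskRegister:
    """Constructed sample data: four risks based on the scenarios in the text."""
    reg = RiskRegister(appetite="medium")
    reg.add(Risk("R-1", "Brute-force logins against Internet-exposed SSH (TCP/22)",
                 "Server exposes port 22 to the world", "Platform lead", "mitigate",
                 "likely", "major",
                 controls=["key-only authentication", "source IP allow-list", "lockout/rate limiting"],
                 residual_likelihood="unlikely", residual_impact="minor", review_date="2025-Q3"))
    reg.add(Risk("R-2", "Unpatchable vulnerability on a legacy system",
                 "Vendor no longer ships updates", "Infrastructure lead", "mitigate",
                 "possible", "major", controls=["network segmentation"],
                 residual_likelihood="unlikely", review_date="2025-Q3"))
    reg.add(Risk("R-3", "Minor software bug causing a short delay about once a year",
                 "Known defect, costly to fix", "Operations lead", "accept", "rare", "minor"))
    reg.add(Risk("R-4", "Natural disaster damaging headquarters", "Site location",
                 "CFO", "transfer", "unlikely", "severe", controls=["property insurance"],
                 residual_impact="moderate"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritized():
        print(f"{r.risk_id} inherent={r.inherent_score():2d} residual={r.residual_score():2d} "
              f"{rating(r.residual_score()):8s} {r.strategy:9s} {r.description}")
    print("Above appetite:", [r.risk_id for r in reg.above_appetite()])
```

Running the block lists R-2 first: segmentation lowered its likelihood but left the impact at "major", so its residual score of 8 still rates "high" against a "medium" appetite, which is exactly the loop described above (keep applying strategies until residual risk is at or below appetite). R-1 drops from a critical 16 to a medium 4, R-4 from high to medium after transference, and the accepted R-3 stays where it was.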