From the course: Complete Guide to Cybersecurity: A Practical Approach
Understanding the risk management process
- [Instructor] Let's go over some of the concepts of the risk management process. Risk and security-related issues definitely represent an ongoing concern for many chief information security officers, business leaders, and cybersecurity professionals. Now, there are many different frameworks and models used to facilitate the risk management process. In this section, I want to go over first what risk is and some of the risk management terminology; then we're going to go over the differences between vulnerabilities and threats, the concepts of the likelihood and impact of security threats and related risk, the process of risk identification, risk assessment, risk treatment, prioritization, and risk tolerance.

So risk is the measure of the extent to which an entity is threatened by a potential circumstance or event. It is often expressed as a combination of the adverse impact that will arise if the circumstance or event occurs, and the likelihood of occurrence. Now, information security risk reflects the potential adverse impact that results from the possibility of things like unauthorized access, unauthorized use, disclosure, disruption or modification of data, and many other threats out there.

Now, talking about threats, let's go over some of the risk management terminology, including what assets, vulnerabilities, and threats are. So let's start with assets. An asset is pretty much anything that needs protection, whether it's a system, data, or people. Now, a vulnerability is basically a weakness or a flaw in a system or its design, and it can be in software or hardware. Basically, a vulnerability is potentially something that an attacker can exploit to manipulate systems, to steal data, to compromise networks, and so on. A threat, on the other hand, can be pretty much anything. It can be fire. It can be somebody stealing your laptop. Vulnerabilities are often threats, but they're not the same, right? So the threat can be something more generic.

Now, let's go over the concepts of likelihood and impact in relation to risk management. Whenever an organization or a cybersecurity professional is determining how a vulnerability can potentially be exploited, they often consider the probability or the likelihood of that vulnerability being exploited within the organization and within the environment by an attacker. Now, the likelihood of occurrence is a weighted factor based on a subjective analysis of the probability that a given threat or set of threats is capable of exploiting a given vulnerability or set of vulnerabilities. Impact is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

The process of risk identification is also very important. Think about how you identify risks. For example, you may see a couple of loose wires near your desk or near water in your office. Of course, you know that's something you would like to remediate very fast to avoid any unnecessary outcomes. For cybersecurity, it is basically the ability to identify potential risks, categorize them, and then estimate their potential for the organization, so that it can protect against or avoid those risks. Now, the key takeaway about risk identification is identifying risks in order to communicate them clearly. Employees and stakeholders at all levels of the organization are responsible for identifying risk. You may have a risk department or office and somebody dedicated to that. But at the end of the day, all stakeholders and all employees of the organization can identify risk and can bring it to management's attention or to the security team's attention to protect against it.

Now, of course, risk assessment is defined as the process of identifying, estimating, and prioritizing risk within your organization, including missions and functions, reputation and brand protection, assets, individuals, and many others, right? It is a very broad term and a very broad practice. Now, in cybersecurity, we look at risk and risk assessment through the lens of how systems can be compromised by threat actors, how information can be compromised or stolen, and how customer or employee data and systems can be modified. However, risk is beyond that. It can even include identifying the risk of fire in a building, or probably some geopolitical considerations as well.

Now, risk treatment basically relates to making decisions about the best actions to take whenever you identify and prioritize risk within the organization. Let me draw a diagram here to illustrate the different ways that you can treat risk within the organization. The options commonly used to respond to risk are: accepting the risk, that is risk acceptance, which is basically taking no action to reduce the likelihood of a risk occurring within the organization. The other one is risk avoidance, so avoiding a risk, and thus the decision to attempt to eliminate the risk completely from the organization. That includes even ceasing operations for some of the activities of the organization, or basically making sure that a business decision is made that you are no longer going to perform an action, or ceasing the complete operation of a business unit. It can go to that extreme. You also have risk mitigation, which is the common type of risk management that includes taking actions to prevent or reduce the possibility of a risk or its impact. Now, mitigation can involve remediation measures or controls like security controls, which we will go over later in the presentation, which basically establish different policies, procedures, and standards to minimize adverse risk. One thing to keep in mind is that risk cannot always be mitigated, but mitigations such as safety measures should always be in place within the organization. And then the fourth option is transferring the risk, or risk transference. Risk transference is the practice of passing the risk to another party. It can be a third party, or it can be another business unit within the organization. That party will accept the financial impact and the business impact of the harm resulting from a risk being realized in exchange for some type of payment, right? A very good example of this risk option, transferring a risk to a third party, is the use of cyber insurance. Cyber insurance is extremely popular nowadays because of the number of breaches, and even though it's not a new concept, it is still in its infancy in comparison to other types of insurance in the industry. That is because the calculation of losses due to a cyber threat is very complex depending on the type of business they're insuring and the type of conditions.

Now, let's go over the different ways of prioritizing risk, or risk priorities. Once risks have been identified within your organization, the next step is to be able to successfully prioritize them and analyze the risks through qualitative or quantitative analysis. Typically, risk assessment occurs in progressive phases, starting with a qualitative or subjective assessment, and then you may move into quantitative assessments to determine which risks are the most important to treat based on critical organizational functions, and basically based on your business objectives and the mission of your corporation or organization.

One common method to prioritize risk is to use a risk matrix like the one that I just drew on the screen. This will help you identify priority as the intersection of the likelihood of the occurrence of that threat and the impact to the organization. So basically, you have probability on one side and impact on the other, and you may say, "Okay, the threat may have high probability," I'm just going to put P here for probability, "but low impact." Or high probability, I'm just going to put HP here, and then HI for high impact, and then definitely that's something that you should prioritize. And probably the ones that have low probability and low impact can be treated later. Or it may be that you have some that are low probability but high impact, and you may determine whether to prioritize those next, right? So it all depends on many different factors within the organization, many environmental factors, but this is a very easy way to determine that if a risk has high probability and high impact, then definitely that's something that you should prioritize. Now, the assignment of priority can also be influenced by business priorities, the cost of mitigating a risk, or the potential for loss if an incident occurs.

Now, the last concept that I want to cover here is risk tolerance. The level of risk tolerance varies across organizations, and it's very much an environmental factor. Different departments, even within the same organization, may have different attitudes towards what is acceptable or not acceptable as far as risk, in other words, acceptable versus unacceptable risk. So understanding your organization's and senior management's attitudes towards risk is typically the starting point for management action regarding risks. In many cases, executive management or the board of directors of an organization may determine what the acceptable levels of risk are for most of the organization. Other areas within the organization may then have the goal of maintaining their levels of risk within management's limits of risk tolerance. But something that can affect the organization as a whole needs to be clearly communicated to executives and/or the board of directors, and they will determine what is an acceptable level of risk for the overall organization.
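As an added worked example (this is not part of the course transcript or the instructor's material), the following Python risk register turns the likelihood-by-impact matrix and the qualitative-then-quantitative phases described above into a prioritized treatment plan. The three-level scales, the sample risks, their loss and probability figures, the yearly tolerance, and the accept/mitigate/transfer decision rules are all constructed assumptions for illustration, not figures from the course.

```python
from dataclasses import dataclass

# Qualitative scale used on both axes of the risk matrix (assumed for this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Annual expected loss the organization is willing to carry without treatment.
# Constructed figure; in practice this comes from executive management or the board.
TOLERANCE = 25_000.0


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str            # "low" | "medium" | "high"  (qualitative phase)
    impact: str                # "low" | "medium" | "high"  (qualitative phase)
    loss_per_event: float      # estimated loss if the event occurs (quantitative phase)
    annual_probability: float  # estimated chance of occurrence per year
    mitigation_cost: float     # yearly cost of the control that would reduce it


def matrix_score(risk: Risk) -> int:
    """Cell of the matrix: likelihood x impact, 1 (low/low) .. 9 (high/high)."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def priority_band(risk: Risk) -> str:
    """Qualitative band read off the matrix. Thresholds are assumed."""
    score = matrix_score(risk)
    if score >= 6:
        return "critical"   # high/high or high/medium
    if score >= 3:
        return "elevated"   # e.g. high/low, low/high, medium/medium
    return "routine"        # low/low, low/medium


def expected_annual_loss(risk: Risk) -> float:
    """Quantitative estimate: probability per year times loss per event."""
    return risk.annual_probability * risk.loss_per_event


def recommend_treatment(risk: Risk, tolerance: float) -> str:
    """Assumed decision rule combining tolerance and cost of mitigation.

    accept   : expected loss already within tolerance, no action
    mitigate : a control costs less per year than the loss it prevents
    transfer : the control costs more than the loss, so pay a third party
               (e.g. cyber insurance) to carry it instead
    """
    eal = expected_annual_loss(risk)
    if eal <= tolerance:
        return "accept"
    if risk.mitigation_cost < eal:
        return "mitigate"
    return "transfer"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order by matrix cell first; among equal cells put high impact ahead of
    high likelihood (low-probability/high-impact before high-probability/low-impact),
    then by expected loss, then by name for a stable result."""
    return sorted(
        register,
        key=lambda r: (-matrix_score(r), -LEVELS[r.impact],
                       -expected_annual_loss(r), r.name),
    )


def treatment_plan(register: list[Risk], tolerance: float) -> list[tuple[str, str, str]]:
    """(name, priority band, recommended treatment) in priority order."""
    return [(r.name, priority_band(r), recommend_treatment(r, tolerance))
            for r in prioritize(register)]


# Constructed sample register; names and numbers are illustrative only.
SAMPLE_REGISTER = [
    Risk("Office printer outage", "low", "low", 2_000.0, 0.2, 3_000.0),
    Risk("Lost unencrypted laptop", "high", "low", 100_000.0, 0.5, 5_000.0),
    Risk("Datacenter fire", "low", "high", 5_000_000.0, 0.01, 400_000.0),
    Risk("Unpatched internet-facing VPN appliance", "high", "high", 2_000_000.0, 0.3, 50_000.0),
]

if __name__ == "__main__":
    for name, band, treatment in treatment_plan(SAMPLE_REGISTER, TOLERANCE):
        print(f"{band:9} {treatment:9} {name}")
```

Running it lists the high-probability/high-impact VPN risk first with a recommendation to mitigate, then the low-probability/high-impact fire, where the yearly cost of a second site exceeds the expected loss, so the rule recommends transferring it, then the laptop risk (mitigate with disk encryption), and finally the printer outage, which sits under the tolerance and is simply accepted. Changing TOLERANCE or a mitigation cost and re-running shows how the treatment decision moves even when the matrix cell does not.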