Fundamentals of Cyber Risk Management
Fundamentals of Cyber Risk Management Course Introduction
Course Agenda
- Risk Management Overview
- Risk Management Frameworks
- Critical Assets and Operations
- Threats and Vulnerabilities
- Risk Analysis and Mitigation
- Security Controls
- Mitigation Strategy Maintenance
- Response and Recovery
Risk Management Overview
- NIST SP 800-30
- Defines risk as “a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence”
- At a high level, this is accomplished by balancing exposure to risks against cost of mitigation and implementing appropriate countermeasures/controls.
Tiers of Risk Management
- Tier 1 – Organization (Governance)
- Tier 2 – Mission (Business Process)
- Tier 3 – Information System (Environment of Operations)
Terms to Know
- Response vs. Recovery
- Threat, Vulnerability, and Risk
- Risk Assessment
- Business Continuity Management
- Risk Assessment
- Business Impact Analysis (BIA)
- Business Continuity Planning (BCP)
The Risk Equation
- Risk = Threat x (Likelihood x Vulnerability) x Impact
Risk Assessment
- A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures
Business Continuity
Risk and Business Impact Analysis
- Know what is important to you.
- What are your critical business functions?
- Know what threats you have.
- Know your vulnerabilities and the likelihood they get exploited.
- Know the impact to your business if the threat occurred.
- Analyze your risks.
- Risk = Threat x (Likelihood x Vulnerability) x Impact
- Decide what to do about the risks.
Types of Risk
- Inherent Risk is the risk linked to a particular activity itself.
- Complex regulations
- Poor management
- Control Risk comes from a failure of the controls to properly mitigate risk.
- Failure of firewall to block malicious traffic
- Residual Risk is the combination of the inherent and the control risk; it is what remains after the controls have been applied to mitigate risk.
- Eliminating risk is not possible IF you have chosen to expose yourself to it.
- Residual risk must be accepted by management.
Operational Resilience
- Resilience: The physical property of a material when it can return to its original shape or position after deformation that does not exceed its elastic limit
- Operational resilience: The emergent property of an organization that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit
Operational Resilience and Risk
- Operational resilience emerges from effective operational risk management.
- Operational risk categories
- Actions of people
- Systems and technology failures
- Failed internal processes
- External events
Elements of Resilience …
- You should focus on all three; do not ignore one for the others. (Venn Diagram)
- Security (Mostly Physical Security, Life & Limb) + Business Continuity
- Business Continuity (COOP, Redundancy, Back-ups) + IT Operations
- IT Operations (Information Assurance, Network Security) + Security
- = RESILIENCE
Risk Management in a Nutshell
- Identify assets, threats, and vulnerabilities
- Determine “likely” threat scenarios
- Create and implement an appropriate response to reduce exposure
- Continually monitor, review, assess, evaluate, and update
Outcomes of Risk Management
- An understanding of
- The organization’s threat, vulnerability and risk profile
- Risk exposure
- Potential consequences of compromise
- Awareness of risk management priorities based on potential consequences
- A risk mitigation strategy sufficient to achieve an acceptable level of residual risk
- Organizational acceptance/deference based on an understanding of potential consequences of residual risk
- Integration as “business as usual”
Next up: Risk Management Framework