Module 16: Risk Management

Glossary of Terms

Risk: The probability that the actual outcome of an action will differ from the expected outcome.

Risk Appetite: The level of risk that an organization is prepared to accept in the pursuit of its objectives.

Risk Tolerance: The degree of risk or uncertainty that an individual or an organization deems acceptable for a given activity.

Human Risk: Risk stemming from people, such as employees falling for phishing attempts or malicious insiders who sell or misuse company data.

Technical Risk: Risk arising from sources such as insecure devices, network vulnerabilities, overly permissive firewall rules, or insecurely stored passwords.

Operational Risk: Risk from threats that hinder everyday business functionality, such as physical events (fires, floods) or large-scale technical disruptions like ransomware attacks.

Regulatory Risk: The possibility that future regulations or legal restrictions will not align with the current business model, potentially forcing major changes or even business failure.

Risk Identification: The process of identifying potential risks that could prevent an organization from achieving its objectives. It is the first step in the risk management process.

Threat Modeling: A method of constructing scenarios to identify potential threats to system security. A common technique is STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).

Risk Assessment: The process used to identify, evaluate, and estimate the levels of risk involved in a situation, followed by determining an acceptable risk level.

Qualitative Risk Assessment: A subjective analysis of the probability and impact of risks, usually based on expertise and judgment, that places risks in categories such as "High," "Medium," and "Low."

Quantitative Risk Assessment: A method that assigns numerical values to risks, using data and statistical methods to quantify probability and potential losses (e.g., in monetary terms).

Risk Management Frameworks: Structured approaches designed to help organizations of all sizes identify, evaluate, and mitigate risks. Examples include NIST RMF, TARA, COSO, and COBIT.

NIST RMF: The National Institute of Standards and Technology (NIST) Risk Management Framework, designed to integrate security and privacy into the development lifecycle of digital systems from the start.

COSO ERM: The COSO enterprise risk management framework, designed to integrate risk management into corporate strategy. Its 2004 edition is often visualized as a cube relating objectives, components, and organizational units.

COBIT: The Control Objectives for Information and Related Technology (COBIT) framework, developed by ISACA for IT management and governance.

Standards and Guidelines: Voluntary sets of practices that help organizations mitigate risks (e.g., CIS Controls, NIST SP 800-53).

Regulations: Mandated procedures aimed at mitigating risks and their potential harms, which usually carry consequences (such as fines) for non-compliance.

Frameworks & Processes

Components of Risk Assessment

A 3-Step Process

A comprehensive risk assessment generally involves these three main components:

  • 1. Risk Identification: Recognizing threats that could affect the system, identifying vulnerabilities that could be exploited, and understanding the potential consequences.
  • 2. Risk Analysis: Assessing the likelihood of each identified risk occurring and the potential impact it would have on the organization. This can be qualitative or quantitative.
  • 3. Risk Evaluation: Comparing the estimated levels of risk against the organization's predefined risk criteria to determine which risks need treatment and prioritization.

Example: Phishing Attack Assessment

Applying the 3-step process to a phishing threat:

  • Identification: The threat is a phishing attack. Exploitable vulnerabilities include weak passwords, a lack of user awareness training, and outdated software.
  • Analysis: Judge the likelihood to be high, given industry trends, and the impact to be severe, because sensitive customer data would be exposed.
  • Evaluation: Conclude that the risk is unacceptable given the high likelihood and severe impact, and therefore requires treatment (mitigation).
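The three steps, and the qualitative versus quantitative distinction from the glossary, are easier to see when run over a small risk register. The following is an added example, not part of the original module: it rates each risk on a 5x5 likelihood-by-impact matrix (qualitative) and computes an annualized loss expectancy, ALE = SLE x ARO (a standard quantitative method the module only alludes to), then evaluates both against an assumed risk appetite. The phishing entry mirrors the worked example above; the other risks, the threshold values, and all monetary figures are constructed for illustration. Note that the "Office fire" entry rates Low qualitatively but still exceeds the monetary threshold, which is exactly the kind of case a purely qualitative pass would miss.

```python
"""Risk assessment helper covering identification, analysis and evaluation.

Added example, not part of the original module.  Analysis is done both
qualitatively (5x5 likelihood x impact matrix) and quantitatively
(annualized loss expectancy, ALE = SLE x ARO).  Evaluation compares each
risk against an assumed risk appetite.  Every figure below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Qualitative scales, 1 (lowest) to 5 (highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATINGS = ["Low", "Medium", "High"]


@dataclass
class Risk:
    """Output of step 1 (identification) plus the inputs step 2 needs."""
    threat: str
    vulnerabilities: list[str]
    likelihood: str      # key of LIKELIHOOD
    impact: str          # key of IMPACT
    sle: float           # single loss expectancy: cost of one occurrence
    aro: float           # annualized rate of occurrence: expected events per year


@dataclass
class RiskCriteria:
    """Assumed risk appetite: exceeding either threshold means the risk must be treated."""
    max_acceptable_rating: str = "Medium"
    max_acceptable_ale: float = 10_000.0


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Step 2a: place the risk in the 5x5 matrix and bucket the product into Low/Medium/High."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 2b: expected yearly loss in monetary terms."""
    return sle * aro


def evaluate(risk: Risk, criteria: RiskCriteria) -> dict:
    """Step 3: compare the analysed risk against the organization's risk criteria."""
    rating = qualitative_rating(risk.likelihood, risk.impact)
    ale = annualized_loss_expectancy(risk.sle, risk.aro)
    above_qualitative = RATINGS.index(rating) > RATINGS.index(criteria.max_acceptable_rating)
    above_quantitative = ale > criteria.max_acceptable_ale
    return {
        "threat": risk.threat,
        "rating": rating,
        "ale": ale,
        "needs_treatment": above_qualitative or above_quantitative,
    }


def prioritize(risks: list[Risk], criteria: RiskCriteria) -> list[dict]:
    """Evaluate every risk and order them: risks needing treatment first, then by rating, then by ALE."""
    results = [evaluate(r, criteria) for r in risks]
    return sorted(
        results,
        key=lambda r: (not r["needs_treatment"], -RATINGS.index(r["rating"]), -r["ale"]),
    )


# Constructed risk register (hypothetical figures); the phishing entry follows the module's example.
SAMPLE_RISKS = [
    Risk("Phishing attack on staff", ["weak passwords", "no awareness training", "outdated software"],
         "likely", "severe", sle=250_000.0, aro=0.5),
    Risk("Lost unencrypted USB drive", ["no device encryption policy"],
         "unlikely", "moderate", sle=20_000.0, aro=0.25),
    Risk("Office fire", ["no off-site backups"],
         "rare", "major", sle=400_000.0, aro=0.0625),
]
CRITERIA = RiskCriteria()

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS, CRITERIA):
        print(f"{r['threat']:<28} {r['rating']:<6} ALE={r['ale']:>10,.0f} treat={r['needs_treatment']}")
```

Running the script lists the phishing risk first (High, ALE 125,000), then the fire (Low on the matrix but ALE 25,000, above the assumed monetary threshold), and finally the USB drive, which stays within both criteria and can be accepted.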

NIST Risk Management Framework (RMF)

7 Key Steps

The NIST RMF integrates security and privacy throughout the system development lifecycle with the following steps:

  • Prepare: Essential activities to prepare the organization to manage security and privacy risks.
  • Categorize: Categorize the system and the information it processes based on an impact analysis (per FIPS 199, the potential impact of a loss of confidentiality, integrity, or availability).
  • Select: Select the set of NIST SP 800-53 controls needed to protect the system, starting from a baseline matched to the categorization and tailoring it to the system.
  • Implement: Implement the controls and document how they are deployed.
  • Assess: Assess the controls to determine if they are operating as intended.
  • Authorize: A senior official makes a risk-based decision to authorize the system to operate.
  • Monitor: Continuously monitor control implementation and risks to the system.

COSO Enterprise Risk Management Framework

Key Components

The COSO framework integrates risk management into corporate strategy. Key components include:

  • Evaluating the internal environment (ethics, core values, risk tolerance).
  • Using the organization's mission for objective setting.
  • Distinguishing between risks (negative) and opportunities (positive) for event identification.
  • Identifying the likelihood and impact of risks through a risk assessment.
  • Selecting one of four risk responses (reduce, accept, share or transfer, avoid) based on risk tolerance.

NIST Cybersecurity Framework (CSF)

Three Main Components

The NIST CSF provides flexible and cost-effective risk management strategies with three main components:

  • The Core: A set of cybersecurity activities and desired outcomes, organized into Functions (Identify, Protect, Detect, Respond, Recover, with Govern added in CSF 2.0), that organizations use to manage and reduce risk.
  • Implementation Tiers: Characterize how rigorous and integrated an organization's cybersecurity risk management practices are, from Tier 1 (Partial) to Tier 4 (Adaptive); the target tier is chosen in light of the organization's risk appetite, budget, threat environment, and data sensitivity.
  • Profiles: Unique to each organization, describing its current and target cybersecurity posture so it can align risk management with its specific objectives and resources.
