Cyber Risk Management

Review Time
● Confidentiality
● Integrity
● Availability

Everything revolves around Data! We ensure these principles through proper Risk Management.

Source: http://blogs.technet.com/b/seanearp/archive/2007/08/01/layers-defense-in-depth-part-1.aspx
What is Risk?
So Many Definition(s):

The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. (FIPS 200, under "Risk")

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. See Information System-Related Security Risk. (NIST SP 800-30 Rev. 1, under "Risk"; CNSSI 4009)

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.] (NIST SP 800-137, under "Risk"; FIPS 200, adapted; NIST SP 800-37 Rev. 1, under "Risk"; NIST SP 800-53A Rev. 4, under "Risk"; CNSSI 4009)

The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. (NIST SP 800-18 Rev. 1, under "Risk"; NIST SP 800-30)

Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. ((ISC)2 CISSP, Eighth Edition)
Risk - Keep it Simple

Risk = Impact * Likelihood

Impact: aka Severity and/or Consequence. The after-effect of an event, which can be measured in some way, such as cost.
Likelihood: the probability that the impact will happen.
Simple “Cyber Risk”
“Cyber Risk” = Impact * Vulnerability * Threat

Likelihood = Vulnerability * Threat

Impact: aka Severity, Consequence, Asset, and more
Costs, Value (monetary and nonmonetary), Opportunity Cost, etc.
CIA Triad/Triangle

Vulnerability
Exposure, Footprint, Weakness and/or susceptibility to a threat

Threat
Actions or inaction that could cause damage, destruction, alteration, loss, etc. Intentional or accidental. From people, hardware, network, structure, nature.

What are some examples of threats?

Cybersecurity Risk Management
Risk Management Guidance
• ISO 27000 Series
  • 27001
  • 27002
• NIST Special Publications – Risk Management
  • SP 800-30: Risk assessment standard
  • SP 800-37: Guide for Risk Management Framework Implementation
  • SP 800-39: Managing information security risk
Risk Management Framework (RMF)
• Align risk tolerance with security strategy
• Define an appropriate response to threats
• Reduce operational losses from realized threats
• Improve deployment of protective resources
Cybersecurity Risk Management

Current State:
1. Highest Value First
2. Asset Focused; Some Organizational
   ○ Inconsistency, silo’d, separated costs, high overhead
3. System Centric
4. Vulnerability-based
5. Qualitative and Anecdotal
6. Some Quantitative
Cybersecurity is a function of the IT Department

Desired State:
1. Highest Value First
2. Enterprise-Wide (including Third Parties)
   ○ Consistency, holistic, synergy costs and less overhead
3. Business/Mission Centric
4. Predictive and Holistic-based
5. Standardized Qualitative
6. Data Science Quantitative
Cybersecurity is part of Enterprise Risk Management
Quantitative vs. Qualitative Risk Analysis
• There are different methods to determine the risk exposure to an asset
• Qualitative Analysis
  • Relies on prioritization of threats based upon their severity
• Quantitative Analysis
  • Uses financial measures and dollar values to determine risk exposure
• Organizations typically rely on combining the two techniques to perform risk analysis
Quantitative Analysis
• Single Loss Expectancy (SLE)
  • Asset Value (AV) x Exposure Factor (EF) = SLE
  • The exposure factor represents the percentage of loss a realized threat could have on a certain asset
• Annualized Loss Expectancy (ALE)
  • SLE x Annualized Rate of Occurrence (ARO) = ALE
  • The annualized rate of occurrence (ARO) is the value that represents the estimated frequency, per year, of a specific threat taking place
Example
• A tornado is estimated to damage 50% of a facility if it hits, and the value of the facility is $200,000. The probability is once every ten years.
  AV x EF = SLE = 200,000 x .50 = 100,000
  SLE x ARO = ALE = 100,000 x .10 = 10,000
  ALE is $10,000
• Management should not spend over $10,000 in countermeasures trying to protect against this risk
Cost-Benefit Analysis
• Return on Investment (ROI)
• Total Cost of Ownership (TCO)
• To demonstrate the financial benefits of deploying a control, a cost-benefit analysis calculation should be performed
• If the TCO of a control is less than the ALE it removes, then the ROI is positive

Cost-Benefit Analysis Example
  $10K ALE (before – per calculation)
- $1K  ALE (after – policy deductible)
- $2K  TCO (insurance premium)
________________________________________
  $7K  ROI (financial benefit)
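The SLE/ALE and cost-benefit arithmetic from the two slides above, worked through in code. This is an added example, not part of the original deck; the `RiskScenario` class, `control_roi` and `tornado_example` names are my own, and the figures are the deck's tornado and insurance numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, using the deck's quantitative terms."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost if the threat is realized (0..1)
    annual_rate: float      # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        if self.annual_rate < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.annual_rate


def control_roi(ale_before: float, ale_after: float, tco: float) -> float:
    """Financial benefit of a control: the ALE reduction it achieves minus its
    Total Cost of Ownership. Negative means the control costs more than it saves."""
    return (ale_before - ale_after) - tco


def tornado_example() -> dict:
    """The deck's facility: $200,000 asset, 50% damage, once per ten years, then
    insurance that leaves a $1,000 deductible for a $2,000 annual premium."""
    tornado = RiskScenario("tornado hits facility", asset_value=200_000,
                           exposure_factor=0.50, annual_rate=1 / 10)
    ale_before = tornado.ale()
    # Transfer/share the risk: after insurance the expected annual loss is the deductible.
    ale_after = 1_000
    premium = 2_000
    return {"sle": tornado.sle(), "ale_before": ale_before,
            "roi": control_roi(ale_before, ale_after, premium)}


if __name__ == "__main__":
    for key, value in tornado_example().items():
        print(f"{key}: ${value:,.0f}")
```

Running it reproduces the slides: SLE $100,000, ALE $10,000, ROI $7,000; swapping in a control whose TCO exceeds the ALE reduction turns the ROI negative.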
Risk Matrix for Qualitative
Risk Handling
• Avoid
• Transfer/Share
• Mitigate
• Accept

Third Party Risk
• Vendors (Supply Chain)
• Business Partners
• Contractors
• Information & Data
• Systems
Security Control (Countermeasures)
• Controls – technical or nontechnical risk mitigation mechanisms
  • Safeguards are preventative (proactive) controls
  • Countermeasures are detective (reactive) controls
• Security processes implemented to protect the confidentiality, integrity, and availability of an information system
• Controls typically fall into three different categories
• Controls employ different techniques to protect resources

Security Control Categories
• Administrative
  • Policies and procedures, personnel security, hiring practices
• Technical
  • Network access, application access, malware control, encryption
• Physical
  • Locks, guards, fire suppression systems

Security Control Types
• Preventative
• Detective
• Corrective
• Deterrent
• Recovery
• Compensating
Residual Risk
• Residual risk is the risk that remains after the organization deploys a management-approved security control
• It is understood that it is impossible to remove all risk exposure
• Management should deploy security controls that will mitigate risk to an acceptable level

Residual Risk “Calculation”
Total Risk Exposure        X
(Controls Gap)
Acceptable Risk Exposure   Y
__________
Residual Risk              Z
0% Risk Exposure           ==========
Class Exercise
Review: Cybersecurity Risk Management
https://www.csiac.org/wp-content/uploads/2021/03/2021-03-19-csiac-dod-cybersecurity-policy-chart.pdf
