Risk Management
strategies are developed.
Risk
The probability of a threat exploiting a
vulnerability.
Risk = Theat * Vulnerability
 Asset
o Anything within an environment that
should e protected
 Asset Valuation
o A dollar value assigned to an asset
based on actual cost and nonmonetary
expenses
 Threats
o Any potential occurrence that may harm
the asset
 Threat Agent / Actors
o People, programs, hardware, or systems
that use threats to cause harm
 Threat Events
o Threat events are occurrences that lead
to the exploitation of vulnerabilities
 Threat Vector
o A threat vector or attack vector is the
path or means y which an attack or
attack can gain access to a target to
cause harm
 Vulnerabilities
o The weakness in an asset or the
absence or the weakness of a safeguard
or countermeasure that could be
exploited
 Exposure
o Actual or anticipated damage from a
threat
 Safeguards
o Anything that removes or reduces a risk
 Attack
o The threat exploiting the vulnerability
 Breach
o The occurrence of a security mechanism
being bypassed or thwarted by a threat
agent
Risk Identification
Risk identification involves understanding
the initial phase of the risk management
process where potential security risks are
recognized and described. This stage is
critical for establishing a baseline from which
risk analysis, assessment, and mitigation
 Ad Hoc Risk Assessment: Ad hoc risk
assessments are performed as needed,
often in response to specific events or
changes in the environment. For example,
an ad hoc assessment might be
conducted after a major security breach
in the industry or the release of a new
threat. These assessments are useful for
addressing immediate and emerging risks
 Recurring Risk Assessment: This type
of risk assessment is conducted at regular
intervals, such as quarterly or annually.
Recurring risk assessments are part of a
systematic approach to risk management
and ensure that changes in the
organization's environment, assets, and
threat landscape are consistently
accounted for and addressed.
 One-Time Risk Assessment: One-time
risk assessments are conducted for
specific scenarios, such as before
launching a new product, implementing a
new IT system, or entering a new market.
They are focused and are typically not
repeated unless there are significant
changes to the initial conditions
 Continuous Risk Assessment:
Continuous risk assessment involves
ongoing monitoring and analysis of the
risk landscape. This approach uses real-
time data and automated tools to
constantly evaluate risk levels.
Continuous assessments are becoming
increasingly important and feasible due to
advancements in technology and the
dynamic nature of cyber threats.
 Quantitative Risk Analysis:
Quantitative risk assessment comes into
play when we can map a monetary
amount to an identified risk.
o Asset Value (AV): Dollar value of an
asset
o Exposure Factor (EF): The percentage
of loss that an org would experience if a
specific asset were violated
o Single Loss Expectancy (SLE): Cost
associated with a single realized risk
against a specific asset
 SLE = AV * EF
 o Annualized Rate of Occurrence
(ARO): The expected frequency with
which a specific threat or risk will occur
within a single year
o Annualized Loss Expectancy (ALE):
The possible yearly cost of all instances
of a specific realized threat against a
specific asset
 ALE = SLE * ARO or AV * EF *ARO
o Annual Cost of Safeguard (ACS):
The cost of safeguard should be lower
than ALE to a worthwhile investment
 Value = ALE before safeguard – ALE
after safeguard – ACS
 Qualitative Risk Analysis: Qualitative
risk analysis involves assessing risks
based on subjective criteria, such as
expert opinions, scenario analysis, and
industry best practices. It typically
categorizes risks into levels such as low,
medium, or high based on their perceived
severity and likelihood. This approach is
useful for understanding the general
magnitude of risks when precise data is
not available.
Risk Register
A risk register is an essential component of
effective risk management, serving as a
centralized repository for information about:
 Identified risks
 Their assessment
 And actions taken to mitigate them
Description of Risks
The risk register begins with a detailed
description of each identified risk. This
includes:
 The nature of the risk
 The assets or areas affected
 And the potential consequences if the risk
were to materialize
Key Risk Indicators (KRI)
KRIs are metrics used to measure and
monitor the likelihood and impact of risks.
They provide early warning signs that a risk
may be increasing or decreasing in severity.
For example, a high number of failed login
attempts might be a KRI for unauthorized
access risks.
Risk Owners
Each risk is assigned a risk owner, who is
responsible for managing and mitigating that
specific risk. The risk owner is typically
someone in a management role who has the
authority and knowledge to implement risk
responses.
Risk Threshold
Risk threshold refers to the level of risk that
the organization is willing to accept. Risks
that fall below the threshold might be
accepted or monitored, while those above it
will require active mitigation.
Risk Appetite
Risk appetite refers to the risk that an
organization is prepared to pursue, retain, or
take in its operations. It reflects the
organization's attitude towards risk and is
shaped by factors like:
 Organizational culture
 Business goals
 Market conditions
 And Regulatory environment
Risk tolerance is the amount of risk the
organization is willing to take.
Expansionary Risk Appetite
An expansionary risk appetite indicates a
willingness to take on higher levels of risk in
pursuit of greater rewards. Organizations
with an expansionary appetite are often in
growth phases, seeking competitive
advantage and willing to invest in
opportunities that may carry higher risk,
including adopting new and potentially less
tested technologies.
Conservative Risk Appetite
A conservative risk appetite implies a
preference for lower risk and a focus on
stability and predictability. Organizations with
a conservative appetite prioritize protecting
assets and minimizing potential losses over
seeking out high-risk opportunities. They
tend to invest heavily in robust cybersecurity
measures and may be cautious in adopting
new technologies.
Neutral Risk Appetite
A neutral risk appetite strikes a balance mitigating the risk is greater than the
between expansionary and conservative potential loss from the risk itself, or when the
approaches. Organizations with a neutral likelihood of the risk materializing is
appetite are willing to accept some level of acceptably low. Exemption: Sometimes,
risk for reasonable returns but are not specific risks might be exempted from
inclined to pursue high-risk opportunities. mitigation due to their nature or the context
Their cybersecurity strategies aim to balance in which they exist. Exception: In some
risk mitigation with the pursuit of business cases, an exception might be made for a
objectives. risk, usually temporarily, until it can be
properly addressed at a later time
Risk Management Strategies
Risk Management Strategies refer to the
Risk Exploitation
systematic approach an organization takes to
Exploiting a risk involves taking advantage of
handle potential risks associated with its
the potential positive impacts of a risk. While
information systems and data. These
this is less common in cybersecurity, it could
strategies are designed to minimize the
involve leveraging a risky technological
impact of risks on organizational operations
innovation that could place the organization
and objectives. In cybersecurity, risk
at a competitive advantage.
management strategies are particularly
important due to the evolving nature of
threats and the critical importance of
Risk Reporting
protecting digital assets.
Risk Reporting involves understanding the
process of communicating information about
Risk Avoidance
identified risks, their analysis, and mitigation
Avoiding risk involves changing plans or
strategies to relevant stakeholders. Risk
procedures to eliminate the risk or to remove
reporting is a crucial element in
the organization’s exposure to it. This might
cybersecurity risk management as it ensures
mean not implementing a certain system or
transparency, informs decision-making, and
technology that introduces high risk.
aids in the ongoing management of
cybersecurity risks.
Risk Mitigation
Mitigation refers to taking steps to reduce
Business Impact Analysis
the likelihood or impact of a risk. In
BIA is a fundamental component in
cybersecurity, this often involves:
cybersecurity and business continuity
 Implementing security controls
planning, as it helps in identifying and
 Updating software
evaluating the potential effects of
 Improving user training
interruptions to critical business operations.
 And enhancing monitoring and detection
BIA is a proactive measure that aids in
capabilities
crafting effective business continuity and
disaster recovery strategies, ensuring
Risk Transfer
business resilience in the face of cyber
Transferring risk means shifting the impact of
threats.
a risk to a third party. This is often done
through insurance policies, where a company
Recovery Time
transfers the financial risk to an insurance
 Maximum Tolerable Downtime (MTD):
provider, or through outsourcing, where
Defines the amount of time a business
certain IT services or processes are managed
function can be inoperable without
by external vendors.
causing irreparable harm to the business.
Risk Acceptance Also known as the Maximum Tolerable
Accepting risk is a conscious decision to not Outage (MTO)
take any action against a particular risk. This
strategy is chosen when the cost of
  Recovery Time Objective (RTO):
Amount of time to recover the function in
the event of a disaster
 Recovery Point Objective (RPO):
Defines the point in time before the data
loss during the outage will leave the
business function unrecoverable.
 RTO should be less than MTD
Failure Time
 Mean Time to Repair
o MTTR is the average time taken to
repair a failed component, system, or
function and return it to operational
status
 Mean Time Between Failures
o MTBF is a measure of the reliability and
stability of IT systems, indicating the
average time between inherent failures
of a system or component in normal
operating conditions