All articles in the "Introduction to Cyber Security" series
- Cyber Security. Not What I thought
- Basics of Cyber Security Requirements
- The CIA Triad
- Introducing the ASD
- Introducing the Essential 8
- Mapping Strategies to controls
- Threats, Vulnerabilities, and Risks
- Introduction to Risk and Risk Management
- ICT Assets and Asset Registers
- Cyber Threat Awareness
- Introduction to Cyber Incident Response Plan
- Risk Management and Cyber Controls
- Risk Mitigation Plans
- Implement Security Controls
- Measuring Security
- Exploring Implementation Discrepancy
- CIRP as a Mitigation Strategy
Introduction to Risk
What is Risk?
Risk is defined as “the effect of uncertainty on objectives”. In the context of cybersecurity, risk is the possibility of a threat exploiting a vulnerability to cause harm to an organisation’s assets. The goal of risk management is to identify, assess, and control these threats to an acceptable level. It is a fundamental part of an organisation’s culture that links directly to its corporate strategy.
Identify and Evaluate Risk
The risk assessment process is crucial for arriving at a satisfactory level of risk and identifying necessary control measures. It is a continuous process that involves several key steps:
- Characterise the system: Understand the assets and their context (processes, functions, applications).
- Identify threats: Recognise the potential threats that could target the system.
- Determine inherent risk & impact: Assess the potential impact of an event on people, places, and systems, and determine the inherent risk without any controls in place.
- Analyse the control environment: Evaluate the existing security controls to see how well they mitigate the identified threats.
- Determine a likelihood rating: Assess how likely the threat is to happen based on factors like causes and conditions.
- Calculate the risk rating: Combine the impact and likelihood ratings to calculate the overall risk rating.
The risk assessment aims to identify and document cybersecurity requirements. This process also helps to determine the value of information systems and assets, and identify vulnerabilities such as weak encryption, missing authentication, and weak passwords.
Designing a Process to Manage Risk
A well-designed risk management process is not a separate, standalone function but is integrated into an organisation’s decision-making.
The process should be a clear sequence of steps that achieves a desired outcome and provides a tangible benefit. An effective process is one that yields reliable outcomes, clarifies resource needs, reduces inefficiency, and enforces accountability, all of which ultimately reduce risk and create value.
The design of this process should be a collaborative effort, involving the people who will actually use it. It must include built-in evaluation and improvement methods to ensure that risk is continuously managed to a satisfactory level. The process should also be adaptable and applied in situations with high uncertainty, when a consistent level of quality is required, and when a certain threshold is reached.
The Risk Management Process Steps:
The process for managing risk is typically broken down into a series of steps:
- Risk Identification: Pinpointing and documenting potential threats and risks.
- Risk Analysis: Evaluating the identified risks, their potential impact, and their likelihood of occurrence.
- Risk Evaluation and Ranking: Prioritizing risks based on their severity.
- Risk Treatment: Deciding how to handle each risk, which could involve one of five control strategies:
- Defence Risk Control: Implementing measures to remove or reduce the vulnerability.
- Transferal Risk Control: Shifting the risk to another entity, such as through outsourcing.
- Mitigation Risk Control: Reducing the potential impact of an incident.
- Acceptance Risk Control: Choosing to do nothing about the threat and accepting the potential outcome.
- Termination Risk Control: Removing the asset from the environment to eliminate the risk entirely.
- Risk Monitor and Review: Continuously evaluating the effectiveness of the implemented controls and processes to ensure they remain relevant.
A robust cybersecurity framework is built on the pillars of asset identification, threat awareness, and a systematic approach to risk management. By understanding what to protect, what the threats are, and how to effectively manage the associated risks, organisations can build a resilient defense against an ever-evolving digital threat landscape.