Section 2.2 Risk Management

As you study this section, answer the following questions:

  • Explain the difference between the four risk response strategies.
  • How can risk management minimize an organization's exposure to cyber threats?
  • What are the five steps of threat modeling?

In this section, you will learn to:

  • Understand and explain the different security teams
  • Identify assets
  • Define potential threats

The key terms for this section include:

Key Terms and Definitions

Key Terms and Definitions
Term Definition
Cybersecurity leadershipA cybersecurity leader is responsible for creating a vision and setting goals for a team to secure an organization's assets. They must understand the technical and legal aspects of the industry and be able to advise on the best approaches for providing appropriate levels of protection.
Risk identificationRisk identification involves examining all aspects of an organization’s operations, processes, and activities to identify potential hazards, vulnerabilities, or weaknesses that may lead to negative consequences.
Risk response strategiesThis process involves analyzing the likelihood and impact of each risk and selecting an appropriate response based on its severity and importance. Responses to risk fall into four distinct categories: Avoid, Accept, Mitigate, and Transfer.
Risk monitoringRisk monitoring is continually assessing and monitoring potential risks, identifying changes in the risk landscape, and detecting emerging threats or vulnerabilities.
EvaluationRisk evaluation involves assessing the likelihood and potential impact of identified risks and prioritizing them based on their significance level.

This section helps you prepare for the following certification exam objectives:

Exam Objective
CompTIA CySA+ CS0-003

1.4 Compare and contrast threat-intelligence and threat-hunting concepts

  • Threat intelligence sharing
    • Risk management

2.5 Explain concepts related to vulnerability response, handling, and management

  • Risk management principles
    • Accept
    • Transfer
    • Avoid
    • Mitigate
  • Threat modeling

    2.2.1 Risk Management Principles

    A risk management program works to identify risks and determine how to minimize their likelihood or impact. After identifying risks, the next step is to handle them using different responses. Risk management principles include:

    • Minimize an organization's exposure to cyber threats.
    • Protect an organization’s assets from unauthorized access, theft, or damage.
    • Help organizations comply with data security and privacy regulations and standards.

    This lesson covers the following topics:

    • Cybersecurity leadership concepts
    • Risk identification
    • Risk response strategies
    • Risk monitoring and evaluation

    Cybersecurity Leadership Concepts

    It is essential to understand the basic concept of leadership in the cybersecurity field. A cybersecurity leader is responsible for creating a vision and setting goals for a team to secure an organization's assets. Additionally, they must understand the technical and legal aspects of the industry and be able to advise on the best approaches for providing appropriate levels of protection. Leaders must have a deep understanding of the industry and its nuances and the ability to make decisions quickly and confidently. A leader in cybersecurity must also possess strong interpersonal skills to communicate effectively with a wide range of technical and non-technical stakeholders.

    Video

    Click one of the buttons to take you to that part of the video.

    00:00-07:27 [James Stanger] From a government's risk

    and compliance perspective it's all about

    getting that set of requirements and then,

    determining the appropriate risk strategies.

    And there's somebody here, London's own, Ian Trump. How are you doing, Ian? I'm doing great, James. Thanks for having me on this. Ian's going to talk to us a little bit

    about his history and then talk about

    what it means to apply the appropriate risk strategies.

    Tell us about yourself and let's start talking

    about some risky business here. All right, sounds good. I'm the CISO for Cyjax, a threat intelligence company and I,

    one of the trends that I'm sort of tracking and looking at

    is the growing importance of GRC in driving businesses decisions and in order to do that, they have to have the kind of information,

    the kind of strategic information,

    to make those decisions. You know, as you're sourcing whether it be external developers, internal developers

    or you're procuring something from some sort of provider,

    what are some of those risk assessment factors

    that you look into? I think a lot of us have heard of whether it be MTTR or MTBF and et al.,

    how do all of those things work together

    to determine your risk assessment?

    Yeah. So, I mean, what you're talking about is sort of the more,

    the operational risk of this new thing

    we're going to bring into existence

    and I mean, it's one thing to put it on a piece of paper,

    it's quite another thing to actually practice it,

    you know, in a lot of cases, GRC is going to suggest

    what they can live with, what their tolerance is

    for downtime and they're going to pass that requirement

    on to the procurement or to the project manager

    in charge of bringing this new thing to life.

    But I think where the focus now of GRC is really

    around what kind of data do we have,

    what kind of policies do we have in place to govern that particular type of data,

    be it a data retention policy or be it all data must be encrypted at rest

    and in transit and then finally, and this is sort of the new huge issue on the block

    that GRC is facing, is geography.

    We want to live in this global marketplace,

    the reality is there are some countries that are

    very sensitive about data, where it is, who's processing it,

    who's prying eyes are looking at it.

    And then, you know, the aspirations of a sales

    and marketing team about doing business in new territories,

    really has to go through a lens of GRC informing them

    that the best approach would be to get a partner

    on the ground because, you know, setting up

    a corporate entity there might be difficult,

    in the case of Latin America, the Middle East,

    that's truly the thing or it might be impossible

    to do without a partner on the ground

    in some other countries. You know, it's interesting to see too where,

    a lot of times, people talk about the risk of data loss

    and that's, that's right, but so often there are

    regulations that will say, "Well, X company,

    if you're going to go into business

    in this particular region, you have to make sure that data is available to the customers

    and if it's not, there are fines and things like that too," right?

    I've seen that. When it comes to handling risk,

    you can transfer, you know, have the insurance company pick it up, yeah, right.

    You can accept the risk and avoid it.

    Let's talk about, you know, mitigation,

    all those different elements of risk handling.

    Yeah. So, first and foremost, GRC really needs to be

    at the front of the, of the line when it comes to this

    because they need to make sure everybody around the table

    understands, you know, what the protections of that data need to be

    from a policy perspective, from a regulatory compliance perspective.

    That should drive all the discussion amongst,

    you know, all of the delivery efforts so the IT department,

    the development department, security, all of them

    need to understand what it is that's being built,

    what the level of risk to the business is

    and then it's time to whiteboard and they'll get creative solutions for dealing with this.

    Now, it's going to cost money, that's the thing.

    So, if you never had static testing

    or dynamic testing of code, but the data

    that you're dealing with is sensitive enough

    to warrant that you need all, to take all of these precautions,

    then, you know, that's something that needs to be tabled

    in the risk, it's going to affect the budget,

    it might even protect, it might even impact

    the delivery time for the project.

    IT security has to be at the table

    and voice their wisdom on saying,

    "Hey, do not worry, we got this. We have similar applications with similar providers

    and this is the de rigueur that we've put them through,

    this is the telemetry that we're getting

    to throw into our SIM, you know, we got you."

    And then, you know, everyone else

    can breathe a sigh of relief because, you know,

    IT security are the big heroes in this story.

    Absolutely. When it comes to tracking risk,

    there are risk registers for example,

    let's talk about what a risk register is

    and then some of the key performance indicators

    of what it means to track risk. Yeah, and, you know, I will say that GRC's role

    has gotten really difficult because so much risk now

    in business is dynamic and a lot of that dynamic risk

    is dependent on your hosting provider

    or the line of business vendor of the particular thing

    because when you think of it, almost every company out there

    is a franking company, you know, they're taking a piece of Oracle and a piece of Azure

    and a piece of Google and they're throwing it together

    and they're building their thing that makes them money

    or they're providing their service

    that think makes money. So, the GRC's role now I think is really focused on

    supply chain issues and compliance within that supply chain

    and trying to, you know, educate procurement teams and,

    and project management in, you know,

    what is the sort of minimum threshold

    that will engage with the company.

    You know, what is the level of risk tolerance

    that we have in this organization.

    Because nobody wants to buy something

    that becomes the next big hack, right?

    That's usually a career ending decision when that happens.

    And I think, GRC's role now is to really articulate

    on that tolerance of risk and when they work

    in conjunction with IT audit, you have a very powerful story about due diligence

    within an organization and that due diligence,

    if the worst happens, is going to be the thing

    that saves the company from heavy regulatory fines and penalties.

    I like to say, in cyber security,

    you can try and fail, that's okay so long as you have evidence that you tried.

    [James] That's right. [Ian] If you don't try and you fail,

    bad things are coming for you. And that's what kind of registering and,

    and documenting all of this is all about.

    -Thank you. -Yeah.

    Keeping it up to date is super important

    because, you know, you're one privacy complaint away

    from an investigation into, you know,

    how that database got into the hands

    of the third-party marketing company and,

    all of a sudden, you know, hundreds of thousands

    of email messages went out. In some territories of the world,

    that's an okay thing, in other territories of the world, that's a bad thing.

    -Serious problems then. -Yeah.

    Ian, thank you so much for your wisdom

    talking about applying the appropriate risk strategies

    in regards, in regards to GRC, thanks man.

    -You're welcome, James. -Yeah.

    Risk Identification

    Risk identification involves examining all aspects of an organization’s operations, processes, and activities to identify potential hazards, vulnerabilities, or weaknesses that may lead to negative consequences. This process allows organizations to take proactive measures to mitigate these risks and prevent or reduce the negative consequences they may cause.

    Risk identification includes identifying potential risks or threats to an organization’s assets, including:

    • People
    • Systems
    • Data
    • Finances

    Risk Response Strategies

    After identifying risks, the next step is to handle them using different responses. This process involves analyzing the likelihood and impact of each risk and selecting an appropriate response based on its severity and importance. Responses to risk fall into four distinct categories:

    A box labeled Risk Responses is surrounded by four other boxes labeled: Avoid, Accept, Mitigate, and Transfer.

    The four types of risk responses.

    Risk Type Description
    AvoidRisk avoidance often means that you stop doing an activity that is risk-bearing. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. After reporting this new finding and providing context to the risks, the governance team may decide that the cost of maintaining the application, or the probability of catastrophic failure due to the newly discovered vulnerabilities, is not worth its benefit and so choose to have it decommissioned.
    AcceptRisk acceptance means continuing to operate without change after evaluating an identified risk item. The risk item could be related to software, hardware, or existing processes. We must consider risk in all we do; even simple daily tasks involve risks. But despite this, we are still productive and largely safe so long as we are aware of risks and act within safe limits. Helping organizations operate this way is precisely the goal of risk management—to help contain threats within carefully constructed and mutually agreed-upon boundaries because it is impossible to eliminate risk.
    MitigateRisk mitigation describes reducing exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. For example, there are many potential security issues associated with web applications. Since web applications are critical to many business processes, we must determine how to operate them safely while meeting the organization's needs. To do this, we use various means to improve the web application's safety and security through mitigating controls.

    By implementing effective mitigating controls, we can reduce the overall risk. We implement mitigating controls until risk levels are reduced to a level deemed "acceptable" by risk managers and governance teams.
    TransferRisk transference (or sharing) means assigning risk to a third party, which is most typically accomplished through insurance policies. Insurance transfers financial risks to a third party. This is an essential strategy as the cost of data breaches and other cybersecurity events can be extremely high and result in bankruptcy.

    Despite the presence of mitigating controls, some risks may still be troublesome. It could also be that mitigating controls are not available to help reduce the risk level. For example, a different risk response might be warranted, like avoidance. Circumstances may warrant a risk exception if a different risk response is not reasonable or feasible. Issuing a risk exception is a serious decision. It must include careful documentation identifying why the risks are concerning and specific justifications describing why an exception is warranted. The explanation should document the dates when the decision to issue an exception was made and include the signatures of all involved.

    Risk Monitoring and Evaluation

    Risk monitoring and evaluation are critical components of an effective risk management program. Risk monitoring is continually assessing and monitoring potential risks, identifying changes in the risk landscape, and detecting emerging threats or vulnerabilities. This requires ongoing data analysis from internal and external sources, such as threat intelligence feeds, incident reports, and regulatory updates. By monitoring risks continuously, organizations can proactively identify potential issues and take corrective action before they escalate into major problems.

    Risk evaluation involves assessing the likelihood and potential impact of identified risks and prioritizing them based on their significance level. This process requires careful analysis of risk data to determine the probability of an event occurring and the potential impact on organizational operations, reputation, and financial stability. Risk evaluation enables organizations to focus on managing the most critical risks and implementing appropriate controls to mitigate their potential impact. Risk monitoring and evaluation provide a comprehensive view of an organization's risk landscape, enabling decision-makers to make informed choices about risk management strategies and ensure ongoing business resilience.

    2.2.2 Applying the Appropriate Risk Strategies

    Click one of the buttons to take you to that part of the video.

    Risk Management Principles 00:00-01:17 Cybersecurity risk management refers to identifying and responding to potential physical and digital threats. Risk management helps to minimize an organization's exposure to cyber threats. It also helps organizations comply with data security and privacy regulations and standards. Risk management helps to ensure that organizational assets are well-protected.

    People are one of the most important assets to an organization. Skilled and engaged employees can drive innovation, productivity, and overall business success. Customers provide a source of revenue and valuable feedback that can be used to improve products and services and drive future growth.

    Computer and network systems are other valuable resources to an organization, enabling efficient data management, business communication, and collaboration among employees. An organization's data hold private customer and organizational information. It also provides insights into customer behavior, operational efficiency, and market trends that drive business success. The security of customers and other confidential data is essential to any organization. And, of course, finances are an important asset. Finances, whether in cash or other investments, provide the foundation for current and future operations.

    Risk Identification 01:17-02:27 One of the first steps of risk management is to identify potential risks. Risks can come from various sources, including natural disasters, cyberattacks, human error, and noncompliance with regulatory compliance requirements. An organization's finances, operations, network infrastructure, and reputation can be at risk.

    When identifying risk, it's also important to consider the potential repercussions associated with each. Financial repercussions associated with cybersecurity can include stolen funds, lost sales, recovery costs, and regulatory fines or legal costs.

    System downtime or disruption, loss of critical data or intellectual property, and compromised or damaged organizational assets and operations are examples of operational risks associated with cybersecurity threats.

    Cybersecurity incidents or perceived lack of security measures can result in reputational risks. These could include public exposure of sensitive or confidential data, negative media coverage, social media backlash, and loss of customer trust. Considering the potential repercussions of a risk helps prepare you to assign a response to each.

    Risk Response Strategies 02:27-03:25 The next steps of risk management involve evaluating the nature and repercussions of each risk to determine its severity. Once calculated, the severity is then used to determine which response strategy should be applied.

    There are four types of risk responses. Risk avoidance involves eliminating or not engaging in activities that pose a potential cyber risk, such as not allowing employees to use personal devices for work-related activities. Risk mitigation involves reducing the likelihood or impact of a cyber threat through proactive measures, such as implementing firewalls and intrusion detection systems.

    Risk acceptance involves acknowledging and accepting the potential risk, such as not implementing additional security measures despite being aware of potential vulnerabilities. Risk transfer involves transferring the risk to another party, such as purchasing cybersecurity insurance to help mitigate financial loss resulting from a cyber attack.

    Risk Monitoring 03:25-03:56 Finally, it's necessary for cybersecurity organizations to continuously monitor and evaluate potential risks and the effectiveness of their risk response strategies. This involves conducting regular risk assessments, testing security controls, and updating policies and procedures based on changes in the threat landscape or organizational needs. By staying vigilant and adaptable, cybersecurity organizations can be well-prepared to address potential risks and protect their assets from cyber threats and attacks.

    Summary 03:56-04:13 That's it for this lesson. In this lesson, we discussed risk management. We talked about identifying financial, operational, and reputational risks. We examined risk response strategies. We also discussed the importance of ongoing monitoring and evaluating potential risks.

    2.2.3 Threat Modeling

    Click one of the buttons to take you to that part of the video.

    Threat Modeling 00:00-00:52 As a cybersecurity professional, you help to protect your company's assets and data. One of the best ways to do this is through threat modeling.

    Threat modeling is a risk management process that helps identify, quantify, and prioritize potential threats to your business. It's used to evaluate and minimize the risk of a data breach or other malicious activity.

    To start, you should analyze your company's assets and data to determine which ones are most important and vulnerable. Then, you can create a list of potential threats, such as a malicious hacker, natural disaster, or cyber-attack. Once you've identified the threats, you can create a plan of action to mitigate the risks. This may include implementing security measures such as firewalls and user authentication or increasing your data backup. By taking the time to analyze and address potential threats properly, you can ensure that your company's assets and data remain secure and protected.

    5 Steps of Threat Modeling 00:52-03:06 Now that we've talked about the basics of threat modeling let's look at the five steps involved.

    The first step is adversary capability analysis. This involves understanding the capabilities of potential attackers so you can assess the risks they pose to your company. During this phase, you'll identify potential threat sources, determine how likely those attacks will occur, and consider what the adversary is capable of. For example: What damage could they do or what data could be accessed?

    The second step is total attack surface analysis. This is a process of evaluating the entire attack surface of your assets to identify all the ways an adversary could access the system. When determining the total attack surface, it's critical to consider any possible entry points, such as external networks or internal applications. During this step, you'll also want to take inventory of the entire network. The inventory should include hardware, software, and the capabilities and processes of each device.

    The third step is attack vector analysis. This involves analyzing the different methods attackers may use to gain access to your data, such as malware, phishing scams, or social engineering. An attack vector is a specific path or means by which an attacker can gain access to a system or data. There are three main categories of attack vectors. Cyber-attack vectors involve hardware or software being used for an attack. Human attackers use social engineering techniques such as impersonating or coercing an employee inside the organization. Physical attack vectors involve attackers with malicious intent gaining physical access to the target location.

    The fourth step is impact analysis. This step helps you to understand the potential impacts of a breach or attack. The impact could include system repairs, fines, contract penalties, and lost customers. It could also impact your organization's reputation and customer confidence and satisfaction.

    The fifth and final step is likelihood analysis. This involves assessing the likelihood of a particular attack occurring based on the information from the previous four steps. When considering the likelihood of a threat, you'll want to consider an attacker's motivation, emerging capabilities, the effectiveness of attacks, and the annual rate of occurrence. These considerations help you decide what chance there is of an attack happening.

    Summary 03:06-03:21 That's it for this lesson. In this lesson, we discussed threat modeling and the five steps involved—adversary capability analysis, total attack surface analysis, attack vector analysis, impact analysis, and likelihood analysis.

    2.2.4 Threat Modeling Facts

    This lesson covers the following topics:

    • Threat modeling
    • The five steps of threat modeling

    Threat Modeling

    Threat modeling is designed to identify the principal risks and tactics, techniques, and procedures (TTPs) that a system may be subject to by evaluating the system both from an attacker's point of view and the defender's point of view. For each scenario-based threat situation, the model asks whether defensive systems are sufficient to repel an attack perpetrated by an adversary with a given level of capability. Threat modeling can be used to assess risks against corporate networks and business systems, and it can also be performed against more specific targets, such as a website or software deployment. The outputs from threat modeling can be used to build use cases for security monitoring and detection systems. Threat modeling is typically a collaborative process with inputs from various stakeholders. In addition to cybersecurity experts with knowledge of the relevant threat intelligence and research, stakeholders can include non-experts, such as users and customers, and persons with different priorities on the technical side, such as those who represent financial, marketing, and legal concerns.

    The Five Steps of Threat Modeling

    There are five basic threat modeling steps.

    Adversary Capability Analysis

    During the adversary capability analysis step, identify potential threat sources, determine how likely these attacks are, and consider the adversary's capabilities. Threat actors or possible threat sources could specifically target the organization, or the attack could be convenient or opportunistic. Depending on the nature of the organization, sources could include nation-state attackers, organized crime, or hacktivists.

    Total Attack Surface Analysis

    The total attack surface refers to all ways an adversary could access the system. When determining the total attack surface, take inventory of the entire network. The inventory should include hardware, software, and the capabilities and processes of each device.

    Attack Vector Analysis

    An attack vector is a specific point to exploit on the total attack surface. MITRE provides three main categories for attack vectors:

    Category
    		Description
    Cyber
    		Hardware or software is used for an attack. Examples include portable storage devices, messaging apps, unauthorized devices, and compromised user accounts.
    Human
    		An attacker uses social engineering techniques such as impersonating or coercing an employee inside the organization.
    PhysicalThe attacker with malicious intent gains physical access to the target location.
    ##### Impact Analysis

    An impact analysis evaluates the cost of an attack. It determines how an organization would be impacted if a threat were not stopped.

    Consideration
    		Description
    Financial cost
    		Financial cost includes:
    • System repair
    • Fines
    • Contract penalties
    • Additional staffing
    Impact of system downtime
    		Impact of system downtime:
    • Lost customers
    • Contract penalties
    • Refunds
    • Additional staffing or overtime
    Non-financial costs
    		Non-financial costs include:
    • Reputation
    • Customer satisfaction
    • Customer confidence
    Likelihood Analysis

    The likelihood analysis determines the probability that an attack will occur. When considering the likelihood of a threat, you will want to consider the following:

    • Attacker's motivation
    • Emerging capabilities
    • Effectiveness of attacks
    • The annual rate of occurrence (ARO)
    Last Updated: