Risks and security-related issues represent an ongoing concern of businesses as well as the field of cybersecurity, but far too often organizations fail to proactively manage risk. Assessing and analyzing risks should be a continuous and comprehensive exercise in any organization. As a member of an organization’s security team, you will work through risk assessment, analysis, mitigation, remediation and communication.

There are many frameworks and models used to facilitate the risk management process, and each organization makes its own determination of what constitutes risk and the level of risk it is willing to accept. However, there are commonalities among the terms, concepts and skills needed to measure and manage risk. This module gets you started by presenting foundational terminology and introducing you to the risk management process.

First, a definition: risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. It is often expressed as a combination of:

the adverse impacts that would arise if the circumstance or event occurs, and

the likelihood of occurrence.

Information security risk reflects the potential adverse impacts that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems. This definition shows that risk is associated with threats, impact and likelihood, and it also indicates that IT risk is a subset of business risk.

Risk Management Terminology

Security professionals use their knowledge and skills to examine operational risk management, determine how to use risk data effectively, work cross-functionally and report actionable information and findings to the stakeholders concerned. Terms such as threats, vulnerabilities and assets are familiar to most cybersecurity professionals.

An asset is something in need of protection.

A vulnerability is a gap or weakness in those protection efforts.

A threat is something or someone that aims to exploit a vulnerability to thwart protection efforts.

Risk is the intersection of these terms. Let's look at them more closely.

Threats

A threat is a person or thing that takes action to exploit (or make use of) a target organization’s system vulnerabilities, as part of achieving or furthering its goal or objectives. To better understand threats, consider the scenario in the video on the next page.

In the context of cybersecurity, typical threat actors include the following:

Insiders (either deliberately, by simple human error, or by gross incompetence).

Outside individuals or informal groups (either planned or opportunistic, discovering vulnerability).

Formal entities that are nonpolitical (such as business competitors and cybercriminals).

Formal entities that are political (such as terrorists, nation-states, and hacktivists).

Intelligence or information gatherers (could be any of the above).

Technology (such as free-running bots and artificial intelligence, which could be part of any of the above).

Threat Vector: The means by which a threat actor carries out their objectives.

Vulnerabilities

A vulnerability is an inherent weakness or flaw in a system or component, which, if triggered or acted upon, could cause a risk event to occur. Consider the pickpocket scenario on the next page.

An organization’s security team strives to decrease its vulnerability. To do so, they view their organization with the eyes of the threat actor, asking themselves, “Why would we be an attractive target?” The answers might provide steps to take that will discourage threat actors, cause them to look elsewhere or simply make it more difficult to launch an attack successfully. For example, to protect yourself from the pickpocket, you could carry your wallet in an inside pocket instead of the back pant pocket or behave alertly instead of ignoring your surroundings. Managing vulnerabilities starts with one simple step: Learn what they are.

Likelihood

When determining an organization’s vulnerabilities, the security team will consider the probability, or likelihood, of a potential vulnerability being exploited in the context of the organization’s threat environment. Likelihood of Occurrence is a weighted factor based on a subjective analysis of the probability that a given threat or set of threats is capable of exploiting a given vulnerability or set of vulnerabilities.

Finally, the security team will consider the likely results if a threat is realized, and an event occurs. Impact is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Think about the impact and the chain of reactions that can result when an event occurs by revisiting the pickpocket scenario in the next article.
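As an added illustration (not part of the original module), the following Python sketch puts the terms above together: each register entry is the intersection of an asset, a vulnerability and a threat, and its rating combines likelihood and impact, with the pickpocket scenario included as one entry. The 1-5 ordinal scales, the product formula, the qualitative bands and every register entry are assumptions constructed for this example; the module itself does not prescribe a scale or formula.

```python
"""
Added example, not part of the original module: a minimal risk register that
models risk as the intersection of asset, vulnerability and threat, and rates
each entry by combining likelihood and impact.

Assumptions (the module prescribes none of these): a 1-5 ordinal scale for both
likelihood and impact, score = likelihood * impact, and the qualitative bands in
risk_level(). All register entries below are constructed sample data.
"""
from dataclasses import dataclass, replace

# Assumed ordinal scale shared by likelihood and impact.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

# Qualitative bands, from lowest to highest (assumed).
BANDS = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # something in need of protection
    vulnerability: str  # the gap or weakness in protecting it
    threat: str         # the person or thing that could exploit that weakness
    likelihood: str     # probability the threat exploits the vulnerability
    impact: str         # magnitude of harm if the event occurs


def risk_score(likelihood: str, impact: str) -> int:
    """Combine likelihood and impact on the assumed 1-5 scales (product)."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]


def risk_level(score: int) -> str:
    """Map a numeric score to a qualitative band (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_register(register):
    """Return (entry, score, level) tuples ordered from highest to lowest risk."""
    rated = [(e, risk_score(e.likelihood, e.impact)) for e in register]
    rated.sort(key=lambda pair: pair[1], reverse=True)
    return [(e, s, risk_level(s)) for e, s in rated]


def above_appetite(register, appetite: str):
    """Entries whose band exceeds the level the organization is willing to accept."""
    limit = BANDS.index(appetite)
    return [e for e, _, lvl in rank_register(register) if BANDS.index(lvl) > limit]


def apply_mitigation(entry: RiskEntry, likelihood=None, impact=None) -> RiskEntry:
    """Re-rate an entry after a control lowers its likelihood and/or impact."""
    changes = {}
    if likelihood is not None:
        changes["likelihood"] = likelihood
    if impact is not None:
        changes["impact"] = impact
    return replace(entry, **changes)


# The module's pickpocket scenario, expressed as a register entry (constructed values).
WALLET = RiskEntry("wallet", "carried in back pant pocket", "pickpocket", "moderate", "moderate")

# Constructed sample register, deliberately unsorted.
SAMPLE_REGISTER = [
    RiskEntry("lobby display", "outdated firmware", "free-running bot", "low", "very low"),
    WALLET,
    RiskEntry("customer database", "unpatched database server", "cybercriminal group", "high", "very high"),
    RiskEntry("internal wiki", "password shared among staff", "insider error", "high", "low"),
    RiskEntry("staff laptop", "no full-disk encryption", "opportunistic thief", "moderate", "high"),
]


if __name__ == "__main__":
    for entry, score, level in rank_register(SAMPLE_REGISTER):
        print(f"{score:>2} {level:<8} {entry.asset}: {entry.threat} via {entry.vulnerability}")
    print("above a 'medium' appetite:", [e.asset for e in above_appetite(SAMPLE_REGISTER, "medium")])
    safer = apply_mitigation(WALLET, likelihood="low")  # wallet moved to an inside pocket
    print("wallet after mitigation:", risk_score(safer.likelihood, safer.impact),
          risk_level(risk_score(safer.likelihood, safer.impact)))
```

Running the block prints the register ranked from the database (20, critical) down to the lobby display (2, low); the mitigation call shows how reducing the wallet's likelihood alone drops it from the high band to the medium band, which is the point of the inside-pocket advice in the module.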
