Cybersecurity Risk Management Tools and Techniques
Lecture notes for Niger Delta University
Prepared by Aseperi F. John, BSc, MSc (Lagos), Global MBA (London), FCA, ACIB, CISM, 4x Microsoft Certified
Content
1. The Four Major Branches of Criminology and How Cybersecurity Plays a Role in Their Effectiveness
2. What is cybersecurity, or information security?
3. What is a cybersecurity risk?
4. How do you manage cybersecurity risk?
5. What are the techniques for cybersecurity risk management?
6. What are the tools for cybersecurity risk management?
What is cybersecurity, or information security?
Cybersecurity, or information security, is the whole system of
controls put in place by an organization’s Board of Directors
through the commitment of the CISO and his team to secure the
information assets of the organization.
For example, in security organizations such as the Police Force and the Nigerian Army, to mention two, the boards of these organisations will set up standards for the operations of the Information Security Department that meet their needs.
1. The Four Major Branches of Criminology and How Cybersecurity Plays a Role in Their Effectiveness
• Penology is the study of penal sanctions or punishment.
• Victimology is the study and rehabilitation of the victims of crime.
• Criminalistics, the methods of investigation and detection of crime, is especially the job of law enforcement agencies and forensic experts.
• Administration
Information Security Triad: Understanding What You Need as a Criminologist
• Information is like an asset, e.g., a wife, husband, car.
• You must protect it from theft or unauthorized use (confidentiality).
• You must ensure that anytime you need it, it is available (availability).
• You must ensure that there is fidelity in your usage (integrity).
• Where it otherwise occurs, it becomes a crime that must be investigated.
Test of Knowledge
What is the meaning of information security?
What is the Information Security Triad?
What is Cybersecurity Risk?
Because information assets are things of value, they are subject to several risks that will compromise their confidentiality, integrity, and availability (the CIA triad).
Information risks are those activities, errors, omissions, and commissions through which an organization (police department, criminologist, NDA, DSS, etc.) loses the confidentiality, integrity, or availability of its information or information assets. They reflect the potential adverse impacts to organizational operations (including mission, functions, image, security of lives and property, or reputation) and organizational assets.
What is Cybersecurity Risk?
You cannot practice criminology without a proper understanding of technologies and the ability to secure them, because more than 60% of crimes occur through the internet.
For example, "an estimated 53.35 million US citizens were affected
by cybercrime in the first half of 2022. Between July 2020 and June
2021, the US was the most targeted country for cyber attacks,
accounting for 46% of attacks globally."
Major Cybersecurity Risks
• Malware (including fileless malware)
• Cloud security
• Phishing
• Ransomware
• Data loss
• Password attacks
• Insider threats
• DDoS
What is cybersecurity risk mitigation?
Cybersecurity risk mitigation involves the use of security policies
and processes to reduce the overall risk or impact of a cybersecurity
threat. In regard to cybersecurity, risk mitigation can be separated
into three elements: prevention, detection, and remediation.
As cybercriminals’ techniques rise in sophistication, your
organization’s cybersecurity risk mitigation strategies will have to
adapt to maintain the upper hand.
Risk management is the process of identifying the risk, as
represented by vulnerabilities, to an organization’s information
assets and infrastructure and taking steps to reduce this risk to an
acceptable level.
Test of Knowledge
Mention the information assets of crime-fighting organizations, such as EFCC, NPF, NDLEA, etc.
Suggested Answers
• Databases of the:
  • Names of criminals
  • Locations
  • Bank accounts
  • Property names and locations
  • Local, regional, and international connections
  • Supply chain (opposite sex, drugs, substances, food, alcohol, etc.)
  • Weapons and weapons suppliers
  • System IP addresses
  • Names and addresses of close associates, etc.
  • Fashion designers (e.g., barbers)
How do you manage cybersecurity risk?
You cannot manage risk unless you carry out these undertakings:
• Risk identification
• Risk assessment, and
• Risk control
RISK MANAGEMENT
Questions and Answers
How do you manage the risk of information security for illegal substance importation?
Assets inventory must be documented, then:
• Risk identification: possibility of information compromise, identity theft, phishing, malware, DDoS, eavesdropping, password attacks, data loss, etc.
• Risk assessment: Likelihood x Impact
• Risk control: strategies, policies, procedures, etc.
Managing Cybersecurity Risk
Managing risk in organizations such as EFCC, DSS, NPF, Navy, NA, etc.
Risk identification: a risk management strategy requires that information security professionals know their organizations’ information assets, that is, identify, classify, and prioritize them.
Once the organizational assets have been identified, a threat assessment process is carried out that quantifies the risks facing each asset.
Components of Risk Identification
Risk Assessment
This happens after you, as a crime fighter or criminologist, have identified your organization’s information assets, vulnerabilities, and threats. Then you are expected to evaluate the risks that can negatively impact your organization’s ability to successfully engage these assets to fight and curb crimes and criminals.
Test of Knowledge
What happens after you as a crime fighter have identified your organisation’s information assets, vulnerabilities, and threats? I mean, what should you do next in dealing with the risks?
Suggested Answers
Evaluate the risks that can negatively impact your organisation’s ability to successfully engage these assets to fight and curb crimes and criminals. For example:
1. Abuse of crime information
2. Exposing the contents of classified information
3. Implantation of malware in the DB, etc.
Risk Determination
Risk = (Likelihood of vulnerability x Value of information asset) - % of risk mitigated + Uncertainty of current knowledge of the vulnerability
Or
Risk = Likelihood x Impact
RISK DETERMINATION
The risk of armed terrorists invading the CBN is equal to the possibility that it will happen (say 15%) multiplied by what these criminals will steal if they are successful (say N15 billion). This means the risk is (0.15 x N15 billion) = N2.25 billion, and that you, as the HOD of security operations, should ensure that you commit enough resources to curb this loss of N2.25 billion.
This also explains why presidents and governors are heavily guarded by security agencies when in a public environment. The cost of re-electing new officers is high.
Identify Possible Controls
For each threat and its associated vulnerabilities that
have residual risk, you must create a preliminary list
of potential controls. Residual risk is the risk to the
information asset that remains even after the
application of controls.
There are three general categories of controls:
policies, programs, and technologies. Policies are
documents that specify an organization’s approach to
security.
Risk Control Strategies 1 of 2
When organizational management determines that risks from
information security threats are creating a competitive disadvantage,
they empower the information technology and information security
communities of interest to control the risks.
1. Defend: The defence-control strategy attempts to prevent the exploitation of the vulnerability, e.g., through application of policy, training and development, and application of technology.
2. Transfer
Risk Control Strategies 2 of 2
1. Mitigate: The mitigation control strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. Mitigation begins with early detection that an attack is in progress and a quick, efficient, and effective response. Mitigation involves an incident response plan, a disaster recovery plan, and a business continuity plan.
2. Terminate: The termination control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.
What are the tools for cybersecurity risk management?
• This session is important to you as forensic experts and criminologists because when you are going to investigate or understudy criminal cases, cartels, incidents, etc., you must know the technology resources at their disposal and how to infiltrate them.
• More importantly, understanding the tools you need to protect your organization is very key.
• Here is our list of the six best cybersecurity risk management tools:
1. SolarWinds is a product for cybersecurity risk management and assessment. It is used for monitoring, analysing, diagnosing, and optimizing the performance of databases and data operations. This tool can be used to drive crime-fighting business-critical applications such as tracking the number of drugs imported into a country, the weapons in use in a country, their manufacturers, etc.
2. CyberArk: This is used for managing generic, service, and privileged accounts. It gives single sign-on capability for databases and servers, and seamlessly secures identities throughout the cycle of accessing any resource across any infrastructure, including hybrid, SaaS, and multi-cloud.
3. IAM: This is used for managing the identities of humans and machines, such that it creates user profiles on Active Directory, applications, databases, and servers.
4. Active Directory is a tool for single sign-on to Windows, applications, and other security solutions. This reduces the risks of writing down several passwords, password theft, and identity risk, and saves resources.
5. Two-Factor Authentication: This tool protects against the crimes of phishing, social engineering, and password attacks. It secures users, for example, in security and crime-fighting organizations such as the Police Force, Nigerian Army, Nigerian Navy, etc., from credential-based attackers. This dramatically improves the security of login attempts. 2FA has also been shown to block nearly all automated bot-related attacks.
6. Imperva is an infrastructure monitoring tool that monitors transactions and activities in an organization's database.
7. A web application firewall (WAF) protects an organization's web application by filtering, monitoring, and blocking malicious requests in HTTP or HTTPS traffic traveling to the web application. This helps organizations, forensic experts, and cybersecurity professionals prevent any unauthorized data from leaving the app.
RISK CONTROL STRATEGY
The whole essence of the tools for risk control is to help organizations such as
NDU, NPF, NA, Zenith Bank, amongst others, and states or nations such as
Nigeria identify, analyze, evaluate, prioritize, treat, and monitor risks that are
bent on disrupting their operations and operational efficiencies. As earlier
mentioned, criminologists are duty-bound to develop strategies for penal code
creation (Penology), creating databases for victims of crime (victimology),
creating databases for information on crimes and criminals (criminology), and
perhaps storing information about the administration of justice systems in
society (Administration). All of this information is stored, transmitted,
processed, and used for the good of their profession.
RISK CONTROL STRATEGY
This information is an asset that must be protected from hackers, misuse, and distortion to
ensure that the objectives of Confidentiality, integrity, and Availability are achieved. This is why
you need to know the whole relevance and relationship between criminology and information, or
cybersecurity.
When organizational management evaluates that there are risks to the security of information
stored on digital platforms and that such risks are creating security threats and leading to
competitive disadvantage, they empower the information technology and information security
communities of interest to control the risks. Risk Control is the process for identifying, analyzing,
evaluating, prioritizing, treating, and monitoring risks confronting the security of Information in
an organization such that they threaten the CIA.
The information security expert controls these risks through these five strategies:
Defend, Transfer, Mitigate, Accept, and Terminate
RISK CONTROL STRATEGY
Defend: The defense-control strategy attempts to prevent the exploitation of the vulnerability. This is why cybersecurity technology experts use tools to detect vulnerabilities, threats, and risks within the information technology platforms to defend against cyberattacks.
These cybersecurity experts apply:
• Application of policy: logical policy such as role-based access control instituted on Windows, security layers for accessing secret information, etc. An IT security policy lays out the rules regarding how an organization's IT resources can be used. The policy should define acceptable and unacceptable behaviors, access controls, and potential consequences for breaking the rules. Examples of tools for policy application are 2FA, MFA, biometrics, etc. Examples of such policies are an acceptable encryption and key management policy, a data breach response policy, and a clean desk policy.
• Education and training: online, on-premises, and hybrid.
• Application of technology, e.g., IAM, CyberArk, etc.
RISK CONTROL STRATEGY
Transfer
This strategy attempts to shift risks to other assets, other processes, or other
organizations. This can be accomplished by remodeling how services are served,
revising technology deployment models, outsourcing to third-party organizations to save
costs and achieve efficiencies, purchasing insurance, or implementing service contracts
with providers.
Outsourcing, however, is not without its own risks. The owner of the information asset,
IT management, and the information security team must ensure that the disaster
recovery requirements of the outsourcing contract are sufficient and have been met
before they are needed.
For example, if NPF does not have the capability to secure its network, it can outsource
to an organization such as Microsoft or AWS, among others, to secure its network
perimeters, but it must carry out security assessments and ensure constant monitoring to
ensure that objectives are met.
Test of Knowledge
• What is Risk Control?
• Mention one tool for defending against intruders in your organization's security network.
Suggested Answers
• Tools:
  • Imperva
  • CyberArk
  • IAM
  • 2FA
  • MFA
RISK CONTROL STRATEGY
Mitigate
The mitigation control strategy aims to reduce or eliminate the impact caused by the exploitation of a vulnerability through planning and preparation against cyber incidents. Cybersecurity professionals in organizations ensure that these plans are followed:
• the incident response plan,
• the disaster recovery plan, and
• the business continuity plan.
The success of these plans depends on the ability to detect, analyze, and treat an attack as quickly as possible, the deployment of technological tools such as DLP and the Intrusion Detection System, physical and administrative mitigants, and the reliance on the quality of the other plans.
Mitigation begins with early detection that an attack is in progress and a quick, efficient, and effective response.
Plans that make mitigation effective
What should he or she document? The plans that make mitigation effective:
• Incident Response Plan
• Disaster Recovery Plan
• Business Continuity Plan
Incident Response Plan
The IR plan provides answers to questions victims might pose in the midst of an incident, such as "What do I do now?" For example, a systems administrator may notice that someone is copying information from the server without authorization, indicating a violation of policy by a potential hacker or an unauthorized employee.
• What should the administrator do first?
• Who should he or she contact?
The IR plan supplies the answers. In the event of a serious virus or worm outbreak, the IR plan can be used to assess the likelihood of imminent damage and to inform key decision-makers [1] in the various communities of interest (IT, information security, organization management, and users).
Test of Knowledge
Give me an example of an incident of cybersecurity in a criminal justice organization.
Suggested Answers
• Phishing Attack
• Malware
• Wiretapping
• Password Attacks
• Privilege Abuse
• Insider Data Theft
• Identity-Based Attacks
• Code Injection Attacks
• Supply Chain Attacks
DISASTER RECOVERY PLAN
After all is said and done in terms of putting in place the best risk controls, the
unexpected happens. The most common of the mitigation procedures in this instance is the
disaster recovery (DR) plan.
Although media backup strategies are an integral part of the DR plan, the overall program
includes the entire spectrum of activities used to recover from an incident.
DR plans normally contain all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede. For example, if there is a breach of the NPF data center, such as a fire outbreak, the next thing is to revert to backups.
BUSINESS CONTINUITY PLAN
The business continuity (BC) plan is the most strategic and long-term of
the three plans.
It encompasses the continuation of business activities if a catastrophic
event occurs, such as the loss of an entire database, building, or operations
center.
The BC plan includes planning the steps necessary to ensure the
continuation of the organization when the scope or scale of a disaster
exceeds the ability of the DR plan to restore it. This can include preparation
steps for the activation of secondary data centers, hot sites, or business
recovery sites.
Business Continuity and Disaster Recovery Plan in the
Animal Kingdom:
https://www.youtube.com/watch?v=gE273IJGzpg
RISK CONTROL STRATEGY
Accept
There are times when risk in cybersecurity will be accepted, such that criminologists, cybersecurity experts, etc. will accept doing nothing to protect a vulnerability and accept the outcome of its exploitation.
This may or may not be a conscious business decision. For example, when attacks are made on data or information assets that have been classified as public information and from which an organization does not derive any value, the risk strategy might be to accept the attack.
But the experts and business leaders in such organizations must have:
• Determined the level of risk
• Assessed the probability of attack
• Estimated the potential damage that could occur from attacks
• Performed a thorough cost-benefit analysis
• Evaluated controls using each appropriate type of feasibility
• Decided that the particular function, service, information, or asset did not justify the cost of protection.
For example, consider a record or database of all crimes and criminals already condemned for more than 100 years. The risk to such data might be accepted if the cost of protecting it is higher than its value to the Police.
Note that if every vulnerability in the organization is handled by means of acceptance, it may reflect an inability to conduct proactive security activities and an apathetic approach to security in general.
THE RISK CONTROL STRATEGIES: Summaries of Mitigation Plans
RISK CONTROL STRATEGY
Terminate
• The termination control strategy directs the organization to avoid those business activities that introduce uncontrollable risks. For example, it does not make sense to make a security budget for the protection of an information asset such as a list of armories that no longer exist in the Nigerian Army or Police.
• If some IT infrastructure is set up for tracking Osama Bin Laden, for example, since he has been captured and killed, the project should be terminated.
In the core business world, if Alibaba studies the risks of deploying
business-to-consumer e-commerce operations and determines that the
risks are not sufficiently offset by the potential benefits, the
organization may seek an alternate mechanism to meet customer
needs—perhaps developing new channels for product distribution or
new partnership opportunities. By terminating the questionable
activity, the organization reduces its risk exposure.
Test of Knowledge
What do you understand by Risk Control in Cybersecurity?
What are the connections between Criminology and Cybersecurity?
What are the major incidents in Cybersecurity?
Selecting a Risk Control Strategy
Risk control involves selecting one of the five risk control strategies for each vulnerability. For example, suppose there is a breach in the database where the names of drug cartel organisations are stored, so much so that some of the secret files were copied. The control strategy to select might be to encrypt all files in the database and restrict logical and physical access to only authorised team leaders and the head of the Department of Narcotics. However, there must be regular review of these control strategies to ensure that they meet business and security objectives.
A = Access restriction to authorized users only
B = Encrypted files
Test of Knowledge
What are the five major strategies for risks control?
The 5 Major Strategies for risk control are:
1. Avoiding risks or defense. To avoid risks, organisations must first be aware of the potential for these risks
to occur
2. Risk Transfer
3. Mitigation
4. Accept
5. Terminate
Major Information Security Mistakes
Cybersecurity Mistakes of Individuals
Risk Control Automation
Whatever control strategies your organisation selects, ensure that these control strategies are automated to be effective and efficient.
Important risk control strategies:
• When a vulnerability (flaw or weakness) exists: implement security controls to reduce the likelihood of the vulnerability being exercised.
• When a vulnerability can be exploited: apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent occurrence.
• When the attacker’s cost is less than his or her potential gain: apply protections to increase the attacker’s cost (e.g., use system controls to limit what a system user can access and do, thereby significantly reducing an attacker’s gain).
• When potential loss is substantial: apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
Feasibility Studies
Ideally, organizations will want to select the best control strategy that meets their
business, competitive, strategic, security, and regulatory objectives. To make such a
decision, there is a need to conduct feasibility studies.
In making a choice on the control strategy of defending, transferring, mitigating,
accepting, or terminating a specific vulnerability, threat, or risk, organizations such
as NDU, Harvard, and the University of Lagos, amongst others, must explore all the
economic and noneconomic consequences of the vulnerability facing the
information asset.
This is an attempt to answer the question, "What are the actual and perceived advantages of implementing a control as opposed to the actual and perceived disadvantages of implementing the control?"
Feasibility Studies
There are always challenges of cost and resource constraints with security organizations such as the NPF, NA, Civil Defense Corps, and private security organizations working for public or private institutions. Selecting the best control strategy must be productive and meet the needs of the business of the organization; in criminologists’ case, that business is fighting crimes and making society safe through security in cyberspace.
Advantages of Control Strategies
There are a number of ways to determine the advantage of a specific control, for example, using CBA, Payback Period, and Balanced Scorecard, amongst others.
There are also many methods an organization can use to
identify the disadvantages of specific controls. For example,
the number of times crimes occurred in society, the number
of attacks on the information assets of the police force, the
number of brute force attacks on users’ profiles, etc.
Cost avoidance is the process of preventing the financial
impact of an incident by implementing controls.
Cost Benefit Analysis
Organizations where criminologists, forensic experts, etc. work should
consider the economic feasibility of implementing information security
controls, mitigations, and safeguards. This is because there are a few
alternatives for solving a problem, and each may not have the same
economic feasibility.
Most organizations can spend only a reasonable amount of time and money on information security, and the definition of reasonable differs from organization to organization and even from manager to manager. For example, the security vote for the Nigeria Police is the same as the New York Department of Police. For example, state and local governments will spend $129 billion on corrections and courts in 2020 (Urban Institute, 2020). The effectiveness of these costs must sometimes be measured using cost-benefit analysis.
Items That Affect the Cost of a Control Strategy
• The first step in using CBA is to determine the value of the information to be secured.
• The second step is to determine the loss in value if those information assets were compromised by the exploitation of a specific vulnerability.
• Cost of development or acquisition (purchase cost) of hardware, software, and services
• Training fees (cost to train personnel)
• Cost of implementation (cost to install, configure, and test hardware, software, and services)
• Service costs (vendor fees for maintenance and upgrades)
• Cost of maintenance (labor expense to verify and continually test, maintain, and update)
Asset Valuation
Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.
The amount of the benefit is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset.
A benefit may be expressed as a reduction in the annualized loss expectancy.
Asset valuation is the process of assigning financial value or worth to all information assets in transit, at rest, and in use within an organization. All your information about crimes, logistics, strategies, investigations, and operations stored in databases, hard drives, or any other electronic medium must be valued to determine how much security cost to invest in protecting it from cybercriminals.
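The CBA steps and cost items above, worked as an added example that is not part of the lecture notes: the benefit of a control is expressed as the reduction in annualized loss expectancy (ALE) and set against the control's annualized cost, so the result also shows when the accept strategy is the economically feasible choice. The sample figures, the names Exposure, ControlCost, ale, annualized_cost and cost_benefit, and the ALE formula (asset value x loss fraction x annual rate of occurrence) are assumptions of this example.

```python
"""Cost-benefit analysis (CBA) of a candidate security control.

Added example, not from the lecture notes.  It follows the CBA steps on this
page: (1) value the information asset, (2) estimate the loss in value if a
specific vulnerability is exploited, (3) add up the cost items of the control
(acquisition, training, implementation, service, maintenance), and then
expresses the benefit as the reduction in annualized loss expectancy (ALE).
Assumption: ALE = (asset value x loss fraction) x annual rate of occurrence,
the standard quantitative reading of "annualized loss expectancy".  Every
figure below is a constructed sample value in naira.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """How exposed an asset is to one vulnerability, before or after a control."""
    asset_value: float    # step 1: value of the information to be secured
    loss_fraction: float  # step 2: share of that value lost per successful exploitation (0..1)
    annual_rate: float    # expected number of successful exploitations per year


@dataclass(frozen=True)
class ControlCost:
    """The cost items listed on this page for one control."""
    acquisition: float           # purchase cost of hardware, software and services
    training: float              # cost to train personnel
    implementation: float        # cost to install, configure and test
    service_per_year: float      # vendor fees for maintenance and upgrades
    maintenance_per_year: float  # labour to verify, test, maintain and update
    lifetime_years: int          # years over which the one-off costs are spread


def single_loss(exposure: Exposure) -> float:
    """Loss in value from one successful exploitation of the vulnerability."""
    if not 0.0 <= exposure.loss_fraction <= 1.0:
        raise ValueError("loss_fraction must be between 0 and 1")
    return exposure.asset_value * exposure.loss_fraction


def ale(exposure: Exposure) -> float:
    """Annualized loss expectancy: single loss x how often it happens per year."""
    return single_loss(exposure) * exposure.annual_rate


def annualized_cost(cost: ControlCost) -> float:
    """One-off costs spread over the control's life, plus the recurring costs."""
    if cost.lifetime_years < 1:
        raise ValueError("lifetime_years must be at least 1")
    one_off = cost.acquisition + cost.training + cost.implementation
    return one_off / cost.lifetime_years + cost.service_per_year + cost.maintenance_per_year


def cost_benefit(before: Exposure, after: Exposure, cost: ControlCost) -> dict:
    """Benefit = ALE before the control - ALE after it; net = benefit - annualized cost.

    A positive net figure means the control is economically feasible; a
    negative one is the case where the page's 'accept' strategy applies.
    """
    benefit = ale(before) - ale(after)
    annual_cost = annualized_cost(cost)
    return {
        "ale_before": ale(before),
        "ale_after": ale(after),
        "benefit": benefit,
        "annual_cost": annual_cost,
        "net": benefit - annual_cost,
        "implement": benefit > annual_cost,
    }


# Constructed sample 1: encrypt the narcotics case database and restrict access
# (the A/B controls from the 'Selecting a Risk Control Strategy' slide).
NARCOTICS_BEFORE = Exposure(asset_value=4_000_000_000, loss_fraction=0.50, annual_rate=0.30)
NARCOTICS_AFTER = Exposure(asset_value=4_000_000_000, loss_fraction=0.10, annual_rate=0.10)
NARCOTICS_CONTROL = ControlCost(
    acquisition=120_000_000, training=10_000_000, implementation=20_000_000,
    service_per_year=15_000_000, maintenance_per_year=25_000_000, lifetime_years=3,
)

# Constructed sample 2: a DLP product for a public crime-statistics site whose
# data is already public, so the loss it prevents is small.
PUBLIC_BEFORE = Exposure(asset_value=50_000_000, loss_fraction=0.20, annual_rate=0.60)
PUBLIC_AFTER = Exposure(asset_value=50_000_000, loss_fraction=0.20, annual_rate=0.10)
PUBLIC_CONTROL = ControlCost(
    acquisition=30_000_000, training=0, implementation=0,
    service_per_year=2_000_000, maintenance_per_year=3_000_000, lifetime_years=3,
)


if __name__ == "__main__":
    for label, b, a, c in (("narcotics DB", NARCOTICS_BEFORE, NARCOTICS_AFTER, NARCOTICS_CONTROL),
                           ("public site", PUBLIC_BEFORE, PUBLIC_AFTER, PUBLIC_CONTROL)):
        r = cost_benefit(b, a, c)
        print(f"{label:14} benefit N{r['benefit']:,.0f}  cost N{r['annual_cost']:,.0f}  "
              f"net N{r['net']:,.0f}  implement={r['implement']}")
```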
Asset Valuation
The value of information assets differs within and between organizations, depending both on the characteristics of the information and the perceived value of that information. If, for example, the government gives free education up to university level and spends N50 billion annually on Nigerian youths, and there is a drug cartel peddling cocaine to university students in Nigeria such that it reduces the time commitment and academic performance of students by 80%, the implication is that the government will be losing value on its investment to the tune of N40 billion annually to this crime. The value of all information assets for confronting this crime should be based on the perceived value of the government’s investment in education (N40 billion).
Asset Valuation
The valuation of assets involves the estimation of real and perceived costs
associated with design, development, installation, maintenance, protection,
recovery, and defense against loss and litigation.
Other costs are almost impossible to determine accurately, for example, the
dollar value of the loss in market share if information on new product
offerings is released prematurely and a company loses its competitive edge.
A further complication is the value that some information assets acquire
over time that is beyond the intrinsic value of the asset under consideration.
In most cases, the higher the acquired value, the more appropriate it is.
Once an organization has estimated the worth of various assets, it can
begin to examine the potential loss that could occur from the exploitation of
a vulnerability or a threat occurrence.
Evaluation, Assessment, and Maintenance of Risk Controls
The selection and implementation of a control strategy
is not the end of a process; the strategy and its
accompanying controls must be monitored and
reevaluated on an ongoing basis to determine their
effectiveness and to more accurately calculate the
estimated residual risk.
Quantitative Versus Qualitative Risk Control Practices
Quantitative risk control practice is an assessment practice that uses actual values and estimates to determine the cost and benefit of risk control.
Qualitative risk control practice is used where an organization cannot use specific numbers or values and estimates to assess the cost of control. This can be accomplished using scales rather than specific estimates. A sample scale could include none, representing no chance of occurrence, then low, medium, and so on.
For example, instead of estimating that a particular piece of information is worth $1 million, you can value information on a scale of 1–20, with 1 indicating relatively worthless information and 20 indicating extremely critical information.
Risk Control Cycle
Benchmarking and Best Practices
Benchmarking is the practice of examining the process being used by peer
organizations to determine the financial value they place on their information
assets and implementing security as an acceptable percentage of that value
based on what the peer organizations do.
In other words, benchmarking is the process of seeking out and studying the
practices used in other organizations that produce results you would like to
duplicate in your organization.
Two Types of Measures for Benchmarking
When benchmarking, an organization such as NPF, NA, or a private security organization should typically use one of two types of measures to compare practices: metrics-based measures or process-based measures.
Metrics-based measures are comparisons based on numerical standards, such as:
• number of successful attacks,
• staff hours spent on system protection,
• dollars spent on protection,
• number of security personnel,
• estimated value in dollars of the information lost in successful attacks, and
• loss in productivity hours associated with successful attacks.
Process-based measures are generally less focused on numbers and are more strategic than metrics-based measures. For each of the areas the organization is interested in benchmarking, process-based measures enable the organization to examine the activities an individual company performs in pursuit of its goal rather than the specifics of how goals are attained. The primary focus is on the method the organization uses to accomplish a particular process, rather than the outcome.
Risk Management Discussion Points
Not every organization has the collective will or
budget to manage each vulnerability by applying
controls; therefore, each organization must define the
level of risk it is willing to live with.
Risk Appetite
Risk appetite defines the quantity and nature of risk that an organization is willing to accept as it evaluates the trade-offs between perfect security and unlimited accessibility.
For instance, a financial services company, regulated by the government and conservative by nature, may seek to apply every reasonable control and even some invasive controls to protect its information assets. Other, non-regulated organizations may also be conservative by nature, seeking to avoid the negative publicity associated with a perceived loss of integrity.
Residual Risk
Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is called residual risk. To express it another way, "residual risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards."
The significance of residual risk must be judged within the context of the organization. Although it is counterintuitive, the goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with the organization's comfort zone, or risk appetite. If decision-makers have been informed of the uncontrolled risks and the proper authority groups within the communities of interest have decided to leave the residual risk in place, the information security program has accomplished its primary goal.
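As an added example (not code from the lecture notes), the following Python script computes residual risk from the three-part description above and compares it with a risk appetite, so that items within appetite are handed to the asset owner for formal acceptance and items above it are sent back for further treatment. The slide does not say how the three parts combine; the script assumes a product, treating threat and vulnerability as probabilities and asset value as currency, so the residual is an expected annual loss in the same currency as the appetite. The risk register entries and the appetite figure are constructed.

```python
"""Residual risk measured against risk appetite.

Added example for these lecture notes (not code from the original deck).
Residual risk is taken as

    (threat less its safeguards) x (vulnerability less its safeguards)
        x (asset value less its safeguards)

with threat and vulnerability as probabilities in [0, 1] and asset value in
currency. The product form is an assumption; the slide only says "combined
function". Register entries and the appetite are constructed figures.
"""
from dataclasses import dataclass


def _fraction(name: str, value: float) -> float:
    """Probabilities and safeguard effects must lie in [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")
    return value


@dataclass(frozen=True)
class RiskItem:
    name: str
    threat: float                  # chance the threat acts against the asset in a year
    vulnerability: float           # chance an attempt succeeds with no safeguards in place
    asset_value: float             # loss if the attempt succeeds, in currency
    threat_reduction: float = 0.0  # effect of threat-reducing safeguards (deterrence, vetting)
    vuln_reduction: float = 0.0    # effect of vulnerability-reducing safeguards (patching, MFA)
    value_reduction: float = 0.0   # effect of asset-value-reducing safeguards (backups, minimisation)


def residual_risk(item: RiskItem) -> float:
    """Expected annual loss that remains after all three kinds of safeguard."""
    threat = _fraction("threat", item.threat) * (1 - _fraction("threat_reduction", item.threat_reduction))
    vuln = _fraction("vulnerability", item.vulnerability) * (1 - _fraction("vuln_reduction", item.vuln_reduction))
    value = item.asset_value * (1 - _fraction("value_reduction", item.value_reduction))
    return threat * vuln * value


@dataclass(frozen=True)
class Decision:
    name: str
    residual: float
    within_appetite: bool


def evaluate(items: list[RiskItem], appetite: float) -> list[Decision]:
    """Compare each item's residual risk with the appetite, largest residual first.

    Items within appetite are candidates for formal acceptance by the asset owner;
    items above it need further treatment (more controls, transfer, or termination).
    """
    decisions = []
    for item in items:
        residual = residual_risk(item)
        decisions.append(Decision(item.name, residual, residual <= appetite))
    return sorted(decisions, key=lambda d: d.residual, reverse=True)


def needs_treatment(items: list[RiskItem], appetite: float) -> list[str]:
    """Names of the items whose residual risk still exceeds the appetite."""
    return [d.name for d in evaluate(items, appetite) if not d.within_appetite]


if __name__ == "__main__":
    # Constructed register for a crime-fighting organisation's information assets.
    register = [
        RiskItem("ransomware on case-file database", 0.6, 0.5, 2_000_000,
                 threat_reduction=0.0, vuln_reduction=0.8, value_reduction=0.9),
        RiskItem("insider disclosure of informant identities", 0.3, 0.7, 5_000_000,
                 threat_reduction=0.5, vuln_reduction=0.5, value_reduction=0.0),
        RiskItem("defacement of public website", 0.9, 0.4, 50_000,
                 threat_reduction=0.0, vuln_reduction=0.75, value_reduction=0.0),
    ]
    APPETITE = 100_000.0  # constructed: maximum residual expected loss per item per year
    for d in evaluate(register, APPETITE):
        status = "accept (within appetite)" if d.within_appetite else "treat further"
        print(f"{d.name:<45} residual {d.residual:>12,.0f}  {status}")
```

With these figures the ransomware and defacement items land well inside the appetite and can be formally accepted even though their residual is not zero; the informant-identity item remains above it because no safeguard reduces the value of what would be lost, so it goes back for more treatment or a transfer decision.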
Other Areas You Should Focus On
THANK YOU, ALL
Thank you very much (Yoruba: E seun pupo)
Study and Wait, Opportunities will Come
…Lincoln

More Related Content

Similar to Cybersecurity Risk Management Tools and Techniques (1).pptx

Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 
Database Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationDatabase Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationApril Dillard
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilienceSymantec
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Morakinyo Animasaun
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docxgilbertkpeters11344
 
It risk assessment in uae
It risk assessment in uaeIt risk assessment in uae
It risk assessment in uaeRishalHalid1
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceMarlabs
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfChinatu Uzuegbu
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxJakeariesMacarayo
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxJakeariesMacarayo
 
Week 1&2 intro_ v2-upload
Week 1&2 intro_ v2-uploadWeek 1&2 intro_ v2-upload
Week 1&2 intro_ v2-uploadVinoth Sn
 
Risk Management
Risk ManagementRisk Management
Risk Managementijtsrd
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAbdullahKanash
 
Enhancing Cyber Security Awareness: Building a Safer Digital World
Enhancing Cyber Security Awareness: Building a Safer Digital WorldEnhancing Cyber Security Awareness: Building a Safer Digital World
Enhancing Cyber Security Awareness: Building a Safer Digital Worldcyberprosocial
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALIJNSA Journal
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 

Similar to Cybersecurity Risk Management Tools and Techniques (1).pptx (20)

Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Database Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationDatabase Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every Organization
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilience
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
 
Threat Hunters
Threat HuntersThreat Hunters
Threat Hunters
 
It risk assessment in uae
It risk assessment in uaeIt risk assessment in uae
It risk assessment in uae
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdf
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
 
Week 1&2 intro_ v2-upload
Week 1&2 intro_ v2-uploadWeek 1&2 intro_ v2-upload
Week 1&2 intro_ v2-upload
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
 
Enhancing Cyber Security Awareness: Building a Safer Digital World
Enhancing Cyber Security Awareness: Building a Safer Digital WorldEnhancing Cyber Security Awareness: Building a Safer Digital World
Enhancing Cyber Security Awareness: Building a Safer Digital World
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 

Recently uploaded

VIP Call Girl Bhilai Aashi 8250192130 Independent Escort Service Bhilai
VIP Call Girl Bhilai Aashi 8250192130 Independent Escort Service BhilaiVIP Call Girl Bhilai Aashi 8250192130 Independent Escort Service Bhilai
VIP Call Girl Bhilai Aashi 8250192130 Independent Escort Service BhilaiSuhani Kapoor
 
内布拉斯加大学林肯分校毕业证录取书( 退学 )学位证书硕士
内布拉斯加大学林肯分校毕业证录取书( 退学 )学位证书硕士内布拉斯加大学林肯分校毕业证录取书( 退学 )学位证书硕士
内布拉斯加大学林肯分校毕业证录取书( 退学 )学位证书硕士obuhobo
 
PM Job Search Council Info Session - PMI Silver Spring Chapter
PM Job Search Council Info Session - PMI Silver Spring ChapterPM Job Search Council Info Session - PMI Silver Spring Chapter
PM Job Search Council Info Session - PMI Silver Spring ChapterHector Del Castillo, CPM, CPMM
 
女王大学硕士毕业证成绩单(加急办理)认证海外毕业证
女王大学硕士毕业证成绩单(加急办理)认证海外毕业证女王大学硕士毕业证成绩单(加急办理)认证海外毕业证
女王大学硕士毕业证成绩单(加急办理)认证海外毕业证obuhobo
 
办理学位证(Massey证书)新西兰梅西大学毕业证成绩单原版一比一
办理学位证(Massey证书)新西兰梅西大学毕业证成绩单原版一比一办理学位证(Massey证书)新西兰梅西大学毕业证成绩单原版一比一
办理学位证(Massey证书)新西兰梅西大学毕业证成绩单原版一比一A SSS
 
Preventing and ending sexual harassment in the workplace.pptx
Preventing and ending sexual harassment in the workplace.pptxPreventing and ending sexual harassment in the workplace.pptx
Preventing and ending sexual harassment in the workplace.pptxGry Tina Tinde
 
(Call Girls) in Lucknow Real photos of Female Escorts 👩🏼‍❤️‍💋‍👩🏻 8923113531 ➝...
(Call Girls) in Lucknow Real photos of Female Escorts 👩🏼‍❤️‍💋‍👩🏻 8923113531 ➝...(Call Girls) in Lucknow Real photos of Female Escorts 👩🏼‍❤️‍💋‍👩🏻 8923113531 ➝...
(Call Girls) in Lucknow Real photos of Female Escorts 👩🏼‍❤️‍💋‍👩🏻 8923113531 ➝...gurkirankumar98700
 
Gray Gold Clean CV Resume2024tod (1).pdf
Gray Gold Clean CV Resume2024tod (1).pdfGray Gold Clean CV Resume2024tod (1).pdf
Gray Gold Clean CV Resume2024tod (1).pdfpadillaangelina0023
 
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Service
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts ServiceCall Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Service
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Servicejennyeacort
 
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call GirlsDelhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girlsshivangimorya083
 
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...Suhani Kapoor
 
Ioannis Tzachristas Self-Presentation for MBA.pdf
Ioannis Tzachristas Self-Presentation for MBA.pdfIoannis Tzachristas Self-Presentation for MBA.pdf
Ioannis Tzachristas Self-Presentation for MBA.pdfjtzach
 
办理学位证(纽伦堡大学文凭证书)纽伦堡大学毕业证成绩单原版一模一样
办理学位证(纽伦堡大学文凭证书)纽伦堡大学毕业证成绩单原版一模一样办理学位证(纽伦堡大学文凭证书)纽伦堡大学毕业证成绩单原版一模一样
办理学位证(纽伦堡大学文凭证书)纽伦堡大学毕业证成绩单原版一模一样umasea
 
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call GirlsSonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call GirlsNiya Khan
 
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service CuttackVIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service CuttackSuhani Kapoor
 
Storytelling, Ethics and Workflow in Documentary Photography
Storytelling, Ethics and Workflow in Documentary PhotographyStorytelling, Ethics and Workflow in Documentary Photography
Storytelling, Ethics and Workflow in Documentary PhotographyOrtega Alikwe
 
Black and White Minimalist Co Letter.pdf
Black and White Minimalist Co Letter.pdfBlack and White Minimalist Co Letter.pdf
Black and White Minimalist Co Letter.pdfpadillaangelina0023
 
How to Find the Best NEET Coaching in Indore (2).pdf
How to Find the Best NEET Coaching in Indore (2).pdfHow to Find the Best NEET Coaching in Indore (2).pdf
How to Find the Best NEET Coaching in Indore (2).pdfmayank158542
 

Recently uploaded (20)

VIP Call Girl Bhilai Aashi 8250192130 Independent Escort Service Bhilai
VIP Call Girl Bhilai Aashi 8250192130 Independent Escort Service BhilaiVIP Call Girl Bhilai Aashi 8250192130 Independent Escort Service Bhilai
VIP Call Girl Bhilai Aashi 8250192130 Independent Escort Service Bhilai
 
内布拉斯加大学林肯分校毕业证录取书( 退学 )学位证书硕士
内布拉斯加大学林肯分校毕业证录取书( 退学 )学位证书硕士内布拉斯加大学林肯分校毕业证录取书( 退学 )学位证书硕士
内布拉斯加大学林肯分校毕业证录取书( 退学 )学位证书硕士
 
PM Job Search Council Info Session - PMI Silver Spring Chapter
PM Job Search Council Info Session - PMI Silver Spring ChapterPM Job Search Council Info Session - PMI Silver Spring Chapter
PM Job Search Council Info Session - PMI Silver Spring Chapter
 
女王大学硕士毕业证成绩单(加急办理)认证海外毕业证
女王大学硕士毕业证成绩单(加急办理)认证海外毕业证女王大学硕士毕业证成绩单(加急办理)认证海外毕业证
女王大学硕士毕业证成绩单(加急办理)认证海外毕业证
 
办理学位证(Massey证书)新西兰梅西大学毕业证成绩单原版一比一
办理学位证(Massey证书)新西兰梅西大学毕业证成绩单原版一比一办理学位证(Massey证书)新西兰梅西大学毕业证成绩单原版一比一
办理学位证(Massey证书)新西兰梅西大学毕业证成绩单原版一比一
 
Preventing and ending sexual harassment in the workplace.pptx
Preventing and ending sexual harassment in the workplace.pptxPreventing and ending sexual harassment in the workplace.pptx
Preventing and ending sexual harassment in the workplace.pptx
 
(Call Girls) in Lucknow Real photos of Female Escorts 👩🏼‍❤️‍💋‍👩🏻 8923113531 ➝...
(Call Girls) in Lucknow Real photos of Female Escorts 👩🏼‍❤️‍💋‍👩🏻 8923113531 ➝...(Call Girls) in Lucknow Real photos of Female Escorts 👩🏼‍❤️‍💋‍👩🏻 8923113531 ➝...
(Call Girls) in Lucknow Real photos of Female Escorts 👩🏼‍❤️‍💋‍👩🏻 8923113531 ➝...
 
Gray Gold Clean CV Resume2024tod (1).pdf
Gray Gold Clean CV Resume2024tod (1).pdfGray Gold Clean CV Resume2024tod (1).pdf
Gray Gold Clean CV Resume2024tod (1).pdf
 
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Service
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts ServiceCall Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Service
Call Girls In Bhikaji Cama Place 24/7✡️9711147426✡️ Escorts Service
 
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call GirlsDelhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
 
Call Girls In Prashant Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Prashant Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCeCall Girls In Prashant Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Prashant Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
 
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...
VIP Russian Call Girls in Amravati Deepika 8250192130 Independent Escort Serv...
 
Ioannis Tzachristas Self-Presentation for MBA.pdf
Ioannis Tzachristas Self-Presentation for MBA.pdfIoannis Tzachristas Self-Presentation for MBA.pdf
Ioannis Tzachristas Self-Presentation for MBA.pdf
 
办理学位证(纽伦堡大学文凭证书)纽伦堡大学毕业证成绩单原版一模一样
办理学位证(纽伦堡大学文凭证书)纽伦堡大学毕业证成绩单原版一模一样办理学位证(纽伦堡大学文凭证书)纽伦堡大学毕业证成绩单原版一模一样
办理学位证(纽伦堡大学文凭证书)纽伦堡大学毕业证成绩单原版一模一样
 
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call GirlsSonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
Sonam +91-9537192988-Mind-blowing skills and techniques of Ahmedabad Call Girls
 
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service CuttackVIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
 
Storytelling, Ethics and Workflow in Documentary Photography
Storytelling, Ethics and Workflow in Documentary PhotographyStorytelling, Ethics and Workflow in Documentary Photography
Storytelling, Ethics and Workflow in Documentary Photography
 
FULL ENJOY Call Girls In Gautam Nagar (Delhi) Call Us 9953056974
FULL ENJOY Call Girls In Gautam Nagar (Delhi) Call Us 9953056974FULL ENJOY Call Girls In Gautam Nagar (Delhi) Call Us 9953056974
FULL ENJOY Call Girls In Gautam Nagar (Delhi) Call Us 9953056974
 
Black and White Minimalist Co Letter.pdf
Black and White Minimalist Co Letter.pdfBlack and White Minimalist Co Letter.pdf
Black and White Minimalist Co Letter.pdf
 
How to Find the Best NEET Coaching in Indore (2).pdf
How to Find the Best NEET Coaching in Indore (2).pdfHow to Find the Best NEET Coaching in Indore (2).pdf
How to Find the Best NEET Coaching in Indore (2).pdf
 

Cybersecurity Risk Management Tools and Techniques (1).pptx

  • 1. Cybersecurity Risk Management Tools and Techniques L E C T U R E N O T E S F O R N I G E R D E L T A U N I V E R S I T Y : P R E P A R E D B Y A S E P E R I F . J O H N B S C , M S C ( L A G O S ) , G L O B A L M B A ( L O N D O N ) F C A , A C I B , C I S M , 4 X M I C R O S O F T C E R T I F I E D
  • 2. Cybersecurity Risk Management Tools and Techniques
  • 3. Content 1. The Four Major Branches of Criminology and How Cybersecurity Plays a Role in Their Effectiveness 2. What is cybersecurity, or information security? 3. What is a cybersecurity risk? 4. How do you manage cybersecurity risk? 5. What are the techniques for cybersecurity risk management? 6. What are the tools for cybersecurity risk management?
  • 5. What is cybersecurity, or information security? Cybersecurity, or information security, is the whole system of controls put in place by an organization’s Board of Directors through the commitment of the CISO and his team to secure the information assets of the organization. For example, in security organizations such as Police Force, Nigeria Army to mention two, the board of these organisations will set up standards for the operations of Information Security Department that meet their needs.
  • 6. Four Major Branches of Criminology and How Cybersecurity Plays a Role in Their Effectiveness 1. The  Penology is the study of penal sanctions or punishment.  Victimology is the study and rehabilitation of the victims of crime.  Criminalistics, the methods of investigation and detection of crime, is especially the job of law enforcement agencies and forensic experts.  Administration
  • 8. The Understanding What You Need as a Criminologist • Information is like an asset, e.g., a wife, husband, car. • You must protect it from theft or unauthorized use (confidentiality). • You must ensure that anytime you need it, it is available. • You must ensure that there is fidelity in your usage (integrity). • Where it otherwise occurs, it becomes a crime that must be investigated.
  • 9. Test of Knowledge What is the meaning of information security? What is the Information Security Triad?
  • 10. What is Cybersecurity Risk? Because information assets are things of value, they are subject to several risks that will compromise the CIA's confidentiality, integrity, and availability. Information risks are those activities, errors, omissions, and commissions that happen because an organization (police department, criminologist, NDA, DSS, etc.) loses the confidentiality, integrity, or availability of its information or information assets and reflect the potential adverse impacts to organizational operations (including mission, functions, image, security of lives and property, or reputation) and organizational assets.
  • 11. What is Cybersecurity Risk? : You cannot practice criminology without a proper understanding of technologies and the ability to secure them because more than 60% of crimes occur through the internet. For example, "an estimated 53.35 million US citizens were affected by cybercrime in the first half of 2022. Between July 2020 and June 2021, the US was the most targeted country for cyber attacks, accounting for 46% of attacks globally."
  • 12. Major Cybersecurity Risks  Malware (including fileless malware)  Cloud security  Phishing  Ransomware  Data loss  Password attacks  Insider threats  DDoS
  • 13. What is cybersecurity risk mitigation? Cybersecurity risk mitigation involves the use of security policies and processes to reduce the overall risk or impact of a cybersecurity threat. In regard to cybersecurity, risk mitigation can be separated into three elements: prevention, detection, and remediation. As cybercriminals’ techniques rise in sophistication, your organization’s cybersecurity risk mitigation strategies will have to adapt to maintain the upper hand. Risk management is the process of identifying the risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure and taking steps to reduce this risk to an acceptable level.
  • 14. Test of Knowledge Mention the information assets of crime fighting organizations, such as, EFCC, NPF, NDLEA, etc.
  • 15. Suggested Answers  Databases of the:  Names of criminals  Locations  Bank Accounts  Property names and locations  Local, regional, and international connections  Supply Chain (opposite sex, drugs, substances, food, alcohol, etc.)  Weapons and weapons suppliers  System IP addresses  Names and addresses of closed associates, etc.  Fashion designers (e.g., barbers)
  • 16. How do you manage cybersecurity risk? You cannot manage risk unless you carry out these undertakings:  Risk Identification  Risk assessment, and  Risk Control
  • 18. Questions and Answers How do you manage the risk of information security for illegal substance importation?
  • 19. QUESTION & ANSWERS Assets inventory must be documented, then: Risk identification: possibility of information compromise, identity theft, phishing, malware, DDOS, eavesdropping, password attacks, data loss, etc. risk assessment: Likelihood x Impact risk control: Strategies, policies, procedures etc.
  • 20. Managing Cybersecurity risk Managing risk in organizations such as EFCC, DSS, NFP, Navy, NA etc.
  • 21. Managing risk in organizations such as EFCC, DSS, NFP, etc. Risk identification: risk management strategy requires that information security professionals know their organizations’ information assets—that is, identify, classify, and prioritize them. Once the organizational assets have been identified, a threat assessment process carried out, that will quantify the risks facing each asset.
  • 23. Risk Assessment This happens after you, as a crime fighter, OR criminologist, have identified your organization’s information assets, vulnerabilities, and threats. Then you are expected to evaluate the risks that can negatively impact your organization’s ability to successfully engage these assets to fight and curb crimes and criminals.
  • 24. RISK ASSESSMENT 1 OF 3 This happens after you as a crime fighter have identified your organisation’s information assets, vulnerabilities, and threats. Then you are expected to evaluate the risks that can negatively impact your organisation’s ability to successfully engage these assets to fight and curb crimes and criminals.
  • 27. Test of Knowledge What happens after you as a crime fighter have identified your organisation’s information assets, vulnerabilities, and threats? I mean what should you do next in dealing with the risks?
  • 28. Suggested Answers Evaluate the risks that can negatively impact your organisation’s ability to successfully engage these assets to fight and curb crimes and criminals. For examples: 1. Abuse of crime Information 2. Exposing the contents of classified information 3. Implantation of Malware in the DB etc
  • 29. Risk Determination Risk = Likelihood of Vulnerability X Value of Information Assets - % (risk mitigated) + Uncertainty of current knowledge of vulnerability Or Risk = Likelihood x Impact
  • 30. RISK DETERMINATION The risk of armed terrorists invading CBN is equal to the possibility that it will happen (say 15%) multiplied by what these criminals will steal if they become successful (say N15 billion). This means the risk is (0.15 x N15 billion) = N2.25 billion. This means that you, as the HOD of security operations, should ensure that you commit enough resources to curb this loss of N2.25 billion. This also explains why presidents and governors are heavily guarded when in a public environment by security agencies. The cost of re-electing new officers is high.
  • 31. Identify Possible Controls For each threat and its associated vulnerabilities that have residual risk, you must create a preliminary list of potential controls. Residual risk is the risk to the information asset that remains even after the application of controls. There are three general categories of controls: policies, programs, and technologies. Policies are documents that specify an organization’s approach to security.
  • 32. Risk Control Strategies 1 of 2 When organizational management determines that risks from information security threats are creating a competitive disadvantage, they empower the information technology and information security communities of interest to control the risks. 1. Defend: The defence-control strategy attempts to prevent the exploitation of the vulnerability. e.g., application of policy, training and development, and application of technology. 2. Transfer of Control
  • 33. Risk Control Strategies 2 of 2 1. Mitigate: The mitigation control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. Mitigation begins with early detection that an attack is in progress and a quick, efficient, and effective response. Mitigation involves an incident response plan, a disaster recovery plan, and a business continuity plan. 2. Terminate The termination control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.
  • 34. What are the tools for cybersecurity risk management?
  • 35. What are the tools for cybersecurity risk management? 1 of 3  This session is important to you as forensic experts and criminologists because when you are going to investigate or understudy a criminal cases, cartels, incidents, etc you must know the technology resources at their disposal and how to infiltrate them.  More importantly, understanding the tools you need to protect your organization is very key.  Here is our list of the six best cybersecurity risk management tools:
  • 36. What are the tools for cybersecurity risk management? 2 of 3 1. SolarWinds is a product for cybersecurity risk management and assessment. It is used for monitoring, analysing, diagnosing, and optimizing the performance of databases and data operations. This tool can be used to drive crime-fighting business-critical applications such as the number of drugs imported into a country, weapons in use in a country, the manufacturer, etc. 2. CyberArk: This is used for managing generic, service, and privilege accounts. 2. It gives single sign-on capability for databases and servers. Seamlessly secure identities throughout the cycle of accessing any resource across any infrastructure, including hybrid, SaaS, and multi-cloud. 3. IAM: This is used for managing the identities of humans and machines such that it creates user profiles on the Active Directory, applications, databases, and servers.
  • 37. What are the tools for cybersecurity risk management? 2 of 3 4. Active Directory is a tool for single-sign-on to windows, applications, and other security solutions. This prevents the risk of writing down several passwords. Password theft, identity risk, and saving resources. 5. Two-Factor Authentication: This tool protects against the crimes of phishing, social engineering, and password attacks. It secures users, for example, in security and crime-fighting organizations such as the Police Force, Nigerian Army, Nigerian Navy, etc. from credential-based attackers. This dramatically improves the security of login attempts. 2FA has also been shown to block nearly all automated bot-related attacks.
  • 38. What are the tools for cybersecurity risk management? 3 of 3 6. Imperva is an infrastructure monitoring tool that monitors transactions and activities in an organization's database. 7. A web access firewall protects an organization's web application by removing, monitoring, and blocking any malicious requests from HTTPS or HTTP traveling to the web application. This helps organizations, forensic experts, and cybersecurity professionals prevent any unauthorized data from leaving the app.
  • 39. RISK CONTROL STRATEGY The whole essence of the tools for risk control is to help organizations such as NDU, NPF, NA, Zenith Bank, amongst others, and states or nations such as Nigeria identify, analyze, evaluate, prioritize, treat, and monitor risks that are bent on disrupting their operations and operational efficiencies. As earlier mentioned, criminologists are duty-bound to develop strategies for penal code creation (Penology), creating databases for victims of crime (victimology), creating databases for information on crimes and criminals (criminology), and perhaps storing information about the administration of justice systems in society (Administration). All of this information is stored, transmitted, processed, and used for the good of their profession.
  • 40. RISK CONTROL STRATEGY This information is an asset that must be protected from hackers, misuse, and distortion to ensure that the objectives of Confidentiality, integrity, and Availability are achieved. This is why you need to know the whole relevance and relationship between criminology and information, or cybersecurity. When organizational management evaluates that there are risks to the security of information stored on digital platforms and that such risks are creating security threats and leading to competitive disadvantage, they empower the information technology and information security communities of interest to control the risks. Risk Control is the process for identifying, analyzing, evaluating, prioritizing, treating, and monitoring risks confronting the security of Information in an organization such that they threaten the CIA. The information security expert controls these risks through these five strategies: Defend, Transfer, Mitigate, Accept, and Terminate
• 41. RISK CONTROL STRATEGY Defend: The defense control strategy attempts to prevent the exploitation of the vulnerability. This is why cybersecurity technology experts use tools to detect vulnerabilities, threats, and risks within information technology platforms to defend against cyberattacks. These cybersecurity experts apply:
  - Application of policy: logical policy such as role-based access control instituted on Windows, security layers for accessing secret information, etc. An IT security policy lays out the rules regarding how an organization's IT resources can be used. The policy should define acceptable and unacceptable behaviors, access controls, and potential consequences for breaking the rules. Examples of tools for policy application are 2FA, MFA, biometrics, etc. Other examples are an acceptable encryption and key management policy, a data breach response policy, and a clean desk policy.
  - Education and training: online, on-premises, and hybrid.
  - Application of technology, e.g., IAM, CyberArk, etc.
• 42. RISK CONTROL STRATEGY Transfer This strategy attempts to shift risks to other assets, other processes, or other organizations. This can be accomplished by remodeling how services are offered, revising technology deployment models, outsourcing to third-party organizations to save costs and achieve efficiencies, purchasing insurance, or implementing service contracts with providers. Outsourcing, however, is not without its own risks. The owner of the information asset, IT management, and the information security team must ensure that the disaster recovery requirements of the outsourcing contract are sufficient and have been met before they are needed. For example, if NPF does not have the capability to secure its network, it can outsource to an organization such as Microsoft or AWS, among others, to secure its network perimeter, but it must carry out security assessments and ensure constant monitoring to confirm that objectives are met.
• 43. Test of Knowledge
  - What is Risk Control?
  - Mention one tool for defending against intruders in your organization's security network.
• 44. Suggested Answers Tools:
  - Imperva
  - CyberArk
  - IAM
  - 2FA
  - MFA
• 45. RISK CONTROL STRATEGY Mitigate The mitigation control strategy aims to reduce or eliminate the impact caused by the exploitation of a vulnerability through planning and preparation against cyber incidents. Cybersecurity professionals in organizations ensure that these plans are followed:
  - the incident response plan,
  - the disaster recovery plan, and
  - the business continuity plan.
The success of these plans depends on the ability to detect, analyze, and treat an attack as quickly as possible, the deployment of technological tools such as DLP and the intrusion detection system, physical and administrative mitigants, and the quality of the other plans. Mitigation begins with early detection that an attack is in progress and a quick, efficient, and effective response.
• 46. Plans that make mitigation effective
  - Incident Response Plan
  - Disaster Recovery Plan
  - Business Continuity Plan
• 47. Plans that make mitigation effective What should he or she document? Plans that make mitigation effective:
  - Incident Response Plan
  - Disaster Recovery Plan
  - Business Continuity Plan
Incident Response Plan: The IR plan provides answers to questions victims might pose in the midst of an incident, such as "What do I do now?" For example, a systems administrator may notice that someone is copying information from the server without authorization, indicating a violation of policy by a potential hacker or an unauthorized employee.
• 48. Plans that make mitigation effective
  - What should the administrator do first?
  - Who should he or she contact?
The IR plan supplies the answers. In the event of a serious virus or worm outbreak, the IR plan can be used to assess the likelihood of imminent damage and to inform key decision-makers in the various communities of interest (IT, information security, organization management, and users) [1].
  • 49. Test of Knowledge Give me an example of an incident of cybersecurity in a criminal justice organization.
• 50. Suggested Answers
  - Phishing Attack
  - Malware
  - Wiretapping
  - Password Attacks
  - Privilege Abuse
  - Insider Data Theft
  - Identity-Based Attacks
  - Code Injection Attacks
  - Supply Chain Attacks
• 51. DISASTER RECOVERY PLAN After all is said and done in terms of putting in place the best risk controls, the unexpected happens. The most common of the mitigation procedures in this instance is the disaster recovery (DR) plan. Although media backup strategies are an integral part of the DR plan, the overall program includes the entire spectrum of activities used to recover from an incident. DR plans normally contain all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede. For example, if there is a breach of the NPF data center, such as a fire outbreak, the next step is to revert to backups.
  • 52. BUSINESS CONTINUITY PLAN The business continuity (BC) plan is the most strategic and long-term of the three plans. It encompasses the continuation of business activities if a catastrophic event occurs, such as the loss of an entire database, building, or operations center. The BC plan includes planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DR plan to restore it. This can include preparation steps for the activation of secondary data centers, hot sites, or business recovery sites.
  • 53. Business Continuity and Disaster Recovery Plan in the Animal Kingdom: https://www.youtube.com/watch?v=gE273IJGzpg
• 54. RISK CONTROL STRATEGY Accept There are times when a risk in cybersecurity will be accepted, such that criminologists, cybersecurity experts, etc. will do nothing to protect a vulnerability and accept the outcome of its exploitation. This may or may not be a conscious business decision. For example, when attacks are made on data or information assets that have been classified as public information and from which an organization does not derive any value, the risk strategy might be to accept the attack. But the experts and business leaders in such organizations must have:
  - Determined the level of risk
  - Assessed the probability of attack
  - Estimated the potential damage that could occur from attacks
  - Performed a thorough cost-benefit analysis
  - Evaluated controls using each appropriate type of feasibility
  - Decided that the particular function, service, information, or asset did not justify the cost of protection.
• 55. RISK CONTROL STRATEGY For example, consider a record or database of all crimes and criminals already condemned for more than 100 years. The risk to such data might be accepted if the cost of protecting it is higher than its value to the Police. Note that if every vulnerability in the organization is handled by means of acceptance, it may reflect an inability to conduct proactive security activities and an apathetic approach to security in general.
  • 56. THE RISK CONTROL STRATEGIES
• 58. RISK CONTROL STRATEGY Terminate
  - The termination control strategy directs the organization to avoid those business activities that introduce uncontrollable risks. For example, it does not make sense to budget for the protection of an information asset such as a list of armories that no longer exist in the Nigerian Army or Police.
  - If some IT infrastructure was set up for tracking Osama Bin Laden, for example, then since he has been captured and killed, the project should be terminated.
• 59. RISK CONTROL STRATEGY Terminate In the core business world, if Alibaba studies the risks of deploying business-to-consumer e-commerce operations and determines that the risks are not sufficiently offset by the potential benefits, the organization may seek an alternate mechanism to meet customer needs—perhaps developing new channels for product distribution or new partnership opportunities. By terminating the questionable activity, the organization reduces its risk exposure.
• 60. Test of Knowledge
  - What do you understand by Risk Control in Cybersecurity?
  - What are the connections between Criminology and Cybersecurity?
  - What are the major incidents in Cybersecurity?
• 61. Selecting A Risk Control Strategy Risk control involves selecting one of the five risk control strategies for each vulnerability. For example, suppose there is a breach of the database holding the names of drug cartel organisations, such that some of the secret files are copied. The control strategy to select might be to encrypt all files in the database and to restrict logical and physical access to authorised team leaders and the head of the Narcotics department. However, these control strategies must be reviewed regularly to ensure that they meet business and security objectives. A = Access restriction to authorized users only; B = Encrypted files.
• 62. Test of Knowledge What are the five major strategies for risk control?
• 63. The 5 Major Strategies for risk control are:
  1. Avoiding risks, or defense. To avoid risks, organisations must first be aware of the potential for these risks to occur.
  2. Risk Transfer
  3. Mitigation
  4. Accept
  5. Terminate
• 65. Risk Control Automation Whatever control strategies your organisation selects, ensure that they are automated so that they are effective and efficient.
• 66. Important Risk Control Strategies:
  - When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood of the vulnerability being exercised.
  - When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent occurrence.
  - When the attacker's cost is less than his or her potential gain: Apply protections to increase the attacker's cost (e.g., use system controls to limit what a system user can access and do, thereby significantly reducing an attacker's gain).
  - When potential loss is substantial: Apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
• 67. Feasibility Studies Ideally, organizations will want to select the control strategy that best meets their business, competitive, strategic, security, and regulatory objectives. To make such a decision, there is a need to conduct feasibility studies. In choosing whether to defend, transfer, mitigate, accept, or terminate a specific vulnerability, threat, or risk, organizations such as NDU, Harvard, and the University of Lagos, amongst others, must explore all the economic and noneconomic consequences of the vulnerability facing the information asset. This is an attempt to answer the question, "What are the actual and perceived advantages of implementing a control as opposed to the actual and perceived disadvantages of implementing the control?"
• 68. Feasibility Studies There are always challenges of cost and resource constraints for security organizations such as the NPF, NA, Civil Defense Corps, and private security organizations working for public or private institutions. The control strategy selected must be productive and meet the needs of the organization's business; in the criminologist's case, that business is fighting crime and making society safe through security in cyberspace.
• 69. Advantages of Control Strategies There are a number of ways to determine the advantage of a specific control, for example using CBA, the payback period, and the balanced scorecard, amongst others. There are also many methods an organization can use to identify the disadvantages of specific controls, for example the number of times crimes occurred in society, the number of attacks on the information assets of the police force, the number of brute-force attacks on users' profiles, etc. Cost avoidance is the process of preventing the financial impact of an incident by implementing controls.
• 70. Cost Benefit Analysis Organizations where criminologists, forensic experts, etc. work should consider the economic feasibility of implementing information security controls, mitigations, and safeguards, because there are usually several alternatives for solving a problem, and each may not have the same economic feasibility. Most organizations can spend only a reasonable amount of time and money on information security, and the definition of reasonable differs from organization to organization and even from manager to manager. For example, the security vote for the Nigeria Police is the same as that of the New York Police Department. For example, state and local governments will spend $129 billion on corrections and courts in 2020 (Urban Institute, 2020). The cost-effectiveness of such spending must sometimes be measured using cost-benefit analysis.
• 71. Items That Affect The Cost of a Control Strategy
  - The first step in using CBA is to determine the value of the information to be secured.
  - The second step is to determine the loss in value if those information assets were compromised by the exploitation of a specific vulnerability.
  - Cost of development or acquisition (purchase cost) of hardware, software, and services
  - Training fees (cost to train personnel)
  - Cost of implementation (cost to install, configure, and test hardware, software, and services)
  - Service costs (vendor fees for maintenance and upgrades)
  - Cost of maintenance (labor expense to verify and continually test, maintain, and update)
• 72. Assets Valuation Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability. The amount of the benefit is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is to the asset. A benefit may be expressed as a reduction in the annualized loss expectancy. Asset valuation is the process of assigning financial value or worth to all information assets in transit, at rest, and in use within an organization. All your information about crimes, logistics, strategies, investigations, and operations stored in databases, hard drives, or any other electronic storage medium must be valued to determine how much to invest in protecting it from cybercriminals.
• 73. Assets Valuation The value of information assets differs within and between organizations, depending both on the characteristics of the information and the perceived value of that information. If, for example, the government gives free education up to university level and spends N50 billion annually on Nigerian youths, and there is a drug cartel peddling cocaine to university students in Nigeria such that it reduces the time commitment and academic performance of students by 80%, the implication is that the government will be losing value on its investment to the tune of N40 billion annually to this crime. The value of all information assets for confronting this crime should be based on the perceived value of the government's investment in education (N40 billion).
• 74. Assets Valuation The valuation of assets involves the estimation of real and perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss and litigation. Other costs are almost impossible to determine accurately, for example the dollar value of the loss in market share if information on new product offerings is released prematurely and a company loses its competitive edge. A further complication is the value that some information assets acquire over time, beyond the intrinsic value of the asset under consideration. In most cases, the higher the acquired value, the more appropriate it is. Once an organization has estimated the worth of its various assets, it can begin to examine the potential loss that could occur from the exploitation of a vulnerability or a threat occurrence.
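The cost-benefit analysis from the CBA and Assets Valuation slides, carried through as an added worked example (not part of the lecture notes). It reuses the page's own figures (N50 billion invested, 80% eroded, N40 billion at risk) and the cost items listed on slide 71; the exposure factor, single loss expectancy (SLE) and annualized rate of occurrence (ARO) are standard textbook terms assumed here, and the control costs and incident rates are constructed.

```python
"""Cost-benefit analysis (CBA) of a candidate risk control.

Added worked example, not the lecture's own material. Asset figures follow the
Assets Valuation slide (N50 billion invested, 80% eroded, N40 billion at risk).
Exposure factor (EF), single loss expectancy (SLE) and annualized rate of
occurrence (ARO) are standard risk-management terms assumed here; ALE = SLE x ARO.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCosts:
    """Yearly cost items from the 'Items That Affect The Cost' slide (values constructed)."""
    acquisition: float      # development or purchase of hardware, software, services
    training: float         # fees to train personnel
    implementation: float   # install, configure and test
    service: float          # vendor fees for maintenance and upgrades
    maintenance: float      # labour to verify, test and update continually

    def annual_cost(self) -> float:
        return (self.acquisition + self.training + self.implementation
                + self.service + self.maintenance)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Loss from one incident: asset value times the fraction of value destroyed."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Expected loss per year: SLE times the number of incidents expected per year."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, control: ControlCosts) -> float:
    """CBA = ALE(prior) - ALE(post) - annual cost of the control.

    The benefit is the reduction in ALE, as the Assets Valuation slide states;
    a positive result means the control saves more than it costs.
    """
    return ale_prior - ale_post - control.annual_cost()


def evaluate_control(asset_value: float, exposure_factor: float, aro_prior: float,
                     aro_post: float, control: ControlCosts) -> dict:
    """Run the CBA and map the result onto the page's risk control strategies."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_prior = annualized_loss_expectancy(sle, aro_prior)
    ale_post = annualized_loss_expectancy(sle, aro_post)
    cba = cost_benefit(ale_prior, ale_post, control)
    # A control that pays for itself supports the Defend/Mitigate strategies;
    # otherwise the asset does not justify the cost of protection, which is the
    # Accept slide's criterion (still a conscious, documented decision).
    strategy = "defend" if cba > 0 else "accept"
    return {"sle": sle, "ale_prior": ale_prior, "ale_post": ale_post,
            "cba": cba, "strategy": strategy}


if __name__ == "__main__":
    # Constructed control (e.g. a DLP deployment): N4 billion a year in total.
    dlp = ControlCosts(acquisition=2e9, training=0.2e9, implementation=0.3e9,
                       service=0.5e9, maintenance=1e9)
    # Constructed rates: one damaging incident a year without the control,
    # one every ten years with it.
    result = evaluate_control(50e9, 0.8, aro_prior=1.0, aro_post=0.1, control=dlp)
    for key, value in result.items():
        print(f"{key:>9}: {value:,.0f}" if isinstance(value, float) else f"{key:>9}: {value}")
```

With these inputs the CBA is N32 billion in favour of the control; raising the control's annual cost above the N40 billion at risk flips the recommendation to accept.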
  • 75. Evaluation, Assessment, and Maintenance of Risk Controls The selection and implementation of a control strategy is not the end of a process; the strategy and its accompanying controls must be monitored and reevaluated on an ongoing basis to determine their effectiveness and to more accurately calculate the estimated residual risk.
• 76. Quantitative Versus Qualitative Risk Control Practices Quantitative risk control practice is an assessment practice that uses actual values and estimates to determine the cost and benefit of risk control. Qualitative risk control practice is used where an organization cannot use specific numbers or estimates to assess the cost of a control; this can be accomplished using scales rather than specific estimates. A sample scale could include none, representing no chance of occurrence, then low and medium. For example, instead of estimating that a particular piece of information is worth $1 million, you can value information on a scale of 1–20, with 1 indicating relatively worthless information and 20 indicating extremely critical information.
• 78. Benchmarking and Best Practices Benchmarking is the practice of examining the process used by peer organizations to determine the financial value they place on their information assets, and implementing security as an acceptable percentage of that value based on what the peer organizations do. In other words, benchmarking is the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization. Two Types of Measures For Benchmarking When benchmarking, an organization such as NPF, NA, or a private security organization should typically use one of two types of measures to compare practices: metrics-based measures or process-based measures.
• 79. Benchmarking and Best Practices Metrics-based measures are comparisons based on numerical standards, such as:
  - Number of successful attacks
  - Staff hours spent on system protection
  - Dollars spent on protection
  - Number of security personnel
  - Estimated value in dollars of the information lost in successful attacks
  - Loss in productivity hours associated with successful attacks
Process-based measures are generally less focused on numbers and are more strategic than metrics-based measures. For each of the areas the organization is interested in benchmarking, process-based measures enable the organization to examine the activities an individual company performs in pursuit of its goal rather than the specifics of how goals are attained. The primary focus is on the method the organization uses to accomplish a particular process, rather than the outcome.
  • 80. Risk Management Discussion Points Not every organization has the collective will or budget to manage each vulnerability by applying controls; therefore, each organization must define the level of risk it is willing to live with.
  • 81. Risk Appetite Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility. For instance, a financial services company, regulated by the government and conservative by nature, may seek to apply every reasonable control and even some invasive controls to protect its information assets. Other nonregulated organizations may also be conservative by nature, seeking to avoid the negative publicity associated with the perceived loss of integrity.
• 82. Residual Risk Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is called residual risk. To express it another way, "residual risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards."
  • 83. Residual Risk The significance of residual risk must be judged within the context of the organization. Although it is counterintuitive, the goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an organization’s comfort zone or risk appetite. If decision-makers have been informed of uncontrolled risks and the proper authority groups within the communities of interest have decided to leave residual risk in place, the information security program has accomplished its primary goal.
• 84. Other Areas You Should Focus On
• 85. THANK YOU, ALL. Thank you very much (E seun pupo). Study and wait, opportunities will come … Lincoln