1. Cybersecurity Risk Management Tools and Techniques
LECTURE NOTES FOR NIGER DELTA UNIVERSITY
PREPARED BY ASEPERI F. JOHN, BSC, MSC (LAGOS), GLOBAL MBA (LONDON), FCA, ACIB, CISM, 4X MICROSOFT CERTIFIED
3. Content
1. The Four Major Branches of Criminology and How Cybersecurity
Plays a Role in Their Effectiveness
2. What is cybersecurity, or information security?
3. What is a cybersecurity risk?
4. How do you manage cybersecurity risk?
5. What are the techniques for cybersecurity risk management?
6. What are the tools for cybersecurity risk management?
5. What is cybersecurity, or information security?
Cybersecurity, or information security, is the whole system of controls that an organization's board of directors, acting through the CISO and the security team, puts in place to protect the organization's information assets.
For example, in security organizations such as the Police Force or the Nigerian Army, the board sets the standards that the Information Security Department must meet in its operations.
6. Four Major Branches of Criminology and How Cybersecurity Plays a Role in Their Effectiveness
1. Penology is the study of penal sanctions or punishment.
2. Victimology is the study and rehabilitation of the victims of crime.
3. Criminalistics, the methods of investigation and detection of crime, is especially the job of law enforcement agencies and forensic experts.
4. Administration is the administration of justice systems in society.
8. Understanding What You Need as a Criminologist
• Information is an asset, like any other valuable possession (e.g., a car).
• You must protect it from theft or unauthorized use (confidentiality).
• You must ensure that it is available whenever you need it (availability).
• You must ensure that it is not altered without authorization and is used faithfully (integrity).
• Where any of these is violated, it becomes a crime that must be investigated.
9. Test of Knowledge
What is the meaning of information security?
What is the Information Security Triad?
10. What is Cybersecurity Risk?
Because information assets are things of value, they are subject to several risks that can compromise their confidentiality, integrity, and availability (the CIA triad).
Information risks are the events, errors, omissions, and commissions through which an organization (a police department, a criminologist, the NDA, the DSS, etc.) loses the confidentiality, integrity, or availability of its information or information assets. They reflect the potential adverse impact on organizational operations (including mission, functions, image, security of lives and property, or reputation) and on organizational assets.
11. What is Cybersecurity Risk?
You cannot practice criminology without a proper understanding of technologies and the ability to secure them, because a large share of crime (by the author's estimate, more than 60%) now occurs through the internet.
For example, "an estimated 53.35 million US citizens were affected by cybercrime in the first half of 2022. Between July 2020 and June 2021, the US was the most targeted country for cyber attacks, accounting for 46% of attacks globally."
12. Major Cybersecurity Risks
Malware (including fileless malware)
Cloud security gaps
Phishing
Ransomware
Data loss
Password attacks
Insider threats
DDoS
13. What is cybersecurity risk mitigation?
Cybersecurity risk mitigation is the use of security policies and processes to reduce the overall likelihood or impact of a cybersecurity threat. In cybersecurity, risk mitigation can be separated into three elements: prevention, detection, and remediation.
As cybercriminals' techniques grow in sophistication, your organization's risk mitigation strategies will have to adapt to maintain the upper hand.
Risk management is the process of identifying the risk, as represented by vulnerabilities, to an organization's information assets and infrastructure and taking steps to reduce that risk to an acceptable level.
14. Test of Knowledge
Mention the information assets of crime-fighting organizations such as the EFCC, NPF, NDLEA, etc.
15. Suggested Answers
Databases of the:
Names of criminals
Locations
Bank accounts
Property names and locations
Local, regional, and international connections
Supply chain (opposite sex, drugs, substances, food, alcohol, etc.)
Weapons and weapons suppliers
System IP addresses
Names and addresses of close associates, etc.
Personal service providers (e.g., barbers, fashion designers)
16. How do you manage cybersecurity risk?
You cannot manage risk unless you carry out these undertakings:
Risk identification
Risk assessment, and
Risk control
18. Questions and Answers
How do you manage the information security risk of an operation against illegal substance importation?
19. Suggested Answer
The asset inventory must be documented first; then:
Risk identification: possibility of information compromise, identity theft, phishing, malware, DDoS, eavesdropping, password attacks, data loss, etc.
Risk assessment: Likelihood x Impact
Risk control: strategies, policies, procedures, etc.
21. Managing risk in organizations such as the EFCC, DSS, NPF, etc.
Risk identification: a risk management strategy requires that information security professionals know their organizations' information assets, that is, identify, classify, and prioritize them.
Once the organizational assets have been identified, a threat assessment process is carried out that quantifies the risks facing each asset.
23. Risk Assessment
This happens after you, as a crime fighter or criminologist, have identified your organization's information assets, vulnerabilities, and threats.
Then you are expected to evaluate the risks that can negatively impact your organization's ability to successfully engage these assets to fight and curb crimes and criminals.
27. Test of Knowledge
What happens after you, as a crime fighter, have identified your organisation's information assets, vulnerabilities, and threats? That is, what should you do next in dealing with the risks?
28. Suggested Answers
Evaluate the risks that can negatively impact your organisation's ability to successfully use these assets to fight and curb crimes and criminals. For example:
1. Abuse of crime information
2. Exposure of the contents of classified information
3. Implanting malware in the database, etc.
29. Risk Determination
Risk = (Likelihood of the vulnerability being exploited x Value of the information asset), minus the percentage of that risk already mitigated by current controls, plus an allowance for the uncertainty of current knowledge of the vulnerability
Or, in its simplest form:
Risk = Likelihood x Impact
30. RISK DETERMINATION
The risk of armed terrorists invading the CBN equals the probability that it will happen (say 15%) multiplied by what these criminals would steal if they succeeded (say N15 billion). The risk is therefore (0.15 x N15 billion) = N2.25 billion. This means that you, as the HOD of security operations, should commit enough resources to curb this expected loss of N2.25 billion; a control that costs more than that per year would cost more than the risk it removes.
This also explains why presidents and governors are heavily guarded by security agencies when in public: the impact of losing them, including the cost of electing replacements, is high.
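The calculation above is easy to do by hand for one asset; in practice it is done for a whole asset register and the results are ranked. The following Python script is an added example and is not part of the lecture notes. It implements both formulas from the Risk Determination slide (Likelihood x Impact, and the longer form that credits the percentage of risk already mitigated by current controls and adds an uncertainty allowance, both treated here as percentages of Likelihood x Value). The CBN row reproduces the slide's figures; the other two assets and their percentages are constructed for illustration.

```python
"""Risk determination over an asset register (added example).

  simple:   risk = likelihood x value (impact)
  extended: risk = (likelihood x value)
                   - mitigated_pct  x (likelihood x value)
                   + uncertainty_pct x (likelihood x value)
The percentage treatment of 'mitigated' and 'uncertainty' is an assumption
made here; all figures except the CBN row are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    asset: str
    likelihood: float             # probability the threat succeeds, 0..1
    value: float                  # loss if fully compromised, in Naira
    mitigated_pct: float = 0.0    # share of risk already removed by current controls, 0..1
    uncertainty_pct: float = 0.0  # analyst's uncertainty about the vulnerability, 0..1

    def simple_risk(self) -> float:
        """Risk = Likelihood x Impact (the slide's short form)."""
        return self.likelihood * self.value

    def extended_risk(self) -> float:
        """Residual risk after crediting current controls and adding an
        uncertainty allowance (the slide's longer form)."""
        base = self.simple_risk()
        return base - self.mitigated_pct * base + self.uncertainty_pct * base


def validate(r: AssetRisk) -> None:
    """Reject inputs that would make the formula meaningless."""
    for name in ("likelihood", "mitigated_pct", "uncertainty_pct"):
        v = getattr(r, name)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{r.asset}: {name} must be between 0 and 1, got {v}")
    if r.value < 0:
        raise ValueError(f"{r.asset}: value must be non-negative")


def rank_assets(register):
    """Return (asset, extended_risk) pairs, highest risk first."""
    for r in register:
        validate(r)
    return sorted(((r.asset, r.extended_risk()) for r in register),
                  key=lambda pair: pair[1], reverse=True)


# Constructed register; the first row is the slide's CBN example (15% x N15bn).
REGISTER = [
    AssetRisk("CBN vault (armed invasion)", likelihood=0.15, value=15e9),
    AssetRisk("Narcotics case database", likelihood=0.30, value=2e9,
              mitigated_pct=0.50, uncertainty_pct=0.10),
    AssetRisk("Public press-release archive", likelihood=0.60, value=1e6),
]

if __name__ == "__main__":
    for asset, risk in rank_assets(REGISTER):
        print(f"{asset:32s} N{risk:,.0f}")
```

The ranking is what the HOD acts on: the expected-loss figure for each asset sets the ceiling on what it is rational to spend protecting it.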
31. Identify Possible Controls
For each threat and its associated vulnerabilities that
have residual risk, you must create a preliminary list
of potential controls. Residual risk is the risk to the
information asset that remains even after the
application of controls.
There are three general categories of controls:
policies, programs, and technologies. Policies are
documents that specify an organization’s approach to
security.
32. Risk Control Strategies 1 of 2
When organizational management determines that risks from information security threats are creating a competitive disadvantage, it empowers the information technology and information security communities of interest to control the risks. The strategies are:
1. Defend: The defense control strategy attempts to prevent the exploitation of the vulnerability, e.g., through application of policy, training and development, and application of technology.
2. Transfer: The transfer control strategy attempts to shift the risk to other assets, other processes, or other organizations.
33. Risk Control Strategies 2 of 2
3. Mitigate: The mitigation control strategy attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. Mitigation begins with early detection that an attack is in progress and a quick, efficient, and effective response. Mitigation involves an incident response plan, a disaster recovery plan, and a business continuity plan.
4. Terminate: The termination control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.
(The fifth strategy, Accept, is covered later in these notes.)
35. What are the tools for cybersecurity risk management? 1 of 4
This session is important to you as forensic experts and criminologists because when you investigate or study criminal cases, cartels, incidents, etc., you must know the technology resources at the criminals' disposal and how to infiltrate them.
More importantly, understanding the tools you need to protect your organization is key.
Here is our list of seven cybersecurity risk management tools:
36. What are the tools for cybersecurity risk management? 2 of 4
1. SolarWinds: SolarWinds sells monitoring products used for monitoring, analysing, diagnosing, and optimizing the performance of databases and data operations. Such monitoring can support crime-fighting business-critical applications, e.g., records of the quantity of drugs imported into a country, the weapons in use in a country and their manufacturers, etc.
2. CyberArk: This is a privileged access management product used for managing generic, service, and privileged accounts. It gives single sign-on capability for databases and servers and secures identities throughout the cycle of accessing any resource across any infrastructure, including hybrid, SaaS, and multi-cloud.
3. IAM (identity and access management) systems: These manage the identities of humans and machines, creating and maintaining user profiles in Active Directory, applications, databases, and servers.
37. What are the tools for cybersecurity risk management? 3 of 4
4. Active Directory is a directory service that provides single sign-on to Windows, applications, and other security solutions. This removes the need for users to remember (and write down) several passwords, reducing password theft and identity risk and saving resources.
5. Two-Factor Authentication: This control protects against phishing, social engineering, and password attacks. It secures users, for example in security and crime-fighting organizations such as the Police Force, Nigerian Army, Nigerian Navy, etc., from credential-based attackers and dramatically improves the security of login attempts. 2FA has also been reported to block nearly all automated bot-driven account attacks. Note that SMS and one-time-code second factors can still be relayed by a real-time phishing site; phishing-resistant methods (hardware security keys, FIDO2/WebAuthn) close that gap.
38. What are the tools for cybersecurity risk management? 4 of 4
6. Imperva provides database activity monitoring, recording and inspecting the transactions and activities in an organization's databases.
7. A web application firewall (WAF) protects an organization's web application by inspecting HTTP and HTTPS requests on their way to the application and monitoring, filtering, and blocking malicious ones. It also helps organizations, forensic experts, and cybersecurity professionals prevent unauthorized data from leaving the application.
39. RISK CONTROL STRATEGY
The whole essence of the tools for risk control is to help organizations such as NDU, NPF, NA, and Zenith Bank, amongst others, and states or nations such as Nigeria identify, analyze, evaluate, prioritize, treat, and monitor risks that threaten to disrupt their operations and operational efficiency. As earlier mentioned, criminologists are duty-bound to develop strategies for penal code creation (penology), create databases for victims of crime (victimology), create databases of information on crimes and criminals (criminalistics), and store information about the administration of justice systems in society (administration). All of this information is stored, transmitted, processed, and used for the good of their profession.
40. RISK CONTROL STRATEGY
This information is an asset that must be protected from hackers, misuse, and distortion so that the objectives of confidentiality, integrity, and availability are achieved. This is why you need to know the relevance of, and relationship between, criminology and information (or cyber) security.
When organizational management determines that there are risks to the security of information stored on digital platforms, and that such risks create security threats and lead to competitive disadvantage, it empowers the information technology and information security communities of interest to control the risks. Risk control is the process of identifying, analyzing, evaluating, prioritizing, treating, and monitoring the risks to the security of information in an organization that threaten the CIA triad.
The information security expert controls these risks through five strategies:
Defend, Transfer, Mitigate, Accept, and Terminate
41. RISK CONTROL STRATEGY
Defend: The defense control strategy attempts to prevent the exploitation of the vulnerability. This is why cybersecurity experts use tools to detect vulnerabilities, threats, and risks within the information technology platforms and defend against cyberattacks.
These cybersecurity experts apply:
Policy: logical policies such as role-based access control enforced on Windows, security layers for accessing secret information, etc. An IT security policy lays out the rules for how an organization's IT resources may be used; it should define acceptable and unacceptable behaviors, access controls, and the consequences for breaking the rules. Example policies: acceptable encryption and key management policy, data breach response policy, and clean desk policy. Example technical controls that enforce policy: 2FA, MFA, biometrics, etc.
Education and training: online, on-premises, and hybrid.
Technology, e.g., IAM, CyberArk, etc.
42. RISK CONTROL STRATEGY
Transfer
This strategy attempts to shift risks to other assets, other processes, or other organizations. This can be accomplished by remodeling how services are delivered, revising technology deployment models, outsourcing to third-party organizations to save costs and achieve efficiencies, purchasing insurance, or implementing service contracts with providers.
Outsourcing, however, is not without its own risks. The owner of the information asset, IT management, and the information security team must ensure that the disaster recovery requirements of the outsourcing contract are sufficient and have been met before they are needed.
For example, if the NPF does not have the capability to secure its network, it can outsource to an organization such as Microsoft or AWS, among others, to secure its network perimeter, but it must still carry out security assessments and monitor continuously to ensure that its objectives are met. Transferring the operation does not transfer accountability for the data.
43. Test of Knowledge
What is Risk Control?
Mention one tool for defending against intruders in your
organization's security network.
45. RISK CONTROL STRATEGY
Mitigate
The mitigation control strategy aims to reduce or eliminate the impact caused by the exploitation of a vulnerability through planning and preparation for cyber incidents. Cybersecurity professionals in organizations ensure that these plans are prepared and followed:
the incident response plan,
the disaster recovery plan, and
the business continuity plan.
The success of these plans depends on the ability to detect, analyze, and treat an attack as quickly as possible; on the deployment of technological tools such as DLP and intrusion detection systems; on physical and administrative mitigants; and on the quality of the other plans.
Mitigation begins with early detection that an attack is in progress and a quick, efficient, and effective response.
46. Plans that make mitigation effective
What should the cybersecurity professional document? The plans that make mitigation effective:
Incident Response Plan
Disaster Recovery Plan
Business Continuity Plan
47. Incident Response Plan
The IR plan provides answers to questions victims might pose in the midst of an incident, such as "What do I do now?" For example, a systems administrator may notice that someone is copying information from the server without authorization, indicating a violation of policy by a potential hacker or an unauthorized employee.
48. Plans that make mitigation effective
What should the administrator do first? Who should he or she contact?
The IR plan supplies the answers. In the event of a serious virus or worm outbreak, the IR plan can be used to assess the likelihood of imminent damage and to inform key decision-makers in the various communities of interest (IT, information security, organization management, and users).
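The scenario above relies on an administrator happening to notice the copying. Detection tooling should raise it first, which is the "early detection" the mitigation strategy depends on. The following Python script is an added example, not part of the lecture notes: it runs a sliding-window check over a constructed file-server audit log and alerts when one account reads more distinct files, or more bytes, within a short window than the assumed policy allows. The log format, field names, thresholds, and log lines are all assumptions constructed for this example.

```python
"""Early detection of bulk copying from a file server (added example).

Each audit line is assumed to be tab-separated:
    ISO timestamp, user, action (READ/WRITE), path, bytes
The thresholds and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log excerpt: one account reads six case files in two
# minutes; another account reads two files hours apart.
SAMPLE_LOG = """\
2024-03-04T09:00:12\tadaeze\tREAD\t/cases/2024/0113.pdf\t204800
2024-03-04T09:00:40\tadaeze\tREAD\t/cases/2024/0114.pdf\t188416
2024-03-04T09:01:05\tadaeze\tREAD\t/cases/2024/0115.pdf\t210944
2024-03-04T09:01:30\tadaeze\tREAD\t/cases/2024/0116.pdf\t197632
2024-03-04T09:01:55\tadaeze\tREAD\t/cases/2024/0117.pdf\t201728
2024-03-04T09:02:20\tadaeze\tREAD\t/cases/2024/0118.pdf\t199680
2024-03-04T09:15:00\tbolaji\tREAD\t/cases/2024/0201.pdf\t153600
2024-03-04T11:30:00\tbolaji\tREAD\t/cases/2024/0202.pdf\t160768
2024-03-04T11:31:00\tbolaji\tWRITE\t/cases/2024/0202.pdf\t160768
"""

# Assumed policy: more than MAX_FILES distinct files, or more than MAX_BYTES,
# read by one account within WINDOW is treated as a possible bulk copy.
MAX_FILES = 5
MAX_BYTES = 2_000_000
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse lines into (time, user, action, path, bytes) tuples, sorted by
    time.  Malformed lines are skipped so bad input cannot stop detection."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1],
                           parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return sorted(events, key=lambda e: e[0])


def detect_bulk_reads(events, max_files=MAX_FILES, max_bytes=MAX_BYTES,
                      window=WINDOW):
    """Per-user sliding window over READ events.  Returns {user: details}
    for the first window in which either threshold is exceeded."""
    per_user = defaultdict(list)
    for e in events:
        if e[2] == "READ":
            per_user[e[1]].append(e)
    alerts = {}
    for user, reads in per_user.items():
        start = 0
        for end in range(len(reads)):
            # advance the window start until it spans at most `window`
            while reads[end][0] - reads[start][0] > window:
                start += 1
            span = reads[start:end + 1]
            files = {e[3] for e in span}
            total = sum(e[4] for e in span)
            if len(files) > max_files or total > max_bytes:
                alerts[user] = {"files": len(files), "bytes": total,
                                "first": span[0][0].isoformat(),
                                "last": span[-1][0].isoformat()}
                break
    return alerts


if __name__ == "__main__":
    for user, a in detect_bulk_reads(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {a['files']} files, {a['bytes']} bytes "
              f"between {a['first']} and {a['last']}")
```

An alert like this is the trigger for the IR plan's first two questions: the administrator's first step and the contact to call should already be written down, not decided in the moment.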
49. Test of Knowledge
Give me an example of an incident of cybersecurity in a criminal
justice organization.
51. DISASTER RECOVERY PLAN
After all is said and done in terms of putting in place the best risk controls, the unexpected still happens. The most common mitigation procedure in that case is the disaster recovery (DR) plan.
Although media backup strategies are an integral part of the DR plan, the overall program includes the entire spectrum of activities used to recover from an incident.
DR plans normally contain all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the smoke clears, the dust settles, or the floodwaters recede. For example, if there is a disaster at the NPF data center, such as a fire outbreak, the next step is to restore systems from backups. Backups only help if they were taken, stored away from the affected site, and tested with a restore before the disaster.
52. BUSINESS CONTINUITY PLAN
The business continuity (BC) plan is the most strategic and long-term of
the three plans.
It encompasses the continuation of business activities if a catastrophic
event occurs, such as the loss of an entire database, building, or operations
center.
The BC plan includes planning the steps necessary to ensure the
continuation of the organization when the scope or scale of a disaster
exceeds the ability of the DR plan to restore it. This can include preparation
steps for the activation of secondary data centers, hot sites, or business
recovery sites.
53. Business Continuity and Disaster Recovery Plan in the
Animal Kingdom:
https://www.youtube.com/watch?v=gE273IJGzpg
54. RISK CONTROL STRATEGY
Accept
There are times when a cybersecurity risk will be accepted, such that criminologists, cybersecurity experts, etc. do nothing to protect against a vulnerability and accept the outcome of its exploitation.
This may or may not be a conscious business decision. For example, when attacks are made on data or information assets that have been classified as public information and from which an organization derives no value, the risk strategy might be to accept the attack.
But before accepting, the experts and business leaders in such organizations must have:
Determined the level of risk
Assessed the probability of attack
Estimated the potential damage that could occur from attacks
Performed a thorough cost-benefit analysis
Evaluated controls using each appropriate type of feasibility
Decided that the particular function, service, information, or asset does not justify the cost of protection
55. RISK CONTROL STRATEGY
For example, consider a database of crimes and criminals convicted more than 100 years ago. The risk to such data might be accepted if the cost of protecting it is higher than its value to the Police.
Note that if every vulnerability in the organization is handled by acceptance, it may reflect an inability to conduct proactive security activities and an apathetic approach to security in general.
58. RISK CONTROL STRATEGY
Terminate
• The termination control strategy directs the organization to avoid those business activities that introduce uncontrollable risks. For example, it makes no sense to budget for the protection of an information asset such as a list of armouries that no longer exist in the Nigerian Army or Police.
• If some IT infrastructure was set up for tracking Osama Bin Laden, for example, then since he was killed in 2011, the project should be terminated and the infrastructure retired.
59. RISK CONTROL STRATEGY
Terminate
In the core business world, if Alibaba studies the risks of deploying business-to-consumer e-commerce operations and determines that the risks are not sufficiently offset by the potential benefits, the organization may seek an alternate mechanism to meet customer needs, perhaps developing new channels for product distribution or new partnership opportunities. By terminating the questionable activity, the organization reduces its risk exposure.
60. Test of Knowledge
What do you understand by risk control in cybersecurity?
What are the connections between criminology and cybersecurity?
What are the major incidents in cybersecurity?
61. Selecting a Risk Control Strategy
Risk control involves selecting one of the five risk control strategies for each vulnerability. For example, suppose the database holding the names of drug cartel organisations is breached, so that some of the secret files are copied. The control strategy to select might be to (A) restrict logical and physical access to authorised users only, namely team leaders and the head of the Department of Narcotics, and (B) encrypt all files in the database. However, these control strategies must be reviewed regularly to ensure that they still meet business and security objectives.
63. The 5 Major Strategies for risk control are:
1. Defend (avoidance). To avoid risks, organisations must first be aware of the potential for these risks to occur.
2. Transfer
3. Mitigate
4. Accept
5. Terminate
66. Important Risk Control Strategies
When a vulnerability (flaw or weakness) exists: implement security controls to reduce the likelihood of the vulnerability being exercised.
When a vulnerability can be exploited: apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent occurrence.
When the attacker's cost is less than his or her potential gain: apply protections to increase the attacker's cost (e.g., use system controls to limit what a system user can access and do, thereby significantly reducing the attacker's gain).
When potential loss is substantial: apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
67. Feasibility Studies
Ideally, organizations will want to select the best control strategy that meets their business, competitive, strategic, security, and regulatory objectives. To make such a decision, there is a need to conduct feasibility studies.
In choosing the control strategy of defending, transferring, mitigating, accepting, or terminating a specific vulnerability, threat, or risk, organizations such as NDU, Harvard, and the University of Lagos, amongst others, must explore all the economic and noneconomic consequences of the vulnerability facing the information asset.
This is an attempt to answer the question, "What are the actual and perceived advantages of implementing a control as opposed to the actual and perceived disadvantages of implementing the control?"
68. Feasibility Studies
There are always challenges of cost and
resource constraints with security
organizations such as the NPF, NA, Civil
Defense Corps, and private security
organizations working for public or private
institutions. Selecting the best control strategy
must be productive and meet the needs of the
business of the organization, in
criminologists’ instances, fighting crimes and
making society safe through security in
cyberspace.
69. Advantages of Control Strategies
There are a number of ways to determine the advantage of a specific control, for example CBA, payback period, and the balanced scorecard, amongst others.
There are also many measures an organization can use to identify the disadvantages of specific controls, for example the number of crimes that still occurred in society, the number of attacks on the information assets of the police force, the number of brute-force attacks on users' profiles, etc.
Cost avoidance is the process of preventing the financial impact of an incident by implementing controls.
70. Cost Benefit Analysis
Organizations where criminologists, forensic experts, etc. work should consider the economic feasibility of implementing information security controls, mitigations, and safeguards. There are usually several alternatives for solving a problem, and they do not all have the same economic feasibility.
Most organizations can spend only a reasonable amount of time and money on information security, and the definition of reasonable differs from organization to organization and even from manager to manager. For example, the security vote of the Nigeria Police is not the same as that of the New York Police Department. For scale, state and local governments in the US were expected to spend $129 billion on corrections and courts in 2020 (Urban Institute, 2020). The cost-effectiveness of such spending must sometimes be measured using cost-benefit analysis.
71. Items That Affect the Cost of a Control Strategy
The first step in using CBA is to determine the value of the information to be secured.
The second step is to determine the loss in value if those information assets were compromised by the exploitation of a specific vulnerability.
The cost of the control itself is then made up of:
Cost of development or acquisition (purchase cost) of hardware, software, and services
Training fees (cost to train personnel)
Cost of implementation (cost to install, configure, and test hardware, software, and services)
Service costs (vendor fees for maintenance and upgrades)
Cost of maintenance (labor expense to verify and continually test, maintain, and update)
72. Assets Valuation
Benefit is the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.
The amount of the benefit is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is to the asset.
A benefit may be expressed as a reduction in the annualized loss expectancy (ALE).
Asset valuation is the process of assigning financial value or worth to all information assets in transit, at rest, and in use within an organization. All your information about crimes, logistics, strategies, investigations, and operations stored in databases, on hard drives, or on any other electronic media must be valued to determine how much to invest in protecting it from cybercriminals.
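Putting the CBA steps and the ALE idea together, the following Python script is an added example and not part of the lecture notes. It values the asset, estimates the loss in value per incident and how often an incident is expected, annualizes the cost of a control from the cost items listed above, and reports whether the ALE reduction (the benefit) outweighs the control's annual cost. The split of ALE into a single loss expectancy times an annual rate of occurrence is a standard assumption made here, not a formula the slides give; all figures are constructed.

```python
"""Cost-benefit analysis of a security control (added example).

benefit = ALE(before control) - ALE(after control)
net     = benefit - annualized cost of the control
ALE is computed as SLE x ARO (an assumption); SLE = asset value x fraction
of value lost per incident.  All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float       # value of the information asset (CBA step 1)
    exposure_factor: float   # fraction of value lost per incident, 0..1 (CBA step 2)
    annual_rate: float       # expected incidents per year (ARO)

    def sle(self) -> float:
        """Single loss expectancy: loss in value from one exploitation."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class ControlCost:
    acquisition: float           # purchase/development of hardware, software, services
    training: float              # cost to train personnel
    implementation: float        # install, configure, test
    service_per_year: float      # vendor fees for maintenance and upgrades
    maintenance_per_year: float  # labour to verify, test, maintain, update
    lifetime_years: int          # period over which one-off costs are spread

    def annualized(self) -> float:
        """Annual cost of the safeguard: one-off costs spread over its life
        plus the recurring service and maintenance costs."""
        if self.lifetime_years < 1:
            raise ValueError("lifetime_years must be at least 1")
        one_off = self.acquisition + self.training + self.implementation
        return (one_off / self.lifetime_years + self.service_per_year
                + self.maintenance_per_year)


def cost_benefit(before: Exposure, after: Exposure, cost: ControlCost) -> dict:
    """Return the ALE before and after the control, the benefit (ALE
    reduction), the control's annual cost, and whether it pays for itself."""
    benefit = before.ale() - after.ale()
    acs = cost.annualized()
    return {"ale_before": before.ale(), "ale_after": after.ale(),
            "benefit": benefit, "annual_cost": acs, "net": benefit - acs,
            "worthwhile": benefit > acs}


# Constructed scenario: a case database worth N2bn; ransomware is expected
# once every two years and would destroy 40% of its value.  An offline-backup
# and tested-restore programme cuts the loss per incident to 5%.
BEFORE = Exposure(asset_value=2e9, exposure_factor=0.40, annual_rate=0.5)
AFTER = Exposure(asset_value=2e9, exposure_factor=0.05, annual_rate=0.5)
BACKUP_PROGRAMME = ControlCost(acquisition=60e6, training=5e6, implementation=15e6,
                               service_per_year=10e6, maintenance_per_year=20e6,
                               lifetime_years=4)

if __name__ == "__main__":
    for key, val in cost_benefit(BEFORE, AFTER, BACKUP_PROGRAMME).items():
        print(f"{key:12s} {val:,.0f}" if isinstance(val, float) else f"{key:12s} {val}")
```

Comparing several candidate controls is the same call repeated with a different `after` exposure and `ControlCost`; the one with the highest positive net is the economically feasible choice, subject to the other feasibility tests the notes describe.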
73. Assets Valuation
The value of information assets differs within and between organizations, depending both on the characteristics of the information and on the perceived value of that information. If, for example, the government gives free education up to university level and spends N50 billion annually on Nigerian youths, and there is a drug cartel peddling cocaine to university students in Nigeria such that it reduces students' time commitment and academic performance by 80%, the implication is that the government loses value from its investment to the tune of N40 billion annually to this crime. The value of all information assets for confronting this crime should then be based on the perceived value of the government's investment at stake (N40 billion).
74. Assets Valuation
The valuation of assets involves the estimation of real and perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss and litigation.
Other costs are almost impossible to determine accurately, for example, the dollar value of the loss in market share if information on new product offerings is released prematurely and a company loses its competitive edge.
A further complication is the value that some information assets acquire over time, beyond the intrinsic value of the asset under consideration. In most cases, the higher the acquired value, the more protection the asset warrants.
Once an organization has estimated the worth of its various assets, it can begin to examine the potential loss that could occur from the exploitation of a vulnerability or a threat occurrence.
75. Evaluation, Assessment,
and Maintenance of Risk
Controls
The selection and implementation of a control strategy
is not the end of a process; the strategy and its
accompanying controls must be monitored and
reevaluated on an ongoing basis to determine their
effectiveness and to more accurately calculate the
estimated residual risk.
76. Quantitative Versus Qualitative Risk Control Practices
Quantitative risk control practice is an assessment practice that uses actual values and estimates to determine the cost and benefit of risk control.
Qualitative practice is used where an organization cannot put specific numbers or values on the cost of control. It is accomplished using scales rather than specific estimates. A sample scale could include none (representing no chance of occurrence), then low, medium, and high.
For example, instead of estimating that a particular piece of information is worth $1 million, you can value information on a scale of 1-20, with 1 indicating relatively worthless information and 20 indicating extremely critical information.
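A qualitative assessment still has to produce a ranking and a decision, which means turning the scale labels into something that can be compared. The following Python script is an added example, not part of the lecture notes: it combines the none/low/medium/high likelihood scale with the 1-20 impact scale above, bands the result, ranks the findings, and flags those above the level of risk the organization is willing to live with (its risk appetite, which the notes discuss later). The numeric weights, the band boundaries, the appetite threshold, and the sample findings are all assumptions constructed for this example.

```python
"""Qualitative risk assessment with ordinal scales (added example).

score = likelihood weight x impact (1..20); the weights, bands and the
risk-appetite threshold are assumptions an organization sets for itself.
"""

LIKELIHOOD = {"none": 0, "low": 1, "medium": 2, "high": 3}   # assumed weights

# Score bands (assumed): lower bound of each band, ascending.  Max score is 60.
BANDS = [(0, "none"), (1, "low"), (16, "medium"), (36, "high")]


def score(likelihood: str, impact: int) -> int:
    """Ordinal risk score.  A 'none' likelihood yields 0 whatever the impact,
    matching the slide's meaning of 'no chance of occurrence'."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood '{likelihood}'")
    if not 1 <= impact <= 20:
        raise ValueError(f"impact must be 1..20, got {impact}")
    return LIKELIHOOD[likelihood] * impact


def band(s: int) -> str:
    """Map a score to the highest band whose lower bound it reaches."""
    label = BANDS[0][1]
    for lower, name in BANDS:
        if s >= lower:
            label = name
    return label


def assess(findings, appetite: str = "medium"):
    """Rank findings and flag those above the organization's risk appetite.

    `findings`: list of (asset, vulnerability, likelihood label, impact 1..20).
    `appetite`: the highest band the organization is willing to live with.
    """
    order = [name for _, name in BANDS]
    if appetite not in order:
        raise ValueError(f"unknown appetite band '{appetite}'")
    limit = order.index(appetite)
    rows = []
    for asset, vuln, lik, imp in findings:
        s = score(lik, imp)
        b = band(s)
        rows.append({"asset": asset, "vulnerability": vuln, "score": s,
                     "band": b, "exceeds_appetite": order.index(b) > limit})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed findings for a crime-fighting organization.
FINDINGS = [
    ("Narcotics case database", "unpatched DB server", "high", 20),
    ("Officer e-mail", "no 2FA on webmail", "medium", 12),
    ("Public press archive", "directory listing enabled", "high", 2),
    ("Decommissioned armoury list", "stale file share", "none", 15),
]

if __name__ == "__main__":
    for r in assess(FINDINGS):
        flag = "ACT" if r["exceeds_appetite"] else "ok"
        print(f"{flag:3s} {r['score']:3d} {r['band']:7s} {r['asset']}: {r['vulnerability']}")
```

The findings flagged as exceeding appetite are the ones that need a defend, transfer, mitigate, or terminate decision; the rest are candidates for acceptance, recorded as such rather than ignored.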
78. Benchmarking and Best Practices
Benchmarking is the practice of examining the processes used by peer organizations to determine the financial value they place on their information assets, and implementing security at an acceptable percentage of that value based on what the peer organizations do.
In other words, benchmarking is the process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization.
Two Types of Measures for Benchmarking
When benchmarking, an organization such as the NPF, the NA, or a private security organization typically uses one of two types of measures to compare practices: metrics-based measures or process-based measures.
79. Benchmarking and Best Practices
Metrics-based measures are comparisons based on numerical standards, such as:
Number of successful attacks
Staff hours spent on system protection
Dollars spent on protection
Number of security personnel
Estimated value in dollars of the information lost in successful attacks
Loss in productivity hours associated with successful attacks
Process-based measures are generally less focused on numbers and are more strategic than metrics-based measures. For each of the areas the organization is interested in benchmarking, process-based measures enable the organization to examine the activities an individual company performs in pursuit of its goal rather than the specifics of how goals are attained. The primary focus is on the method the organization uses to accomplish a particular process, rather than the outcome.
80. Risk Management
Discussion Points
Not every organization has the collective will or
budget to manage each vulnerability by applying
controls; therefore, each organization must define the
level of risk it is willing to live with.
81. Risk Appetite
Risk appetite defines the quantity and nature of risk that
organizations are willing to accept as they evaluate the
tradeoffs between perfect security and unlimited accessibility.
For instance, a financial services company, regulated by the
government and conservative by nature, may seek to apply
every reasonable control and even some invasive controls to
protect its information assets. Other nonregulated organizations
may also be conservative by nature, seeking to avoid the
negative publicity associated with the perceived loss of
integrity.
82. Residual Risk
Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is called residual risk. To express it another way, "residual risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards."
83. Residual Risk
The significance of residual risk must be judged within
the context of the organization. Although it is
counterintuitive, the goal of information security is not
to bring residual risk to zero; it is to bring residual risk
into line with an organization’s comfort zone or risk
appetite. If decision-makers have been informed of
uncontrolled risks and the proper authority groups
within the communities of interest have decided to
leave residual risk in place, the information security
program has accomplished its primary goal.