RISK
MANAGEMENT
FOR SECURITY
CS 22/L
“ Once we know our
weaknesses, they cease to
do us any harm.”
WHAT IS RISK
MANAGEMENT?
RISK MANAGEMENT
• The process of recognizing risk to an organization’s information
assets and infrastructure, as represented by vulnerabilities, and
taking efforts to minimize that risk to an acceptable level.
• Protects against financial losses, reputational damage, and
operational disruptions.
• Enables informed decision-making and promotes long-term
sustainability.
RISK ASSESSMENT
• The determination of the extent to which the organization’s
information assets are exposed or at risk.
RISK CONTROL
• The application of controls to reduce the risks to an organization’s
data and information systems.
RISK
MANAGEMENT
“ You don’t have to be
afraid of the outcome of a
hundred wars if you know
your enemy and yourself.
If you know yourself but
not your opponent, every
victory will be followed by
a defeat. You will lose
every war if you don’t
recognize the adversary or
yourself.”
KEY TASK: RISK MANAGEMENT
RISK MANAGEMENT
• Know yourself
• Know the enemy
• The roles of the communities of interest
RISK IDENTIFICATION
RISK IDENTIFICATION
PEOPLE, PROCEDURE AND DATA ASSET
IDENTIFICATION:
• People: Position name/number/ID (avoid names and stick to
identifying positions, roles, or functions); supervisor; security
clearance level; special skills
• Procedures: Description; intended purpose; relationship to software,
hardware, and networking elements; storage location for reference;
storage location for update
• Data: Classification; owner, creator, and manager; size of data
structure; data structure used (sequential or relational); online or
offline; location; backup procedures employed
RISK IDENTIFICATION
HARDWARE, SOFTWARE AND NETWORK ASSET IDENTIFICATION:
• Name
• IP address
• MAC Address
• Element type
• Serial number
• Manufacturer name
• Manufacturer’s model number
• Software version, update revision and FCO numbers
• Physical and logical location
• Controlling Entity
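The attributes above only support risk identification if the inventory they land in is complete and consistent. The following Python is an added example, not part of the original slides: it validates a small constructed inventory (every hostname, address, serial number and the vendor name "ExampleCorp" are made up) against the attribute list, normalizing MAC addresses, checking IP syntax with the standard `ipaddress` module, flagging assets with no controlling entity, and catching the same device entered twice under different names.

```python
"""Hardware, software and network asset inventory check.

Added example, not part of the original slides. All records below are
constructed: hostnames, addresses, serial numbers and the vendor name
"ExampleCorp" are made up. The check flags records that would weaken
risk identification: malformed IP or MAC, the same device recorded twice
(duplicate serial or MAC), and no controlling entity.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Six hex octets, separated consistently by ':' or '-' or not at all.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:\-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


@dataclass
class Asset:
    """One inventory row; fields follow the slide's attribute list."""
    name: str
    ip: str
    mac: str
    element_type: str        # server, desktop, networking device, ...
    serial: str
    manufacturer: str
    model: str
    version: str             # software version, update revision, FCO numbers
    location: str            # physical and logical location
    controlling_entity: str  # owning unit or role; empty string if unknown


def normalize_mac(mac):
    """Return the MAC as lower-case, colon-separated octets, or None if malformed."""
    if not _MAC_RE.match(mac):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_inventory(assets):
    """Return a list of (asset name(s), finding) pairs; empty means the inventory is clean."""
    findings = []
    for a in assets:
        try:
            ipaddress.ip_address(a.ip)
        except ValueError:
            findings.append((a.name, f"malformed IP address {a.ip!r}"))
        if normalize_mac(a.mac) is None:
            findings.append((a.name, f"malformed MAC address {a.mac!r}"))
        if not a.controlling_entity.strip():
            findings.append((a.name, "no controlling entity recorded"))
    # A serial or MAC seen twice usually means one physical asset entered under two names.
    for serial, n in Counter(a.serial for a in assets if a.serial).items():
        if n > 1:
            names = ", ".join(a.name for a in assets if a.serial == serial)
            findings.append((names, f"serial {serial} recorded {n} times"))
    macs = Counter(m for m in (normalize_mac(a.mac) for a in assets) if m)
    for mac, n in macs.items():
        if n > 1:
            names = ", ".join(a.name for a in assets if normalize_mac(a.mac) == mac)
            findings.append((names, f"MAC {mac} recorded {n} times"))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Asset("web-01", "10.0.1.10", "00:1A:2B:3C:4D:5E", "server", "SN1001",
          "ExampleCorp", "X100", "v4.2, FCO 17", "DC1 rack 3 / DMZ", "Web team"),
    # Same MAC as web-01 written with dashes: one box entered twice.
    Asset("web-02", "10.0.1.11", "00-1A-2B-3C-4D-5E", "server", "SN1002",
          "ExampleCorp", "X100", "v4.2, FCO 17", "DC1 rack 3 / DMZ", "Web team"),
    # Serial collides with web-01 and nobody owns it.
    Asset("fw-edge", "10.0.0.1", "00:1A:2B:3C:4D:60", "networking device", "SN1001",
          "ExampleCorp", "F20", "fw 9.1", "DC1 rack 1 / perimeter", ""),
    # Out-of-range IP octet and a five-octet MAC.
    Asset("kiosk-7", "10.0.5.300", "00:1A:2B:3C:4D", "desktop", "SN2007",
          "ExampleCorp", "D5", "build 2310", "Store 7 / retail VLAN", "Retail ops"),
]

if __name__ == "__main__":
    for name, finding in validate_inventory(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

Run it directly to print the findings; `validate_inventory` returns them as (asset, finding) pairs so the same check can gate an automated export from an asset database before the risk assessment step uses it.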
RISK IDENTIFICATION
DATA CLASSIFICATION AND MANAGEMENT:
• Data classification scheme – helps secure the confidentiality and integrity of information.
The information classifications are as follows:
• Confidential: Used for the most sensitive corporate information that must be tightly
controlled, even within the company. Access to information with this classification is strictly
on a need-to-know basis or as required by the terms of a contract. Information with this
classification may also be referred to as “sensitive” or “proprietary.”
• Internal: Used for all internal information that does not meet the criteria for the confidential
category and is to be viewed only by corporate employees, authorized contractors, and
other third parties.
• External: All information that has been approved by management for public release.
RISK IDENTIFICATION
IDENTIFYING AND PRIORITIZING THREATS:
Threat assessment – examination to assess the potential of a threat to
endanger the organization.
RISK IDENTIFICATION
TECHNIQUES
• Brainstorming sessions
• SWOT Analysis
• FMEA (Failure Mode and Effect Analysis)
• Scenario Planning
• Security Assessment
• Industry Best Practices and Threat Intelligence Reports
RISK ASSESSMENT
• It assigns a risk rating score to each information asset.
• Likelihood – the probability that a specific vulnerability will be the
object of a successful attack.
RISK ASSESSMENT MATRIX
RISK ASSESSMENT MATRIX
• Used to assess and prioritize risks based on the likelihood and severity
of their consequences.
• The risk matrix is based on two intersecting factors: the likelihood the
risk event will occur and the potential impact the risk event will have.
• In other words, it’s a tool that helps you visualize the probability versus
the severity of a potent
SAMPLE SCENARIO
• A data breach occurs on the cloud storage platform used by a retail
store, potentially exposing customer payment information (credit
card details) and personal data (names, addresses).
DO AN ASSESSMENT
• A small accounting firm receives an email that appears to be from a
legitimate vendor, requesting urgent payment information update.
An employee, unaware of the phishing attempt, clicks a malicious
link in the email, potentially compromising the firm's financial data
and exposing client information.
DO AN ASSESSMENT
• A company salesperson loses their laptop containing unencrypted
customer credit card data while traveling. This data breach could
lead to fraudulent charges on customer accounts and significant
financial losses for both the company and its customers.
RISK CONTROL STRATEGIES
• DEFEND – attempts to prevent the exploitation of the vulnerability.
• TRANSFER – attempts to shift risk to other assets, other processes, or other
organizations.
• MITIGATE – attempts to reduce the impact caused by the exploitation of a
vulnerability through planning and preparation.
• ACCEPT – the choice to do nothing to protect a vulnerability and to accept the
outcome of its exploitation.
• TERMINATE – directs the organization to avoid those business activities that
introduce uncontrollable risks.
SLE
• A single loss expectancy (SLE) is the calculation of the value associated with
the most likely loss from an attack. It is a calculation based on the value of the
asset and the exposure factor (EF), which is the expected percentage of loss
that would occur from a particular attack, as follows:
• SLE = asset value x exposure factor (EF)
• If a Web site has an estimated value of $1,000,000 (value determined by asset
valuation), and a deliberate act of sabotage or vandalism (hacker defacement)
scenario indicates that 10 percent of the Web site would be damaged or
destroyed after such an attack, then the SLE for this Web site would be
$1,000,000 x 0.10 = $100,000.
APPLY RISK TREATMENT
• Hackers launch a DoS attack on Zenith Bank's online banking
platform during peak business hours, overwhelming the system and
causing an outage. This prevents customers from accessing their
accounts, making transactions, and could lead to frustration and
potential loss of business.
RISK MANAGEMENT
• Residual risk – the risk to the information asset that remains even
after the application of controls.
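To tie the risk assessment matrix, the four scenarios, SLE and residual risk together, here is an added Python example (not from the original slides). The 5-point likelihood and impact scales, the score bands, and the post-control values are assumptions chosen for illustration; the scenario ratings are the ones given in the speaker notes, and the SLE figures are the slide's $1,000,000 / 10 percent defacement case.

```python
"""Risk rating matrix, single loss expectancy and residual risk.

Added example, not code from the original slides. The 5x5 scales, score
bands and post-control values are assumptions chosen for illustration; the
four scenarios are the ones the slides pose, rated as the speaker notes
rate them, and the SLE numbers are the slide's defacement example.
"""
from dataclasses import dataclass

# Qualitative scales for the two axes of the risk assessment matrix (assumed 5-point scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "moderate": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "high": 4, "very high": 5}

# Score bands for the 25-cell matrix (assumed thresholds; organizations set their own).
BANDS = ((15, "critical"), (10, "high"), (5, "medium"), (1, "low"))


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: str
    impact: str

    def rating(self):
        """Matrix cell = likelihood score x impact score, plus the band it falls in."""
        score = LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        band = next(name for floor, name in BANDS if score >= floor)
        return score, band


def prioritize(risks):
    """Highest matrix score first (sorted is stable, so ties keep input order)."""
    return sorted(risks, key=lambda r: r.rating()[0], reverse=True)


def treat(risk, likelihood_after=None, impact_after=None):
    """Residual risk: the same scenario re-rated after a control changes likelihood and/or impact."""
    return Risk(risk.asset, risk.scenario + " (after control)",
                likelihood_after or risk.likelihood, impact_after or risk.impact)


def sle(asset_value, exposure_factor):
    """Single loss expectancy = asset value x exposure factor (EF as a fraction 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def residual_sle(asset_value, ef_before, ef_after):
    """SLE remaining once a control has lowered the exposure factor.

    The difference is the control's risk reduction, which a cost-benefit
    analysis weighs against what the control costs.
    """
    before, after = sle(asset_value, ef_before), sle(asset_value, ef_after)
    return {"sle_before": before, "sle_after": after, "risk_reduced": before - after}


# The four slide scenarios, with the likelihood/impact given in the speaker notes.
SCENARIOS = [
    Risk("cloud storage (retail)", "breach exposes card and personal data", "moderate", "high"),
    Risk("accounting firm finance data", "vendor-impersonation phishing link clicked", "moderate", "high"),
    Risk("sales laptop", "unencrypted card data lost while traveling", "unlikely", "very high"),
    Risk("Zenith Bank online banking", "DoS outage during peak hours", "moderate", "high"),
]

if __name__ == "__main__":
    for r in prioritize(SCENARIOS):
        score, band = r.rating()
        print(f"{score:2d} {band:8s} {r.asset}: {r.scenario}")
    # Slide example: $1,000,000 site, 10 percent damaged by defacement
    print("SLE:", sle(1_000_000, 0.10))
    # Assumed control: full-disk encryption leaves the device loss but removes the data exposure
    print(treat(SCENARIOS[2], impact_after="minor").rating())
    # Assumed control lowering defacement EF from 10 percent to 2 percent
    print(residual_sle(1_000_000, 0.10, 0.02))
```

The rating is the product of the two axis scores, so a "rare" but "very high" impact event (5) sorts below a "moderate"/"high" one (12); whether that ordering is right for a given organization is exactly the question the matrix thresholds are meant to make explicit, and re-rating with `treat` shows how much of the original risk a proposed control actually leaves behind.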
RISK MANAGEMENT PLAN
• A comprehensive documentation of your organization’s risk management
process for special projects that offer opportunities to grow and reinvent.
• The purpose of a risk management plan is to help you identify, evaluate and
plan for possible risks that may arise within the project management process.
RISK MANAGEMENT PLAN
• Asset Identification
• Risk Identification
• Project Risk Assessment
• Risk Control
BENEFITS OF RISK
MANAGEMENT
• Reduced Risk of Data Breaches and Cyber Attacks
• Improved Compliance
• Enhanced Customer Trust and Confidence
• Improved Reputation
• Increased Efficiency
• Improved Risk Assessment and Decision-Making
• Improved Ability to Adapt and Respond to Change

Editor's Notes

  • #13 (hardware, software and network asset identification slide) Element type: For hardware, you can develop a list of element types, such as servers, desktops, networking devices, or test equipment, to whatever degree of detail you require. For software elements, you may choose to develop a list of types that includes operating systems, custom applications by type (accounting, HR, or payroll, to name a few), packaged applications, and specialty applications, such as firewall programs. The needs of the organization determine the degree of specificity. Types may, in fact, be recorded at two or more levels of specificity: record one attribute that classifies the asset at a high level and then add attributes for more detail. For example, one server might be listed as DeviceClass = S (server), DeviceOS = W2K (Windows 2000), DeviceCapacity = AS (advanced server). An FCO (field change order) is an authorization issued by an organization for the repair, modification, or update of a piece of equipment.
  • #14 (data classification slide) Dumpster diving – searching discarded material to retrieve information that could embarrass a company or compromise information security.
  • #21 (sample scenario: cloud storage breach) Likelihood: moderate. Impact: high.
  • #22 (assessment: phishing e-mail) Probability: moderate (phishing attacks are common, but employee awareness training can reduce susceptibility). Impact: high.
  • #23 (assessment: lost laptop) Likelihood: unlikely (laptop loss can happen, but security measures can mitigate it). Impact: very high (financial losses, reputational damage, potential lawsuits from affected customers).
  • #26 Risk handling decision point.
  • #28 (apply risk treatment: DoS on online banking) Likelihood: moderate (DoS attacks are a common threat for online financial institutions). Impact: high (lost revenue, customer dissatisfaction, reputational damage).