Dr.M.Florence Dayana, Assistant Professor in CS,
Bon Secours College for Women (Autonomous), Thanjavur, Tamil Nadu.
1
24PCS108: Cyber Security and Ethical Hacking
Unit III: Risk Management
1. Fundamentals of Risk Management in Cyber Security
Introduction:
Cybersecurity risk management is the process of identifying,
evaluating, and addressing risks associated with digital assets
and IT systems. It is a critical component of an organization’s
overall risk management strategy.
A foundational concept in cybersecurity is the CIA Triad: Confidentiality, Integrity, and Availability. These three principles form the core objectives of all security practices.
• Confidentiality ensures that sensitive data is accessed only by authorized individuals.
• Integrity guarantees that information remains unaltered and trustworthy.
• Availability ensures that data and systems are accessible when needed.
Risk in cybersecurity typically involves the interaction between assets, threats, and
vulnerabilities.
• An asset is anything of value to an organization, such as data, hardware, or software systems.
• A threat is any potential cause of an unwanted incident, which may result in harm to the system or the organization. Threats can be external (e.g., hackers, malware, natural disasters) or internal (e.g., disgruntled employees, human errors).
• A vulnerability is a weakness or flaw in a system that can be exploited by a threat, such as outdated software, weak passwords, or misconfigured firewalls.
Risk Management Lifecycle:
To manage cyber risks effectively, organizations typically follow a Risk Management Lifecycle that includes four main phases:
• Identify Risks
• Assess Risks
• Mitigate Risks
• Monitor and Review
a) Identify the Risk (Red Section – Step 1)
This is the first and foundational step in the risk management process.
• It involves discovering potential threats and vulnerabilities within an organization.
• Examples include identifying outdated software, unauthorized access points, or external threats like malware.
• This step sets the stage for further analysis and treatment.
Symbol: An exclamation mark in a red circle, signifying alertness or detection.
Example:
• Consider a scenario where an organization stores sensitive customer data on a web server. In this case, the key asset is the customer database, which contains personally identifiable information.
• A potential threat is an external hacker attempting to carry out a SQL injection attack to gain unauthorized access to the database. The associated vulnerability lies in the unvalidated input fields on a web form, which the attacker can exploit to inject malicious SQL commands.
• The resulting risk is a serious data breach that could lead to significant legal and financial consequences, including loss of customer trust and regulatory penalties. Upon assessment, the likelihood of this risk occurring is considered high, as SQL injection is a common and well-known attack vector.
• Similarly, the impact is also high, due to the sensitivity of the data involved. To mitigate this risk, the organization should implement input validation, deploy a web application firewall (WAF), and conduct regular code reviews to identify and fix vulnerabilities early.
b) Assess the Risk (Yellow Section – Step 2)
• Once risks are identified, the next step is to analyze their likelihood and potential impact.
• This can be done qualitatively (e.g., high/medium/low) or quantitatively (e.g., financial loss estimates).
• The goal is to prioritize risks based on their severity and urgency.
Symbol: A checklist on a clipboard, representing evaluation and documentation.
Example:
• In an IT company, one significant risk identified is the possibility of phishing emails being used to steal employee login credentials. In this scenario, the asset at risk is the employees' login information, which provides access to internal systems and sensitive data.
• The threat is the phishing attack itself—malicious emails designed to trick employees into revealing their usernames and passwords. The associated vulnerability lies in the lack of employee awareness or training regarding email security and phishing detection.
• This leads to a serious risk of unauthorized access to the company’s internal systems, potentially resulting in data breaches, financial fraud, or operational disruptions. Upon assessment, the likelihood of this risk is considered high, as phishing is a widespread attack method that exploits human error.
• The impact is assessed as medium to high, depending on what systems or data are accessed. To mitigate this risk, the company should take proactive actions such as conducting regular cybersecurity awareness training for staff, implementing advanced email filtering tools, and enabling multi-factor authentication (MFA) to strengthen login security.
c) Treat the Risk (Green Section – Step 3)
• This stage involves deciding on and implementing appropriate actions to manage the risk. Common strategies include:
  o Avoiding the risk (eliminating the activity).
  o Mitigating the risk (using controls like firewalls or access restrictions).
  o Transferring the risk (e.g., through insurance or outsourcing).
  o Accepting the risk (if it's within tolerance limits).
Symbol: A gear surrounded by arrows, representing action and implementation.
Example:
• A financial services company identifies a critical risk involving unauthorized access to confidential client data, primarily due to weak password policies across its systems. To address this, the company chooses to mitigate the risk by implementing stronger access control measures.
• These include enforcing complex password requirements, introducing two-factor authentication (2FA) for all user accounts, and conducting regular security audits to detect and address vulnerabilities proactively.
• In addition to mitigation, the company also opts to transfer part of the risk by purchasing cybersecurity insurance, which offers financial protection in case of a data breach. This dual approach—combining preventive controls with risk transfer—helps reduce the likelihood of unauthorized access and ensures the organization is prepared for any residual risks that may remain.
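The Assess and Treat steps described above can be written down as a small risk register. The following is an added example and is not part of the lecture notes: the register entries are constructed from the scenarios in the notes, and the rule that maps a score to accept / mitigate / transfer / avoid, the mitigation-cost ratings and the tolerance value are all assumptions.

```python
"""Risk register for the Assess and Treat steps (added example, not from the notes)."""
from dataclasses import dataclass, field

# Ordinal scale behind the qualitative high / medium / low ratings.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                  # "low" | "medium" | "high"
    impact: str                      # "low" | "medium" | "high"
    mitigation_cost: str = "medium"  # relative cost of the controls, same scale (assumed)
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Risk score = likelihood x impact on the 1..3 scale, so 1..9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def prioritize(risks):
    """Assess step: risks ordered from highest to lowest score (stable sort)."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def suggest_treatment(risk, tolerance, can_transfer=False):
    """Treat step: choose avoid / mitigate / transfer / accept.

    Assumed decision rule (not from the notes):
      score within tolerance                 -> accept, keep monitoring
      controls cost no more than the impact  -> mitigate
      insurance or outsourcing available     -> transfer
      otherwise                              -> avoid the activity
    """
    if risk.score() <= tolerance:
        return "accept"
    if LEVELS[risk.mitigation_cost] <= LEVELS[risk.impact]:
        return "mitigate"
    if can_transfer:
        return "transfer"
    return "avoid"


# Constructed register built from the scenarios in the notes.
REGISTER = [
    Risk("sqli", "customer database", "external attacker using SQL injection",
         "unvalidated web form input", "high", "high", "low",
         ["input validation", "WAF", "regular code reviews"]),
    Risk("phishing", "employee credentials", "phishing e-mails",
         "low staff awareness", "high", "medium", "low",
         ["awareness training", "e-mail filtering", "MFA"]),
    Risk("weak-passwords", "client data", "unauthorized access",
         "weak password policy", "medium", "high", "medium",
         ["complex passwords", "2FA", "security audits"]),
    Risk("vendor-outage", "order processing", "hosting provider outage",
         "single provider, no failover", "medium", "medium", "high",
         ["cyber insurance"]),
    Risk("minor-leak", "internal newsletter", "accidental disclosure",
         "no outbound mail filtering", "low", "low", "high"),
]

TOLERANCE = 2   # assumed risk appetite: scores of 1 or 2 are acceptable


def treatment_plan(register=REGISTER, tolerance=TOLERANCE, can_transfer=True):
    """Return [(name, score, treatment)] with the highest score first."""
    return [(r.name, r.score(), suggest_treatment(r, tolerance, can_transfer))
            for r in prioritize(register)]


if __name__ == "__main__":
    for name, score, action in treatment_plan():
        print(f"{name:15} score={score} -> {action}")
```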
d) Monitor the Risk (Teal Section – Step 4)
Risk management is not a one-time activity. This step ensures continuous observation of the
risk environment.
• Track existing risks, detect new ones, and evaluate the effectiveness of treatments.
• Helps adapt the strategy as systems and threats evolve.
Example:
• An e-commerce company implements 2FA to protect user accounts but continues to monitor login patterns and incident reports over time. Through continuous risk monitoring, the company discovers a new pattern of credential stuffing attacks from overseas IP addresses.
• Although 2FA has been effective in stopping unauthorized access, the monitoring team identifies that these attacks are increasing in frequency. As a result, they update the firewall rules, add geolocation-based access restrictions, and enhance alerting mechanisms.
• This adaptive strategy ensures the company stays ahead of evolving cyber threats and maintains robust security.
2. Risk Assessment Frameworks (e.g., NIST, ISO 27001)
Risk assessment frameworks are structured guidelines that help organizations systematically
identify, evaluate, and manage risks related to cybersecurity. Two widely recognized and
adopted frameworks are NIST (National Institute of Standards and Technology) and
ISO/IEC 27001 (International Organization for Standardization).
NIST Risk Management Framework (RMF):
• The NIST Risk Management Framework (RMF) is primarily used in the United States, especially by government agencies and contractors.
• It is outlined in documents such as NIST SP 800-30 (Guide for Conducting Risk Assessments) and NIST SP 800-37 (Risk Management Framework for Information Systems).
• The NIST framework includes six main steps: categorize information systems, select security controls, implement the controls, assess them, authorize the system for operation, and monitor the controls continuously.
• This framework emphasizes continuous monitoring, real-time risk assessment, and integration with the system development lifecycle.
• It is known for its technical depth and flexibility, allowing organizations to tailor controls to their specific risk environment.
ISO/IEC 27001:
• ISO/IEC 27001 is a globally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Unlike NIST, ISO 27001 adopts a more organizational and process-oriented approach.
• It requires the organization to conduct a formal risk assessment to identify potential threats and vulnerabilities to information assets, determine the likelihood and impact of risks, and select appropriate controls from Annex A of the standard (which lists 93 controls grouped into 4 themes in the latest version).
• The ISO 27001 framework operates under the Plan-Do-Check-Act (PDCA) cycle, promoting continuous improvement of the ISMS.
Both frameworks support structured and repeatable methods for assessing risk but cater to
different types of organizations and compliance needs. NIST is more technical and suited for
U.S. federal systems and highly regulated environments, whereas ISO 27001 is ideal for
organizations seeking international certification and alignment with global standards.
3. Risk Mitigation
What is Risk Mitigation?
• Cybersecurity risk mitigation is a set of methods and best practices to reduce the risks associated with cyber threats.
• More sophisticated and frequent cyber attacks are making organizations realize how important it is to have good cybersecurity measures in place to protect their operations and data.
• Successful risk mitigation strategies protect against losses in financial terms, operational downtime, and the resulting reputational damage from cyber incidents.
Risk Mitigation Strategies
The following are some of the key approaches organizations can take to improve their risk
management practices and further bolster their cybersecurity stance:
1. Risk Avoidance
Risk avoidance consists of the evasion of activities or processes involving a high level of risk. By avoiding high-risk situations, organizations can considerably reduce their exposure to all kinds of threats. In this approach, all operational elements of any new project or venture are considered in the evaluation, so that activities carrying unacceptable risk can be recognized and avoided before they are undertaken.
2. Risk Reduction
Organizations can employ various controls and measures that can lower the probability of occurrence or reduce the impact of risks. This can be done by the implementation of best practices, regular training, and investment in advanced security technologies. A security-aware culture within the organization can go a long way in threat mitigation.
3. Risk Transfer
Risk transfer is shifting parts of the risk to other parties, such as insurance companies or
outsourcing partners. With risk sharing, organizations can hedge against potential loss while
reserving internal teams for the primary operational goals. This could be an effective strategy
to deal with large risks that may financially overwhelm an organization.
4. Risk Acceptance
Organizations can accept risk in areas where mitigation costs are higher than the potential impact. The accepted risk has to be properly evaluated and continuously monitored. For instance, a company might deem a minor data leakage threat acceptable, rendering mitigation costs unjustified. However, a significant risk would necessitate a comprehensive mitigation plan.
4. Business Continuity Planning (BCP) in Cybersecurity Risk Management
1. Definition and Purpose
• BCP is a proactive process that prepares an organization to maintain critical business operations during and after disruptive cyber events (e.g., ransomware attacks, data breaches, system outages).
• It aims to minimize downtime and operational disruption while protecting the organization’s reputation and financial stability.
2. Key Components of BCP
• Business Impact Analysis (BIA):
  Identify and prioritize critical business functions and processes, and evaluate the impact of disruption on these.
• Risk Assessment:
  Identify cyber threats and vulnerabilities that could disrupt operations (e.g., malware, insider threats, phishing).
• Continuity Strategies:
  Develop strategies to maintain business operations under adverse conditions. For example:
  o Remote work capabilities for employees.
  o Alternate communication channels if primary systems are compromised.
  o Manual workarounds when IT systems are down.
• Roles and Responsibilities:
  Define the business continuity team and assign responsibilities clearly, including decision-making authority during a crisis.
• Communication Plan:
  Develop protocols for internal and external communication during an incident, including notifying customers, regulators, and partners.
• Training and Awareness:
  Regularly train staff on their roles in the BCP, including recognizing and reporting cyber incidents.
• Testing and Maintenance:
  Conduct regular drills and simulations to test the BCP’s effectiveness. Update the plan based on lessons learned and changes in the business or threat landscape.
Disaster Recovery (DR) in Cybersecurity Risk Management
1. Definition and Purpose
• DR is a subset of BCP focused on the technical response and recovery after a cyber incident that impacts IT infrastructure.
• It ensures the restoration of critical systems and data with minimal downtime and data loss.
2. Key Components of DR
• Recovery Time Objective (RTO):
  The maximum acceptable time that a system can be down after a disruption.
• Recovery Point Objective (RPO):
  The maximum acceptable amount of data loss measured in time (e.g., losing only 1 hour of data).
• Backup Strategy:
  Regular, secure backups of critical data and systems. Best practices include:
  o Using the 3-2-1 rule: 3 copies of data, on 2 different media, with 1 copy offsite/cloud.
  o Encryption of backup data to prevent tampering or theft.
• Incident Response Integration:
  DR should align with incident response plans, ensuring fast detection and containment of cyber threats.
• Restoration Procedures:
  Step-by-step technical instructions to restore hardware, software, networks, and data from backups.
• Testing and Validation:
  Routine DR testing (e.g., tabletop exercises, full recovery drills) to verify recovery times and processes.
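An added example (not from the lecture notes) that checks a backup inventory against the RPO and 3-2-1 rule described above, the kind of check a DR validation run would automate: the inventory records, the per-system RPO values and the "now" timestamp are constructed, and a copy is counted as off-site when its location is "offsite" or "cloud".

```python
"""RPO and 3-2-1 check over a backup inventory (added example, not from the notes)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: (system, taken_at, media, location, encrypted).
# orders-db has three fresh copies on three media with one in the cloud;
# crm has two stale on-site disk copies, one of them unencrypted.
BACKUPS = [
    ("orders-db", "2024-05-01T00:00:00+00:00", "disk",           "onsite", True),
    ("orders-db", "2024-05-01T00:05:00+00:00", "tape",           "onsite", True),
    ("orders-db", "2024-05-01T00:10:00+00:00", "object-storage", "cloud",  True),
    ("crm",       "2024-04-30T20:00:00+00:00", "disk",           "onsite", True),
    ("crm",       "2024-04-30T20:00:00+00:00", "disk",           "onsite", False),
]

# Maximum tolerable data loss per system (assumed values).
RPO = {"orders-db": timedelta(hours=1), "crm": timedelta(hours=4)}

OFFSITE = {"offsite", "cloud"}   # assumed: locations that satisfy the "1 copy offsite" rule

# Constructed point in time at which the check runs.
NOW = datetime.fromisoformat("2024-05-01T00:30:00+00:00")


def check_backups(backups, rpo, now):
    """Return {system: finding}.

    rpo_met        : the newest copy is no older than the system's RPO
    hours_at_risk  : data written since the newest copy would be lost on failure
    three_two_one  : >= 3 copies, >= 2 media, at least one copy off-site
    unencrypted_copies : copies stored without encryption
    """
    by_system = defaultdict(list)
    for rec in backups:
        by_system[rec[0]].append(rec)

    findings = {}
    for system, copies in by_system.items():
        latest = max(datetime.fromisoformat(c[1]) for c in copies)
        age = now - latest
        media = {c[2] for c in copies}
        findings[system] = {
            "rpo_met": age <= rpo[system],
            "hours_at_risk": round(age.total_seconds() / 3600, 2),
            "three_two_one": (len(copies) >= 3 and len(media) >= 2
                              and any(c[3] in OFFSITE for c in copies)),
            "unencrypted_copies": sum(1 for c in copies if not c[4]),
        }
    return findings


def systems_needing_action(findings):
    """Systems that miss their RPO, fail 3-2-1, or hold an unencrypted copy."""
    return sorted(s for s, f in findings.items()
                  if not f["rpo_met"] or not f["three_two_one"]
                  or f["unencrypted_copies"])


if __name__ == "__main__":
    result = check_backups(BACKUPS, RPO, NOW)
    for system, finding in result.items():
        print(system, finding)
    print("needs action:", systems_needing_action(result))
```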
How BCP and DR Work Together in Cybersecurity
Aspect                 | Business Continuity Planning (BCP)                         | Disaster Recovery (DR)
Focus                  | Keeping business functions running during disruption       | Restoring IT systems and data after disruption
Scope                  | Business-wide (people, processes, facilities, tech)        | IT infrastructure and applications
Timeline               | Immediate and ongoing during the incident                  | Post-incident recovery phase
Examples of Activities | Alternate work locations, manual processes, communications | Data backup restoration, system rebuilds
Outcome                | Minimized operational downtime                             | Full restoration of IT capabilities
Example Cybersecurity Risks Addressed by BCP & DR
• Ransomware attack:
  o BCP ensures critical business operations continue (e.g., manual order processing).
  o DR enables restoring encrypted data from backups.
• DDoS attack:
  o BCP prepares alternative communication and transaction channels.
  o DR focuses on network recovery and mitigation.
• Data breach:
  o BCP activates communication plans to notify stakeholders and regulators.
  o DR assists in restoring system integrity and eradicating malware.
Benefits of BCDR
1. Minimizes Downtime
o Ensures critical business functions keep running during disruptions.
o Enables faster recovery of IT systems and data, reducing operational
interruptions.
2. Protects Revenue and Reduces Financial Loss
o Avoids costly production halts or lost sales caused by downtime.
o Helps prevent penalties from regulatory non-compliance after breaches.
3. Safeguards Reputation and Customer Trust
o Demonstrates reliability and preparedness to clients and partners.
o Maintains communication during crises, preserving stakeholder confidence.
4. Improves Risk Management and Preparedness
o Identifies vulnerabilities and threats before incidents occur.
o Provides a structured approach to handle cyberattacks and disasters.
5. Ensures Regulatory Compliance
o Meets legal and industry requirements for data protection and business
continuity.
o Helps avoid fines and legal issues associated with data breaches.
6. Enhances Organizational Resilience
o Builds a culture of readiness and quick response to unexpected events.
o Encourages cross-department collaboration for crisis management.
7. Protects Data Integrity and Availability
o Regular backups and secure recovery processes prevent data loss.
o Ensures data is accurate and accessible when needed post-incident.
8. Supports Decision-Making During Crises
o Clear plans and roles reduce confusion and speed up response efforts.
o Facilitates coordinated actions between IT, management, and external parties.
9. Cost-Effective Over Time
o Investing in BCDR reduces long-term costs related to data loss, downtime, and
recovery.
o Prevents expensive emergency fixes and unplanned expenditures.
5. Case studies of risk management failures and successes
Risk Management Failures
In July 2024, a faulty software update from CrowdStrike, a major cybersecurity company,
caused computers around the world to crash. This affected airlines, hospitals, banks, and other
critical services. The issue happened because the update wasn’t properly tested before release.
This case highlights how even trusted companies can cause huge problems if software updates
aren’t carefully managed.
In February 2024, Change Healthcare, which handles billing for many U.S. hospitals, was
hit by a ransomware attack. Hackers used stolen login details to get into the system and stole
a large amount of patient data. The company didn’t use two-factor authentication, which would
have made it harder for the attackers to get in. This incident shows the importance of basic
security measures like secure logins.
The Sellafield nuclear site in the UK was fined for years of poor cybersecurity. About 75% of
its servers were not properly protected, which could have led to a serious national security risk.
While there was no actual cyberattack, the case shows that ignoring cybersecurity can lead to
dangerous situations—even if nothing bad has happened yet.
Cybersecurity Successes
In 2024, Fortinet quickly responded to a serious security flaw in its software after hackers tried
to exploit it. They informed their users right away and provided updates to fix the issue. Their
quick action helped prevent further attacks and showed the value of being transparent and
prepared when things go wrong.
The U.S. Department of the Treasury also handled a cyberattack very well in December
2024. A group of hackers from China got in using a stolen access key. The department
responded quickly by disabling the key and blocking access. Their quick response limited the
damage and showed how important it is to have a good cybersecurity plan in place.

Dr.M.Florence Dayana - Risk Management.pdf

  • 1.
    Dr.M.Florence Dayana, AssistantProfessor in CS, Bon Secours College for Women (Autonomous), Thanjavur, Tamil Nadu. 1 24PCS108: Cyber Security and Ethical Hacking Unit III: Risk Management 1. Fundamentals of Risk Management in Cyber Security Introduction: Cybersecurity risk management is the process of identifying, evaluating, and addressing risks associated with digital assets and IT systems. It is a critical component of an organization’s overall risk management strategy. A foundational concept in cybersecurity is the CIA Triad as  Confidentiality, Integrity, and Availability - These three principles form the core objectives of all security practices.  Confidentiality ensures that sensitive data is accessed only by authorized individuals.  Integrity guarantees that information remains unaltered and trustworthy.  Availability ensures that data and systems are accessible when needed. Risk in cybersecurity typically involves the interaction between assets, threats, and vulnerabilities.  An asset is anything of value to an organization, such as data, hardware, or software systems.  A threat is any potential cause of an unwanted incident, which may result in harm to the system or the organization. Threats can be external (e.g., hackers, malware, natural disasters) or internal (e.g., disgruntled employees, human errors).  A vulnerability is a weakness or flaw in a system that can be exploited by a threat, such as outdated software, weak passwords, or misconfigured firewalls. Risk Management Life cycle: To manage cyber risks effectively, organizations typically follow a Risk Management Lifecycle that includes four main phases:  Identify Risks  Assess Risks  Mitigate Risks  Monitor and Review
  • 2.
    Dr.M.Florence Dayana, AssistantProfessor in CS, Bon Secours College for Women (Autonomous), Thanjavur, Tamil Nadu. 2 a) Identify the Risk (Red Section – Step 1) This is the first and foundational step in the risk management process.  It involves discovering potential threats and vulnerabilities within an organization.  Examples include identifying outdated software, unauthorized access points, or external threats like malware.  This step sets the stage for further analysis and treatment. Symbol: An exclamation mark in a red circle, signifying alertness or detection. Example:  Consider a scenario where an organization stores sensitive customer data on a web server. In this case, the key asset is the customer database, which contains personally identifiable information.  A potential threat is an external hacker attempting to carry out a SQL injection attack to gain unauthorized access to the database. The associated vulnerability lies in the unvalidated input fields on a web form, which the attacker can exploit to inject malicious SQL commands.  The resulting risk is a serious data breach that could lead to significant legal and financial consequences, including loss of customer trust and regulatory penalties. Upon assessment, the likelihood of this risk occurring is considered high, as SQL injection is a common and well-known attack vector.  Similarly, the impact is also high, due to the sensitivity of the data involved. To mitigate this risk, the organization should implement input validation, deploy a web application firewall (WAF), and conduct regular code reviews to identify and fix vulnerabilities early. b) Assess the Risk (Yellow Section – Step 2)  Once risks are identified, the next step is to analyze their likelihood and potential impact.  This can be done qualitatively (e.g., high/medium/low) or quantitatively (e.g., financial loss estimates).  The goal is to prioritize risks based on their severity and urgency. 
Symbol: A checklist on a clipboard, representing evaluation and documentation. Example:  In an IT company, one significant risk identified is the possibility of phishing emails being used to steal employee login credentials. In this scenario, the asset at risk is the employees' login information, which provides access to internal systems and sensitive data.
  • 3.
    Dr.M.Florence Dayana, AssistantProfessor in CS, Bon Secours College for Women (Autonomous), Thanjavur, Tamil Nadu. 3  The threat is the phishing attack itself—malicious emails designed to trick employees into revealing their usernames and passwords. The associated vulnerability lies in the lack of employee awareness or training regarding email security and phishing detection.  This leads to a serious risk of unauthorized access to the company’s internal systems, potentially resulting in data breaches, financial fraud, or operational disruptions. Upon assessment, the likelihood of this risk is considered high, as phishing is a widespread attack method that exploits human error.  The impact is assessed as medium to high, depending on what systems or data are accessed. To mitigate this risk, the company should take proactive actions such as conducting regular cybersecurity awareness training for staff, implementing advanced email filtering tools, and enabling multi-factor authentication (MFA) to strengthen login security. c) Treat the Risk (Green Section – Step 3)  This stage involves deciding on and implementing appropriate actions to manage the risk. Common strategies include:  Avoiding the risk (eliminating the activity).  Mitigating the risk (using controls like firewalls or access restrictions).  Transferring the risk (e.g., through insurance or outsourcing).  Accepting the risk (if it's within tolerance limits). Symbol: A gear surrounded by arrows, representing action and implementation. Example:  A financial services company identifies a critical risk involving unauthorized access to confidential client data, primarily due to weak password policies across its systems. To address this, the company chooses to mitigate the risk by implementing stronger access control measures. 
 These include enforcing complex password requirements, introducing two-factor authentication (2FA) for all user accounts, and conducting regular security audits to detect and address vulnerabilities proactively.  In addition to mitigation, the company also opts to transfer part of the risk by purchasing cybersecurity insurance, which offers financial protection in case of a data breach. This dual approach—combining preventive controls with risk transfer—helps reduce the likelihood of unauthorized access and ensures the organization is prepared for any residual risks that may remain. d) Monitor the Risk (Teal Section – Step 4) Risk management is not a one-time activity. This step ensures continuous observation of the risk environment.  Track existing risks, detect new ones, and evaluate the effectiveness of treatments.  Helps adapt the strategy as systems and threats evolve.
  • 4.
    Dr.M.Florence Dayana, AssistantProfessor in CS, Bon Secours College for Women (Autonomous), Thanjavur, Tamil Nadu. 4 Example:  An e-commerce company implements 2FA to protect user accounts but continues to monitor login patterns and incident reports over time. Through continuous risk monitoring, the company discovers a new pattern of credential stuffing attacks from overseas IP addresses.  Although 2FA has been effective in stopping unauthorized access, the monitoring team identifies that these attacks are increasing in frequency. As a result, they update the firewall rules, add geolocation-based access restrictions, and enhance alerting mechanisms.  This adaptive strategy ensures the company stays ahead of evolving cyber threats and maintains robust security. 2. Risk Assessment Frameworks (e.g., NIST, ISO 27001) Risk assessment frameworks are structured guidelines that help organizations systematically identify, evaluate, and manage risks related to cybersecurity. Two widely recognized and adopted frameworks are NIST (National Institute of Standards and Technology) and ISO/IEC 27001 (International Organization for Standardization). NIST Risk Management Framework (RMF):  The NIST Risk Management Framework (RMF) is primarily used in the United States, especially by government agencies and contractors.  It is outlined in documents such as NIST SP 800-30 (Guide for Conducting Risk Assessments) and NIST SP 800-37 (Risk Management Framework for Information Systems).  The NIST framework includes six main steps: categorize information systems, select security controls, implement the controls, assess them, authorize the system for operation, and monitor the controls continuously.  This framework emphasizes continuous monitoring, real-time risk assessment, and integration with the system development lifecycle.  It is known for its technical depth and flexibility, allowing organizations to tailor controls to their specific risk environment. 
ISO/IEC 27001:  ISO/IEC 27001 is a globally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Unlike NIST, ISO 27001 adopts a more organizational and process-oriented approach.  It requires the organization to conduct a formal risk assessment to identify potential threats and vulnerabilities to information assets, determine the likelihood and impact of risks, and select appropriate controls from Annex A of the standard (which lists 93 controls grouped into 4 themes in the latest version).
  • 5.
    Dr.M.Florence Dayana, AssistantProfessor in CS, Bon Secours College for Women (Autonomous), Thanjavur, Tamil Nadu. 5  The ISO 27001 framework operates under the Plan-Do-Check-Act (PDCA) cycle, promoting continuous improvement of the ISMS. Both frameworks support structured and repeatable methods for assessing risk but cater to different types of organizations and compliance needs. NIST is more technical and suited for U.S. federal systems and highly regulated environments, whereas ISO 27001 is ideal for organizations seeking international certification and alignment with global standards. 3. Risk Mitigation What is Risk Mitigation?  Cybersecurity risk mitigation is a set of methods and best practices to reduce the risks associated with cyber threats.  More sophisticated and frequent cyber attacks are making organizations realize how important it is to have good cybersecurity measures in place to protect their operations and data.  Successful risk mitigation strategies protect against losses in financial terms, operational downtime, and the resulting reputational damage from cyber incidents. Risk Mitigation Strategies The following are some of the key approaches organizations can take to improve their risk management practices and further bolster their cybersecurity stance: 1. Risk Avoidance Risk avoidance consists of the evasion of activities or processes involving a high level of risk. By avoiding high-risk situations, organizations have chances to considerably reduce their level of exposure to all kinds of threats. It is the method wherein consideration of all the operational elements is accurately depicted and included in giving a proper analysis for the evaluation of any new project or venture. 2. Risk Reduction Organizations can employ various controls and measures that can lower the probability of occurrence or reduce the impact of risks. 
This can be done by the implementation of best practices, regular training, and investment in advanced security technologies. A security-aware culture within the organization can go a long way in threat mitigation.
  • 6.
    Dr.M.Florence Dayana, AssistantProfessor in CS, Bon Secours College for Women (Autonomous), Thanjavur, Tamil Nadu. 6 3. Risk Transfer Risk transfer is shifting parts of the risk to other parties, such as insurance companies or outsourcing partners. With risk sharing, organizations can hedge against potential loss while reserving internal teams for the primary operational goals. This could be an effective strategy to deal with large risks that may financially overwhelm an organization. 4. Risk Acceptance Organizations can accept risk in areas where mitigation costs are higher than the potential impact. The accepted risk has to be rightly evaluated and continuously monitored. For instance, a company might deem a minor data leakage threat acceptable, rendering mitigation costs unjustified. However, a significant risk would necessitate a comprehensive mitigation plan. 4. Business Continuity Planning (BCP) in Cybersecurity Risk Management 1. Definition and Purpose  BCP is a proactive process that prepares an organization to maintain critical business operations during and after disruptive cyber events (e.g., ransomware attacks, data breaches, system outages).  It aims to minimize downtime and operational disruption while protecting the organization’s reputation and financial stability. 2. Key Components of BCP  Business Impact Analysis (BIA): Identify and prioritize critical business functions and processes, and evaluate the impact of disruption on these.  Risk Assessment: Identify cyber threats and vulnerabilities that could disrupt operations (e.g., malware, insider threats, phishing).  Continuity Strategies: Develop strategies to maintain business operations under adverse conditions. For example: o Remote work capabilities for employees. o Alternate communication channels if primary systems are compromised. o Manual workarounds when IT systems are down. 
 Roles and Responsibilities: Define the business continuity team and assign responsibilities clearly, including decision-making authority during a crisis.
 Communication Plan: Develop protocols for internal and external communication during an incident, including notifying customers, regulators, and partners.
 Training and Awareness: Regularly train staff on their roles in the BCP, including recognizing and reporting cyber incidents.
 Testing and Maintenance: Conduct regular drills and simulations to test the BCP’s effectiveness. Update the plan based on lessons learned and changes in the business or threat landscape.

Disaster Recovery (DR) in Cybersecurity Risk Management
1. Definition and Purpose
 DR is a subset of BCP focused on the technical response and recovery after a cyber incident that impacts IT infrastructure.
 It ensures the restoration of critical systems and data with minimal downtime and data loss.
2. Key Components of DR
 Recovery Time Objective (RTO): The maximum acceptable time that a system can be down after a disruption.
 Recovery Point Objective (RPO): The maximum acceptable amount of data loss, measured in time (e.g., losing at most 1 hour of data).
 Backup Strategy: Regular, secure backups of critical data and systems. Best practices include:
o Using the 3-2-1 rule: 3 copies of the data, on 2 different media, with 1 copy offsite or in the cloud.
o Encryption of backup data to prevent tampering or theft.
 Incident Response Integration: DR should align with incident response plans, ensuring fast detection and containment of cyber threats.
 Restoration Procedures: Step-by-step technical instructions to restore hardware, software, networks, and data from backups.
 Testing and Validation: Routine DR testing (e.g., tabletop exercises, full recovery drills) to verify recovery times and processes.

How BCP and DR Work Together in Cybersecurity
Aspect | Business Continuity Planning (BCP) | Disaster Recovery (DR)
Focus | Keeping business functions running during disruption | Restoring IT systems and data after disruption
Scope | Business-wide (people, processes, facilities, technology) | IT infrastructure and applications
Timeline | Immediate and ongoing during the incident | Post-incident recovery phase
Examples of Activities | Alternate work locations, manual processes, communications | Data backup restoration, system rebuilds
Outcome | Minimized operational downtime | Full restoration of IT capabilities

Example Cybersecurity Risks Addressed by BCP & DR
 Ransomware attack:
o BCP ensures critical business operations continue (e.g., manual order processing).
o DR enables restoring encrypted data from backups.
 DDoS attack:
o BCP prepares alternative communication and transaction channels.
o DR focuses on network recovery and mitigation.
 Data breach:
o BCP activates communication plans to notify stakeholders and regulators.
o DR assists in restoring system integrity and eradicating malware.

Benefits of BCDR
1. Minimizes Downtime
o Ensures critical business functions keep running during disruptions.
o Enables faster recovery of IT systems and data, reducing operational interruptions.
2. Protects Revenue and Reduces Financial Loss
o Avoids costly production halts or lost sales caused by downtime.
o Helps prevent penalties from regulatory non-compliance after breaches.
3. Safeguards Reputation and Customer Trust
o Demonstrates reliability and preparedness to clients and partners.
o Maintains communication during crises, preserving stakeholder confidence.
4. Improves Risk Management and Preparedness
o Identifies vulnerabilities and threats before incidents occur.
o Provides a structured approach to handling cyberattacks and disasters.
5. Ensures Regulatory Compliance
o Meets legal and industry requirements for data protection and business continuity.
o Helps avoid fines and legal issues associated with data breaches.
6. Enhances Organizational Resilience
o Builds a culture of readiness and quick response to unexpected events.
o Encourages cross-department collaboration for crisis management.
7. Protects Data Integrity and Availability
o Regular backups and secure recovery processes prevent data loss.
o Ensures data is accurate and accessible when needed post-incident.
8. Supports Decision-Making During Crises
o Clear plans and roles reduce confusion and speed up response efforts.
o Facilitates coordinated actions between IT, management, and external parties.
9. Cost-Effective Over Time
o Investing in BCDR reduces long-term costs related to data loss, downtime, and recovery.
o Prevents expensive emergency fixes and unplanned expenditures.

5. Case Studies of Risk Management Failures and Successes
Risk Management Failures
In July 2024, a faulty software update from CrowdStrike, a major cybersecurity company, caused computers around the world to crash. This affected airlines, hospitals, banks, and other critical services. The issue happened because the update was not properly tested before release. This case highlights how even trusted companies can cause huge problems if software updates are not carefully managed.
In February 2024, Change Healthcare, which handles billing for many U.S. hospitals, was hit by a ransomware attack. Hackers used stolen login details to get into the system and stole a large amount of patient data.
The company did not use two-factor authentication, which would have made it harder for the attackers to get in. This incident shows the importance of basic security measures such as secure logins.
The Sellafield nuclear site in the UK was fined for years of poor cybersecurity. About 75% of its servers were not properly protected, which could have led to a serious national security risk. While there was no actual cyberattack, the case shows that ignoring cybersecurity can lead to dangerous situations, even if nothing bad has happened yet.
Cybersecurity Successes
In 2024, Fortinet quickly responded to a serious security flaw in its software after hackers tried to exploit it. The company informed its users right away and provided updates to fix the issue. Its quick action helped prevent further attacks and showed the value of being transparent and prepared when things go wrong.
The U.S. Department of the Treasury also handled a cyberattack very well in December 2024. A group of hackers from China got in using a stolen access key. The department responded quickly by disabling the key and blocking access. Its quick response limited the damage and showed how important it is to have a good cybersecurity plan in place.
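The Disaster Recovery targets above (RTO, RPO and the 3-2-1 backup rule) can be checked mechanically against a backup inventory and an incident timeline; the following is an added example, not part of these notes. The backup records, timestamps and targets are constructed, and treating any copy taken at or after the incident as unusable (as in the ransomware case above) is an assumption of the example.

```python
from datetime import datetime, timedelta

BACKUPS = [  # constructed inventory (not from the notes); offsite = outside the primary site
    {"media": "disk", "offsite": False, "encrypted": True, "taken": datetime(2024, 2, 21, 0, 0)},
    {"media": "tape", "offsite": False, "encrypted": True, "taken": datetime(2024, 2, 20, 22, 0)},
    {"media": "cloud", "offsite": True, "encrypted": True, "taken": datetime(2024, 2, 21, 0, 30)},
]

def check_321(backups):
    """3-2-1 rule (3 copies, 2 media, 1 offsite) plus the notes' encryption
    practice. Returns (ok, findings)."""
    findings = []
    if len(backups) < 3:
        findings.append(f"only {len(backups)} copies (need 3)")
    media = {b["media"] for b in backups}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s) (need 2)")
    if not any(b["offsite"] for b in backups):
        findings.append("no offsite copy")
    if any(not b["encrypted"] for b in backups):
        findings.append("unencrypted copy present")
    return (not findings, findings)

def achieved_rpo(backups, incident):
    """Actual data-loss window: incident time minus the newest copy taken before it.
    Assumption: copies taken at or after the incident may be affected, so they are skipped."""
    usable = [b["taken"] for b in backups if b["taken"] < incident]
    return incident - max(usable) if usable else None

def dr_report(backups, incident, restored, rpo_target, rto_target):
    """Compare achieved RPO/RTO against the targets and run the 3-2-1 check."""
    rpo = achieved_rpo(backups, incident)
    rto = restored - incident  # downtime actually experienced
    ok, findings = check_321(backups)
    return {
        "rpo_hours": None if rpo is None else rpo.total_seconds() / 3600,
        "rpo_met": rpo is not None and rpo <= rpo_target,
        "rto_hours": rto.total_seconds() / 3600,
        "rto_met": rto <= rto_target,
        "rule_321": ok,
        "findings": findings,
    }

def example_report():
    """Constructed timeline: ransomware detected 03:00, systems back at 09:00; targets RPO 1 h, RTO 4 h."""
    incident, restored = datetime(2024, 2, 21, 3, 0), datetime(2024, 2, 21, 9, 0)
    return dr_report(BACKUPS, incident, restored, timedelta(hours=1), timedelta(hours=4))

if __name__ == "__main__":
    print(example_report())  # RPO 2.5 h and RTO 6 h both miss their targets
```

The report shows the 3-2-1 rule satisfied while both recovery objectives are missed, which is exactly the gap a DR drill is meant to surface before a real incident.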