Cyber Risk Management
- DRASInt® Risk Alliance

- May 17, 2021
Team DRASInt
Background
Our experts have analyzed that the Security and Investigative functions are linked to the Cyber domain in one way or the other. Intricate knowledge of Cyber security and related processes is mandatory. In an attempt to arm our students with sound knowledge in the field of Cyber security, we will be evolving a Cyber security module exclusively to be used in the Security domain. The contents, which are basic in nature, will be introduced to the audience in a series of introductory articles by our team. You can log on to the blog page to offer your valuable comments for suggesting improvements.
What is Risk Management?
Risk Management (RM) is the process of identifying potential risks, assessing the impact of those risks, and planning how to respond if the risks become reality.
Setting Up your RM System

The Company needs to determine which assets it needs to protect and prioritize them. As the US National Institute of Standards and Technology (NIST) points out in its Framework for Improving Critical Infrastructure Cybersecurity, there is no one-size-fits-all solution. Different organizations have different technology infrastructures and different potential risks. Some organizations, such as financial services firms and healthcare organizations, have regulatory concerns in addition to business concerns that need to be addressed in a Cyber security RM system. Cyber security should follow a layered approach, with additional protections for the most important assets, such as corporate and customer data.
ISO 27001
ISO 27001 defines five steps that are needed for managing Cyber security risk and seven steps that must be followed for carrying out a Risk Assessment. They are as follows:
Risk identification
Vulnerability reduction
Threat reduction
Consequence mitigation
Enable cyber security outcome

ISO 27001 requires the organization to define the risk acceptance criteria and the criteria for performing security risk assessments:
Identify risks associated with the loss of confidentiality, availability and integrity of information within the scope of the Information Security Management System (ISMS)
Identify the risk owners.
Assess the consequences that may result if an identified risk materializes.
Assess the likelihood of that risk occurring.
Determine the level of the risk.
Compare the results of the analysis against the risk criteria.
Prioritize the risks for treatment.
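The seven assessment steps above are usually carried out over a risk register. The following Python script is an added illustration, not part of the original article or of ISO 27001 itself: it walks a small, constructed register through steps 3 to 7 (assess consequence, assess likelihood, determine level, compare against the acceptance criteria, prioritize). The 1 to 5 qualitative scales, the "consequence times likelihood" scoring and the acceptance threshold are assumptions for the example; the standard leaves these choices to the organization.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative scales: an assumption for this example, not prescribed by ISO 27001.
LIKELIHOOD: Dict[str, int] = {
    "rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5,
}
IMPACT: Dict[str, int] = {
    "negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5,
}


@dataclass
class Risk:
    """One line of the risk register (step 1: identified risk, step 2: risk owner)."""
    asset: str
    scenario: str
    owner: str
    # Loss of each CIA property if the scenario materializes (step 3).
    confidentiality: str
    integrity: str
    availability: str
    # How likely the scenario is within the assessment period (step 4).
    likelihood: str
    level: int = field(init=False, default=0)

    def consequence(self) -> int:
        # Assumed rule: the consequence is the worst of the three CIA impacts.
        return max(IMPACT[self.confidentiality],
                   IMPACT[self.integrity],
                   IMPACT[self.availability])


def assess(risk: Risk) -> int:
    """Step 5: determine the risk level as consequence x likelihood (assumed scoring)."""
    risk.level = risk.consequence() * LIKELIHOOD[risk.likelihood]
    return risk.level


def compare_to_criteria(risk: Risk, acceptance_threshold: int) -> str:
    """Step 6: compare the level against the organization's acceptance criterion."""
    return "accept" if risk.level <= acceptance_threshold else "treat"


def prioritize(register: List[Risk], acceptance_threshold: int) -> List[Risk]:
    """Step 7: return the risks needing treatment, highest level (then consequence) first."""
    for risk in register:
        assess(risk)
    to_treat = [r for r in register if compare_to_criteria(r, acceptance_threshold) == "treat"]
    return sorted(to_treat, key=lambda r: (-r.level, -r.consequence()))


# Constructed sample register for a fictitious company (not real data).
SAMPLE_REGISTER: List[Risk] = [
    Risk("Customer database", "Unauthorized disclosure via compromised admin credentials",
         "Head of IT", "severe", "moderate", "minor", "possible"),
    Risk("Payroll system", "Ransomware encrypts payroll data before month-end",
         "Finance Director", "minor", "major", "severe", "unlikely"),
    Risk("Marketing website", "Denial of service makes the public site unavailable",
         "Marketing Manager", "negligible", "negligible", "moderate", "likely"),
    Risk("Visitor log", "Paper visitor log is misplaced",
         "Facilities Manager", "minor", "negligible", "negligible", "possible"),
]

# Assumed acceptance criterion: levels of 6 or below are accepted without treatment.
ACCEPTANCE_THRESHOLD = 6


def treatment_plan(register: List[Risk], acceptance_threshold: int) -> List[str]:
    """Human-readable output of the whole assessment, in priority order."""
    lines = []
    for risk in prioritize(register, acceptance_threshold):
        lines.append(f"{risk.level:>2}  {risk.asset} ({risk.owner}): {risk.scenario}")
    accepted = [r.asset for r in register
                if compare_to_criteria(r, acceptance_threshold) == "accept"]
    lines.append("accepted: " + ", ".join(accepted))
    return lines


if __name__ == "__main__":
    print("\n".join(treatment_plan(SAMPLE_REGISTER, ACCEPTANCE_THRESHOLD)))
```

Run as a script, the register comes out with the customer database first (level 15), the website second (12) and payroll third (10), while the visitor log (6) sits at the threshold and is accepted. Changing the scales or the threshold changes the ordering, which is exactly why the standard asks the organization to fix its criteria before assessing.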
Analyzing and Fixing Risk through RM
There are a few ways to approach and treat risk in RM. They are given below:
Avoidance
This entails changing plans to eliminate a risk. This strategy is good for risks that could potentially have a significant impact on a business or project.
Transfer
Transfer is applicable to projects with multiple parties. It is not used frequently and often includes insurance. Transfer is also known as “Risk Sharing”.
Mitigation
Mitigation is limiting the impact of a risk so that if a problem occurs it will be easier to fix. This is the most common approach and is also known as “Optimizing risk” or “Risk reduction”.
Exploitation
Some risks are positive; for example, a product may be so popular that there is not enough staff to keep up with sales. In such a case, the risk can be exploited by adding more sales staff.
Management should ensure that these risk identification activities are performed to determine the Company’s information security risk profile.
End of Part II
DRASINT RISK ALLIANCE is the sole owner of the published content