
RISK MANAGEMENT IN CYBERSECURITY

Risks are an unavoidable aspect of life, and we are all immediately aware of them. A risk is the chance of something going wrong and having a bad outcome. Risk management is at the center of most businesses and the core of many sectors, including insurance. To gain a competitive advantage, good organizations identify and manage risks efficiently.

In this session, we’ll look at some fundamental risk concepts and how they relate to cybersecurity.

Risk value = Consequence x Likelihood

The impact and accompanying damages are referred to as the consequence.

The likelihood of a risk impact is the frequency with which it occurs.

For mathematical reasons, it would be ideal if we had accurate statistical data for each risk. If we know that one out of every ten cars will have a flat tire in a given year, we can readily calculate the related risk value.

The following is an example of the risk value equation applied to the prior flat tire scenario. A flat tire on the way to work can cost an individual a day’s worth of productivity, so the consequence of this risk is one lost day of work. While this result is inconvenient, keep in mind that the likelihood is small – one out of every ten cars in a given year. As a result, we may consider the overall risk to be modest.

Because of the ongoing growth of technology and the involvement of outside adversaries, it’s difficult to quantify the likelihood of cybersecurity risks. As a general rule, the likelihood of an organization being attacked is influenced by three factors.

Likelihood = Adversary capability x Adversary motivation x Vulnerability severity

An adversary is a broad term that refers to any entity that seeks to undermine an information system. You will learn more about adversary classification later in this course. You’ll be able to assign values to their capabilities and motivations as a result of this.

Vulnerabilities are flaws in a system that could be exploited to compromise it. A vulnerability could, for example, be a webpage that does not properly authenticate a user.

The following is an example of the second equation. Consider a bank that is being targeted by a criminal group looking to steal users’ financial login information and passwords.

Because criminals might utilize a variety of tools and design their own if necessary, the adversary capability could be classified as medium.

Because they may attempt many attacks over a period of time, their motivation could be considered high.

Because it is relatively straightforward to exploit, a discovered vulnerability could be rated as high. Certain vulnerabilities, for example, have publicly available descriptions that allow attackers to readily reproduce attacks.

Note: Using the phrases “low,” “medium,” and “high” to rate risk is an example of qualitative risk analysis. In a perfect world, we’d utilize exact numbers or percentages; nevertheless, these can be difficult to come by, thus estimates are frequently the only option.

Response to a threat

The emphasis is then placed on risk management, or response, once a business has analyzed all of its risks. In general, an organization has four options for dealing with risk. They are listed in the table below.

Accept: The organization accepts the risk in its current form. This is a decision that will be made by a senior individual within the organization, referred to as a “risk owner”.
Reduce: The organization could decide a risk is too large to accept and aim to have it reduced in some fashion. This could either be through reducing the likelihood or consequence.
Transfer: The organization may want a third party to accept the risk, or part of it, instead of accepting it themselves. This is done via insurance.
Reject: The organization could decide a risk is too high and may withdraw from being affected by it. This will have significant business impacts such as shutting down sites or avoiding markets.

EXAMPLE

Let’s take a look at these four risk responses. Assume you’re thinking of launching a home-based cake baking business. If you set your oven on fire while baking, you run the risk of causing damage to your kitchen. Here are a few options for dealing with this risk.

Acceptance: You might assess the risk and, confident in your baking skills, take the chance that nothing will go wrong. If something goes wrong with your baking, you know how to fix it and are prepared to do so.

Reduction: You determine that putting your kitchen and oven at high risk is not something you want to do, so you lessen the risk. Installing a smoke detector to provide early warning could lessen the likelihood of fire-related events. By installing a fire suppression system, you can lessen the impact of a fire. Both solutions will cost a little money, but you think they’re worth it.

Transference: You contact your insurance company and request that your policy be upgraded to include coverage for fires caused by home cooking. They carry out their own risk assessment. You and your partner agree on a price to pay them to offset the risk. They will cover the charges if your oven catches fire. This arrangement comes at a price at first, but it limits your liability.

Rejection: You determine that the risk of an oven fire is too great. You might alter recipes to bake cakes without using an oven, or you could choose not to start your business at all.

As you can see, even a simple example has a lot to think about. Businesses that use quickly changing IT technology are exposed to a variety of risks that are constantly changing. In many firms, risk management is a full-time job that informs many strategic and tactical decisions.

Risk Appetite 

A company’s risk appetite is the amount of risk it is willing to take.

If a company is willing to take a high amount of risk, it is said to have a high risk appetite.

If a company does not like taking risks, it is considered to have a low risk appetite.
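
The two equations, the bank scenario and the idea of risk appetite can be tied together in a small risk register. This is an added example, not part of the original lesson: the 1-3 ordinal scale, the appetite threshold, the "high" consequence assigned to the bank risk and the second (defacement) risk are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Assumed ordinal mapping for the qualitative ratings used in the lesson.
SCALE = {"low": 1, "medium": 2, "high": 3}
MAX_PRODUCT = 3 ** 3   # largest possible capability x motivation x severity
APPETITE = 1.0         # assumed risk appetite on the 0..3 risk value scale


@dataclass(frozen=True)
class Risk:
    name: str
    capability: str    # adversary capability
    motivation: str    # adversary motivation
    severity: str      # vulnerability severity
    consequence: str   # impact if the risk materialises


def likelihood(r: Risk) -> float:
    """Likelihood = capability x motivation x severity, normalised to 0..1."""
    product = SCALE[r.capability] * SCALE[r.motivation] * SCALE[r.severity]
    return product / MAX_PRODUCT


def risk_value(r: Risk) -> float:
    """Risk value = Consequence x Likelihood, giving a score between 0 and 3."""
    return SCALE[r.consequence] * likelihood(r)


def triage(risks, appetite=APPETITE):
    """Rank risks highest first and flag those that exceed the risk appetite."""
    ranked = sorted(risks, key=risk_value, reverse=True)
    return [(r.name, round(risk_value(r), 2), risk_value(r) > appetite)
            for r in ranked]


# The bank scenario from the lesson: medium capability, high motivation,
# high vulnerability severity. The "high" consequence is an assumption.
BANK = Risk("Bank credential theft", "medium", "high", "high", "high")
# Constructed second entry so the ranking has something to compare against.
DEFACEMENT = Risk("Marketing page defacement", "low", "medium", "medium", "low")

# "Reduce" response: fixing the flaw lowers vulnerability severity, which
# lowers likelihood and brings the risk back inside the appetite.
BANK_PATCHED = replace(BANK, severity="low")

if __name__ == "__main__":
    for row in triage([BANK, DEFACEMENT]):
        print(row)
    print("after reduction:", triage([BANK_PATCHED]))
```

Only the severity rating changes between BANK and BANK_PATCHED, which shows why reducing a vulnerability is often the most direct lever a defender has: capability and motivation belong to the adversary.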

 
