22.3 Governance Risk and Compliance
Risk Identification
The process of finding out "what bad things could happen?" by listing all your valuable stuff, the threats that could harm it, and any weaknesses that could be exploited.
CISA
(Cybersecurity and Infrastructure Security Agency)
catalog of known vulnerabilities
the main U.S. government agency focused on protecting critical infrastructure (like power grids, water systems, communications) and federal networks from cyber and physical threats. They act as a central hub for cybersecurity information and assistance for both government and private industry.
US-CERT
(United States Computer Emergency Readiness Team)
alerts on cyber threats
part of CISA that specifically focuses on responding to major cyber incidents, analyzing threats, and sharing vital cybersecurity information with the public and private sectors in the U.S.
ISAC
(Information Sharing and Analysis Centers)
industry-specific threat sharing
industry-specific organizations where companies in the same critical infrastructure sector (like finance, energy, healthcare) share cyber threat information and best practices with each other. It's a way for competitors to collaborate on security to protect the whole industry.
OSINT
(open source intelligence):
blogs, news, reports (e.g., Krebs on Security)
OSINT is cybersecurity information collected from publicly available sources on the internet. This includes things like news articles, social media, public government reports, company websites, forums, and even things like Google Maps or public records.
Risk Assessment
Identify assets & what risks could affect them
Qualitative Risk Assessment
(subjective: can vary based on who is assessing):
- Uses rating scales (e.g., high/medium/low)
- Uses heat maps (impact vs. likelihood)
SLE
(Single Loss Expectancy):
Asset Value (AV) x Exposure Factor (EF)
The monetary loss you expect from a single occurrence of a risk.
ARO
(Annualized Rate of Occurrence):
How many times a year an event is expected.
ALE
(Annualized Loss Expectancy):
SLE x ARO
The total estimated monetary loss from a specific risk over a year.
AV
(Asset Value):
The worth of the asset being protected.
EF
(Exposure Factor):
The percentage of the asset's value that would be lost if the risk occurs.
Quantitative Risk Assessment
(objective):
- Uses numerical values, like $ loss
- Example: “40% chance of $10M ransomware loss”
- Uses FAIR model (Factor Analysis of Information Risk)
- [[SLE]] (Single Loss Expectancy): Asset Value ([[AV]]) x Exposure Factor ([[EF]])
- [[ARO]] (Annualized Rate of Occurrence): How many times a year an event is expected.
- [[ALE]] (Annualized Loss Expectancy): SLE x ARO
NIST SP 800-30
It's a U.S. government guideline (from NIST) that provides a standard, step-by-step way for organizations to conduct security risk assessments.
Risk Mitigation
Choose how to deal with each risk.
- 4 Risk Response Strategies:
1. Accept – Do nothing if risk is low or cost is too high to fix
2. Mitigate – Add controls to reduce likelihood or impact
3. Transfer – Shift risk (e.g., buy cyber insurance)
4. Avoid – Stop the risky activity altogether
- Cost-Benefit Analysis is critical
- Don’t spend more to fix a risk than what it would cost to accept it
- Match risk decisions with risk appetite (acceptable level)
4 Risk Response Strategies
Accept:
When: Low risk, or cost to fix is higher than potential loss.
Example: A very minor bug on a non-critical internal webpage.
Mitigate:
When: Risk is significant and can be reduced. This is often the most common strategy.
How: Implementing new security controls (e.g., adding a firewall, patching systems, encrypting data, providing security awareness training, deploying a Cloud WAF like AWS WAF).
Goal: Decrease the likelihood of the threat occurring, or reduce the impact if it does.
Transfer:
When: You want to shift the financial burden or responsibility to a third party.
How:
Cyber Insurance: The most common example. If a breach occurs, the insurance company covers some or all of the financial loss.
Outsourcing/Third-Party Agreements: Transferring the responsibility for security to a cloud provider (though the ultimate accountability for data often remains with the organization).
Avoid:
When: The risk is too high to accept or mitigate, and you decide the activity isn't worth the risk.
How: Stopping a particular business activity, discontinuing a problematic service, or not implementing a new technology.
Example: Deciding not to store sensitive customer data online if the risk of breach is too great for your current security capabilities.
Cost-Benefit Analysis
Don’t spend more to fix a risk than what it would cost to accept it
Risk Monitoring
Watch for changes in threats, assets, and vulnerabilities.