An incident where an unauthorized party successfully gains access to systems, networks, or sensitive data.
Breach
Discovering potential threats and vulnerabilities that could harm an organization before they are exploited
Risk identification
A quick, informal risk evaluation performed when an unexpected issue or change occurs, rather than as part of a scheduled process. Occurs only when needed/on the spot.
Risk assessment - Ad Hoc
Type of risk assessment that is conducted at regular intervals, such as quarterly or annually.
Risk assessment - Recurring
Conducted for specific scenarios, such as before launching a new product or implementing a new IT system. They are focused and are typically not repeated unless there are significant changes to the initial conditions.
Risk assessment - One-Time
Involves ongoing monitoring and analysis of the risk landscape. Uses real-time data and automated tools to constantly evaluate risk levels. It is extremely important as technology continues to advance.
Risk assessment - Continuous
The process of measuring risk using numerical values (money, percentages, or probabilities) to calculate the potential impact of a threat.
Quantitative
Dollar value of an asset. How much something is worth to the company in money terms.
Asset Value (AV)
The percentage of loss that an organization would experience if a specific asset were violated.
Exposure factor
The estimated monetary loss an organization would suffer if a single security incident occurs and an asset is fully or partially compromised.
Single loss expectancy (SLE)
Asset Value (AV) × Exposure Factor (EF)
What is the formula for Single loss expectancy (SLE)
The expected frequency with which a specific threat or risk will occur within a single year.
Annualized rate of occurrence (ARO)
It calculates the expected total yearly financial loss from a specific risk or threat based on how often it happens.
Annualized loss expectancy (ALE)
Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)
What is the formula for Annualized loss expectancy (ALE)
Involves assessing risks based on subjective criteria (opinions), such as expert opinions, scenario analysis, and industry best practices. Typically categorizes risks into levels, such as low, medium, or high, based on their perceived severity and likelihood.
Qualitative
A document or tool used to record, track, and manage identified risks, including their likelihood, impact, priority, and mitigation plans.
Risk Register
Metrics used to measure and monitor the likelihood and impact of risks. They provide early warning signs that a risk may be increasing or decreasing in severity.
Key risk indicators (KRI)
Someone in a management role who has the authority and knowledge to implement risk responses. It is someone who is responsible for managing and mitigating that specific risk.
Risk Owners
The level of risk an organization is willing to accept before it takes action to reduce, avoid, or mitigate that risk.
Risk threshold
Refers to the risk that an organization is prepared to pursue, retain, or take in its operations. It reflects the organization's attitude towards risk and is shaped by factors like business goals, market conditions, etc. Think "How spicy you like your food overall."
Risk appetite
The amount of risk the organization is willing to take before action is required. Think "How much spice you can handle in this specific meal before stopping."
Risk tolerance
Indicates a willingness to take on higher levels of risk in pursuit of greater rewards. Organizations with this appetite are often in growth phases, seeking competitive advantage, and willing to invest in new opportunities.
Expansionary Risk appetite
This appetite implies a preference for lower risk and a focus on stability and predictability. Organizations with this appetite prioritize protecting assets and minimizing potential losses over seeking high-risk opportunities.
Conservative Risk appetite
This appetite strikes a balance between expansionary and conservative approaches. Organizations with this appetite are willing to accept some level of risk for reasonable returns, but are not inclined to pursue high-risk opportunities.
Neutral Risk appetite
Involves changing plans or procedures to eliminate the risk or to remove the organization's exposure to it. This might mean not implementing a certain system or technology that introduces high risk.
Risk Avoidance
Refers to taking steps to reduce the likelihood or impact of a risk. This can involve implementing security controls, updating software, and improving user training. However, it doesn't necessarily remove the risk completely.
Risk Mitigation
This means shifting the impact of a risk to a third party. This is often done through insurance policies, where a company transfers the financial risk to an insurance provider, or through outsourcing, where certain IT services or processes are managed by external vendors.
Risk Transfer
A conscious decision to take no action at all against a particular risk. This strategy is chosen when the cost of mitigating the risk is greater than the potential loss from the risk itself, or if the likelihood of the risk is low.
Risk Acceptance
A rule does NOT apply to you at all from the start.
Exemption
The rule normally applies, but you are allowed to break it in a special case.
Exception
Involves taking advantage of the potential positive impacts of a risk. While this is less common in cyber security, it could involve leveraging a risky technological innovation that could give the organization a competitive advantage.
Risk Exploitation
The process of communicating information about identified risks, their analysis, and mitigation strategies to relevant stakeholders. It ensures transparency and informs decision-making.
Risk Reporting
The process of identifying critical business functions and determining the impact on the organization if those functions are disrupted. Example: If a bank's payment system goes down for 1 hour → lost transactions and revenue.
Business impact analysis
The maximum acceptable time a system can be down before it must be restored (downtime). Simple meaning: How fast do we need to be back online?
Recovery Time Objective (RTO)
The maximum acceptable amount of data loss, measured in time (data loss). Simple meaning: How much data can we lose?
Recovery Point Objective (RPO)
The average time it takes to fix and restore a failed system. Simple meaning: How long does it take to fix something?
Mean Time to Repair (MTTR)
The average time a system runs before it fails again. Simple meaning: How reliable is the system?
Mean Time Between Failures (MTBF)