Cybersecurity Risk Management and Asset Valuation Concepts

Asset Valuation
Assigning financial value to information assets in transit, at rest, or in use.

Benchmarking
Comparing security processes with peer organizations to determine acceptable standards and asset valuation practices.

Business Continuity (BC) Plan
Long-term strategy that keeps business operations running when disasters exceed the capabilities of the Disaster Recovery plan.

Confidentiality, Integrity, and Availability (CIA Triad)
Three core pillars of information security.

Cost Avoidance
Preventing financial loss by putting controls in place.

Cost-Benefit Analysis (CBA)
Determining if a security control is economically worth implementing.

Cybersecurity (Information Security)
The complete set of controls created to protect an organization’s information assets.

Cybersecurity Risk
Risks arising from losing confidentiality, integrity, or availability of information assets.

Cybersecurity Risk Mitigation
Using prevention, detection, and remediation processes to reduce cybersecurity threats.

Disaster Recovery (DR) Plan
Steps and strategies for restoring operations after an incident.

Impact
Total damage incurred if a threat exploits a vulnerability.

Incident Response (IR) Plan
Guides immediate actions during an incident—what to do and who to contact.

Information Risk
Likelihood that unauthorized access or actions will compromise data confidentiality, integrity, or availability.

IT Risk Management
Policies, procedures, and technologies used to reduce IT threats and vulnerabilities.

Likelihood
Probability that a threat will occur.

Personally Identifiable Information (PII)
High-risk data like name, birth date, social security number, or IP address.

Residual Risk
Risk that remains after controls are applied.

Risk
Potential for negative business outcomes.
Formula: Risk = Threat × Vulnerability × Asset

Risk Appetite
Level and type of risk an organization is willing to accept.

Risk Assessment
Process of identifying and evaluating risks to assets.

Risk Control
Identifying, analyzing, prioritizing, and monitoring risks to organizational information.

Risk Control Strategies
Five approaches to handling risk: Defend, Transfer, Mitigate, Accept, Terminate.

Risk Identification
Identifying, classifying, and prioritizing information assets.

Threat
Any event that could harm an organization’s people or assets.

Two-Factor Authentication (2FA)
Additional login security that protects against phishing, password attacks, and social engineering.

Vulnerability
A weakness that could be exploited by a threat.