CyberPhorm Tips Series {CTS 3} – Risk Management Simplified


Welcome to CyberPhorm tips for security exams (CTS 3). The name has been changed from ‘CISSP Tips Series’ to ‘CyberPhorm Tips Series’ to indicate that the tips are valid for many other security exams as well, not just the CISSP. This episode aims to simplify the major concepts under risk management. Bullet points have been used to aid assimilation. We are confident our CTS series will go a long way in supporting your preparation for security exams.

Introduction

  • Risk: a risk is rated on two major factors: likelihood and impact.
  • Likelihood is the chance of something happening; e.g., is the chance very low, low, high or very high?
  • Impact is the potential effect if the incident occurs. What would happen if it did? Would the effect be minor, moderate, major or severe? (See fig. 1 below.)
  • Bringing likelihood and impact together with an example: if you are about to walk down the stairs, there is a chance you may fall, but that chance may be very low (i.e., very unlikely). If the staircase is wet, the chance could be low (i.e., unlikely). If it is dark and wet, the chance could become high (i.e., likely). If it is dark and wet and you have to run down the stairs, the chance of falling may become very high (i.e., very likely). Note that only the likelihood changes in this example; the impact of a fall (a bruise or a broken bone) is the same however you reach the bottom.
  • Annex E of ISO/IEC 27005 describes approaches for conducting an information security risk assessment.

Figure 1. Sample risk assessment chart. (Credit: Israel Kalenga on Pinterest)

  • As can be seen from the sample chart above, the higher the likelihood and the impact, the higher the risk. However, if the likelihood is rare or unlikely but the impact is severe, the chart rates the risk as medium (or low, for the rarest cases) rather than high: the incident would cause a serious problem if it occurred, but the chance of it occurring is very low. Exactly where the boundaries between low, medium and high fall depends on the scoring the chart uses, so an organisation should agree on one matrix and apply it consistently to every risk it assesses. Any further questions about this can be posted in the comments below or sent as a DM on Twitter/Instagram @cyberphorm.
  • So, for example, if you had a database server facing the public network without a firewall or intrusion detection system, the chance of a successful ransomware attack would be far higher than if you had a firewall and other layers of security in place. Appropriate security controls reduce the chance of a successful attack, and business continuity policies and disaster recovery plans reduce the potential impact of security incidents if/when they occur. Controls reduce risk rather than remove it: what is left after the controls is the residual risk, and it is the residual risk that decision makers ultimately live with.
  • A risk does not necessarily mean an incident will occur; it expresses the chance of occurrence and the possible impact if an incident does occur.
  • In addition, risk assessments inform other decisions made by a company or organisation, e.g., which security protocols, technologies and policies to put in place, and many other strategic decisions.
  • The process of identifying risks and determining their likelihood and possible impact is referred to as risk assessment.
  • Controls can then be put in place to eliminate or reduce the likelihood and/or impact of the identified risks.
  • Once risks are identified, risk management techniques (also called risk treatment or control strategies) can be applied. They include: avoidance, acceptance, mitigation, transference and sharing (sharing, e.g., through insurance or a contracted third party, is often grouped with transference).

Risk Management Strategies

  • Risk Acceptance: the risk is accepted by the decision makers, probably because the activity that carries it is a key component of the business and cannot be done without, because the benefits outweigh the potential impact (in money, time or other resources), or because the cost of treating it would exceed the expected loss. Acceptance should be a documented decision by someone with the authority to make it, not simply the absence of a decision.
  • Risk Avoidance: the process or product that poses the risk is discontinued or terminated, so the risk no longer applies to the organisation.
  • Risk Mitigation: implementing controls to reduce the likelihood of an incident occurring or the potential impact should it occur. For example, implementing layered security to reduce the chance of a successful cyberattack, or a tested backup and recovery process to reduce the impact of one.
  • Risk Transference: shifting a risk to a third party. For example, you could subcontract online payment services for your website to a trusted third party to take away the liability of storing and protecting credit card information, and much of the cost of complying with card industry standards such as PCI DSS. Obtaining insurance is also a form of risk transference. Note that transference reduces the share of the impact your organisation bears; it does not change the likelihood of the event, and accountability for your own environment stays with you (e.g., you still have to confirm the provider's PCI DSS compliance and secure the parts of the payment flow you control).
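The rating step from the Introduction and the treatment strategies above, as a worked example added here (not code from the CyberPhorm post). It assumes a 5x5 qualitative matrix: the `Likelihood` and `Impact` scale names, the score bands (chosen so that a rare-or-unlikely but severe event rates medium, as the post says), and the number of steps each control moves the database-server scenario are all assumptions for illustration, not values taken from the post's chart.

```python
"""Qualitative 5x5 risk matrix with risk treatment (added example, not from the post)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Optional


class Likelihood(IntEnum):
    """Chance of the event occurring, ordered lowest to highest (assumed scale)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    """Effect if the event occurs, ordered least to most serious (assumed scale)."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


# Assumed score bands (upper bound, label); the post's chart is not reproduced here.
# Chosen so that rare x severe (5) and unlikely x severe (10) both rate "medium".
BANDS = ((4, "low"), (10, "medium"), (19, "high"), (25, "critical"))


def risk_score(likelihood: Likelihood, impact: Impact) -> int:
    """Risk = likelihood x impact on the ordinal 1..5 scales, giving 1..25."""
    return int(likelihood) * int(impact)


def risk_level(likelihood: Likelihood, impact: Impact) -> str:
    """Map a score onto the chart's colour bands."""
    score = risk_score(likelihood, impact)
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} outside the 1..25 matrix")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Likelihood
    impact: Impact

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def _step(value: IntEnum, cls, steps: int):
    """Move an ordinal rating down by `steps`, never below the scale minimum."""
    return cls(max(min(cls), int(value) - steps))


def mitigate(risk: Risk, likelihood_steps: int = 0, impact_steps: int = 0) -> Risk:
    """Controls lower likelihood (preventive) and/or impact (recovery). Residual risk remains."""
    return replace(risk,
                   likelihood=_step(risk.likelihood, Likelihood, likelihood_steps),
                   impact=_step(risk.impact, Impact, impact_steps))


def transfer(risk: Risk, impact_steps: int) -> Risk:
    """Insurance or outsourcing shifts part of the impact to a third party;
    the likelihood of the event itself is unchanged."""
    return mitigate(risk, impact_steps=impact_steps)


def avoid(risk: Risk) -> Optional[Risk]:
    """Stop the activity: the risk no longer exists for the organisation."""
    return None


def accept(risk: Risk) -> Risk:
    """Decision makers live with the risk; nothing about it changes."""
    return risk


def render_matrix() -> list[str]:
    """Text version of the 5x5 chart: rows are likelihood (high at top), columns impact."""
    rows = []
    for lk in reversed(Likelihood):
        cells = [risk_level(lk, im)[:1].upper() for im in Impact]
        rows.append(f"{lk.name:<15}" + " ".join(cells))
    return rows


def public_db_scenario() -> dict[str, Risk]:
    """The post's example: internet-facing DB server, before and after controls (assumed step sizes)."""
    inherent = Risk("ransomware on public DB server", Likelihood.LIKELY, Impact.SEVERE)
    after_firewall_ids = mitigate(inherent, likelihood_steps=2)   # preventive controls
    after_dr_plan = mitigate(after_firewall_ids, impact_steps=1)  # recovery controls
    return {"inherent": inherent, "firewall_ids": after_firewall_ids, "dr_plan": after_dr_plan}


if __name__ == "__main__":
    for row in render_matrix():
        print(row)
    for stage, r in public_db_scenario().items():
        print(f"{stage:<13} {r.likelihood.name}/{r.impact.name} -> {r.score} ({r.level})")
```

Running it prints the matrix and the three stages of the database-server example. The point to take from it is that the firewall and IDS move the risk by lowering likelihood while the DR plan moves it by lowering impact, that `transfer` only ever touches impact, and that none of the treatments except `avoid` takes the score to zero.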

To be continued...

Check out and follow our TikTok to get video tips, tricks and tutorials.

7 thoughts on “CyberPhorm Tips Series {CTS 3} – Risk Management Simplified”

  1. I would like to know whether you can modify your website and how I can subscribe to a blog site. The write-up helped me a lot, because I was somewhat familiar with this subject and your programme gave me a clear and enlightening concept.

  2. I was recommended this website by my cousin. I am not sure whether this post is written by him, as nobody else knows such detail about my difficulty. You are wonderful. Thanks.

  3. Elevate your website’s quality with Toolifygo! Our suite of SEO, text, and image tools is designed to enhance every aspect of your online presence. Make your site irresistible to both search engines and audiences. Experience the uplift with Toolifygo today.
