CIS Risk Assessment Method (CIS RAM) overview

Xavier Briand
Feb 4, 2019 · 4 min read

Following the recommendation of the BHIS team, I’m diving into the twenty CIS Controls, using my household as a proxy for an organization.

The CIS Controls™ are a community-built set of prioritized cybersecurity guidance.

While I was browsing the CIS website, I also found their risk management tool, CIS RAM (Risk Assessment Method).
Controls are part of the risk mitigation phase of a broader risk management initiative:

Diagram from the “RITx: Cybersecurity Risk Management” on edX

Therefore, let’s start at the beginning of the circle and use CIS RAM to do a self-assessment.

CIS Risk Assessment Method (CIS RAM)

CIS RAM is an interesting method at many levels. It conforms to and supplements standards such as ISO 27005, NIST Special Publication 800-30 and ISACA’s Risk IT. It also bridges two different risk analysis traditions: the well-known one found in U.S. regulations and InfoSec standards, Risk = Impact x Likelihood, and the less well-known “Calculus of Negligence” or “Learned Hand Rule” that courts use to judge whether a burden was reasonable. As such it incorporates principles and practices from Duty of Care Risk Analysis (DoCRA).

The Duty of Care Risk Analysis Standard[…] presents principles and practices for analyzing risks that addresses the interests of all parties potentially affected by those risks. […] the basis for determining whether the organizations bear responsibility and liability often centers on the concepts of a “duty of care” and “due care.” Duty of care risk analysis helps organizations determine whether they apply safeguards that appropriately protect others from harm while presenting a reasonable burden to themselves.

Caption from CIS RAM v1.0

CIS RAM puts emphasis on the multiple dimensions of Impact (in the classic Risk = Impact x Likelihood), resulting in this definition of risk:
Risk = Max (Mission Impact, Objectives Impact, Obligations Impact) x Likelihood.

Safeguard risks

CIS RAM also replaces the concept of Residual Risk, the risk that remains after mitigation, with Safeguard Risk:

The purpose behind evaluating residual risk this way is to address the fact that new controls often have unintended consequences. […] Security controls may reduce the risk to security obligations by controlling access to data, but may increase the risk to the organization’s mission which requires sharing the data. Legal decisions and regulations consider these excessive safeguards as “burdens” because they may harm the organization that is trying to protect the data.
By evaluating safeguard risk using the same criteria that are used to evaluate risks, organizations will be more cognizant of the true cost of controls […].

Furthermore:

The risk analysis provided in the CIS RAM is at its root a question of balance between the potential of future harm against the certain burden of a safeguard. Regulators and litigators have long considered this balance as key to acting as a “reasonable person.”

Here is an example:

Caption from CIS RAM v1.0

Information security controls are very often considered to be a hindrance to business. Users often complain that security controls get in the way of productivity, efficiency, ease of collaboration and communication, and other business-impacting concerns. Organizations should take these complaints seriously. Fortunately, regulators have provided organizations with a means to evaluate these concerns. Moreover, courts consider the burden of safeguards in lawsuits and would understand the reasoning that this risk analysis provides.

By evaluating risks and their recommended safeguards using the same criteria, organizations ensure that risk analysis addresses the concerns of all parties within and outside of their organization, and provides evidence of their conscientious decision to regulators and judges.
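To make the two ideas above concrete, the risk formula Risk = Max(Mission Impact, Objectives Impact, Obligations Impact) x Likelihood, and the scoring of a safeguard with the same criteria as the risk it addresses, here is a small worked example. It is added to this post and is not code from CIS RAM or from the article; the 1..5 scales, the acceptance threshold of 6, the household scenario and the rule that a safeguard is “reasonable” when its safeguard risk is acceptable and lower than the risk it addresses are all assumptions made for illustration. CIS RAM ships its own impact and likelihood tables and acceptance criteria, which an organization defines for itself.

```python
"""
Added example, not code from the article or from CIS RAM: a minimal risk
register that scores risks the way the text describes,
    risk = max(mission impact, objectives impact, obligations impact) x likelihood,
and then scores a proposed safeguard with the same criteria, so that an
"excessive" safeguard shows up as a burden rather than as a free reduction.

Assumptions (CIS RAM leaves these for each organization to define):
  - ordinal 1..5 scales for every impact dimension and for likelihood;
  - an acceptance threshold ACCEPTABLE_RISK on the resulting score;
  - the safeguard risk is the higher of (a) the risk that remains once the
    safeguard is in place and (b) the harm the safeguard itself causes to
    mission, objectives or obligations (its burden);
  - a safeguard is reasonable when that safeguard risk is acceptable and
    lower than the risk it addresses.
"""
from dataclasses import dataclass

SCALE = range(1, 6)      # assumed 1..5 ordinal scale
ACCEPTABLE_RISK = 6      # assumed acceptance criterion, e.g. impact 3 x likelihood 2


def _check(value: int, what: str) -> int:
    """Reject scores outside the assumed scale instead of silently mis-scoring."""
    if value not in SCALE:
        raise ValueError(f"{what} must be in {SCALE.start}..{SCALE.stop - 1}, got {value}")
    return value


@dataclass(frozen=True)
class Impact:
    mission: int
    objectives: int
    obligations: int

    def score(self) -> int:
        # CIS RAM takes the highest of the three impact dimensions
        return max(_check(self.mission, "mission"),
                   _check(self.objectives, "objectives"),
                   _check(self.obligations, "obligations"))


@dataclass(frozen=True)
class Risk:
    description: str
    impact: Impact
    likelihood: int

    def score(self) -> int:
        return self.impact.score() * _check(self.likelihood, "likelihood")


@dataclass(frozen=True)
class Safeguard:
    description: str
    remaining: Risk   # the original risk re-estimated with the safeguard in place
    burden: Risk      # the new risk the safeguard itself creates (assumed model)

    def score(self) -> int:
        return max(self.remaining.score(), self.burden.score())


def is_acceptable(score: int, threshold: int = ACCEPTABLE_RISK) -> bool:
    return score <= threshold


def evaluate(risk: Risk, safeguard: Safeguard, threshold: int = ACCEPTABLE_RISK) -> dict:
    """Score a risk and a candidate safeguard with the same criteria and decide
    whether the safeguard is reasonable under the assumptions above."""
    before, after = risk.score(), safeguard.score()
    return {
        "risk": before,
        "safeguard_risk": after,
        "burden": safeguard.burden.score(),
        "reasonable": is_acceptable(after, threshold) and after < before,
    }


# Constructed household scenario (the post uses a household as a proxy organization)
EXPOSED_SHARE = Risk(
    "Family file share (medical records) reachable from the internet",
    Impact(mission=2, objectives=3, obligations=5), likelihood=4)          # scores 20

VPN_AND_MFA = Safeguard(
    "Reach the share only over VPN with MFA",
    remaining=Risk("Share reachable only to authenticated family", Impact(2, 3, 5), likelihood=1),  # 5
    burden=Risk("Family cannot reach documents when the VPN is down", Impact(3, 2, 1), likelihood=2))  # 6

PULL_THE_PLUG = Safeguard(
    "Take the file share offline for good",
    remaining=Risk("No share, no exposure", Impact(1, 1, 1), likelihood=1),                 # 1
    burden=Risk("Nobody can reach shared documents at all", Impact(5, 3, 1), likelihood=5))  # 25

if __name__ == "__main__":
    for sg in (VPN_AND_MFA, PULL_THE_PLUG):
        print(f"{sg.description}: {evaluate(EXPOSED_SHARE, sg)}")
```

Run as a script, the VPN-plus-MFA safeguard brings the safeguard risk to 6 (driven by its own burden, not by the remaining exposure) and is judged reasonable, while taking the share offline eliminates the exposure but carries a burden of 25 to the household’s mission, which is exactly the “excessive safeguard” the quoted passage warns about.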

Security management capability tiers

CIS RAM uses the NIST Cybersecurity Framework Implementation Tiers. The Tiers indicate:

how an organization views cybersecurity risk and the processes in place to manage that risk.
— NIST Cybersecurity Framework

From NIST’s “An Introduction to the Components of the Framework”

My journey into Cybersecurity

My experience trailblazing the practice of Cybersecurity
