Risk Management

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
Jul 14, 2023

Risk is a part of our lives, and that applies to cybersecurity as well. In cybersecurity, risk is the probability of loss due to a threat that damages information systems or organizational assets. The damage caused by the event is the risk impact. Risk management comprises all the activities to recognize those threats and reduce them to an acceptable level.

About Risk

Risk levels

  • High risk — the threat is very high and the impact and cost of an event can be catastrophic
  • Lower risk — the risk is present but actions can be taken to lower the impact
  • Acceptable risk — although the risk of an event exists, controls are implemented to prevent loss

Risk source

  • Internal
  • External

Risk Management

Risk cannot be eliminated but can be managed to an acceptable level. This is a four-step process:

  1. Frame the risk. Identify threats that include loss or damage of processes and products, attacks, potential failure or disruption of services.
  2. Assess the risk. Determine the severity of the threat either by financial impact — quantitative analysis — or by impact on operations — qualitative analysis.
  3. Respond. Develop an action to reduce overall risk exposure by eliminating, mitigating, transferring or accepting the risk.
  4. Monitor. Review risk reduction measures and keep a log with details about the risk, implemented controls and response strategies.

Risk Assessment

Risk assessment is an act of rational thinking and has four goals:

  1. Identify assets and their value.
  2. Identify vulnerabilities and threats.
  3. Quantify the probability and impact of those threats.
  4. Balance the impact of the threats against the cost of the countermeasure.

Quantitative analysis

In this approach, the objective is to quantify the cost of the risk using the following parameters:

  • Asset Value (AV). It can be the cost of fixing or replacing the asset or the value gained by its use.
  • Exposure Factor (EF). A percentage representing the loss due to the risk, with 100% being total loss.
  • Single Loss Expectancy (SLE). The amount lost due to a single occurrence (AV x EF).
  • Annualized Rate of Occurrence (ARO). The probability of a loss during a year.
  • Annual Loss Expectancy (ALE). The expected yearly cost of the risk (SLE x ARO).
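
The parameters above chain into two formulas, SLE = AV x EF and ALE = SLE x ARO. The following is an added worked example (not code from the original article) that computes them for a constructed scenario and then goes one step further than the text: it applies the standard cost/benefit check, ALE before a control minus ALE after it minus the control's annual cost, which is how the fourth risk-assessment goal (balancing threat impact against countermeasure cost) is usually put into numbers. The asset figures, the backup control and its cost are all assumptions made for the example.

```python
"""Quantitative risk analysis with the AV / EF / SLE / ARO / ALE parameters.

All monetary figures and probabilities below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: cost to repair/replace the asset, or value gained from its use
    exposure_factor: float  # EF: fraction of AV lost in a single event (1.0 = total loss)
    aro: float              # ARO: expected number of occurrences per year

    def __post_init__(self) -> None:
        # Guard against the usual data-entry mistakes: EF given as 60 instead of 0.60, negative values.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost of the control.

    This is the standard cost/benefit extension of the ALE formula; a positive
    result means the control is expected to save more per year than it costs.
    """
    return before.ale() - after.ale() - annual_cost


# Constructed scenario: a customer database that a ransomware event would leave
# 60% unusable, with such an event expected once every four years (ARO = 0.25).
DB_UNPROTECTED = RiskScenario("customer-db", asset_value=500_000, exposure_factor=0.60, aro=0.25)
# Hypothetical control: tested offline backups shrink the loss to the restore window (EF 10%).
DB_WITH_BACKUPS = RiskScenario("customer-db", asset_value=500_000, exposure_factor=0.10, aro=0.25)
BACKUP_ANNUAL_COST = 20_000  # assumed yearly cost of the backup programme


def backup_decision() -> dict:
    """Summarize the numbers a risk owner would look at before approving the control."""
    return {
        "sle_before": DB_UNPROTECTED.sle(),
        "ale_before": DB_UNPROTECTED.ale(),
        "ale_after": DB_WITH_BACKUPS.ale(),
        "net_value_per_year": safeguard_value(DB_UNPROTECTED, DB_WITH_BACKUPS, BACKUP_ANNUAL_COST),
    }


if __name__ == "__main__":
    for key, value in backup_decision().items():
        print(f"{key:>20}: {value:>12,.2f}")
```

With these inputs the unprotected ALE is 75,000 per year, the ALE with backups is 12,500, and the backups net 42,500 per year after their own cost, so the control is justified on a purely financial basis. Change the ARO to once per twenty years and the same control no longer pays for itself, which is exactly the sensitivity a quantitative model is meant to expose.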

Qualitative analysis

With this approach scenarios and opinions are used to plot the likelihood of a threat and its impact. A risk matrix is used to categorize the risk.

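
A risk matrix is just two ordinal scales multiplied together and bucketed into the risk levels from the start of the article. The example below is added here and is not part of the original post; the five-point likelihood and impact scales, the score thresholds that map onto the High / Lower / Acceptable levels, and the sample scenarios are all assumptions chosen for illustration, since every organization defines its own.

```python
"""Qualitative risk analysis: rate likelihood and impact on ordinal scales,
place each scenario in a risk matrix and rank the results.

Scale names, level thresholds and sample scenarios are constructed for this example.
"""
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


def risk_score(likelihood: Likelihood, impact: Impact) -> int:
    """Matrix cell value: likelihood x impact, from 1 to 25."""
    return int(likelihood) * int(impact)


def risk_level(likelihood: Likelihood, impact: Impact) -> str:
    """Map a matrix cell to the article's three levels (thresholds are assumptions)."""
    score = risk_score(likelihood, impact)
    if score >= 15:
        return "High"
    if score >= 6:
        return "Lower"
    return "Acceptable"


def render_matrix() -> str:
    """ASCII risk matrix: rows are likelihood (highest first), columns are impact."""
    header = "likelihood \\ impact | " + " ".join(f"{i.value:>3}" for i in Impact)
    rows = [header]
    for lk in reversed(list(Likelihood)):
        cells = " ".join(f"{risk_level(lk, im)[0]:>3}" for im in Impact)
        rows.append(f"{lk.name:>19} | {cells}")
    return "\n".join(rows)


def prioritize(scenarios: list[tuple[str, Likelihood, Impact]]) -> list[tuple[str, int, str]]:
    """Rank scenarios by matrix score, highest first; ties keep input order."""
    scored = [(name, risk_score(lk, im), risk_level(lk, im)) for name, lk, im in scenarios]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed scenarios as a workshop might record them.
SCENARIOS = [
    ("phishing leads to credential theft", Likelihood.LIKELY, Impact.MAJOR),
    ("office printer outage", Likelihood.POSSIBLE, Impact.NEGLIGIBLE),
    ("ransomware on file server", Likelihood.POSSIBLE, Impact.SEVERE),
    ("lost unencrypted laptop", Likelihood.UNLIKELY, Impact.MODERATE),
]


if __name__ == "__main__":
    print(render_matrix())
    print()
    for name, score, level in prioritize(SCENARIOS):
        print(f"{score:>2}  {level:<10} {name}")
```

The matrix letters (H, L, A) show at a glance which cells an organization has decided to treat as High, Lower or Acceptable, and `prioritize` turns the same scoring into an ordered treatment list. The value of the qualitative approach is the conversation that produces the ratings, not the arithmetic, so the thresholds should be agreed and recorded before scoring starts rather than tuned afterwards to produce a comfortable answer.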

Risk Mitigation

Risk mitigation means reducing the likelihood or severity of a loss from threats. Organizations can mitigate risk in several ways:

  • Accept the risk and periodically reassess.
  • Reduce the risk by implementing controls.
  • Avoid the risk by totally changing the approach.
  • Transfer the risk to a third party.
