Risk Matrix
Rows, likelihood of exploitation from highest to lowest: >90%, 50% - 90%, 10% - 50%, 3% - 10%, <3%
Columns: the five impact levels, from minor to business-threatening, defined below
What does each impact level mean?
Level 1: Minor problem easily handled by normal day-to-day processes
Level 2: Some disruption possible, e.g. damage equal to $500K, DDoS attacks, lost sales, server damage
Level 3: Significant time/resources required, e.g. damage equal to $1 million, low-level phishing, end-user malware, small environmental disaster
Level 4: Operations severely damaged, e.g. damage equal to $10 million, ransomware, system intrusions, APTs, severe environmental disaster, loss of private data
Level 5: Business survival is at risk, e.g. damage equal to $25 million, all sites are down, backups fail, nuclear war
Perform a Cyber Risk Analysis
Cyber risk is calculated by considering the identified security threat, its degree of vulnerability, and the likelihood of exploitation.
Specify Acceptable Level of Risk
Addressing all security risks is an inefficient use of security resources and in many cases unnecessary.
Risk Responses
Risk Mitigation: Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk, i.e. prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended by the risk management process.
Risk Assignment (Transference): Paying an external party to accept the financial impact of a given risk.
Risk Acceptance: Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood, and performing that business function with no other action.
Risk Deterrence: The process of implementing deterrents to would-be violators of security and policy.
Risk Avoidance: Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits, and not performing a certain business function because of that determination.
Risk Rejection: Denying or ignoring that a risk exists and hoping that it will never be realized. This is not a valid or prudent due-care response to risk.
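The matrix, the acceptable level of risk and the choice of response above can be tied together in a small triage routine. This is an added example, not code from the page or its cited sources: the likelihood band edges and the five impact levels are the page's, while the numeric score (matrix row times impact level), the acceptance threshold of 6 and the sample risk register are assumptions.

```python
# Added example (not from the page or its cited sources): score risks on the
# page's matrix and flag those above an acceptable level. The likelihood band
# edges and the five impact levels come from the page; the numeric score
# (matrix row x column) and the acceptance threshold are assumptions.

def likelihood_band(p: float) -> int:
    """Probability of exploitation (0..1) -> matrix row, 1 (lowest) to 5.
    "<3%" and ">90%" are strict, so 3% falls in "3% - 10%" and 90% in "50% - 90%"."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p < 0.03:
        return 1
    if p < 0.10:
        return 2
    if p < 0.50:
        return 3
    if p <= 0.90:
        return 4
    return 5


def risk_score(p: float, impact: int) -> int:
    """Assumed scoring: likelihood row times impact level (1..5), so 1..25."""
    if impact not in range(1, 6):
        raise ValueError(f"impact level must be 1..5, got {impact}")
    return likelihood_band(p) * impact


def triage(register, acceptable: int = 6):
    """Return (name, score, needs_response) per (name, probability, impact) entry.
    Scores above the acceptable level need a response (mitigate, transfer, avoid ...)."""
    out = []
    for name, p, impact in register:
        score = risk_score(p, impact)
        out.append((name, score, score > acceptable))
    return out


# Constructed sample register: (risk, estimated probability, impact level).
SAMPLE_REGISTER = [
    ("phishing of end users", 0.60, 3),          # row 4 x 3 = 12 -> respond
    ("ransomware via unpatched VPN", 0.10, 4),   # row 3 x 4 = 12 -> respond
    ("DDoS on public site", 0.03, 2),            # row 2 x 2 = 4  -> accept
    ("misdirected internal email", 0.95, 1),     # row 5 x 1 = 5  -> accept
]

if __name__ == "__main__":
    for name, score, flagged in triage(SAMPLE_REGISTER):
        print(f"{score:2d}  {'RESPOND' if flagged else 'accept'}  {name}")
```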