2 Risk Management
This chapter covers
- Risk management terminology
- Overview of the Risk management process
- Risk management methodologies
- Strategies for prioritizing risk
In the previous chapter we saw that assets have vulnerabilities and that the central goal of cybersecurity is to protect assets from threats by selecting and implementing adequate security controls. It became evident that assets have distinct value and importance (which is called sensitivity in the case of data assets).
Any organization that sets out to implement a cybersecurity program will realize that they are faced with a triangle where assets are too many (and expose too many vulnerabilities), security controls are never totally full-proof (threats are ever-evolving), and resources both financial and human are never enough. As a result, implementing the full range of security controls on all assets is unfeasible in practice due to cost.
Implementing expensive security controls for assets of low importance is an obvious inefficiency. In the same reasoning, implementing an expensive security control to mitigate a threat that may never materialize in practice is also an inefficient use of resources. Not all assets within an organization are equally important, and not all threats are equally likely to occur. This realization takes us to prioritizing security controls based on risk.