According to NIST SP 800-60 Volume 1 Revision 1, cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems, and reflect the potential adverse impacts on organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation.
Cybersecurity risk is the probability of exposure and loss of critical assets and sensitive information as a result of a cyberattack or breach within an organization’s network. Simply put, cybersecurity risk arises when a threat actor takes advantage of a vulnerability within a system.
Risk = Threats + Vulnerability
Threat: anything that can take advantage of a vulnerability that exists within the system. Such threats have the potential to steal or damage data, disrupt business processes, or create harm. Threats include DoS and DDoS attacks, advanced persistent threats (APTs), etc.
Vulnerability: a weakness, flaw, or error in a system that can be exploited by attackers to gain unauthorized access, either to steal or damage data, disrupt business processes, or create harm. Vulnerabilities include broken authentication, SQL injection, out-of-date or unpatched software, misconfiguration, etc. Vulnerabilities can be taken advantage of in several ways, which is why vulnerability management is crucial for staying ahead of criminals.
Cybersecurity Risk Management
It’s a known fact that organizations cannot eliminate or block all cyberattacks. Cybersecurity risk management is a strategic approach to prioritizing threats: an ongoing process of identifying, analyzing, evaluating, and addressing an organization’s cybersecurity threats. Implementing cybersecurity risk management helps address threats based on the potential impact each threat poses to the organization.
Broadly speaking, the cybersecurity risk management process involves four stages:
Identify risk: evaluate the cybersecurity vulnerabilities across the organization’s environment to identify current or potential threats that might affect business operations.
Assess risk: for each identified risk, analyze its severity to assess how likely it is to occur and what the impact on the organization could be.
Control risk: define the methods, procedures, technologies, or other measures that can help the organization mitigate the risks. For each risk, the organization decides how to respond: accept, mitigate, remediate, transfer, or terminate the risk.
Review controls: evaluate controls on an ongoing basis, for example through an audit, to review how effective they are at mitigating risks, and add or adjust controls as necessary.
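The four stages above can be made concrete with a small risk register. The following is an added example, not code from the original article or from NIST; it assumes a qualitative scale of 1 (low) to 5 (high) for likelihood and impact, a score of likelihood × impact, an organization-set "risk appetite" score above which acceptance is not allowed, and a simple treatment rule (accept, mitigate, or terminate) that stands in for the organization's own policy. The register entries and their ratings are constructed for illustration.

```python
"""Worked risk register for the identify / assess / control / review stages.

Assumed conventions (example only, not from the article):
  - likelihood and impact rated 1 (low) .. 5 (high)
  - risk score = likelihood x impact (max 25)
  - scores at or below the organization's risk appetite may be accepted
"""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5  # assumed qualitative scale


def _check_rating(value: int, label: str) -> int:
    """Reject ratings outside the agreed scale so a typo cannot hide a risk."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")
    return value


@dataclass
class Risk:
    """One register entry (stage 1, identify): a threat acting on a vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # inherent rating, before controls
    impact: int                          # inherent rating, before controls
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # re-rated after controls
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        _check_rating(self.likelihood, "likelihood")
        _check_rating(self.impact, "impact")
        for value, label in ((self.residual_likelihood, "residual_likelihood"),
                             (self.residual_impact, "residual_impact")):
            if value is not None:
                _check_rating(value, label)

    # Stage 2, assess: severity as likelihood x impact.
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after controls; falls back to the inherent rating if not yet re-rated."""
        lk = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        im = self.residual_impact if self.residual_impact is not None else self.impact
        return lk * im


def prioritize(register: List[Risk]) -> List[Risk]:
    """Stage 2, assess: highest inherent score first; ties broken by impact, then name."""
    return sorted(register, key=lambda r: (-r.inherent_score(), -r.impact, r.asset))


def recommend_treatment(risk: Risk, appetite: int) -> str:
    """Stage 3, control: an assumed example policy mapping score to a response."""
    score = risk.inherent_score()
    if score <= appetite:
        return "accept"
    if risk.impact == SCALE_MAX and risk.likelihood >= 4:
        return "terminate"   # intolerable: stop the activity or decommission the asset
    return "mitigate"        # apply controls, then re-rate the residual risk


def review_controls(register: List[Risk], appetite: int) -> List[str]:
    """Stage 4, review: assets whose controls still leave them above appetite."""
    return [r.asset for r in register if r.residual_score() > appetite]


# Constructed sample register; ratings are illustrative, not measured.
SAMPLE_REGISTER = [
    Risk("public web app", "DDoS", "no upstream traffic scrubbing", 4, 4,
         controls=["CDN with DDoS absorption"], residual_likelihood=2, residual_impact=3),
    Risk("customer database", "SQL injection", "unparameterized queries", 3, 5,
         controls=["parameterized queries", "input validation"],
         residual_likelihood=1, residual_impact=5),
    Risk("legacy FTP server", "credential theft", "unpatched, cleartext protocol", 4, 5),
    Risk("internal wiki", "defacement", "out-of-date plugin", 3, 2),
]
APPETITE = 6  # assumed: scores of 6 or below may be accepted

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.asset:18} inherent={r.inherent_score():2} "
              f"residual={r.residual_score():2} -> {recommend_treatment(r, APPETITE)}")
    print("still above appetite after controls:", review_controls(SAMPLE_REGISTER, APPETITE))
```

Running it ranks the legacy FTP server (score 20) first and recommends terminating it, flags the web app and database for mitigation, accepts the wiki at score 6, and the review step reports only the FTP server as still above appetite, since it has no controls and so no residual re-rating. Re-running the register after each control change is what keeps stage 4 continuous rather than a one-off audit.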
Cybersecurity risk management is a continual process: it involves constant monitoring of risks to ensure they are still acceptable, reviewing controls to ensure they are still fit for purpose, and making changes where required. Risks continually change as the cyber threat landscape evolves and as your systems and activities change.