
richardb8006 | Chief Information Security Officer (CISO) | Module 3 - Risk Management

By: richardb8006 | Related Course: Chief Information Security Officer (CISO) | Published: February 4, 2018 | Modified: February 4, 2018

Module 3 - Ongoing monitoring

This lesson covers the importance of risk management as an ongoing activity.  Risks to data security must be monitored constantly to detect whether new risks have arisen or whether existing mitigation strategies are no longer effective. Strategies must be in place to address new risks as they are discovered.  Risks can never be eliminated, only reduced to levels acceptable to senior management.

  • Risk management is an ongoing activity
  • Risks should be continuously monitored to detect whether new risks have arisen or whether mitigation strategies are no longer effective
  • Strategies should be in place for addressing new risks

Module 3 - Risk analysis

This lesson will explain the difference between qualitative and quantitative risk analysis and the benefits of each analysis method.

Qualitative analysis:

  • A subjective analysis that ranks the probability and impact of risk events in order to prioritize them
  • May use the Delphi technique, in which experts give their opinions anonymously and the results are iterated toward consensus, so that no single voice biases the outcome

Quantitative analysis:

  • Assigns a dollar value to a particular risk event
  • Is more sophisticated: it is harder to perform and requires a specialized skill set
  • Business decisions are made on the basis of a quantitative analysis
  • Cannot exist on its own; a quantitative analysis depends on the qualitative information gathered first

A qualitative analysis is subjective in nature and uses words such as "high", "medium" and "low" to describe the likelihood of a threat exploiting a vulnerability and the severity of the result.
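The qualitative method carried out in code, as an added example that is not part of the original course notes. It aggregates anonymous expert votes for the Delphi step, scores each risk on a likelihood x impact matrix, ranks the result, and adds a simple screen in the spirit of FRAP (covered later in these notes) in which the qualitative rating decides whether a dollar-based analysis is worth the effort. The three-level scale, the use of the median to combine Delphi votes, the rating thresholds and the sample risks are all assumptions made for the example.

```python
"""Qualitative risk analysis: Delphi-style consensus plus a likelihood x impact matrix.

Added example, not from the Cybrary course notes. The three-level scale, the
median aggregation, the rating thresholds and the sample risks are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass
from math import ceil
from statistics import median

# Ordinal scale: the words are ranked so they can be compared, not priced.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {rank: word for word, rank in LEVELS.items()}


def delphi_consensus(votes: list[str]) -> str:
    """Collapse anonymous expert votes into a single level.

    The Delphi technique collects opinions anonymously so no one dominates the
    room; the median (an assumption here) keeps one outlier from dragging the
    result the way a mean would. A half-way median is rounded up to stay
    conservative.
    """
    if not votes:
        raise ValueError("at least one vote is required")
    ranks = [LEVELS[v.strip().lower()] for v in votes]
    return NAMES[ceil(median(ranks))]


@dataclass(frozen=True)
class QualitativeRisk:
    name: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"

    def score(self) -> int:
        """Product of the two ranks (1..9); only its ordering carries meaning."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Map the score back onto matrix cells (assumed thresholds)."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def prioritize(risks: list[QualitativeRisk]) -> list[QualitativeRisk]:
    """Order risks from most to least urgent; ties keep their input order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def needs_quantitative(risk: QualitativeRisk) -> bool:
    """FRAP-style screen (assumed cutoff): only risks rated high earn a
    dollar-based analysis, which is costly and needs specialist skills."""
    return risk.rating() == "high"


# Constructed sample: three experts vote anonymously on one event's likelihood.
RANSOMWARE_LIKELIHOOD = delphi_consensus(["high", "medium", "high"])

SAMPLE_RISKS = [
    QualitativeRisk("Ransomware on file servers", RANSOMWARE_LIKELIHOOD, "high"),
    QualitativeRisk("Lost unencrypted laptop", "medium", "medium"),
    QualitativeRisk("Web site defacement", "high", "low"),
    QualitativeRisk("Office printer outage", "low", "low"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        flag = " -> proceed to quantitative analysis" if needs_quantitative(r) else ""
        print(f"{r.rating():6} score={r.score()} {r.name}{flag}")
```

The matrix deliberately produces an ordering and nothing else: a score of 9 is not "three times worse" than a 3, which is exactly why business decisions are made on the quantitative figures instead.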

A quantitative analysis requires much more experience than a qualitative analysis.  In addition, a quantitative analysis will:

  • Involve more calculations in order to put a dollar value on each risk event
  • Support business decisions, which are made on the basis of those dollar values
  • Aim to determine the dollar value of a risk and use that amount to decide which control is best for a particular asset

A quantitative analysis is necessary for a cost/benefit analysis.

Quantitative analysis formulas and definitions

AV –> Asset Value: Dollar figure that represents what the asset is worth to the organization

EF –> Exposure Factor: The percentage of the asset's value expected to be lost when a particular risk event materializes (used as a fraction between 0 and 1 in the formulas)

SLE –> Single Loss Expectancy: Dollar figure that represents the cost of a single occurrence of a threat instance

ARO –> Annual Rate of Occurrence: How often the threat is expected to materialize in a year (may be fractional, e.g. 0.1 for an event expected once every ten years)

ALE –> Annual Loss Expectancy: Expected cost per year as a result of the threat

TCO –> Total Cost of Ownership: The total cost of implementing a safeguard. In addition to the initial cost there are often ongoing maintenance fees as well.

ROI –> Return on Investment: Amount of money saved by implementing a safeguard. Sometimes referred to as the value of the safeguard/control.

SLE = AV × EF

ALE = SLE × ARO

TCO = Initial cost of control + yearly fees

ALE (before implementing control) – ALE (after implementing control) – Cost of control = ROI (value of control)

Because the ALE terms are per-year figures, the cost-of-control term must also be expressed per year: spread the TCO over the expected life of the control rather than subtracting the one-off purchase price alone.
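The formulas carried through in code, as an added example that is not from the course notes. It computes SLE, ALE, TCO and the value of each candidate control, then applies the cost/benefit rule discussed later in this module: reduce the risk with the control of highest positive value, or accept the risk when no control pays for itself. The asset value, exposure factors, occurrence rates and control prices are constructed sample numbers, and treating the "cost of control" as the TCO annualized over a three-year horizon is an assumption of the example.

```python
"""Quantitative risk analysis: SLE, ALE, TCO and the value of a control.

Added example, not from the Cybrary course notes. The asset value, exposure
factors, occurrence rates and control prices are constructed sample numbers;
the three-year horizon and the use of annualized TCO as the "cost of control"
term in the ROI formula are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF, with EF as a fraction 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO.
    ARO may be below 1 (0.1 means the event is expected once every ten years)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return single_loss * aro


@dataclass(frozen=True)
class Control:
    name: str
    initial_cost: float
    yearly_fees: float
    ef_after: float   # exposure factor once the control is in place
    aro_after: float  # annual rate of occurrence once the control is in place

    def tco(self, years: int) -> float:
        """Total Cost of Ownership: initial cost + yearly fees over the horizon."""
        if years < 1:
            raise ValueError("horizon must be at least one year")
        return self.initial_cost + self.yearly_fees * years

    def annual_cost(self, years: int) -> float:
        """TCO spread evenly per year so it is comparable with an ALE (assumption)."""
        return self.tco(years) / years


def control_value(asset_value: float, ef_before: float, aro_before: float,
                  control: Control, years: int) -> float:
    """ROI in the course's sense: ALE(before) - ALE(after) - annual cost of control.
    Positive means the control saves more per year than it costs."""
    before = ale(sle(asset_value, ef_before), aro_before)
    after = ale(sle(asset_value, control.ef_after), control.aro_after)
    return before - after - control.annual_cost(years)


def choose_response(asset_value: float, ef_before: float, aro_before: float,
                    controls: list[Control], years: int) -> tuple[str, str | None, float]:
    """Cost/benefit decision. Returns (strategy, control name, value per year).

    The control with the highest positive value is chosen (risk reduction).
    If no candidate pays for itself, accepting the risk is the rational
    response: spending more on mitigation than the expected loss is a loss too.
    """
    if not controls:
        raise ValueError("at least one candidate control is required")
    ranked = sorted(
        ((control_value(asset_value, ef_before, aro_before, c, years), c) for c in controls),
        key=lambda pair: pair[0], reverse=True)
    best_value, best = ranked[0]
    if best_value <= 0:
        return ("accept", None, best_value)
    return ("reduce", best.name, best_value)


# Constructed sample: a customer database worth $500,000 that a breach would
# damage by 40% (EF = 0.4), expected about once every two years (ARO = 0.5).
ASSET_VALUE = 500_000.0
EF_BEFORE = 0.4
ARO_BEFORE = 0.5
HORIZON_YEARS = 3

SAMPLE_CONTROLS = [
    # cheap; cuts the damage per incident but not its frequency
    Control("Backup and DR service", 30_000, 10_000, ef_after=0.1, aro_after=0.5),
    # expensive; cuts the frequency but not the damage of an incident that gets through
    Control("Hardened gateway appliance", 150_000, 20_000, ef_after=0.4, aro_after=0.1),
    # near-total protection whose price exceeds the loss it prevents
    Control("Full outsourced SOC", 400_000, 50_000, ef_after=0.05, aro_after=0.05),
]

if __name__ == "__main__":
    single = sle(ASSET_VALUE, EF_BEFORE)
    print(f"SLE = {single:,.0f}  ALE = {ale(single, ARO_BEFORE):,.0f}")
    for c in SAMPLE_CONTROLS:
        value = control_value(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, c, HORIZON_YEARS)
        print(f"{c.name:28} value/year = {value:,.0f}")
    print(choose_response(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, SAMPLE_CONTROLS, HORIZON_YEARS))
```

With the sample numbers the SLE is $200,000 and the ALE $100,000; the backup service is worth $55,000 a year, the appliance $10,000, and the outsourced SOC is a net loss of about $84,600 a year, so on its own it would lead to a decision to accept the risk rather than buy it.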

Module 3 - Risk assessment

In this lesson, instructor Kelly Handerhan will detail the specifics of effective risk management as a whole.  You will find out what risk management is and what elements make up risk management.

Risk management consists of four main components:

  • Risk assessment: identifying assets, threats, and vulnerabilities
  • Risk analysis: determining the value of the identified risks (their likelihood and impact, qualitatively or in dollars)
  • Risk mitigation: the response to risk
  • Risk monitoring: risk is forever!

You will become familiarized with important risk assessment methodologies such as:

  • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): an approach in which analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on reducing the resulting risk.
  • FRAP: Facilitated Risk Analysis Process.  A qualitative analysis is used to determine whether or not to proceed with a quantitative analysis.
  • NIST SP 800-30: the risk management guide for information technology systems

The NIST 800-30 nine-step risk assessment process:

  • System characterization
  • Threat identification
  • Vulnerability identification
  • Control analysis
  • Likelihood determination
  • Impact analysis
  • Risk determination
  • Control recommendations
  • Results documentation

Using the NIST 800-30 nine-step process establishes an effective and thorough risk assessment protocol.  Following it improves data security while ensuring that limited resources are dedicated where they can do the most good.

Module 3 - Risk management intro

In this lesson, instructor Kelly Handerhan reintroduces the basic concepts of risk management covered in the previous modules and stresses the importance of a thorough understanding of risk management in the data security environment.

Module 3 - Risk mitigation

This lesson is a review of the risk management process that will cover the main concepts that were taught in this module.

Risk assessment is usually the most difficult step to conduct.  Even though there are many unknowns, it is necessary to make an effort to collect the right data.

Risk assessment can be done qualitatively or quantitatively. Each method comes with its own strengths and limitations.  Used together, qualitative and quantitative risk assessment result in the most effective information security management policy.

Risk mitigation is the process of reducing risk to acceptable levels and maintaining that risk level.  You must remember that risk must be managed because it can never be totally eliminated from your data environment.

A quantitative analysis leads to the proper risk mitigation strategy (risk response):

  • Reduce: apply a control that lowers the likelihood or the impact of the risk
  • Accept: knowingly tolerate the risk because treating it would cost more than the expected loss
  • Transfer: shift the financial consequences to a third party
  • Avoid: stop the activity that gives rise to the risk
  • Reject: ignore the risk or deny that it exists; this is not a legitimate response and must not be confused with acceptance, which is a documented management decision

Cost/benefit analysis will help you decide the correct mitigation strategy.

Risk transference shares the risk with someone else; the use of SLAs or insurance would be an example of risk transference.  Accepting a risk is the logical choice, reached through cost-benefit analysis, when the cost of mitigation is higher than the potential loss; the acceptance is a decision made by management, not a failure to act.

Additional risk terms:

Total risk –> The risk that exists before any control is implemented

Residual risk –> Leftover risk after applying a control

Secondary risk –> When one risk response triggers another risk event

Threats * Vulnerability * Asset value = Total risk

Total risk * Controls gap = Residual risk
