Risk Context, Analysis, and Evaluation

00:01

Welcome back to CyberRays. This, of course.

00:03

I'm your instructor. Bread Roads. Let's now jump into risk context, analysis and evaluation.

00:12

We've got a lot to cover in this video. We're gonna talk about context. We're gonna talk about identifying risk. We're gonna talk about analysis. We'll talk about the all important thing of prioritizing risk. Because if you don't prioritize, everything is important. And then nothing is important.

00:26

We're gonna talk about risk response strategies, and we're gonna talk about why we need to monitor, evaluate and adjust.

00:34

So risk context is incredibly important. Ah, lot of risk context comes from these two areas. What industry vertical you're in. So, for example, if you are in the health care industry, your risk context is different than if you are in the energy industry or, say the services industry. So

00:52

you need to understand context in terms of your industry vertical

00:55

and and and that also drives laws and regulations and rules that you might have to follow. So you gotta pay attention to that,

01:00

then the other area of context is critical infrastructure. Are you a critical infrastructure provider? If you're an ISI working for an organization that provides like power, water, sewer, those kinds of things, right? Your risk context is very different because you actually are delivering capabilities to the general consumer. The general public

01:18

that is absolutely critical. And so your

01:21

risk context is different.

01:22

Each of those drives and organizations risk attitude and appetite. So attitude is what do they think about risk? Some organizations are very risk averse, while others are very loose when it comes to risk. Additionally, we have appetite, right? Which is how much risk are you willing to take on?

01:38

If an organization has, ah, high appetite for risk, they're going to do a lot of risky things.

01:42

If there are low appetite for risk, they're going to be very risk averse. And so those things go hand in glove. You need to understand what it is for your organization.

01:53

When we identify risk. We look at these six areas, right? The technical areas. That's pretty obvious, right? Can we actually, is it feasible to do something? Can we test it? Um, cost. We've seen cost before, right? Are we meeting estimates or is the actual costs so high are going to be so high that we're gonna have a problem schedule. Right.

02:12

Are we going to meet our schedule requirements? Is there a way to track version

02:15

programmatic? Well, this is interesting. This is where we talk about contracts and personnel and resource is right. If we don't have, the resource is we're gonna find risk. Uh, many organizations say they want to do the greatest thing since sliced bread. They actually don't have the money to do it when they don't have the money to do it. It causes problems.

02:31

Obviously, there's laws and regulations we have to follow. And then, of course, guess who else gets a vote?

02:37

Adversaries. Those internal on an external threat, Actors right internal Could be the the malicious insider or the inadvertent insider. And then external threat actors out there be they advanced. Persistent threats, script, kiddies, cybercriminals, activists. You name it right. Those external actors get a vote when it comes to your risks.

02:57

So we analyze risk using the two formulas we talked about earlier. Probability of occurrence times the consequence of occurrence or threat times vulnerability divided by our controls and consequence. Second one, I think is better and more accurate. So we want to keep that in mind.

03:10

But here's the thing I want you to remember.

03:13

If you don't have a threat or vulnerability, then that risk is not existent. It's not that you don't have risk. It's just that specific risk area that you're looking at doesn't exist. So don't try to assign risk where there are none.

03:25

Okay, when it comes to probability, if there is a no probability of occurrence of a risk, right like say, for example, if you live in Florida, the probability of occurrence of a blizzard is near zero. So maybe you don't even think about that, Okay, so we have to prioritize our risk. If we don't prioritize our risk,

03:44

then we're going to make everything an important thing. And then nothing is an important thing. And priorities of risk

03:49

is really tied back to your organizational context and then your attitude and appetite, right? If you are in organization, that accepts a lot of risk. Well, guess what, then Your priority listing is very different than an organization that is very risk averse.

04:04

So here's how we talk about planning and executing risk response strategies, right? We look at control solutions, decisions and analysis, so controls are pretty straightforward. You've got technical control. So think technology.

04:16

You have operational controls and those could be policies, processes, procedures. Right. And then you have management controls. And those are kind of a mix of both technical operational,

04:25

which allows us to track what's going on with the control controls are a great way to respond and mitigate risk.

04:31

Um, security solutions. Well, maybe, instead of that is part of your controls. The technical side of house. You go out and buy something. It could be God's government off the shelf. It could be caused commercial shelf. You might actually build it. Now, when you bill something custom, guess what if there's a zero day you own the zero day, so just keep that in mind

04:47

decisions. We have to make decisions about risk, and that's all tied back to our context, attitude and appetite. Um,

04:55

I would say is, it sees you're going to spend a fair amount of your time pushing for decisions to protect your systems on. If you're not willing to communicate that stuff right, probably not the right spot for you to be in. And then, of course, we look at the analysis process. We look at the quantitative and qualitative aspects of things, right?

05:12

Quantitative is something measurable? Can I actually count the beans and the bullets, if you will,

05:16

that allow us to understand our risk, right? Or its qualitative right. Maybe I'm going to describe the risk is high, medium or low. But as part of our response, we need to understand what that is so that we can communicate that properly

05:31

when we monitor, evaluate and adjust. We do that based on our organizational tears, right from a risk management tractors perspective at the enterprise level. So obviously a tier one, Tier two and tier three tier three, I'm gonna tell you right is is really tied to the decisions of tier two and tier one

05:49

right here, too, is tied to the decisions of tier one. And Tier one makes the decisions many of the case, right?

05:54

And so obviously, at each of those different levels, right, we need to understand how we share those triggers up and down this chain, right?

06:03

Monitoring, evaluating adjustment is a continuous monitoring process. Conman, you're gonna hear me talk about this later, but we have to do

06:13

continuous monitoring of our risk via the available data and tools, or we're going to miss a risk and we're going to cause a problem for our organization. So if you take anything away from this chart is one. We're continuously monitoring risk at each of the levels of systems, mission, business process and organization to support

06:32

managing enterprise risk.

06:34

So in this lesson, what did we cover? We talked about identifying risk and that pieces and parts of context and how important that is. We talked about identifying risk. Where do they come from? We did some analysis discussion. We reviewed how that how important it is to prioritize your risk, because if we don't do that, everything is important than nothing is important. We then look at our

06:55

our risk response strategies and those could be controls. This could be based on decisions.

06:59

This could be based on on different metrics. Right then we talked about the fact how important it is to monitor, evaluated and adjust throughout the course of the life cycle of our systems.

07:08

As I said before,

07:10

risk management is a continuous process. We don't just do it once, and if we just do it once, we're going to expose our organizations.