Welcome back to Cyber is it's of course I'm your instructor. Bread Roads. Let's talk about risk findings and decisions
in this video. We're gonna look at a risk model. We're gonna talk about risk assessments in general, and then we're going to review and talk about risk based decisions that the different management tears.
So this is the risk model as shown to us from the National Institute of Standards and Technologies. I really like this chart. I'm gonna highlight some important stuff on it. One, this is based on different systems. So this could be a systems of our approach. This could be a requirements level approach. We start with a threat source on. We're looking at intent. So if there's
intent, that's obviously a threat, right?
We're gonna look a threat event. That could be something that happens, right? And as you can see, a threat source has to initiate the threat event right? And then they have to exploit something here. They have to exploit the vulnerability and vulnerability is tied to severity
of some conditions predisposing And then what are the controls and how effective they are? And I want to stick on this middle chart here for just a second.
Predisposing conditions. If you deploy a Windows XP as your primary operating system, you know that it comes with a large chunk of vulnerabilities out of the gate. So you have predisposing conditions, so your security controls hopefully are pretty darn good. Um, but again,
we know that there are some security controls that can actually be implemented in that case, because the operating system is so old.
And so it's important to understand the vulnerabilities of your systems as you use them.
Right? And then, obviously the threat source event and a vulnerability that's been exploited causes some sort of adverse impact, right, And that's what produces risk for our organizations. So each one of these factors or areas can have a direct linkage or impact on how
risk is viewed or how risk is assessed in an organization.
So when we talk about risk assessments, there are four steps right? We're gonna prepare. We're going to look at the organizational risk frames, so that's the attitude and appetite. We are then going to conduct the risk assessment. So using our model, we're gonna look at sources and events. We're gonna identify those vulnerabilities on, we're gonna determine
likelihood of occurrence and the magnitude of impact. And this is really a lot of times, especially in the commercial space comes down to dollars,
and they were going to determine what is our risk. An important step here is communicating the results as an ISI. When you're working on risk assessments, right, if you come across a severe risk. Ah, high risk item, right? Don't sit on it. You need to communicate those results so that we can make decisions faster and better at the leadership level.
And then, of course, step forward. Just like everything else. We've talked about risk. It's a continuous process. You maintain that assessment. If a system changes significantly because of, say, a technology stack swap out right, you have to go back and guess what? Redo that risk assessment based on new vulnerabilities, new predisposing conditions and new likelihoods and magnitudes. And so
this is really meant to demonstrate that
risk assessments are a continuous process like everything else we do and risk management.
So let's talk about risk based decisions or responses, and that's done in the frame of our three tier model. We're gonna start at the bottom three. Tier three is our system. Owners are folks that are hands on keyboard. They don't make decisions or do things with their systems unless they have guidance from above. From Tier two and Tier one.
Here, too, is obviously our mission. Our business process owners. That's our departments,
right? And then Tier one is our executives or organization enterprise frame well at the tier two level. That's where we're looking at those functions, right? What are the assumptions, constraints, priorities, trade offs right that have been directed to Tier two from Tier one,
Tier one. Our executives think R C suite, and this is a lot of times Where is to spend their times Discussing the decisions that need to be made about risk is with the executive level. Well, the executive levels remember, do that strategic frame. They define what is an organization's mission and vision and where they're going to go. And ultimately that drives
attitude and appetite in the context of the organization. And so you can see all of these are listed right, and you can see we do assessments we do responsibly monitor. This is a continuous cycle across the triangle of our organizational risk areas of Tier One organization, Tier two, Mission Business process, two or three information systems.
We've touched on this triangle multiple times,
so it's probably include to you that you should keep track of that and value that that's important in the context of the ESOP content.
So what do we cover in this lesson? We looked at a risk model. It's great model. You need to know that model for the content. UH, risk assessments, right, continuous right key thing and risk assessments. Communication early off high risk items and then, of course, risk based decisions, which vary depending on where you're at in the triangle.
If you're an executive, you make a different set of decisions from mission and business.
From then from our system owners, right, these areas are going to be driven based on organizational context, and those risk based decisions are going to have a direct impact on how an organization work through issues when it comes to vulnerabilities.
We'll see you next time