What is Cybersecurity Risk Management?
Organizations face many varieties of risk. The Office of Management and Budget (OMB) defines risk as “the effect of uncertainty on objectives”.1 “Enterprise risk” refers to the effect of uncertainty on enterprise mission and business objectives, and managing these risks is referred to as enterprise risk management (ERM). ERM is a type of process management strategy that seeks to identify, understand, and prepare for the kinds of dangers, hazards, and other potential deviations from standard operating procedures that could be perceived as risks. Some examples of risks include financial, legal, legislative, operational, privacy, reputational, safety, strategic, supply chain, and cybersecurity risks.
Cybersecurity risk is an important type of risk for any type of organization. The OMB has developed a framework for risk management that integrates cybersecurity risk management and ERM. The risk management life cycle includes six steps:
- Identify the context. Context is the environment in which the enterprise operates and is influenced by the risks involved. The risk context includes two factors:
  - External context involves the expectations of outside stakeholders that affect, and are affected by, the organization.
  - Internal context relates to the factors within the organization and the relevant cybersecurity considerations across the enterprise.
- Identify the risks. This means identifying the comprehensive set of positive and negative risks: determining which events could enhance or impede objectives, including the risk of failing to pursue an opportunity. Cybersecurity risk identification comprises:
  - Identification of the organization’s mission-supporting assets and their valuation
  - Determination of potential threats that might jeopardize the confidentiality, integrity, and availability of those assets, and of potential information and technology opportunities that might benefit the organization
  - Consideration of vulnerabilities of those assets
  - Evaluation of the potential consequences of risk scenarios
- Analyze the risks. This involves estimating the likelihood that each identified risk event will occur, and the potential impact of the consequences described.
- Prioritize the risks. The exposure is calculated for each risk, based on likelihood and potential impact, and the risks are then prioritized based on their exposure. When prioritizing risk response, consider the following:
  - How to combine calculations of likelihood and impact to determine exposure
  - How to determine and measure the potential benefits from pursuing a particular risk response
  - When to seek additional guidance on how to evaluate risk exposure levels, such as while evaluating exposures germane to risk tolerance statements
- Plan and execute risk response strategies. The appropriate response is determined for each risk, with the decisions informed by risk guidance from leadership. There are four types of actions available for responding to negative cybersecurity risks: accept, transfer, mitigate, and avoid. Examples of controls that can be applied to reach an acceptable level of risk include preventative, deterrent, detective, corrective, and compensating controls.
- Monitor, evaluate, and adjust. Continual monitoring ensures that enterprise risk conditions remain within the defined risk appetite levels as cybersecurity risks change.
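The analyze, prioritize and respond steps above are usually worked through in a risk register. The following is an added example, not code from OMB or NISTIR 8286: it scores a constructed register on assumed 1 to 5 ordinal scales, ranks the entries by exposure, and applies an assumed decision rule that maps exposure against a risk appetite threshold to one of the four response types. The scales, the threshold, the decision rule and the sample risks are all assumptions.

```python
from dataclasses import dataclass, field

# Ordinal scales and the appetite threshold are constructed for this example;
# the framework leaves the actual scales and tolerances to the enterprise.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8  # maximum exposure leadership is willing to accept (assumed)

@dataclass
class Risk:
    asset: str        # mission-supporting asset (identify step)
    scenario: str     # threat acting on a vulnerability of that asset
    likelihood: str   # analyze step: estimated likelihood
    impact: str       # analyze step: estimated consequence
    exposure: int = field(init=False)

    def __post_init__(self) -> None:
        # Prioritize step: exposure combines likelihood and impact on the ordinal scales.
        self.exposure = LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def prioritize(register: list[Risk]) -> list[Risk]:
    """Rank negative risks by exposure, highest first; ties broken by impact, then asset."""
    return sorted(register, key=lambda r: (-r.exposure, -IMPACT[r.impact], r.asset))

def plan_response(risk: Risk) -> str:
    """Respond step under an assumed decision rule: within appetite -> accept;
    above appetite -> mitigate with controls, except that a severe impact is
    escalated for a leadership choice between transfer and avoid, since
    mitigation alone rarely brings such exposure back within appetite."""
    if risk.exposure <= RISK_APPETITE:
        return "accept"
    if IMPACT[risk.impact] < IMPACT["severe"]:
        return "mitigate"
    return "transfer/avoid"

# Constructed risk register for a fictional enterprise.
REGISTER = [
    Risk("customer database", "credential phishing leads to data theft", "likely", "major"),
    Risk("public website", "defacement", "possible", "minor"),
    Risk("payroll system", "ransomware outage", "unlikely", "severe"),
    Risk("build pipeline", "compromised third-party dependency", "possible", "severe"),
]

def risk_report(register: list[Risk] = REGISTER) -> list[tuple[str, int, str]]:
    """Prioritized (asset, exposure, planned response) rows, the input to the monitor step."""
    return [(r.asset, r.exposure, plan_response(r)) for r in prioritize(register)]

if __name__ == "__main__":
    for asset, exposure, response in risk_report():
        print(f"{exposure:>2}  {response:<14} {asset}")
```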
1 OMB, 2019, OMB Circular No. A-11
2 NIST, 2020, NISTIR 8286: Integrating Cybersecurity and Enterprise Risk Management (ERM)