ABSTRACT

STEP 4: Cyber Risks and Controls – defines cyber risks and their corresponding controls by presenting a customized National Institute of Standards and Technology (NIST) 800 Risk Model. A graphical representation of threats, vulnerabilities, risk categories, and controls shows how all these factors interact.

Cyber risk can be defined as the risk of financial loss, disruption, or damage to an organization's reputation resulting from a failure of its information technology systems. The following typical business risks should be considered when constructing an enterprise-wide cyber risk profile: Security and Resiliency, Information Technology, Operational, Reputational, Compliance, Legal, Program, and Strategic.

Risk appetite, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), is the broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission or vision. Risk tolerance is defined as the boundaries of risk taking outside of which the organization is not prepared to venture in the pursuit of its long-term objectives. Risk tolerance and risk appetite are closely connected and should be determined at the enterprise level.

Traditionally speaking, there are two classes of controls: general controls and application controls. Controls can also be defined in terms of the functions they perform. The four main types of control functions are deterrent, preventative, detective, and corrective. Mappings of cyber incidents to controls, as well as of sample threats to Center for Internet Security (CIS) critical security controls, are provided together with a discussion of control maturity with respect to the NIST Cybersecurity Framework (CSF). A quantitative NIST 800-30 Cyber Risk Assessment methodology, together with NIST Adversarial Threat Ratings, is presented so that it can be used as a more practical application of the standard and also as a measure of the performance of the strategy. The following well-known cyber risk assessment methodologies are reviewed:

NIST Special Publication 800-30 Revision 1 (September 2012)

Information Systems Audit and Control Association (ISACA) Risk Framework – Risk IT

The International Organization for Standardization/International Electrotechnical Commission's (ISO/IEC) 27005

A Guide to the Project Management Body of Knowledge (PMBOK® Guide)

Open Web Application Security Project™ (OWASP)

COSO 2013 Framework

Factor Analysis of Information Risk (FAIR)

Carnegie Mellon® Risk Quantification Method (CM RQM)

Auditing of IT controls (a controls assessment) is a critical process that assesses the organization's control maturity posture and identifies gaps and areas for improvement.

Cyber risk or cyber liability insurance covers (to a limit) a business' liability for a data breach where the company's customer information is exposed, stolen, or ransomed. Cyber insurance can help protect businesses from major expenses, including business losses, regulatory fines, and penalties.