WEBVTT

00:00:01.170 --> 00:00:04.030
Let's take a look at the Security Principles for the

00:00:04.030 --> 00:00:06.510
Certified in Cybersecurity domain.

00:00:06.900 --> 00:00:09.820
This one is entitled Risk Management.

00:00:10.660 --> 00:00:14.810
When we take a look at all of the areas of security principles,

00:00:14.890 --> 00:00:17.880
we set out a foundation of understanding the

00:00:17.880 --> 00:00:20.300
concepts and oversight or governance,

00:00:20.800 --> 00:00:24.600
but now we have to do risk management so we're able to

00:00:24.600 --> 00:00:27.120
determine what controls we should have.

00:00:27.400 --> 00:00:30.530
We will finish this off, of course, looking at the code of ethics.

00:00:31.760 --> 00:00:34.000
Let's take a look at some definitions.

00:00:34.500 --> 00:00:40.510
Risk is defined as the probability of an event and its consequence.

00:00:41.070 --> 00:00:45.410
Now for business, risk is an essential part of doing business.

00:00:45.570 --> 00:00:48.850
I start a new product, I do some research,

00:00:48.850 --> 00:00:52.610
I open a new office, there is a risk associated with that,

00:00:52.790 --> 00:00:56.160
but I'm looking for the reward or the gain I'll get by

00:00:56.160 --> 00:00:58.970
having that new product or that new office.

00:00:59.450 --> 00:01:03.640
So risk for business is very much both positive,

00:01:03.650 --> 00:01:08.330
but also negative because when I do take that risk,

00:01:08.340 --> 00:01:11.050
I could lose the investment I made as well.

00:01:11.600 --> 00:01:17.210
From an IT perspective, we often look at risk from more of the negative side,

00:01:17.410 --> 00:01:19.330
the things that can go wrong.

00:01:20.540 --> 00:01:26.790
So we see here how the ISO standard 27005 has defined information

00:01:26.970 --> 00:01:32.400
security risk as the potential that a given threat will exploit

00:01:32.400 --> 00:01:35.820
vulnerabilities of an asset or group of assets,

00:01:35.830 --> 00:01:39.110
and thereby cause harm to the organization,

00:01:39.310 --> 00:01:42.420
so we see more of a negative view of risk,

00:01:42.750 --> 00:01:46.290
but it's important for us to remember that we shouldn't always see

00:01:46.290 --> 00:01:50.090
risk as negative because the people we're talking to may see it as

00:01:50.090 --> 00:01:52.470
very much a part of daily business.

00:01:53.750 --> 00:01:57.750
Risk management can be divided into four sections.

00:01:57.990 --> 00:02:02.700
The first, to frame (the center), is to understand the business,

00:02:02.930 --> 00:02:07.740
understand the competition, the laws, the culture,

00:02:07.910 --> 00:02:10.380
and all of the things about our business,

00:02:10.380 --> 00:02:12.700
including things like financial depth.

00:02:12.990 --> 00:02:15.140
Before I start looking at risk,

00:02:15.310 --> 00:02:18.520
I need to understand the business and what business we're in,

00:02:19.250 --> 00:02:21.930
but then when I have that understanding,

00:02:21.990 --> 00:02:27.230
I can assess the risk and the results of the assessment are fed back to

00:02:27.230 --> 00:02:31.530
management in that frame area so that management can say,

00:02:31.530 --> 00:02:33.390
do they agree with the assessment?

00:02:33.780 --> 00:02:37.970
Maybe that's a bit of an iterative process; we might have to reassess.

00:02:38.690 --> 00:02:42.670
Then we take the results of that assessment and do risk

00:02:42.670 --> 00:02:45.630
response or sometimes called risk treatment.

00:02:45.870 --> 00:02:48.260
What are we going to do about the risk?

00:02:48.330 --> 00:02:52.550
Should we just accept it or should we cease that activity

00:02:52.550 --> 00:02:55.580
altogether or should we try to reduce the risk?

00:02:55.630 --> 00:02:58.010
These are some of the options we'll look at when we look

00:02:58.010 --> 00:02:59.870
at risk response and risk treatment.

00:03:00.690 --> 00:03:02.410
But risk is always changing.

00:03:02.660 --> 00:03:05.550
The business changes, there are new threats,

00:03:05.560 --> 00:03:08.320
equipment gets older, people change,

00:03:08.460 --> 00:03:12.190
so we need to continuously monitor for what is our current

00:03:12.190 --> 00:03:16.460
level of risk and that should go back to response and say

00:03:16.460 --> 00:03:18.560
maybe we need to adjust a control.

00:03:18.940 --> 00:03:21.310
It should maybe go up to assessment and say,

00:03:21.310 --> 00:03:24.030
hey, maybe we need to reassess this risk,

00:03:24.300 --> 00:03:28.510
but certainly it should feed back into that center management so

00:03:28.510 --> 00:03:31.160
management knows what our current risk is.

00:03:32.020 --> 00:03:36.470
We are going to spend a bit more time on risk than, we could say,

00:03:36.470 --> 00:03:39.610
it's really worth from an exam perspective,

00:03:39.850 --> 00:03:44.910
but it's really important because this is a key concept we need to

00:03:44.910 --> 00:03:49.480
understand, and so I hope you'll bear with me a little bit on this as we

00:03:49.490 --> 00:03:53.500
take a look at what risk management really is.

00:03:53.830 --> 00:03:58.920
It starts with risk identification, that is to determine what

00:03:58.930 --> 00:04:00.870
are the things we're trying to protect?

00:04:01.010 --> 00:04:01.890
The assets.

00:04:02.250 --> 00:04:04.820
What are the threats to those assets?

00:04:05.220 --> 00:04:07.810
Do those assets have any vulnerabilities?

00:04:08.140 --> 00:04:09.480
And of course,

00:04:09.640 --> 00:04:15.550
know what controls we currently have in place to try to protect those assets.

00:04:16.130 --> 00:04:20.130
We need to understand how some type of risk event

00:04:20.240 --> 00:04:22.850
could impact or harm that asset.

00:04:23.440 --> 00:04:27.690
Could it harm us financially or reputationally, for example?

00:04:29.920 --> 00:04:36.240
The NIST Special Publication 800‑30r1 shows how these fit together.

00:04:36.920 --> 00:04:39.510
We have, as you can see in the bottom left corner,

00:04:39.800 --> 00:04:45.350
inputs from the risk framing step where we look at the risk management strategy,

00:04:45.350 --> 00:04:51.000
the approach, and then any of the risk factors that should be considered as well.

00:04:51.810 --> 00:04:53.050
We have a threat.

00:04:53.490 --> 00:04:57.600
The threat source could be a hacker, could be an employee,

00:04:57.840 --> 00:05:00.990
could be, for example, a natural event,

00:05:01.610 --> 00:05:05.020
and that threat source initiates a threat event.

00:05:05.450 --> 00:05:10.090
The storm, the malicious code, deleting the wrong file,

00:05:10.280 --> 00:05:14.420
those are all threat events initiated by the threat source.

00:05:14.770 --> 00:05:17.820
We have to look at: what is the likelihood of that happening?

00:05:18.760 --> 00:05:21.720
Untrained staff, for example, are much more likely to

00:05:21.720 --> 00:05:23.670
make a mistake than well‑trained staff.

00:05:24.490 --> 00:05:30.210
But then we see how that threat event will attempt to exploit a weakness,

00:05:30.530 --> 00:05:35.950
a vulnerability, a gap in the protection for that asset,

00:05:36.280 --> 00:05:40.930
and this is where we have to understand a threat is not limited to

00:05:40.930 --> 00:05:45.430
one vulnerability nor is a vulnerability only subject to one

00:05:45.430 --> 00:05:49.680
threat, so there is a many‑to‑many relationship here between

00:05:49.680 --> 00:05:51.910
threat events and vulnerabilities.

00:05:52.680 --> 00:05:58.490
We also have to look at a few other predisposing conditions such as morale,

00:05:58.900 --> 00:06:03.200
the financial depth of the company: can they even handle some type of a loss?

00:06:03.420 --> 00:06:06.640
We have to look at whether or not our controls are effective.

00:06:07.160 --> 00:06:11.980
But in the end, if that threat was able to exploit a vulnerability,

00:06:12.080 --> 00:06:16.860
we're going to have some level of consequence or impact, and that is

00:06:16.860 --> 00:06:20.310
going to be some type of impact on the business itself,

00:06:20.320 --> 00:06:23.510
or we could say organizational risk.

00:06:24.830 --> 00:06:28.790
Risk identification means we need to identify the threat source,

00:06:28.800 --> 00:06:33.110
maybe a hacker, then the threat event, the malware,

00:06:34.200 --> 00:06:39.340
the vulnerability, an unpatched system, the asset itself,

00:06:39.350 --> 00:06:40.910
the business process,

00:06:41.320 --> 00:06:46.670
and when we see this string of different things coming together,

00:06:47.240 --> 00:06:50.810
then we have a way to measure our level of risk.

00:06:51.990 --> 00:06:55.840
We identify risk by knowing what we're trying to protect,

00:06:56.050 --> 00:07:00.460
the assets, knowing the threats and vulnerabilities of those assets,

00:07:00.460 --> 00:07:03.470
but then we get into the hard part of this.

00:07:03.620 --> 00:07:08.060
How do we determine likelihood or the probability of something happening,

00:07:08.570 --> 00:07:12.860
and how do we determine impact or consequence if it does happen?

00:07:13.310 --> 00:07:16.970
Not all events will have the same impact.

00:07:18.230 --> 00:07:21.950
When we assess the risk, we then come out with priorities,

00:07:22.050 --> 00:07:25.810
which risks are more important and should be dealt with immediately.

00:07:26.810 --> 00:07:27.720
Hopefully,

00:07:27.850 --> 00:07:31.330
we come out with some recommendations of how we could respond

00:07:31.330 --> 00:07:34.030
or deal with that risk we've identified.

00:07:34.910 --> 00:07:38.910
An important part of this is determining who owns the risk,

00:07:38.920 --> 00:07:42.460
who's going to be responsible for fixing this problem?

00:07:43.110 --> 00:07:46.650
We generate a risk assessment report for management to

00:07:46.650 --> 00:07:49.110
see what our identified risk is,

00:07:49.200 --> 00:07:54.580
and we may even have a risk register that has all of our risks in one place

00:07:54.730 --> 00:07:58.560
so that people can see what our current risk profile is.

00:08:02.080 --> 00:08:03.420
The key points review.

00:08:04.700 --> 00:08:07.820
Risk management consists of several activities.

00:08:08.180 --> 00:08:12.400
These can be happening concurrently or consecutively.

00:08:14.140 --> 00:08:16.690
We need to understand the business first,

00:08:17.080 --> 00:08:20.290
establishing the frame or establishing the context

00:08:20.420 --> 00:08:24.880
in which the business operates, and then by doing risk assessment,

00:08:24.960 --> 00:08:28.160
we can identify and prioritize risk.

00:08:29.340 --> 00:08:32.570
When we measure risk to an IT system,

00:08:33.140 --> 00:08:39.010
the true measure of that risk is how much it would impact the organization,

00:08:39.380 --> 00:08:43.110
the business that relies on that IT system.
