Skip to content

Risk Management In Cybersecurity: Facts To Note

Risk management in cybersecurity involves the selection and specification of security controls for an organization. It is part of an ongoing organization-wide information security program that involves the management of the risk to the organization or to individuals associated with the operation of a system.
The image is a diagram of the Risk Management Process. There are five small circles, arranged in a circle representing the risk management process. Each circle is connected to the next by arrows pointing clockwise.
Within the top circle is Risk Identification: identify assets, vulnerabilities, threats. The second circle is Risk Assessment: score, weigh, prioritize risks. In the third circle is Risk Response Planning: determine risk response, plan actions. In the fourth circle is Response Implementation: implement the response. In the fifth circle is Monitor and Assess Results: continuous risk monitoring and response evaluation. The arrow points back to the first box.

Risk is determined as the relationship between threat, vulnerability, and the nature of the organization. It first involves answering the following questions as part of a risk assessment:

  • Who are the threat actors who want to attack us?
  • What vulnerabilities can threat actors exploit?
  • How would we be affected by attacks?
  • What is the likelihood that different attacks will occur?

NIST Special Publication 800-30 describes risk assessment as:
…the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
The full publication is available for download from NIST.
A mandatory activity in risk assessment is the identification of threats and vulnerabilities and the matching of threats with vulnerabilities in what is often called threat-vulnerability (T-V) pairing. The T-V pairs can then be used as a baseline to indicate risk before security controls are implemented. This baseline can then be compared to ongoing risk assessments as a means of evaluating risk management effectiveness. This part of risk assessment is referred to as determining the inherent risk profile of an organization.
After the risks are identified, they may be scored or weighted as a way of prioritizing risk reduction strategies. For example, vulnerabilities that are found to have corresponded with multiple threats can receive higher ratings. In addition, T-V pairs that map to the greatest institutional impact will also receive higher weightings.
The table lists the four potential ways to respond to risks that have been identified, based on there weightings or scores.

Risk Description
Risk avoidance
  • Stop performing the activities that create risk.
  • It is possible that as a result of a risk assessment, it is determined that the risk involved in an activity outweighs the benefit of the activity to the organization.
  • If this is found to be true, than it may be determined that the activity should be discontinued.
Risk reduction
  • Decrease the risk by taking measures to reduce vulnerability.
  • This involves implementing management approaches discussed earlier in this chapter.
  • For example, if an organization uses server operating systems that are frequently targeted by threat actors, risk can be reduced through ensuring that the servers are patched as soon as vulnerabilities have been identified.
Risk sharing
  • Shift some of the risks to other parties.
  • For example, a risk-sharing technique might be to outsource some aspects of security operations to third parties.
  • Hiring security as a service (SECaaS) CSIRT to perform security monitoring is an example.
  • Another example is to buy insurance that will help to mitigate some of the financial losses due to a security incident.
  • Accept the risk and it’s consequences.
  • This strategy is acceptable for risks that have a low potential impact and relatively high cost of mitigation or reduction.
  • Other risks that may be retained are those that are so dramatic that they cannot really be avoided, reduced, or shared.

Vulnerability Management

According to NIST, vulnerability management is a security practice that is designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and the exploitation of those vulnerabilities.
Proactively managing vulnerabilities of systems will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after exploitation has occurred.
Vulnerability management requires a robust means of identifying vulnerabilities based on vendor security bulletins and other information systems such as CVE.
Security personnel must be competent in assessing the impact, if any, of vulnerability information they have received. Solutions should be identified with effective means of implementing and assessing the unanticipated consequences of implemented solutions. Finally, the solution should be tested to verify that the vulnerability has been eliminated.
Image is a diagram of the Vulnerability Management Life Cycle. There are six small circles, arranged in a larger circle representing phases in the Vulnerability Management Lifecycle.
Each circle is connected to the next by arrows pointing clockwise. The phases shown in the circles are Discover, Prioritize Assets, Assess, Report, Remediate, and Verify. The last arrow points back to the Discover phase.

Vulnerability Management Life Cycle

Inventory all assets across the network and identify host details, including operating systems and open services, to identify vulnerabilities. Develop a network baseline. Identify security vulnerabilities on a regular automated schedule.

Asset Management

Asset management involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise. As part of any security management plan, organizations must know what equipment accesses the network, where that equipment is within the enterprise and logically on the network, and what software and data those systems store or can access.
Asset management not only tracks corporate assets and other authorized devices but also can be used to identify devices that are not authorized on the network.
NIST specifies in publication NISTIR 8011 Volume 2, the detailed records that should be kept for each relevant device. NIST describes potential techniques and tools for operationalizing an asset management process:


  • Automated discovery and inventory of the actual state of devices
  • Articulation of the desired state for those devices using policies, plans, and procedures in the organization’s information security plan
  • Identification of non-compliant authorized assets
  • Remediation or acceptance of device state, possible iteration of desired state definition
  • Repeat the process at regular intervals, or ongoing

Mobile Device Management

Mobile device management (MDM), especially in the age of BYOD, presents special challenges to asset management. Mobile devices cannot be physically controlled on the premises of an organization. They can be lost, stolen, or tampered with, putting data and network access at risk. Part of an MDM plan is acting when devices leave the custody of the responsible party.
Measures that can be taken include disabling the lost device, encrypting the data on the device, and enhancing device access with more robust authentication measures.
Due to the diversity of mobile devices, it is possible that some devices that will be used on the network are inherently less secure than others. Network administrators should assume that all mobile devices are untrusted until they have been properly secured by the organization.
MDM systems, such as Cisco Meraki Systems Manager, shown in the figure, allow security personnel to configure, monitor and update a very diverse set of mobile clients from the cloud.
The image is a screenshot of the Cisco Meraki management dashboard. The screenshot displays information about a wireless client. Information shown includes Status: date last seen, SSID, Access point, splash screen, signal strength, device type and capabilities. There is a map showing the client location, a graph showing the usage for the last day. At the bottom of the screenshot, there is a section for policies in effect for the client, network information including IPv4, IPv6, and MAC addresses. At the far right of the screen is a graph of ping response times.

Configuration Management

Configuration management addresses the inventory and control of hardware and software configurations of systems. Secure device configurations reduce security risk. For example, an organization provides many computers and laptops to it’s workers. This enlarges the attack surface for the organization, because each system may be vulnerable to exploits.
To manage this, the organization may create baseline software images and hardware configurations for each type of machine. These images may include a basic package of required software, endpoint security software, and customized security policies that control user access to aspects of the system configuration that could be made vulnerable. Hardware configurations may specify the permitted types of network interfaces and the permitted types of external storage.
Configuration management extends to the software and hardware configuration of networking devices and servers as well. As defined by NIST, configuration management:
Comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.
NIST Special Publication 800-128 on configuration management for network security is available for download from NIST.
For internetworking devices, software tools are available that will backup configurations, detect changes in configuration files, and enable bulk change of configurations across a number of devices.
With the advent of cloud data centres and virtualization, the management of numerous servers presents special challenges. Tools like Puppet, Chef, Ansible, and SaltStack enable efficient management of servers that are used in cloud-based computing.

Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training. 

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.


Fact Check Policy

CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.


Fact Check Policy

Leave a Reply

Your email address will not be published. Required fields are marked *