Risk Intro and Risk Assessment Template

Reliably Achieving Objectives


Risk Management is Your Opportunity to Make an Outsized Impact

What you need now, more than ever, is a risk approach to managing your security program, because you can't do everything at once. You have limited resources, a limited budget, and a potentially unlimited attack surface that's expanding all the time.

The Risk aspect of GRC can make a massive difference when you help prioritize the right programs and remediation work. If you can't do this, then you're going to spin your wheels on things that will be less effective than something closer to the root cause.

Ayoub Fandi, Host of the GRC Engineering Podcast

To reliably achieve objectives, organizations need cyber risk guardrails and due diligence in place: not to slow you down, but to keep you from driving off a cliff. The fastest cars have the best brakes.

Start Here: Understanding a More Intense “What Could Go Wrong (WCGW)” Mindset

One of the first foundational concepts explained to me when I came to cybersecurity from finance was the difference in mindset between COSO (Committee of Sponsoring Organizations of the Treadway Commission), which underpins commercial-industry compliance, and the Rainbow Series of cyber controls that came from the Department of Defense.

It’s a bit more intense, so buckle up.

Grounded in this mindset, where to start?

Next, Anchor on the NIST SP 800-30 Guide for Conducting Risk Assessments

Of the alphabet soup of risk literature you'll see out there, this is my favourite guide. It's highly respected and happens to be free:

It’s a great read from cover to cover. To spark your curiosity and get you started, here are some core concepts I apply most commonly to my daily work:

  • Risk = function of Asset Value x Threats x Vulnerabilities. That is the common shorthand; SP 800-30 frames risk as the likelihood that a threat source exploits a vulnerability, combined with the adverse impact if it does, with asset value driving the impact side

  • What Could Go Wrong in cybersecurity?

    • Critical data could be disclosed, altered, or made unavailable (a loss of confidentiality, integrity, or availability)

    • This includes a threat actor stealing money you hold online, or stealing or spoofing your identity to commit crimes or exfiltrate your secrets. The actor is typically a professional criminal organization acting for financial gain, but NIST SP 800-30 lists other threat sources and motives as well

  • The bottom line is "residual risk": the risk left over after security controls have been applied. Focus on that rather than on inherent risk, which is only an input to your assessment

  • Figure 3 below provides a nice 10,000 ft view of the process, from which you can jump to Appendices D through I for practical examples and guidance on:

    • D. Threat sources

    • E. Threat events

    • F. Vulnerabilities

    • G. Likelihood

    • H. Impact

    • I. Risk determination

NIST SP800-30 Guide for Conducting Risk Assessments

When rolling individual risk assessments up into an executive scorecard at the end of the month or quarter, apply the 5×5 residual risk matrix from Appendix I: likelihood on one axis, impact on the other, and the cell gives the level of risk.
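As an added worked example (not code from this post, from NIST, or from the author's template), the Python below scores each risk's inherent level from its likelihood and impact, steps those inputs down by the controls applied to get the residual level, and counts the results for a scorecard. The sample risks, control names, and the number of levels each control is credited with are all constructed for illustration; the matrix values follow my reading of Table I-2 in SP 800-30 Rev. 1 and should be verified against the document before you adopt them.

```python
"""Roll up SP 800-30-style qualitative risk assessments into an executive scorecard.

Added example; the risks, controls and step reductions below are constructed.
"""
from dataclasses import dataclass, field

# Qualitative scale shared by likelihood (App. G), impact (App. H) and risk (App. I).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# 5x5 level-of-risk matrix: rows = likelihood, columns = impact (Very Low .. Very High).
# Values as I recall Table I-2 of SP 800-30 Rev. 1; verify, and tailor the table
# (not the code) if your organization uses a different calibration.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def rank(level: str) -> int:
    """Index 0..4 of a qualitative level; rejects values that are not on the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def risk_level(likelihood: str, impact: str) -> str:
    """Level of risk for a (likelihood, impact) pair, read off the 5x5 matrix."""
    rank(likelihood)  # validate the row key before the dict lookup
    return RISK_MATRIX[likelihood][rank(impact)]


@dataclass
class Control:
    """A security control credited with lowering likelihood and/or impact by N levels."""
    name: str
    likelihood_steps: int = 0
    impact_steps: int = 0


@dataclass
class Risk:
    name: str
    likelihood: str                      # inherent likelihood (before controls)
    impact: str                          # inherent impact (before controls)
    controls: list = field(default_factory=list)

    @property
    def inherent(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_inputs(self) -> tuple:
        """Likelihood and impact after controls; never steps below Very Low (rank 0)."""
        lik = rank(self.likelihood) - sum(c.likelihood_steps for c in self.controls)
        imp = rank(self.impact) - sum(c.impact_steps for c in self.controls)
        return LEVELS[max(lik, 0)], LEVELS[max(imp, 0)]

    @property
    def residual(self) -> str:
        return risk_level(*self.residual_inputs())


def scorecard(risks: list) -> dict:
    """Counts per level (inherent vs residual) and the risks ordered worst-first."""
    ordered = sorted(risks, key=lambda r: (-rank(r.residual), r.name))
    return {
        "inherent": {lvl: sum(1 for r in risks if r.inherent == lvl) for lvl in LEVELS},
        "residual": {lvl: sum(1 for r in risks if r.residual == lvl) for lvl in LEVELS},
        "ranked": [(r.name, r.inherent, r.residual) for r in ordered],
    }


# Constructed sample register (hypothetical risks and control credits).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing VPN appliance", "High", "Very High"),
    Risk("Ransomware on file server", "Moderate", "Very High",
         [Control("EDR on all endpoints", likelihood_steps=1)]),
    Risk("Credential stuffing against customer portal", "Very High", "Moderate"),
    Risk("Business email compromise / payment fraud", "High", "High",
         [Control("Phishing-resistant MFA", likelihood_steps=2),
          Control("Dual authorization on payments", impact_steps=1)]),
    Risk("Lost unencrypted laptop", "Moderate", "High",
         [Control("Full-disk encryption", impact_steps=2)]),
]

if __name__ == "__main__":
    card = scorecard(SAMPLE_RISKS)
    for lvl in reversed(LEVELS):
        print(f"{lvl:>9}: inherent {card['inherent'][lvl]}  residual {card['residual'][lvl]}")
    for name, inh, res in card["ranked"]:
        print(f"  residual {res:>9} (inherent {inh:>9})  {name}")
```

The scorecard deliberately reports both columns: the inherent count tells executives what the exposure would be if controls failed, while the residual ordering is what drives the remediation queue. Note the VPN appliance stays Very High because no control has been applied to it yet; that is the line item the scorecard should make impossible to ignore.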

This example is from my previous blog post/video on how to make a Personal Cyber Safety Scorecard.

Helpful Resource: create_threat_model

To advance your career development, both by getting more technical and by getting hands-on experience with risk assessments, check out this awesome AI prompt by Daniel Miessler, grounded in his Everyday Threat Modelling essay. It's a great read from a seasoned 20-year practitioner and a powerful tool for risk assessments.

Another Helpful Resource: You Are a Target Poster

Another great resource to help make your comprehension of cybersecurity risk assessments more applied and specific to everyday life is this poster from SANS, based on the work by journalist Brian Krebs.

Most people don't think of themselves as a target for hackers or cybercriminals. We imagine we're too unimportant, or that our data and assets aren't valuable enough to attract interest. The reality is that nearly everyone is a potential target in today's hyper-connected digital world. Work like this is another reason GRC careers are compelling.

Question: What’s the Most Important Input to the Cybersecurity Risk Assessment Process?

Answer: An understanding of the information system.

Ideally you’ve operated or designed one. If you haven’t, load up technical competencies in your Career Development Plan.

Risk Assessment Template
