Assessing Risk: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary Tag: Reverted |
No edit summary |
||
| (16 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
= The | [[Cybersecurity]] > Assessing Risk | ||
= The Risk Matrix = | |||
Provides a numerical assessment or risks posed by threats to the CIA triad. | Provides a numerical assessment or risks posed by threats to the CIA triad. | ||
{| | {| | ||
|Impact ➡️ | |Impact ➡️ | ||
Likelihood ⬇️ | |||
| Confidentiality | | Confidentiality | ||
| Integrity | | Integrity | ||
| Availability | | Availability | ||
|- | |- | ||
| high | | high | ||
| Line 30: | Line 33: | ||
| 0 | | 0 | ||
|} | |} | ||
==Likelihoods:== | |||
* High - Easy, Well known exploit. | |||
* Medium - Requires expert knowledge to implement, could be performed by state actor. | |||
* Low - Requires insider knowledge to implement. | |||
* Theoretical - No proven path at this time to exploit the venerability. | |||
The numbers in this matrix will ultimately adjusted to an organizations tolerance to each factor of the CIA triad. | |||
= Swiss cheese model = | |||
When applied to cybersecurity the [https://en.wikipedia.org/wiki/Swiss_cheese_model Swiss Cheese Model] states that vulnerability can only be exploited if holes in the layers of defense are aligned. | |||
For example: | |||
* Poor coding practices. | |||
::* Not using an application firewall. | |||
:::* Providing root access to the database. | |||
When combined these provide a path for the attacker through "holes" in the cheese. | |||
If any of these holes are patched, the vulnerability may be protected from exploitation. | |||
Providing additional layers provides more protection. | |||
[[The Goal of Risk Management]] | |||
[[Where does risk originate]] | |||
Latest revision as of 23:57, 16 May 2025
Cybersecurity > Assessing Risk
The Risk Matrix
Provides a numerical assessment or risks posed by threats to the CIA triad.
| Impact ➡️
Likelihood ⬇️ |
Confidentiality | Integrity | Availability |
| high | 5 | 4 | 3 |
| Medium | 4 | 3 | 2 |
| Low | 3 | 2 | 1 |
| Theoretical | 2 | 1 | 0 |
Likelihoods:
- High - Easy, Well known exploit.
- Medium - Requires expert knowledge to implement, could be performed by state actor.
- Low - Requires insider knowledge to implement.
- Theoretical - No proven path at this time to exploit the venerability.
The numbers in this matrix will ultimately adjusted to an organizations tolerance to each factor of the CIA triad.
Swiss cheese model
When applied to cybersecurity the Swiss Cheese Model states that vulnerability can only be exploited if holes in the layers of defense are aligned.
For example:
- Poor coding practices.
- Not using an application firewall.
- Providing root access to the database.
When combined these provide a path for the attacker through "holes" in the cheese.
If any of these holes are patched, the vulnerability may be protected from exploitation.
Providing additional layers provides more protection.
