Assessing Risk: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
|||
| Line 69: | Line 69: | ||
Providing additional layers provides more protection. | Providing additional layers provides more protection. | ||
= The Goal of Risk Management in Cybersecurity = | = The Goal of Risk Management in Cybersecurity = | ||
Revision as of 23:50, 16 May 2025
Cybersecurity > Assessing Risk
The Risk Matrix
Provides a numerical assessment or risks posed by threats to the CIA triad.
| Impact ➡️
Likelihood ⬇️ |
Confidentiality | Integrity | Availability |
| high | 5 | 4 | 3 |
| Medium | 4 | 3 | 2 |
| Low | 3 | 2 | 1 |
| Theoretical | 2 | 1 | 0 |
Likelihoods:
- High - Easy, Well known exploit.
- Medium - Requires expert knowledge to implement, could be performed by state actor.
- Low - Requires insider knowledge to implement.
- Theoretical - No proven path at this time to exploit the venerability.
The numbers in this matrix will ultimately adjusted to an organizations tolerance to each factor of the CIA triad.
Swiss cheese model
When applied to cybersecurity the Swiss Cheese Model states that vulnerability can only be exploited if holes in the layers of defense are aligned.
For example:
- Poor coding practices.
- Not using an application firewall.
- Providing root access to the database.
When combined these provide a path for the attacker through "holes" in the cheese.
If any of these holes are patched, the vulnerability may be protected from exploitation.
Providing additional layers provides more protection.
The Goal of Risk Management in Cybersecurity
- Risk cannot be completely eliminated.
- Providing additional layers of security (layers of cheese) reduces the likelihood of an attack.
Additional layers however create additional problems:
- More room for configuration errors (most outages result from human error)
- More expertise and expense to manage the system
- More latency or outages.
