Understanding Risk Management In Cybersecurity

Risk management in cybersecurity involves the selection and specification of security controls for an organization. It is part of an ongoing organization-wide information security program that involves the management of the risk to the organization or to individuals associated with the operation of a system.


Image is a diagram of the Risk Management Process. There are five small circles, arranged in a circle representing the risk management process. Each circle is connected to the next by arrows pointing clockwise. Within the top circle is Risk Identification: identify assets, vulnerabilities, threats. The second circle is Risk Assessment: score, weigh, prioritize risks. In the third circle is Risk Response Planning: determine risk response, plan actions. In the fourth circle is Response Implementation: implement the response. In the fifth circle is Monitor and Assess Results: continuous risk monitoring and response evaluation. The last arrow points back to the first circle.

A Risk Management Process

Risk is determined as the relationship between threat, vulnerability, and the nature of the organization. It first involves answering the following questions as part of a risk assessment:

  • Who are the threat actors who want to attack us?
  • What vulnerabilities can threat actors exploit?
  • How would we be affected by attacks?
  • What is the likelihood that different attacks will occur?

NIST Special Publication 800-30 describes risk assessment as:

…the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.

The full publication is available for download from NIST.

A mandatory activity in risk assessment is the identification of threats and vulnerabilities and the matching of threats with vulnerabilities in what is often called threat-vulnerability (T-V) pairing. The T-V pairs can then be used as a baseline to indicate risk before security controls are implemented. This baseline can then be compared with ongoing risk assessments as a means of evaluating risk management effectiveness. This part of risk assessment is referred to as determining the inherent risk profile of an organization.

After the risks are identified, they may be scored or weighted as a way of prioritizing risk reduction strategies. For example, a vulnerability that pairs with multiple threats can receive a higher rating, and T-V pairs that map to the greatest institutional impact also receive higher weightings.

The table lists the four potential ways to respond to risks that have been identified, based on their weightings or scores.

Risk response | Description
Risk avoidance
  • Stop performing the activities that create risk.
  • A risk assessment may find that the risk involved in an activity outweighs the benefit of the activity to the organization.
  • If so, it may be determined that the activity should be discontinued.
Risk reduction
  • Decrease the risk by taking measures to reduce vulnerability.
  • This involves implementing the security management practices covered later in this article (vulnerability, asset, configuration, and patch management).
  • For example, if an organization uses server operating systems that are frequently targeted by threat actors, risk can be reduced through ensuring that the servers are patched as soon as vulnerabilities have been identified.
Risk sharing
  • Shift some of the risk to other parties.
  • For example, a risk-sharing technique might be to outsource some aspects of security operations to third parties.
  • Contracting a security as a service (SECaaS) provider's CSIRT to perform security monitoring is an example.
  • Another example is to buy insurance that will help to mitigate some of the financial losses due to a security incident.
Risk retention
  • Accept the risk and its consequences.
  • This strategy is acceptable for risks that have low potential impact and relatively high cost of mitigation or reduction.
  • Other risks that may be retained are those that are so dramatic that they cannot realistically be avoided, reduced, or shared.
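The following Python is an added worked example, not part of the original article, that carries the steps above through in code: it forms T-V pairs, scores each pair as likelihood x impact with the extra weighting for vulnerabilities that pair with several threats, picks one of the four responses from the table, and compares the inherent (pre-control) baseline with the residual view once implemented controls are credited. The 1..5 scales, the response thresholds, the one-step likelihood credit per control, and all actors, assets and vulnerabilities are constructed assumptions for illustration.

```python
"""Risk register: T-V pairing, scoring, response choice, inherent vs residual.
Added example; scales, thresholds, actors and vulnerabilities are constructed."""
from collections import Counter
from dataclasses import dataclass
from itertools import product

# 1..5 ordinal scales, as in a typical qualitative risk matrix (assumption).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass(frozen=True)
class Threat:
    actor: str
    capability: str        # LIKELIHOOD key: how likely this actor is to act
    exploits: frozenset    # vulnerability classes this actor is known to use

@dataclass(frozen=True)
class Vulnerability:
    vid: str
    vuln_class: str
    asset: str
    impact: str            # IMPACT key: consequence if exploited on this asset
    controls: tuple = ()   # controls already in place (credited in residual view)

def pair_threats_with_vulnerabilities(threats, vulns):
    """T-V pairing: a pair exists only when the actor exploits that vulnerability
    class. A vulnerability no actor exploits is not a risk in this model."""
    return [(t, v) for t, v in product(threats, vulns) if v.vuln_class in t.exploits]

def score_pair(threat, vuln, threats_per_vuln, control_credit=0):
    """likelihood x impact, +1 per additional actor able to exploit the same
    vulnerability (the 'multiple threats' weighting); each implemented control
    is credited as a one-step drop in likelihood (assumption). Clamped to 1..25."""
    likelihood = max(1, LIKELIHOOD[threat.capability] - control_credit)
    base = likelihood * IMPACT[vuln.impact]
    multi_threat_bonus = threats_per_vuln[vuln.vid] - 1
    return max(1, min(25, base + multi_threat_bonus))

def choose_response(score, mitigation_cost, activity_benefit):
    """Map a score to avoid / reduce / share / retain. Thresholds are an
    assumption; a real program takes them from its risk appetite statement."""
    if score >= 20 and activity_benefit == "low":
        return "avoid"     # risk outweighs the activity's benefit: stop doing it
    if score >= 10:
        return "share" if mitigation_cost == "high" else "reduce"
    if score >= 5 and mitigation_cost == "low":
        return "reduce"
    return "retain"        # low impact and/or expensive to mitigate

def build_register(threats, vulns, mitigation_cost, activity_benefit, with_controls):
    """Per-vulnerability register; the highest-scoring T-V pair sets the rating."""
    pairs = pair_threats_with_vulnerabilities(threats, vulns)
    per_vuln = Counter(v.vid for _, v in pairs)
    register = {}
    for t, v in pairs:
        credit = len(v.controls) if with_controls else 0
        s = score_pair(t, v, per_vuln, credit)
        entry = register.setdefault(v.vid, {"asset": v.asset, "threats": [], "score": 0})
        entry["threats"].append(t.actor)
        entry["score"] = max(entry["score"], s)
    for vid, entry in register.items():
        entry["response"] = choose_response(entry["score"], mitigation_cost[vid], activity_benefit[vid])
    return register

def risk_reduction(inherent, residual):
    """Score drop per vulnerability once controls are credited: the measure of
    risk management effectiveness against the inherent baseline."""
    return {vid: inherent[vid]["score"] - residual[vid]["score"] for vid in inherent}

# Constructed sample data.
THREATS = [
    Threat("ransomware crew", "likely", frozenset({"unpatched-service", "phishing"})),
    Threat("malicious insider", "possible", frozenset({"excess-privilege", "phishing"})),
    Threat("opportunistic scanner", "almost certain", frozenset({"unpatched-service"})),
]
VULNS = [
    Vulnerability("V1", "unpatched-service", "public web server", "severe", ("waf",)),
    Vulnerability("V2", "phishing", "finance mailboxes", "major"),
    Vulnerability("V3", "excess-privilege", "HR database", "moderate", ("quarterly-access-review",)),
    Vulnerability("V4", "legacy-protocol", "lab printer", "negligible"),
    Vulnerability("V5", "unpatched-service", "unused FTP server", "major"),
]
MITIGATION_COST = {"V1": "low", "V2": "high", "V3": "high", "V4": "low", "V5": "low"}
ACTIVITY_BENEFIT = {"V1": "high", "V2": "high", "V3": "high", "V4": "low", "V5": "low"}

if __name__ == "__main__":
    inherent = build_register(THREATS, VULNS, MITIGATION_COST, ACTIVITY_BENEFIT, with_controls=False)
    residual = build_register(THREATS, VULNS, MITIGATION_COST, ACTIVITY_BENEFIT, with_controls=True)
    for vid, e in sorted(inherent.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{vid} {e['asset']:<18} inherent={e['score']:>2} residual={residual[vid]['score']:>2} -> {e['response']}")
    print("reduction:", risk_reduction(inherent, residual))
```

Two things the run shows that the prose only states: V4 (a lab printer running a legacy protocol no modelled actor exploits) never enters the register, because in a T-V model an unpaired vulnerability is not a risk; and the unused FTP server ends up as "avoid" (decommission) while the equally exposed public web server is "reduce", because the response depends on the benefit of the activity, not on the score alone.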

Vulnerability Management

According to NIST, vulnerability management is a security practice that is designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and their exploitation. Proactively managing the vulnerabilities of systems reduces or eliminates the potential for exploitation and involves considerably less time and effort than responding after exploitation has occurred.


Vulnerability management requires a robust means of identifying vulnerabilities based on vendor security bulletins and other information sources such as the CVE list. Security personnel must be competent in assessing the impact, if any, of the vulnerability information they receive. Remediations must be identified, together with an effective means of implementing them and of assessing any unanticipated consequences of the implemented fix. Finally, the fix should be tested to verify that the vulnerability has been eliminated.


Image is a diagram of the Vulnerability Management Life Cycle. There are six small circles, arranged in a larger circle representing phases in the Vulnerability Management Lifecycle. Each circle is connected to the next by arrows pointing clockwise. The phases shown in the circles are Discover, Prioritize Assets, Assess, Report, Remediate, and Verify. The last arrow points back to the Discover phase.

Vulnerability Management Life Cycle

Discover

Inventory all assets across the network and identify host details, including operating systems and open services, in order to identify vulnerabilities. Develop a network baseline. Identify security vulnerabilities on a regular, automated schedule.

Asset Management

Asset management involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise. As part of any security management plan, organizations must know what equipment accesses the network, where that equipment is within the enterprise and logically on the network, and what software and data those systems store or can access. Asset management not only tracks corporate assets and other authorized devices, but also can be used to identify devices that are not authorized on the network.

NISTIR 8011 Volume 2 specifies the detailed records that should be kept for each relevant device and describes potential techniques and tools for operationalizing an asset management process:

  • Automated discovery and inventory of the actual state of devices
  • Articulation of the desired state for those devices using policies, plans, and procedures in the organization’s information security plan
  • Identification of non-compliant authorized assets
  • Remediation or acceptance of device state, possible iteration of desired state definition
  • Repeat the process at regular intervals or continuously
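As an added example (not from the original article or from NIST), the Python below runs one pass of that loop: it takes the actual state produced by automated discovery, compares it with the desired state recorded in the authorized inventory, and sorts devices into the classes the remaining steps act on, namely unauthorized devices, authorized devices that are non-compliant, deviations a risk owner has formally accepted, compliant devices, and inventoried devices discovery did not see. The inventory, the policy fields (approved OS builds, allowed listening ports), the scan results and the acceptance record are all constructed.

```python
"""One pass of the asset management loop: desired state vs discovered state.
Added example; inventory, policy, scan results and acceptances are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class DesiredState:            # what the security plan says a device should look like
    hostname: str
    owner: str
    approved_os: frozenset     # acceptable OS builds for this device
    allowed_ports: frozenset   # services permitted to listen

@dataclass(frozen=True)
class Discovered:              # what automated discovery actually observed
    mac: str
    ip: str
    os: str
    open_ports: frozenset

def findings_for(desired, actual):
    """Deviations of one authorized device from its desired state."""
    findings = []
    if actual.os not in desired.approved_os:
        findings.append(f"os:{actual.os}")
    for port in sorted(actual.open_ports - desired.allowed_ports):
        findings.append(f"port:{port}")
    return findings

def reconcile(inventory, discovered, accepted):
    """inventory: {mac: DesiredState}; discovered: [Discovered];
    accepted: {(mac, finding)} deviations a risk owner has signed off.
    Returns the device classes the rest of the loop acts on."""
    report = {"unauthorized": [], "non_compliant": {}, "accepted": {},
              "compliant": [], "not_seen": []}
    seen = set()
    for host in discovered:
        desired = inventory.get(host.mac)
        if desired is None:                  # on the network but not in inventory
            report["unauthorized"].append(host.mac)
            continue
        seen.add(host.mac)
        findings = findings_for(desired, host)
        accepted_here = [f for f in findings if (host.mac, f) in accepted]
        open_here = [f for f in findings if (host.mac, f) not in accepted]
        if accepted_here:
            report["accepted"][host.mac] = accepted_here
        if open_here:                        # authorized but drifted: remediate
            report["non_compliant"][host.mac] = open_here
        else:                                # desired state met, as amended by acceptances
            report["compliant"].append(host.mac)
    # Inventoried devices discovery did not find: stale record, offline, or removed.
    report["not_seen"] = sorted(set(inventory) - seen)
    return report

# Constructed desired state (the authorized inventory).
INVENTORY = {
    "00:11:22:aa:bb:01": DesiredState("web01", "platform", frozenset({"Ubuntu 22.04"}), frozenset({22, 443})),
    "00:11:22:aa:bb:02": DesiredState("db01", "data", frozenset({"RHEL 9"}), frozenset({22, 5432})),
    "00:11:22:aa:bb:03": DesiredState("hr-laptop-7", "hr", frozenset({"Windows 11"}), frozenset()),
    "00:11:22:aa:bb:04": DesiredState("printer-2f", "facilities", frozenset({"PrinterOS 4.1"}), frozenset({631, 9100})),
    "00:11:22:aa:bb:06": DesiredState("backup01", "platform", frozenset({"RHEL 9"}), frozenset({22})),
}
# Constructed discovery results, e.g. from a scheduled scan.
SCAN = [
    Discovered("00:11:22:aa:bb:01", "10.0.1.10", "Ubuntu 22.04", frozenset({22, 443})),
    Discovered("00:11:22:aa:bb:02", "10.0.1.20", "RHEL 9", frozenset({22, 5432, 8080})),
    Discovered("00:11:22:aa:bb:03", "10.0.2.57", "Windows 10", frozenset()),
    Discovered("00:11:22:aa:bb:04", "10.0.2.200", "PrinterOS 4.1", frozenset({80, 631, 9100})),
    Discovered("de:ad:be:ef:00:01", "10.0.2.99", "Android 13", frozenset()),
]
# Constructed risk acceptance: the printer's web admin page is allowed to stay reachable.
ACCEPTED = {("00:11:22:aa:bb:04", "port:80")}

if __name__ == "__main__":
    for category, members in reconcile(INVENTORY, SCAN, ACCEPTED).items():
        print(f"{category:<14} {members}")
```

Keying the inventory by MAC address is a simplification: MACs can be spoofed or randomized (modern mobile OSes randomize them per SSID), so a production system would correlate several identifiers (agent ID, certificate, serial number) before deciding a device is authorized.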

Mobile Device Management

Mobile device management (MDM), especially in the age of BYOD, presents special challenges to asset management. Mobile devices cannot be physically controlled on the premises of an organization. They can be lost, stolen, or tampered with, putting data and network access at risk. Part of an MDM plan is acting when devices leave the custody of the responsible party. Measures that can be taken include disabling the lost device, encrypting the data on the device, and enhancing device access with more robust authentication measures.

Due to the diversity of mobile devices, it is possible that some devices that will be used on the network are inherently less secure than others. Network administrators should assume that all mobile devices are untrusted until they have been properly secured by the organization.

MDM systems, such as Cisco Meraki Systems Manager, shown in the figure, allow security personnel to configure, monitor and update a very diverse set of mobile clients from the cloud.

The image is a screenshot of the Cisco Meraki management dashboard. The screenshot displays information about a wireless client. Information shown includes Status: date last seen, SSID, Access point, splash screen, signal strength, device type and capabilities. There is a map showing the client location, a graph showing the usage for the last day. At the bottom of the screenshot, there is a section for policies in effect for the client, network information including IPv4, IPv6, and MAC addresses. At the far right of the screen is a graph of ping response times.

Configuration Management

Configuration management addresses the inventory and control of hardware and software configurations of systems. Secure device configurations reduce security risk. For example, an organization provides many computers and laptops to its workers. This enlarges the attack surface for the organization, because each system may be vulnerable to exploits. To manage this, the organization may create baseline software images and hardware configurations for each type of machine. These images may include a basic package of required software, endpoint security software, and customized security policies that restrict user access to the parts of the system configuration that could otherwise be weakened. Hardware configurations may specify the permitted types of network interfaces and the permitted types of external storage.

Configuration management extends to the software and hardware configuration of networking devices and servers as well. As defined by NIST, configuration management:

Comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.

NIST Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems, is available for download from NIST.

For internetworking devices, software tools are available that will back up configurations, detect changes in configuration files, and enable bulk changes of configuration across a number of devices.

With the advent of cloud data centres and virtualization, the management of numerous servers presents special challenges. Tools like Puppet, Chef, Ansible, and SaltStack enable efficient management of servers that are used in cloud-based computing.
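The change-detection part of that tooling is simple enough to show. The Python below is an added example, not code from the original article or from any of the named products: it compares a device's running configuration with its approved baseline, ignores lines that change on every save (timestamps and comments), lists what was added and removed, and raises an alert for changes on a watchlist of settings that weaken the device. Both configurations use constructed IOS-style syntax, the community string is made up, and the watchlist is the editor's own choice rather than a vendor hardening list.

```python
"""Configuration drift detection for a network device against its baseline.
Added example; both configurations and the security watchlist are constructed."""
import re

# Approved baseline and a later running config (constructed, IOS-style syntax).
BASELINE = """\
! Last configuration change at 09:12:03 UTC Mon Jan 8 2024
hostname edge-rtr-1
service password-encryption
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class 10 in
snmp-server community r3ad0nly-x7 RO 20
"""
RUNNING = """\
! Last configuration change at 14:51:40 UTC Tue Jan 9 2024
hostname edge-rtr-1
no service password-encryption
ip http server
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 access-class 10 in
snmp-server community public RO
"""

# Lines that change on every save and never count as drift.
VOLATILE = (re.compile(r"^!"),)

# Editor's watchlist (an assumption, not a vendor list): settings whose presence
# in a running config is a security regression worth an alert, not just a diff line.
SECURITY_WATCH = {
    "cleartext passwords in config": re.compile(r"^no service password-encryption$"),
    "http management enabled": re.compile(r"^ip http server$"),
    "telnet allowed on vty": re.compile(r"^\s*transport input .*\btelnet\b"),
    "default snmp community": re.compile(r"^snmp-server community (public|private)\b"),
}

def normalize(config):
    """Drop trailing whitespace, blank and volatile lines. Leading indentation is
    kept because it carries meaning in IOS-style configs (sub-commands of a block)."""
    out = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or any(p.match(line) for p in VOLATILE):
            continue
        out.append(line)
    return out

def drift(baseline, running):
    """Lines present in one config but not the other, in config order."""
    b, r = normalize(baseline), normalize(running)
    added = [line for line in r if line not in b]
    removed = [line for line in b if line not in r]
    return added, removed

def security_regressions(config):
    """(name, line) for every watchlisted setting found in the config."""
    hits = []
    for line in normalize(config):
        for name, pattern in SECURITY_WATCH.items():
            if pattern.search(line):
                hits.append((name, line.strip()))
    return hits

def check(baseline, running):
    added, removed = drift(baseline, running)
    return {"added": added, "removed": removed,
            "regressions": security_regressions(running)}

if __name__ == "__main__":
    result = check(BASELINE, RUNNING)
    for line in result["removed"]:
        print("-", line)
    for line in result["added"]:
        print("+", line)
    for name, line in result["regressions"]:
        print(f"ALERT {name}: {line}")
```

A plain diff would report every one of the eight changed lines with equal weight; the watchlist is what turns "the config changed" into "management is now reachable over HTTP and Telnet with a default SNMP community", which is the finding an operator needs to act on first.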

Enterprise Patch Management

Patch management is related to vulnerability management. Vulnerabilities frequently appear in critical client, server, and networking device operating systems and firmware. Application software, especially internet-facing applications and runtimes such as Acrobat, Flash, and Java, is also frequently found to have vulnerabilities. Patch management involves all aspects of software patching, including identifying required patches, then acquiring, distributing, installing, and verifying that the patch is installed on all required systems. Installing patches is frequently the most effective way to mitigate software vulnerabilities. Sometimes it is the only way to do so.


Patch management is required by some compliance regulations, such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Failure to implement patches in a systematic and timely manner could result in audit failure and penalties for non-compliance. Patch management depends on asset management data to identify systems that are running software that requires patching. Patch management software is available from companies such as SolarWinds and LANDesk (now Ivanti). Microsoft System Center Configuration Manager (SCCM, now Microsoft Configuration Manager) is an enterprise-level tool for automated distribution of patches to a large number of Microsoft Windows workstations and servers.

Image is a screenshot of the SolarWinds Patch Manager summary screen. Shown in the screenshot are a list of Nodes Managed by WSUS Servers, a pie chart showing the Operating System Overview by vendor and type, a pie chart showing an overview of Desktop Node Health, a list of all patches available grouped by company title and severity, and a pie chart showing the Top Ten Patches Missing, with a list of the patch names and the number of nodes missing the updates.

Patch Management Techniques

Agent-based: This approach requires a software agent to be running on each host to be patched. The agent reports which software, and which versions, are installed on the host. The agent communicates with the patch management server, determines whether patches exist that require installation, and installs them. The agent runs with sufficient privileges to allow it to install the patches. Agent-based approaches are the preferred means of patching mobile devices.
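The Python below is an added example, not from the original article or any named product, covering the identify-assess-remediate-verify steps from the Vulnerability Management section and the "identify required patches ... verify the patch is installed" steps of patch management: it matches the software versions reported by each host's agent against vendor bulletins using numeric version comparison, prioritizes findings by CVSS score times asset criticality, simulates the agent installing the fixed version, and re-runs the check to verify nothing remains. The hosts, the product names, the bulletin identifiers and their affected ranges are all constructed and hypothetical, not real advisories.

```python
"""Match agent-reported software versions against bulletins, prioritize, patch, verify.
Added example; hosts, products, bulletin IDs and ranges are constructed and hypothetical."""
import copy
import re

# Constructed agent reports: {host: {"criticality": 1..5, "software": {product: version}}}
HOSTS = {
    "web01": {"criticality": 3, "software": {"acme-httpd": "2.4.57", "acme-ssh": "9.3"}},
    "db01": {"criticality": 5, "software": {"acme-ssh": "9.6", "acme-db": "15.4"}},
    "hr-laptop-7": {"criticality": 2, "software": {"reader-pro": "23.1.2", "acme-ssh": "7.9"}},
}
# Constructed vendor bulletins; affected is the half-open range [first_affected, fixed_in).
BULLETINS = [
    {"id": "BULL-0001", "product": "acme-ssh", "affected": ("8.0", "9.6"), "cvss": 7.5},
    {"id": "BULL-0002", "product": "acme-db", "affected": ("15.0", "15.5"), "cvss": 8.8},
    {"id": "BULL-0003", "product": "reader-pro", "affected": ("23.0", "23.2"), "cvss": 7.8},
    {"id": "BULL-0004", "product": "acme-httpd", "affected": ("2.4.0", "2.4.50"), "cvss": 9.8},
]

def parse_version(v):
    """Dotted version -> tuple of ints; non-numeric parts sort as 0 (assumption).
    Never compare versions as strings: "9.10" < "9.6" lexically but not numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def version_lt(a, b):
    """True if a < b, padding the shorter tuple so that 9.6 == 9.6.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))

def is_affected(installed, bulletin):
    first, fixed = bulletin["affected"]
    return not version_lt(installed, first) and version_lt(installed, fixed)

def find_required_patches(hosts, bulletins):
    """One finding per (host, bulletin) whose installed version falls in the
    affected range; priority = CVSS x asset criticality, highest first."""
    findings = []
    for host, info in hosts.items():
        for b in bulletins:
            installed = info["software"].get(b["product"])
            if installed is not None and is_affected(installed, b):
                findings.append({
                    "host": host, "product": b["product"], "installed": installed,
                    "bulletin": b["id"], "fixed_in": b["affected"][1],
                    "priority": round(b["cvss"] * info["criticality"], 1),
                })
    findings.sort(key=lambda f: (-f["priority"], f["host"]))
    return findings

def simulate_agent_install(hosts, findings):
    """Stand-in for the agent installing the fixed version (constructed; a real
    agent runs the vendor installer). Returns the post-patch inventory, which is
    then fed back through find_required_patches() as the verification step."""
    patched = copy.deepcopy(hosts)
    for f in findings:
        patched[f["host"]]["software"][f["product"]] = f["fixed_in"]
    return patched

if __name__ == "__main__":
    todo = find_required_patches(HOSTS, BULLETINS)
    for f in todo:
        print(f"{f['priority']:>5} {f['host']:<12} {f['product']} {f['installed']} -> {f['fixed_in']} ({f['bulletin']})")
    after = simulate_agent_install(HOSTS, todo)
    print("still vulnerable after patching:", find_required_patches(after, BULLETINS))
```

Note the two boundary cases the data exercises: db01 already runs the fixed version of acme-ssh and web01 runs a version newer than the httpd fix, so neither is flagged, while hr-laptop-7's older acme-ssh sits below the affected range and is also correctly skipped. Verification is simply the same check run again against the agent's post-install report, which is what the "verify" phase of the life cycle amounts to in practice.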

About the author: Adeniyi Salau