Ruslan Rakhmetov, Security Vision
2.1 Introduction
This chapter explains the fundamental principles of cyber risk assessment and management. Risk assessment is discussed from both a domestic perspective and from the perspective of managing complex systems, and a number of risk assessment methodologies are described, highlighting their possible applications and limitations. This chapter shows how and why effective cyber risk management enables cyber security, and considers the impact of human factors on risk assessment. It also discusses the importance of responding correctly to a cyber incident if the risk could not be prevented from occurring.
2.2 What is risk?
In general, risk is a high-level philosophical concept that can be defined in this way:
Risk is the probability that events or someone's actions will lead to consequences that will affect a person's values (interests, assets).
To measure risk, the values at stake must be measured and indicators assessed that help quantify and manage the level of risk. This requires three abstract high-level elements:
- consequences that will affect values;
- the probability of those consequences (as a measure of uncertainty);
- a formula that links consequences and probability.
The main difficulty in risk management is the challenge of making explicit assumptions and finding a balance between subjective risk perception and objective evidence. Thus, risk assessment is the process of gathering observations and assumptions that can be justified by logical reasoning or comparisons with actual consequences. On the other hand, risk management is the process of developing and evaluating options to address risk in a way that is acceptable to people whose values (interests, assets) may be affected, recognizing that different options for addressing risk may receive different levels of support or disapproval from stakeholders. Risk management is a set of continuous processes and principles that ensure that individuals are responsible and aware of the possible risks that may be realized in the case of performing certain actions. Risk management is a framework for collective decision-making that encompasses risk assessment and management, including consideration of the legal, social, organizational and economic contexts of risk assessment.
2.3 Why is risk assessment and management important?
There are three main components to a risk assessment:
- identifying the hazard and calculating its level (if possible);
- assessing the level of vulnerability and/or exposure;
- calculating the level of risk, taking into account its probability and severity.
Hazard identification involves identifying negative events and the results of their occurrence. Hazard calculation involves determining the severity of the impact of the results of negative events. Exposure refers to aspects of the system (e.g., system users, devices, databases) that are accessible to attackers. Vulnerability refers to the attributes of these aspects that can be targeted (e.g., flaws, bugs, exploits). The calculation of the risk level can be quantitative (e.g., probabilistic) or qualitative (e.g., scenario-based). The result of the risk level calculation will be the expected negative impact that could result from the occurrence of negative events. When assessing risk, it is important to use analytical and structured processes to obtain information that relates to the values (interests, assets) being protected, the likelihood of the realization of desirable and undesirable events, and an assessment of the likely outcomes of the occurrence of negative events and their impact. An important and often underestimated part of risk assessment is the assessment of the level of concern of the company's stakeholders about likely hazards, the consequences of risk exposure, the fears and prejudices of managers, and the level of trust in risk managers.
Risk management involves evaluating the information gathered during the risk assessment phase, which forms the basis for selecting one of three verdicts for each risk under consideration:
- Intolerable: the risky aspect of the system should be eliminated or replaced, and if this is not possible, the number of vulnerabilities and the exposure should be reduced.
- Tolerable: using reasonable and appropriate methods, risks are reduced to As Low As Reasonably Possible (ALARP) or As Low As Reasonably Allowable (ALARA) levels. The methods of reduction can be mitigation, risk sharing or risk transfer; the choice depends on the company's risk appetite.
- Acceptable: risk mitigation is not necessary and no further action on the risk is required. Moreover, risk can be used to exploit opportunities ("positive risk" or "upside risk"), so the result of a risk decision may be to accept and exploit the risk rather than reduce it.
In addition to the approach described above, separate risk management techniques should be applied to the following four risk types:
- Regular risks: these are handled in accordance with the company's standard decision-making process. Necessary data and statistics are provided, desired outcomes and tolerance levels are defined, and risk mitigation measures are implemented and applied.
- Complex risks: if the risks are not obvious, it may be necessary to include a broader set of evidence and use comparative approaches such as cost-benefit analysis or cost-effectiveness analysis.
- Uncertain risks: if a high degree of uncertainty is present, a continuous and managed approach to system design should be adopted in which negative side effects can be contained and rolled back. It is important to ensure that the system is resilient to uncertain outcomes of events.
- Ambiguous risks: if a large number of stakeholders interpret the risk in different ways (e.g. there are different views or a lack of agreement on management issues), then risk management should include dealing with the reasons for the different views.
The authors of the book emphasize that it is important to assess risks adequately and objectively, especially given cognitive biases, gaps in expert knowledge and the subjective perception of potentially dangerous situations. For example, people tend to attach greater importance to extremely dangerous but rare situations (e.g., airplane crashes or man-made accidents), while the probability of more common risks (a car accident or a household injury) being realized is much higher. In the business environment, sound risk management enables decision makers to make risk-oriented decisions based on transparent and understandable information about the status of risks. In addition to managers, the importance of risk management must be communicated to rank-and-file staff, who must understand the goals and objectives of the risk management plan being implemented, including the secure configuration of the systems for which they are responsible. However, risks cannot always be eliminated completely, so some level of residual risk will remain. Decision makers, who are accountable for errors in risk handling, determine the level of risk tolerance and choose how each risk is handled (acceptance, avoidance, mitigation, separation, transfer). Executives and rank-and-file employees (administrators and operators of specific IT systems) may perceive the criticality and value of a system, its risks, and how to protect it differently, so as part of risk assessment and management it is important to communicate the decisions made to all responsible parties, which increases their involvement in the risk management process. Finally, the risk management process must not be based only on compliance requirements and ticking off questionnaires: such a formal approach will not benefit the company and only gives a false sense of security.
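As an added illustration of the risk-level calculation, the three verdicts and the cost-effectiveness comparison described above (example code written for this summary, not code from the chapter or from Security Vision), the following Python sketch models the risk level as expected annual loss, probability x exposure x vulnerability x severity, which is one assumed instance of the "formula linking consequences and probability"; the appetite thresholds, register entry and treatment options are constructed values.

```python
from dataclasses import dataclass, replace
# Risk appetite thresholds as expected annual loss (constructed values, not from the chapter):
# at or above the first a risk is intolerable, below the second acceptable, in between tolerable.
INTOLERABLE_FROM = 100_000
ACCEPTABLE_BELOW = 5_000

@dataclass
class Risk:
    name: str
    probability: float    # annual likelihood that the negative event occurs (0..1)
    severity: float       # loss if it occurs, in currency units
    exposure: float       # share of the asset reachable by the threat (0..1)
    vulnerability: float  # share of attempts that succeed against it (0..1)
    def level(self) -> float:
        """Risk level as expected annual loss: probability x exposure x vulnerability x severity."""
        return self.probability * self.exposure * self.vulnerability * self.severity

@dataclass
class Treatment:
    name: str
    annual_cost: float
    vulnerability_factor: float = 1.0  # mitigation that lowers vulnerability (e.g. patching)
    severity_factor: float = 1.0       # mitigation or transfer that lowers impact (backups, insurance)
    def apply(self, risk: Risk) -> Risk:
        """Residual risk left after this treatment is applied."""
        return replace(risk, vulnerability=risk.vulnerability * self.vulnerability_factor,
                       severity=risk.severity * self.severity_factor)

def verdict(expected_loss: float) -> str:
    """Map a risk level to the chapter's three verdicts."""
    if expected_loss >= INTOLERABLE_FROM:
        return "intolerable"
    return "tolerable" if expected_loss >= ACCEPTABLE_BELOW else "acceptable"

def cost_effectiveness(risk: Risk, treatment: Treatment) -> float:
    """Expected loss avoided per unit of annual cost (the cost-effectiveness comparison)."""
    return (risk.level() - treatment.apply(risk).level()) / treatment.annual_cost

def choose_treatment(risk: Risk, options: list):
    """No treatment for acceptable risks; otherwise the most cost-effective option whose
    residual risk is no longer intolerable; None means no single option suffices: escalate."""
    if verdict(risk.level()) == "acceptable":
        return None
    viable = [t for t in options if verdict(t.apply(risk).level()) != "intolerable"]
    return max(viable, key=lambda t: cost_effectiveness(risk, t), default=None)

RANSOMWARE = Risk("ransomware on file server", 0.5, 500_000, 1.0, 0.6)  # constructed register entry
OPTIONS = [Treatment("patch management", 30_000, vulnerability_factor=0.5),  # constructed options
           Treatment("offline backups", 20_000, severity_factor=0.25),
           Treatment("cyber insurance (transfer)", 40_000, severity_factor=0.4)]
```

For the constructed entry the untreated level is 150,000 (intolerable); offline backups bring it to 37,500 (tolerable) at the best reduction per unit cost, and the residual is what the risk owner then formally accepts.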
2.4 What is cyber risk assessment and management?
In the previous paragraphs, we discussed general concepts that apply to any type of risk. Cyber risks are described in terms of their components:
- Threats and hazards: threats refer to intruders (external and internal perpetrators) and hazards refer to events that can occur and cause damage to values (interests, assets).
- Threat components: capabilities (attackers' skills, techniques, resources), objectives (what the attacker wants to accomplish, from stealing data to disrupting technological processes), motivation (what drives the attacker, e.g., desire for illicit enrichment, vanity, or a political statement), and opportunity (e.g., availability of the attack method, a vulnerability, or an insider's legitimate access to the system).
- Probability: the likelihood that something bad happens.
- Vulnerability: a weakness in a system that can be exploited by an attacker or affected by a hazard.
- Protection measure: technical and non-technical methods used to mitigate identified risks. Measures may be procedural (organizational), physical, personnel-related or technical.
- Business impact: the consequences of the realization of a risk, which may include compromising the integrity, confidentiality or availability of information, or other harm (e.g., equipment failure or reputational damage).
- Risk appetite: the amount of risk that a company is willing to accept in order to achieve its objectives (a notional level above which risk should not rise).
- Risk assessment: identification of risk components (threats, hazards, vulnerabilities, probability of realization), analysis of the potential impact of the risk on the business, identification of possible ways of treating the risk and selection of the most appropriate ones, and transfer of results and recommendations to stakeholders.
2.5 Strategic risk management
2.5.1 What is strategic risk management and why is it necessary?
Risk assessment and management procedures will only be effective if a strategic risk governance model is in place. There are different models of strategic risk management:
- Technocratic: risk management policies are based on scientific data and objective evidence;
- Decisionistic: risk management policies rely not only on objective data but also on other factors (e.g. social and economic);
- Transparent: the context for risk management relies on a wide range of inputs from different stakeholder groups.
When assessing risk perceptions, participants rely on four elements in their decisions:
- intuitive judgments about probabilities and damage levels;
- contextual factors of the perceived risk characteristics (e.g., understanding of the nature of the risk, ability to control the risk);
- meaningful associations related to the source of the risk, the people involved, and the circumstances in which the risk is encountered;
- trust in, and competence of, those involved in the risk discussion.
The authors conclude that in order to develop a correct policy of strategic risk management, the discussion group should be represented by employees of different stakeholder departments, and the policy itself should be transparent and understandable. The risk management process should become commonplace and understandable, just like typical business processes, and become firmly embedded in the corporate culture.
2.5.2 Human Factors and Risk Communication
Certain human factors can affect cybersecurity management, e.g., people may not understand how to use antimalware, may not understand the importance of software and data, may not believe a cyberattack is possible, or may not realize that their irresponsible or negligent behavior could result in damage to the company. If staff perceive cyber risk as something abstract and think that assets cannot be attacked, even despite arguments and statistics of cyber incidents, then there is a problem with the company's cybersecurity culture. In general, employees will take the path of least resistance or look for ways to solve a work problem as quickly as possible. As a rule, employees do not comply with cybersecurity rules either because they cannot work in accordance with IS requirements (e.g., there is no technical capability or IS policies and procedures are too extensive and unclear) or because they do not see the point in behaving correctly from an IS perspective (e.g., it is easier for them to bypass imposed resource-intensive rules or they do not agree in principle with the established IS policy). Thus, risk cannot be minimized by technology alone, so it is important to train employees and implement a culture of cybersecurity.
Risk communication plays an important role in strategic risk management and may include the following aspects:
- Training: it is important to raise staff awareness in the context of day-to-day risk management, including risk assessment and management;
- Preparing and inducing behavioral change: the risk knowledge gained during training should lead to changes in internal practices and processes to comply with IS policies;
- Building confidence: confidence in risk management processes and key individuals should be built and maintained through effective risk handling;
- Involvement: stakeholders should be involved in risk decision-making processes by involving them in risk assessment, conflict resolution, and assessing the level of concern of the company's stakeholders;
- Applying risk management rules and principles to everyone without exception: the visible involvement of top managers in the implementation of IS policies and risk management rules will have a beneficial effect on the cybersecurity culture in the company.
2.5.3 IS culture and awareness
It is important to combine responsibility and accountability for IS compliance with continuous learning and improvement of the company's security posture. It is important that employees can always report concerns, problems or mistakes without fear of reprisal or judgment - the ultimate goal of employees should be to help keep the company safe. Unfortunately, it is often the case that IS policy makers cannot always foresee how these requirements will be met in the real world, and cyber incidents can be caused by ill-conceived IS processes and practices, among other things. An independent team can be formed to handle reports of potential IS breaches or cyber incidents from employees directly (without involving the employee's immediate supervisor). In addition, understanding how to respond and the possible consequences of cyber incidents will reduce staff anxiety and increase the openness of the company's cybersecurity culture.
Implementing the following IS metrics can help assess the level of IS awareness and cybersecurity culture:
- percentage of new employees receiving IS training;
- percentage of current employees who have undergone IS retraining;
- percentage of IS professionals with professional certifications;
- indicator of new skills and knowledge acquired by IS specialists (e.g. average number of IS skills acquired per IS team member, results of seminars and trainings attended by IS specialists);
- a measure of the effectiveness of IS training for employees (e.g., the percentage of employees clicking on test phishing links a few days after training).
2.5.4 Adoption of an IS policy
The risk assessment should identify all the goals and objectives of the system being assessed, listing the relevant business processes. The risk description should list the relationships between vulnerabilities, threats, probabilities and consequences (causes and effects) for each risk. The IS policy should list the individuals and their actions to minimize the identified risks. In order for the IS policy to really work, it is required that the necessary actions be interconnected with the company's operational management processes (similar to financial and human resources processes). A list of risks accepted by the relevant risk owners responsible for risk management should be part of the outcome of the risk assessment and management process.