
Guide to:

Practical Cyber
Risk Management
2023

By Tommy Babel, Co-Founder & CEO


www.cyzea.io
Table of Contents
Cyber Risk Management ................................................................................................2
Cyber Risk Quantification...............................................................................................3
Purpose of this paper ....................................................................................................4
Business Risk ................................................................................................................5
Other Risks ...............................................................................................................5
Cyber Risks ..................................................................................................................6
Inherent Risk ............................................................................................................6
Risk Velocity .............................................................................................................8
Current Risk..............................................................................................................9
Quantifying Risks ........................................................................................................ 10
Threat based Risk Assessment ...................................................................................... 11
Most common cyber-threats .................................................................................... 12
Most common Attack Vectors................................................................................... 13
Risk Assessment framework ......................................................................................... 14
NIST CSF ................................................................................................................. 14
NIST SP800-53 ........................................................................................................ 14
Threat based matrix ................................................................................................ 16
Control Effectiveness Assessment (CEA)..................................................................... 18
Control Maturity Assessment ................................................................................... 21
Capability Maturity Model Integration (CMMI)........................................................ 21
Back to Threat based Risk Assessment .......................................................................... 22
Weighted scoring model .......................................................................................... 23
Normal Distribution model ................................................................................... 25
Business impact analysis .............................................................................................. 27
Appendix A – Inherent Risk matrix ................................................................................ 29
Appendix B – Residual Risk matrix ................................................................................ 30

Cyber Risk Management
Cyber risk management is a crucial process for any organization that has digital assets to
protect. With the growing threat of cyber-attacks, it is important to have a comprehensive
and effective cyber security posture that is based on a solid risk management framework.

The purpose of cyber risk management is to identify potential cyber risks, assess their
likelihood of occurring, and develop strategies to mitigate those risks. This involves identifying
the organization's most critical assets, evaluating the potential impact of cyber-attacks on
those assets, and developing a plan to manage those risks. The ultimate goal is to reduce the
organization's exposure to cyber threats and minimize the potential impact of any cyber
incidents that may occur.

Cyber risk management is significant to any organization that relies on digital assets to
conduct its operations. This includes businesses, government agencies, and non-profit
organizations. The consequences of a cyber-attack can be severe, including loss of sensitive
data, financial loss, reputational damage, and legal liability. By implementing effective cyber
risk management practices, organizations can reduce their exposure to these risks and protect
themselves from potential financial and legal consequences.

Effective cyber risk management requires a combination of technical expertise, risk
management knowledge, and business acumen. It involves a range of activities, including risk
assessment, threat analysis, control identification, control implementation, and ongoing
monitoring and evaluation. These activities must be aligned with the organization's overall
business objectives and must consider the specific cyber threats that are relevant to the
organization's industry, size, and location.

There are several frameworks and methodologies that can be used to guide cyber risk
management practices. The NIST Cybersecurity Framework is a widely recognized framework
that provides a comprehensive approach to managing cyber risks. It includes five key
functions: identify, protect, detect, respond, and recover. Other frameworks, such as ISO
27001, COBIT, and CIS Controls, provide additional guidance on specific aspects of cyber risk
management, such as risk assessment, control implementation, and compliance.

Effective cyber risk management requires a commitment to ongoing improvement and
adaptation. The cyber threat landscape is constantly evolving, and organizations must be
prepared to adapt their cyber risk management practices to address new and emerging
threats. This requires ongoing monitoring of the threat landscape, continuous evaluation of
existing controls, and regular updates to the organization's cyber risk management strategy.

In conclusion, cyber risk management is a critical process that enables organizations to
identify, assess, and manage potential cyber risks. It is essential for any organization that relies
on digital assets to conduct its operations. By implementing effective cyber risk management
practices, organizations can reduce their exposure to cyber threats and protect themselves
from potential financial and legal consequences. To achieve this, organizations must commit
to ongoing improvement and adaptation, and must stay up to date with the latest
developments in the cyber threat landscape.

Cyber Risk Quantification

Cyber risk quantification is the process of assigning numerical values to potential cyber risks
and estimating their potential impact on an organization. This process involves identifying
potential threats and vulnerabilities, assessing their likelihood of occurrence, and determining
their potential impact on an organization's operations, finances, and reputation.

The primary goal of cyber risk quantification is to enable organizations to make informed
decisions about how to allocate resources to mitigate their risks. By quantifying risks,
organizations can prioritize their risk mitigation efforts, justify their investments in
cybersecurity, and communicate their risk profile to stakeholders.

However, there are several challenges associated with cyber risk quantification. One of the
biggest challenges is the lack of reliable data. Cyber risks are constantly evolving, and it can
be difficult to gather accurate and up-to-date data on the likelihood of specific cyber threats
and their potential impact on an organization.

Another challenge is the complexity of cyber risk. Cyber risks are multifaceted and can arise
from a wide range of sources, including external attackers, insiders, and technical failures. This
complexity makes it difficult to accurately quantify risks and can result in uncertainty and
ambiguity in the risk assessment process.

Finally, there is the challenge of accurately assessing the effectiveness of risk mitigation
measures. It can be difficult to determine the extent to which controls are effective in reducing
the likelihood and impact of cyber risks, which can result in inaccurate risk quantification.

Despite these challenges, cyber risk quantification is an essential tool for organizations looking
to effectively manage their cybersecurity risks. By understanding the potential impact of cyber
risks and prioritizing their risk mitigation efforts, organizations can reduce their exposure to
cyber threats and protect themselves from the potentially catastrophic consequences of a
cyber-attack.

Purpose of this paper

This guide offers a simple methodology to help cybersecurity consultants, advisors, and
managers to effectively quantify cyber risks and make informed risk management decisions.

The purpose of this guide is to provide a practical and effective methodology for cybersecurity
consultants, advisors, and managers to quantify cyber risks. The guide is designed to help
these professionals navigate the challenges associated with cyber risk quantification,
including the lack of reliable data, the difficulty of assessing the effectiveness of controls, and
the uncertainty and variability of cyber risks. By using this methodology, cybersecurity
professionals can gain a better understanding of their organization's cyber risks and develop
more effective risk management strategies.

Business Risk
Business risk refers to the possibility that a company's operations, strategies, or investments
may result in financial loss or failure. This risk arises from both internal and external factors
that can affect a company's performance and profitability.

Internal factors that can increase business risk include poor management decisions,
operational inefficiencies, inadequate financial controls, and insufficient resources. External
factors that can increase business risk include changes in market conditions, economic
downturns, regulatory changes, natural disasters, and competition.

Business risk is an inherent part of any business activity, and managing it effectively is essential
to ensure long-term success. Companies can mitigate business risk by implementing sound
risk management practices, diversifying their operations and investments, maintaining
financial flexibility, and staying attuned to changes in the market and industry.

Other Risks
A company may face various other types of risks besides business risk. Some of the most
common types of risks that companies face include:

- Financial Risk: This type of risk relates to a company's ability to meet its financial
obligations, including debt repayment, cash flow management, and investment
decisions.
- Operational Risk: This type of risk is associated with the day-to-day operations of a
company, including supply chain disruptions, employee fraud, technology failures,
and other operational challenges.
- Strategic Risk: This type of risk is associated with a company's strategic decisions and
may arise from market shifts, changes in customer preferences, or competitive
pressures.
- Legal and Regulatory Risk: This type of risk is associated with potential legal and
regulatory actions, including lawsuits, fines, penalties, and reputational damage.
- Environmental and Social Risk: This type of risk is associated with a company's impact
on the environment and society, including environmental disasters, public perception,
and changing consumer preferences.

It's important for companies to identify and manage these risks effectively to minimize their
impact on the company's financial performance and reputation. Companies can use risk
management techniques such as risk assessments, risk mitigation strategies, and risk
monitoring to manage these risks.

Cyber Risks
Cyber risk is a type of operational risk that arises from the use of technology and the internet
in business operations. Cyber risk refers to the potential financial loss or damage to a
company's reputation due to a cyber-attack, data breach, or other malicious cyber activity.

Cyber risks can take many forms, including hacking, malware, phishing, social engineering,
ransomware, and other forms of cybercrime. These risks can result in the theft of sensitive
data, financial loss, disruption of business operations, and damage to a company's reputation.

Cyber risk is an increasingly significant concern for companies of all sizes and in all industries,
as more business operations move online and rely on digital technology.

Inherent Risk
Inherent risk is the level of risk that exists in an organization's operations, systems, or
processes without any controls or mitigation measures in place. It is the risk that exists
inherently in an activity or operation, regardless of any risk management efforts.

Inherent risk is influenced by various factors such as the nature of the business, the complexity
of the operations, the external environment, and the quality of management. Inherent risk is
typically assessed at the beginning of the risk management process and is used to determine
the level of risk that an organization is exposed to.

Once inherent risk has been identified, organizations can then develop risk management
strategies to reduce the level of risk to an acceptable level. The effectiveness of these
strategies is then monitored and evaluated over time to ensure that the level of risk remains
at an acceptable level.

Inherent risk is an important concept in risk management, as it provides a baseline for
determining the level of risk that an organization faces. By understanding inherent risk,
organizations can develop effective risk management strategies that are tailored to their
specific risk profile and business operations.

Risk General Formula

Risk = Probability of an Event Occurring x Impact of the Event

where:

- Probability is the likelihood that an event will occur.
- Impact is the potential loss or damage that could result from the event.

The risk formula is often used to assess the potential impact of various types of risks, including
financial risk, operational risk, strategic risk, and other types of risks that organizations may
face.

To calculate risk, organizations must first determine the probability of the event occurring and
the potential impact of that event. They can then multiply these two values to calculate the
overall risk associated with that event.

- For example, if there is a 30% chance of a cyber-attack occurring and the potential
impact of the attack is estimated at $1 million, the overall risk associated with the
cyber-attack would be: Risk = 0.3 x $1,000,000 = $300,000

In this example, the risk associated with the cyber-attack is $300,000. This calculation can help
organizations prioritize risk management efforts and allocate resources to mitigate the risks
that pose the greatest threat to their operations.

Inherent Risk Formula

The inherent risk formula is a critical tool for assessing the level of risk that an organization
faces from an activity or operation. In the traditional formula, the probability of an event
occurring is multiplied by the impact of that event to determine the overall risk. However, it's
possible to use a frequency factor instead of a probability factor in the inherent risk formula.

The frequency factor is a measure of how often an event has occurred in the past. It is useful
in situations where the probability of an event is difficult to estimate or where historical data
is available to estimate the frequency of the event.

To use the frequency factor in the inherent risk formula, the frequency of the event is
multiplied by the impact of the event. The resulting product is the inherent risk associated
with that event. The formula for inherent risk using the frequency factor is:

Inherent Risk = Frequency of an Event x Impact of the Event

where:

- Frequency is the number of times an event has occurred within a specific time frame.
- Impact is the potential loss or damage that could result from the event.

It's important to note that the frequency factor is just one aspect of the inherent risk
calculation. The potential impact of an event should still be considered, as the impact of an
event can vary even if the frequency of the event is known. Additionally, the accuracy and
relevance of the frequency data should be carefully evaluated to ensure that it is an
appropriate measure of the likelihood of an event occurring.

Risk Velocity
Risk velocity is a term used to describe how quickly a risk event can impact a company's
operations, finances, or reputation. It is a measure of the speed with which a risk event can
escalate and cause damage to an organization.

Risk velocity is an important consideration in risk management because it can help
organizations prioritize their risk management efforts and allocate resources accordingly. By
understanding the speed with which a risk event can escalate and cause damage,
organizations can develop risk management strategies that are tailored to the specific risks
they face.

For example, if a company operates in a region that is prone to natural disasters, such as
earthquakes or hurricanes, the company may prioritize risk management efforts that focus on
quickly responding to and recovering from these types of events. Similarly, if a company is
highly dependent on a single supplier, it may prioritize risk management efforts that focus on
ensuring continuity of supply in the event of a disruption.

Overall, risk velocity is an important concept in risk management, as it helps organizations to
identify and manage risks that can quickly escalate and cause significant damage to their
operations, finances, or reputation.

Formula including Risk Velocity

The formula for risk that incorporates risk velocity would include an additional factor that
represents the speed with which a risk event can escalate and cause damage. One possible
formula for risk that incorporates risk velocity is:

Risk = Probability x Impact x Velocity

where:

- Probability is the likelihood that an event will occur.
- Impact is the potential loss or damage that could result from the event.
- Velocity is the speed with which the risk event can escalate and cause damage.

The inclusion of the velocity factor in the risk formula highlights the importance of considering
the speed with which a risk event can escalate and cause damage. By including the velocity
factor in the formula, organizations can more accurately assess the potential impact of a risk
event and prioritize their risk management efforts accordingly.

For example, if a company operates in a highly regulated industry and is at risk of violating
regulations, the risk velocity of a regulatory violation could be high if the violation would
quickly escalate and cause significant financial or reputational damage. In this case, the risk
formula would consider not only the probability and impact of the regulatory violation but
also the speed with which the violation could escalate and cause damage.

Overall, incorporating risk velocity into the risk formula can provide a more comprehensive
understanding of the potential risks that an organization faces and can help organizations
develop risk management strategies that are tailored to the specific risks they face.

Current Risk
Current risk refers to the level of risk that an organization faces at a given point in time. It
considers both the inherent risk associated with the organization's operations, as well as any
risk management measures that have been implemented to mitigate that risk.

Current risk is influenced by various factors, such as changes in the external environment, the
effectiveness of risk management measures, and the quality of the organization's operations
and management. As a result, the level of current risk can change over time as new risks
emerge, risk management measures are implemented or updated, or the external
environment changes.

Assessing current risk is an important part of risk management, as it enables organizations to
identify and address new or emerging risks in a timely manner. To assess current risk,
organizations can conduct regular risk assessments, evaluate the effectiveness of existing risk
management measures, and stay up to date on changes in the external environment that may
impact the level of risk they face.

By monitoring current risk, organizations can develop and implement risk management
strategies that are tailored to their current risk profile and can ensure that their risk
management efforts are effective in reducing the level of risk to an acceptable level.
Ultimately, the goal of assessing and managing current risk is to minimize the potential impact
of risks on the organization's operations, finances, and reputation.

Quantifying Risks
Quantifying the effectiveness of risk management measures in mitigating risk is a critical part
of risk management. The following steps can be taken to quantify the degree to which risk
management measures are mitigating risk:

1. Determine the level of inherent risk: The first step is to assess the level of inherent
risk associated with the activity or operation in question. This involves estimating the
frequency and potential impact of the risk event without any risk management
measures in place.
2. Identify risk management measures: The next step is to identify risk management
measures that can be implemented to reduce the level of risk. This can include
measures such as risk avoidance, risk reduction, risk transfer, and risk acceptance.
a. Risk Reduction: Risk reduction is a risk management strategy that aims to
reduce the likelihood or potential impact of a risk event. This strategy involves
implementing controls or measures to prevent the risk event from occurring,
or to minimize its impact if it does occur.
b. Risk Transfer: Risk transfer is a risk management strategy that involves
transferring the potential financial impact of a risk event to another party.
This strategy is often used when the cost of managing a risk is higher than the
cost of transferring the risk. Common examples of risk transfer include
purchasing insurance policies.
c. Risk Acceptance: Risk acceptance is a risk management strategy that involves
accepting the potential impact of a risk event and deciding not to take any
further action to prevent or mitigate it. This strategy is often used when the
cost of managing a risk is too high, or when the risk is considered low or
manageable. Risk acceptance is often used when the potential impact of a risk
event is relatively low and can be absorbed by the organization's financial
resources.
3. Assess the effectiveness of risk management measures: Once risk management
measures have been implemented, the effectiveness of those measures can be
assessed. This involves evaluating the degree to which the measures have reduced
the likelihood and potential impact of the risk event.

4. Quantify the degree of risk reduction: The effectiveness of risk management measures
can be quantified by calculating the degree to which the measures have reduced the level
of risk.
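As an added worked example (not from the guide), the formulas above and the four quantification steps carried through in Python: inherent risk from likelihood (probability or frequency) and impact, the optional velocity factor, current risk after reduction, transfer and acceptance measures, and the resulting degree of risk reduction. The scenario values, the control names and the assumption that independent controls compose multiplicatively are constructed for illustration; the first scenario reuses the guide's 30% chance / $1 million impact example.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One risk event, described with the guide's factors."""
    name: str
    likelihood: float      # probability per year, or frequency (events per year)
    impact: float          # expected loss per event, in dollars
    velocity: float = 1.0  # dimensionless escalation factor; 1.0 = no adjustment (assumption)


@dataclass
class Control:
    """A risk management measure and the guide's strategy it implements."""
    name: str
    strategy: str                      # "reduction", "transfer" or "acceptance"
    likelihood_reduction: float = 0.0  # fraction of likelihood removed (0..1)
    impact_reduction: float = 0.0      # fraction of impact removed or transferred (0..1)


def inherent_risk(s, with_velocity=False):
    """Risk = Probability (or Frequency) x Impact, optionally x Velocity."""
    risk = s.likelihood * s.impact
    return risk * s.velocity if with_velocity else risk


def apply_controls(s, controls):
    """Return the scenario as it looks once the controls are in place.

    Assumption (not from the guide): independent controls compose
    multiplicatively, e.g. two 50% likelihood reductions leave 25%.
    """
    likelihood, impact = s.likelihood, s.impact
    for c in controls:
        if c.strategy == "acceptance":
            continue  # accepted risk: neither factor changes
        if not (0.0 <= c.likelihood_reduction <= 1.0 and 0.0 <= c.impact_reduction <= 1.0):
            raise ValueError(f"{c.name}: reductions must be fractions in [0, 1]")
        likelihood *= 1.0 - c.likelihood_reduction
        impact *= 1.0 - c.impact_reduction
    return Scenario(s.name, likelihood, impact, s.velocity)


def current_risk(s, controls, with_velocity=False):
    """Current (residual) risk: inherent risk recomputed after the controls."""
    return inherent_risk(apply_controls(s, controls), with_velocity)


def risk_reduction(s, controls, with_velocity=False):
    """Step 4 of the guide: fraction of inherent risk the controls removed."""
    before = inherent_risk(s, with_velocity)
    if before == 0.0:
        return 0.0
    return (before - current_risk(s, controls, with_velocity)) / before


def prioritize(scenarios_with_controls, with_velocity=False):
    """Rank scenarios by current risk, highest first (the guide's prioritization step)."""
    ranked = [(s.name, current_risk(s, cs, with_velocity)) for s, cs in scenarios_with_controls]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample: the guide's own example (30% chance, $1M impact) plus a second scenario.
RANSOMWARE = Scenario("Ransomware", likelihood=0.30, impact=1_000_000, velocity=1.5)
INSIDER = Scenario("Insider data theft", likelihood=0.10, impact=2_000_000, velocity=1.0)

RANSOMWARE_CONTROLS = [
    Control("Email filtering and awareness training", "reduction", likelihood_reduction=0.5),
    Control("Offline backups and tested restores", "reduction", impact_reduction=0.6),
    Control("Cyber insurance", "transfer", impact_reduction=0.4),
]
INSIDER_CONTROLS = [
    Control("Separation of duties (AC-5)", "reduction", likelihood_reduction=0.3),
    Control("Residual exposure accepted by management", "acceptance"),
]

if __name__ == "__main__":
    for s, cs in ((RANSOMWARE, RANSOMWARE_CONTROLS), (INSIDER, INSIDER_CONTROLS)):
        print(f"{s.name}: inherent ${inherent_risk(s):,.0f}, "
              f"current ${current_risk(s, cs):,.0f}, "
              f"reduction {risk_reduction(s, cs):.0%}")
    print("Priority order:",
          prioritize([(RANSOMWARE, RANSOMWARE_CONTROLS), (INSIDER, INSIDER_CONTROLS)]))
```

Velocity multiplies both inherent and current risk, so it changes the dollar figures and can change the ranking between scenarios, but not a single scenario's own reduction ratio.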

There are several methodologies that organizations can use to identify risk management
measures and quantify current risk levels. Here are some commonly used methodologies:

- Risk Assessment: A risk assessment is a structured approach to identifying, evaluating,
and prioritizing risks that an organization faces. The assessment typically involves
identifying potential risks, assessing the likelihood and potential impact of those risks,
and prioritizing risks based on their level of importance to the organization. From the
assessment, risk management measures can be developed, such as risk reduction, risk
transfer, and risk acceptance strategies.
- Business Impact Analysis (BIA): A BIA is a method for identifying critical business
processes and determining the potential impact of a disruption to those processes.
The analysis helps organizations to identify risks and develop appropriate risk
management measures, such as implementing controls to reduce the likelihood of
disruptions or developing contingency plans to mitigate the impact of disruptions.
- Quantitative Risk Analysis: Quantitative risk analysis is a method for quantifying the
level of risk faced by an organization. It typically involves using mathematical models
and statistical analysis to estimate the likelihood and potential impact of risk events,
and to quantify the effectiveness of risk management measures in reducing risk. The
results of the analysis can be used to identify appropriate risk management measures,
such as risk reduction, risk transfer, and risk acceptance strategies.

Threat based Risk Assessment

A risk assessment is a systematic process of identifying, analyzing, and evaluating potential
risks to an organization. It involves identifying threats, vulnerabilities, and the potential impact
of risks on the organization's assets, operations, and objectives. The purpose of a risk
assessment is to develop a comprehensive understanding of the risks facing the organization
and to develop appropriate risk management strategies to mitigate those risks.

A threat-based risk assessment, on the other hand, is a specific type of risk assessment that
focuses on identifying and evaluating specific threats to an organization. It involves identifying
the types of threats that may pose a risk to the organization, as well as the likelihood and
potential impact of those threats. The purpose of a threat-based risk assessment is to develop
a more targeted approach to risk management that focuses on addressing specific threats.

The main difference between a risk assessment and a threat-based risk assessment is the level
of specificity. A risk assessment is a broad evaluation of all potential risks facing the
organization, while a threat-based risk assessment is a more targeted evaluation that focuses
on specific threats. While both types of assessments are important for effective risk
management, a threat-based risk assessment can be particularly useful for organizations that
face specific and well-defined threats, such as those in the cybersecurity or physical security
fields.

Most common cyber-threats

Cyber threats can take many forms, and new threats are constantly emerging as technology
evolves. However, here are five common types of cyber threats that organizations should be
aware of:

1. Ransomware: Ransomware is a type of malware that encrypts an organization's files
or data, making them inaccessible until a ransom is paid to the attacker. Ransomware
attacks have become increasingly common in recent years, with high-profile attacks
targeting organizations in a variety of industries.
2. Supply chain attacks: Supply chain attacks involve compromising a third-party vendor
or supplier in order to gain unauthorized access to an organization's digital assets.
These attacks can be particularly damaging, as they can give attackers access to
sensitive data or systems without directly targeting the organization.
3. Social engineering attacks: Social engineering attacks involve manipulating individuals
into revealing sensitive information or performing actions that compromise the
security of an organization's digital assets. Common types of social engineering
attacks include phishing, spear phishing, and pretexting.
4. Insider threats: Insider threats are risks that originate from within an organization,
such as employees or contractors who intentionally or unintentionally cause harm to
the organization's systems or data. Insider threats can be particularly difficult to
detect and prevent, as they often involve individuals who have authorized access to
the organization's systems and data.
5. Cloud-based attacks: Cloud-based attacks target cloud infrastructure, such as servers
and storage systems, and can be used to steal or compromise sensitive data. Common
types of cloud-based attacks include denial of service (DoS) attacks, data breaches,
and account hijacking.

Most common Attack Vectors
1. Software vulnerabilities: Software vulnerabilities can be exploited by attackers to gain
unauthorized access to an organization's systems or data. Common software
vulnerabilities include unpatched or outdated software, weak passwords, and
misconfigured systems.
2. Email: Email is a common attack vector for phishing and spear phishing attacks, which
attempt to trick users into clicking on a malicious link or downloading a malicious
attachment.
3. Third-party vendors: Third-party vendors can provide attackers with a way to gain
unauthorized access to an organization's systems or data. This may include exploiting
vulnerabilities in a vendor's software or network, or compromising a vendor's
credentials.
4. Social engineering: Social engineering attacks rely on manipulating individuals into
revealing sensitive information or performing actions that compromise the security
of an organization's systems or data. Common social engineering attack vectors
include phishing, pretexting, and baiting.
5. Lateral Movement: Lateral movement is a technique used by attackers to move
through an organization's network and gain access to sensitive data or systems.
Lateral movement involves moving laterally from one system or network to another,
using compromised credentials or other techniques to gain access to additional
systems and data.

Risk Assessment framework
There are several frameworks that can be used for risk assessment and management in the
context of cyber threats and attack vectors. One framework that may be particularly useful
for focusing on specific controls for these threats is the NIST Cybersecurity Framework.

The NIST Cybersecurity Framework provides a set of standards, guidelines, and best practices
for managing cybersecurity risk. The framework is organized around five core functions:
identify, protect, detect, respond, and recover. These functions provide a structured approach
to risk assessment and management that can be customized to meet the specific needs of an
organization.

Within each of these core functions, the NIST Cybersecurity Framework provides a set of
subcategories that are designed to address specific types of cyber threats and attack vectors.
For example, within the "protect" function, the framework includes subcategories related to
access control, awareness and training, and data security.

By using the NIST Cybersecurity Framework, organizations can identify the specific controls
that are most relevant for addressing the cyber threats and attack vectors that they face. The
framework can also help organizations prioritize their cybersecurity efforts and allocate
resources more effectively.

NIST CSF
The NIST CSF provides a framework for organizations to manage their cybersecurity risk by
identifying, protecting, detecting, responding to, and recovering from cyber-attacks. The
framework is organized around five core functions: identify, protect, detect, respond, and
recover. These functions provide a structured approach to risk assessment and management
that can be customized to meet the specific needs of an organization.

The NIST CSF also includes a set of categories and subcategories that provide specific guidance
and recommended practices for implementing cybersecurity controls and processes. The
framework is designed to be flexible and adaptable, so that organizations of all sizes and types
can use it to manage their cybersecurity risk.

NIST SP800-53
NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations," is
a publication that provides a catalog of security and privacy controls that organizations can
implement to protect their information systems and data.

The publication (Revision 5 is the current edition) organizes its controls into 20 control
families, each of which addresses a specific area of cybersecurity, such as access control,
incident response, and system and communications protection. Within each family, individual
controls (identified by the family's two-letter code and a number, e.g. AC-2 Account
Management) and their control enhancements address specific security and privacy objectives.

Here are the 20 control families listed in NIST SP 800-53 Revision 5:

1. AC - Access Control
2. AT - Awareness and Training
3. AU - Audit and Accountability
4. CA - Assessment, Authorization, and Monitoring
5. CM - Configuration Management
6. CP - Contingency Planning
7. IA - Identification and Authentication
8. IR - Incident Response
9. MA - Maintenance
10. MP - Media Protection
11. PE - Physical and Environmental Protection
12. PL - Planning
13. PM - Program Management
14. PS - Personnel Security
15. PT - PII Processing and Transparency
16. RA - Risk Assessment
17. SA - System and Services Acquisition
18. SC - System and Communications Protection
19. SI - System and Information Integrity
20. SR - Supply Chain Risk Management

Two items that are sometimes listed as families are not: privacy controls are integrated
throughout the catalog in Revision 5 (with the PT family covering PII processing), and
continuous monitoring is a control within the CA family (CA-7) rather than a family of its own.

Threat based matrix
A threat-based matrix cross-references each NIST SP 800-53 control with the NIST CSF function
it supports and with the most common threats and attack vectors it helps mitigate. The full
matrix is large, because SP 800-53 has hundreds of base controls plus their enhancements, the
CSF has over a hundred subcategories, and the threat and attack-vector lists differ between
organizations, so in practice it is built only for the controls and threats in scope. Here is an
example of how the matrix might be structured (control titles follow SP 800-53 Rev. 5; the CSF
function shown is the one whose informative references cite the control, and a control can
support more than one function):

NIST SP 800-53 Control                NIST CSF Function   Most Common Threats                        Most Common Attack Vectors
AC-1 Policy and Procedures            Identify            Phishing, Social Engineering               Email, Malicious Websites
AC-2 Account Management               Protect             Ransomware, Malware                        Email, Malicious Downloads
AC-3 Access Enforcement               Protect             Insider Threats, Unauthorized Access       Physical Access, Exploited Vulnerabilities
AC-4 Information Flow Enforcement     Protect             Data Theft, Espionage                      Remote Access, Network Eavesdropping
AC-5 Separation of Duties             Protect             Insider Threats, Data Manipulation, Fraud  Exploited Vulnerabilities
AT-1 Policy and Procedures            Identify            Phishing, Malware                          Email, Social Engineering
AT-2 Literacy Training and Awareness  Protect             Ransomware, Phishing                       Email, Malicious Downloads
CA-1 Policy and Procedures            Identify            Ransomware, Malware                        Email, Malicious Downloads
CA-2 Control Assessments              Identify            Insider Threats, Unauthorized Access       Physical Access, Exploited Vulnerabilities
CA-3 Information Exchange             Identify            Data Theft, Espionage                      Remote Access, Network Eavesdropping

This is just an example, and the matrix should be customized to the specific needs and risks of
your organization. It is used to identify the NIST SP 800-53 controls and NIST CSF functions
that are most relevant for mitigating the most common threats and attack vectors, and it is
the input to the effectiveness and maturity assessments that follow.

Control Effectiveness Assessment (CEA)


One specific method for evaluating how well controls mitigate a threat or attack vector is a
Control Effectiveness Assessment (CEA), a structured process that typically involves the
following steps:

1. Identify the controls that are relevant to the specific threats or attack vectors being
evaluated; the threat-based matrix above is the starting point.
2. Gather evidence on each control, for example by examining its configuration and records,
interviewing the people who operate it, and testing it against the threat it is meant to stop
(a phishing simulation for awareness training, a review of dormant accounts for account
management).
3. Analyze the results to determine the effectiveness of each control in mitigating the
identified threats or attack vectors.
4. Assign a rating or score to each control based on its effectiveness.

A 1 to 5 rating system can be a useful way to evaluate the effectiveness of controls, but it's
important to ensure that the ratings are meaningful and consistent. To achieve this, it's
recommended to establish clear criteria for each rating level and to ensure that the criteria
are aligned with the specific risks, threats, and attack vectors that you are evaluating.

For example, you might use a rating system that includes the following criteria:

1. Control is not effective or does not exist.


2. Control is minimally effective or partially implemented.
3. Control is moderately effective and implemented as designed.
4. Control is highly effective and well-implemented.
5. Control is extremely effective and exceeds requirements.

This is just an example, and the specific criteria used may vary depending on the organization's
needs and the specific risks and threats being evaluated. The important thing is to establish
clear and consistent criteria that allow for meaningful comparisons and assessments of
control effectiveness.

NIST SP 800-53 Control                NIST CSF Function   Most Common Threats                        Most Common Attack Vectors                    Control Effectiveness Rating
AC-1 Policy and Procedures            Identify            Phishing, Social Engineering               Email, Malicious Websites                     3 - Moderately Effective
AC-2 Account Management               Protect             Ransomware, Malware                        Email, Malicious Downloads                    4 - Highly Effective
AC-3 Access Enforcement               Protect             Insider Threats, Unauthorized Access       Physical Access, Exploited Vulnerabilities    4 - Highly Effective
AC-4 Information Flow Enforcement     Protect             Data Theft, Espionage                      Remote Access, Network Eavesdropping          3 - Moderately Effective
AC-5 Separation of Duties             Protect             Insider Threats, Data Manipulation, Fraud  Exploited Vulnerabilities                     5 - Extremely Effective
AT-1 Policy and Procedures            Identify            Phishing, Malware                          Email, Social Engineering                     2 - Minimally Effective
AT-2 Literacy Training and Awareness  Protect             Ransomware, Phishing                       Email, Malicious Downloads                    5 - Extremely Effective
CA-1 Policy and Procedures            Identify            Ransomware, Malware                        Email, Malicious Downloads                    4 - Highly Effective
CA-2 Control Assessments              Identify            Insider Threats, Unauthorized Access       Physical Access, Exploited Vulnerabilities    3 - Moderately Effective
CA-3 Information Exchange             Identify            Data Theft, Espionage                      Remote Access, Network Eavesdropping          4 - Highly Effective

This is just an example, and the effectiveness ratings may vary based on the specific controls,
attack vectors, and risks of your organization. It's important to establish clear and consistent
criteria for evaluating control effectiveness, and to use multiple evaluation methods to
provide a comprehensive assessment of control effectiveness.

Control Maturity Assessment

Effectiveness asks whether a control, when it works, stops the threat; maturity asks how well
the control is implemented: whether it is operating as intended, is documented and repeatable,
and is used consistently across the organization. A control maturity assessment answers the
second question and can be broken down into several steps:

1. Define the scope of the assessment: determine which controls will be assessed, and which
areas of the organization will be included in the assessment.
2. Develop a maturity model: define the maturity levels a control can be at, and the criteria
used to place a control at each level (the CMMI levels below are one common basis).
3. Assess the control maturity level: evaluate each control against the criteria in the maturity
model, using evidence such as documentation, configuration, logs and interviews, to determine
its maturity level.

Capability Maturity Model Integration (CMMI)

The Capability Maturity Model Integration (CMMI) is a process improvement framework that
can be applied to a wide range of disciplines, including software engineering, systems
engineering, and cybersecurity. CMMI provides a structured approach to improving the
effectiveness and efficiency of an organization's processes, with a focus on continuous
improvement.

CMMI consists of five levels of maturity, with each level building upon the previous one:

1. Initial - Processes are ad hoc and reactive, with little or no process control; outcomes
depend on individual effort.
2. Managed - Basic process discipline is in place at the project or team level, such as
planning, requirements management, and quality assurance, so that practices are repeatable.
3. Defined - Processes are documented and standardized across the organization, and each
project tailors its process from that organizational standard.
4. Quantitatively Managed - Quantitative objectives are set for the processes, and process
performance is measured and controlled using data.
5. Optimizing - The organization continuously improves its processes based on quantitative
analysis and is able to adapt quickly to changing business needs.

CMMI provides a comprehensive framework for process improvement, with a focus on best
practices and measurable process objectives. By implementing CMMI, organizations can
improve the quality and effectiveness of their processes, which can lead to improved
performance, increased customer satisfaction, and reduced costs.

In the context of cybersecurity, the same five levels can serve as the maturity scale for the
control maturity assessment: a control that exists only as an informal practice is at level 1,
one that is documented, standardized and measured sits at level 3 or 4, and one whose
performance data drives ongoing improvement is at level 5. Rating controls this way gives the
maturity level rating used in the scoring model that follows, and the improvement areas it
exposes are where the organization's cybersecurity posture can be raised.

Back to Threat based Risk Assessment


Inherent risk assumes that no controls are in place, and that the probability of a threat
occurring is based solely on its frequency.

Once an organization implements controls at a certain maturity level, the probability of a
threat occurring can be reduced. This means that the risk associated with the threat is also
reduced. The more effective the control is and the higher its maturity level, the greater the
reduction in risk.

Therefore, as an organization implements more effective controls and improves their maturity
level, the overall risk associated with each threat will be reduced. This can be seen as a direct
relationship between the effectiveness of controls, their maturity level, and the overall risk
for each threat.

One way to visualize this relationship is to use a bubble chart. In the chart, the x-axis
represents the control maturity level, the y-axis represents the risk reduction, and the size of
each bubble represents the effectiveness of the control in mitigating the threat. The chart
could also include color-coding to represent different threat types or attack vectors.

Each bubble represents a specific control. The x-axis represents the maturity level of the
control, with lower maturity levels on the left and higher maturity levels on the right. The y-
axis represents the reduction in risk associated with the control, with greater risk reduction
at the top of the chart. The size of each bubble represents the effectiveness of the control in
mitigating the threat, with larger bubbles indicating greater effectiveness.

The color-coding in this example represents different types of threats, with blue bubbles
representing threats related to external digital assets, green bubbles representing threats
related to internal digital assets, and red bubbles representing threats related to social
engineering. By looking at the chart, it is easy to see which controls are most effective at
mitigating each type of threat, and where additional controls or improvements may be
needed.

Weighted scoring model

The weighted scoring model is a simple quantitative method for combining the effectiveness
and maturity ratings of the controls that mitigate a threat or attack vector into a single score
for that threat, so that threats and controls can be compared and prioritized.

First, identify the controls in place for each threat or attack vector, with their effectiveness
rating and maturity level rating (both on the 1 to 5 scales above). For each control, multiply
the two ratings to obtain a control score: a control rated 4 for effectiveness and 3 for maturity
scores 12 out of a possible 25. Expressed as percentages of the scale maximum this is
80% x 60% = 48%, which is how the table below presents it.

Next, add the control scores for all controls that mitigate the threat and divide by the number
of those controls. The result is the average control score for that threat, which this paper calls
the threat's risk score. Because a higher value means more of the inherent risk has been
removed, it reads as a risk-reduction score: 100% would mean every mitigating control is
extremely effective at the highest maturity level.

Two caveats. Despite its name, the model applies no weights beyond the two ratings; if some
controls matter more than others for a given threat (a mail gateway does more against
phishing than an incident response plan), give them explicit weights instead of taking a plain
average. And a plain average hides a weak control behind strong ones, so review the
lowest-scoring controls for each threat as well as the mean.

By using the weighted scoring model, organizations can prioritize which controls to improve
based on their effectiveness and maturity level, and identify which threats are most critical to
address. The model can also be used to monitor the effectiveness of controls over time and
adjust the scoring as the maturity level of controls changes.

Example Controls            Effectiveness   Maturity Level   Effectiveness   Maturity Level   Weighted
                            Rating          Rating           Percentage      Percentage       Score
Email Filtering             4               3                80%             60%              48%
Employee Training           5               2                100%            40%              40%
Two-Factor Authentication   3               4                60%             80%              48%
Incident Response Plan      4               5                80%             100%             80%
Risk Score for Attack Vector "Phishing Emails" (average of the four weighted scores)            54%

Each percentage is the rating divided by the scale maximum of 5, and the weighted score is the
product of the two percentages (equivalently, the product of the two ratings divided by 25).
The risk score for the attack vector is the plain average of the weighted scores:
(48% + 40% + 48% + 80%) / 4 = 54%.

If we apply the weighted scoring model to all controls for the most common threats and attack
vectors, we obtain a comprehensive view of the effectiveness and maturity level of the
organization's cybersecurity measures. The weighted score for each control shows which
controls contribute most to mitigating each threat and attack vector, and the averaged score
for each threat and attack vector shows how well the organization's measures address it
overall.

Using this approach, we can identify areas where our cybersecurity measures are lacking and
focus on raising the maturity level of the controls that matter most against the highest-risk
threats and attack vectors. The per-threat scores also let us prioritize our risk management
efforts and allocate resources where they reduce the organization's overall cyber risk the most.

If we assume a 100% probability of occurrence for each threat in the absence of controls, the
inherent probability of each threat is 100%, and the risk score measures how much of that
probability the controls have taken away. For the attack vector above, a risk score of 54%
means that the probability of a phishing email succeeding has been reduced to 46% through
the implementation of controls:

Current Probability = 100% - Average Risk Score

Current Probability = 100% - 54% = 46%

Note the direction: a higher risk score is better, because it is the share of the inherent risk
that the controls remove, and the current probability is what remains.

Normal Distribution model

The bell curve, that is the normal (Gaussian) distribution, describes data that cluster around a
mean with a spread given by the standard deviation. Rather than predicting one outcome, it
tells us how likely different outcomes are given those two parameters.

In the context of risk management, the normal distribution can be used to express the
uncertainty in a point estimate. The effectiveness and maturity ratings are judgments, and
controls drift between assessments, so the 46% above is a best estimate rather than an exact
value. Treating it as the mean of a normal distribution whose standard deviation reflects the
uncertainty and variability of the inputs turns the single number into a range of possible
current risk levels with associated probabilities, which supports better-informed decisions
about risk management strategies.

Applying this to the result above with a 5% uncertainty and variability of inputs:

First, define the distribution. Assume the current probability follows a normal distribution
with a mean of 46% and a standard deviation of 5 percentage points.

Then read ranges off that distribution. One standard deviation either side of the mean covers
about 68% of outcomes, so the current probability of threats occurring with controls in place
most likely lies between 41% and 51%, with 46% as the most likely value. Two standard
deviations (about 95% of outcomes) widen the range to roughly 36% to 56%. Because a normal
distribution is unbounded, any range that crosses 0% or 100% must be clipped to the valid
probability interval.

The standard deviation is the model's statement of how uncertain the inputs are, so it should
be chosen from the evidence behind the ratings rather than from the result one would like to
see. Ratings backed by tested controls, recent assessments and measured incident data justify
a small standard deviation; ratings based on self-assessment or stale evidence warrant a larger
one. A 5% figure is a workable starting point for many organizations, but it is an assumption
and should be revisited as the evidence improves.

The right value also depends on the organization. In highly regulated industries such as
finance, healthcare and government, the figure may have to be defended to auditors or
regulators, which argues for a tight, evidence-based value. A smaller organization with limited
assessment resources may have to accept a wider range, and should then present its results as
a range rather than a single number so that the uncertainty is visible to decision-makers.

Ultimately, the choice should be made based on a careful consideration of the specific needs
and goals of the organization, as well as the available data and resources.
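The scoring chain described above, from control score through per-vector risk score, current probability, normal-distribution range and the Appendix C probability band, as one runnable Python example. This is added illustration, not code from the paper or from Cyzea. The four controls and their ratings follow the weighted scoring table; which attack vectors each control mitigates, the additional vectors, and the reading of the Appendix C thresholds as the upper bound of each band are assumptions made for the example.

```python
"""Threat-based control scoring: worked example added to this page.

Not the paper's own tooling. The 1-5 scales, the product-then-average model
and the risk-score thresholds are taken from the page; the control-to-vector
mapping and the band reading are assumptions made for the illustration.
"""
from statistics import NormalDist, mean

SCALE_MAX = 5  # both effectiveness and maturity are rated 1..5

# Constructed sample matrix. Ratings match the weighted scoring table; which
# attack vectors each control mitigates is assumed for the example.
CONTROLS = {
    "Email Filtering":           {"eff": 4, "mat": 3, "vectors": {"Phishing Emails", "Malicious Downloads"}},
    "Employee Training":         {"eff": 5, "mat": 2, "vectors": {"Phishing Emails", "Social Engineering"}},
    "Two-Factor Authentication": {"eff": 3, "mat": 4, "vectors": {"Phishing Emails", "Remote Access"}},
    "Incident Response Plan":    {"eff": 4, "mat": 5, "vectors": {"Phishing Emails", "Malicious Downloads", "Remote Access"}},
}

# Appendix C thresholds. The page shows 49/65/85/95% as column headings;
# treating each as the upper bound of its band is an assumption made here.
PROBABILITY_BANDS = [(0.49, "Almost Certain"), (0.65, "Frequent"), (0.85, "Occasional"), (1.00, "Rare")]


def control_score(eff, mat):
    """Effectiveness x maturity as a fraction of the scale maximum.

    A control rated 4/3 scores 12 out of 25, i.e. 80% x 60% = 48%.
    """
    for rating in (eff, mat):
        if not 1 <= rating <= SCALE_MAX:
            raise ValueError(f"rating {rating} outside 1..{SCALE_MAX}")
    return (eff / SCALE_MAX) * (mat / SCALE_MAX)


def controls_for(vector, controls=CONTROLS):
    """(name, score) for every control that mitigates the vector, weakest first.

    A plain average hides one weak control behind several strong ones, so the
    top of this list deserves as much attention as the mean.
    """
    rows = [(name, control_score(c["eff"], c["mat"]))
            for name, c in controls.items() if vector in c["vectors"]]
    if not rows:
        # No mitigating control: residual risk equals inherent risk.
        raise ValueError(f"no control mitigates {vector!r}")
    return sorted(rows, key=lambda row: row[1])


def risk_reduction_score(vector, controls=CONTROLS):
    """The page's 'risk score': mean control score over the mitigating controls.

    Higher means more of the inherent risk has been removed.
    """
    return mean(score for _, score in controls_for(vector, controls))


def current_probability(vector, controls=CONTROLS):
    """Inherent probability is taken as 100%; the reduction score comes off it."""
    return 1.0 - risk_reduction_score(vector, controls)


def probability_band(score):
    """Place a risk-reduction score in the Appendix C incident-probability band."""
    for upper, label in PROBABILITY_BANDS:
        if score <= upper:
            return label
    return PROBABILITY_BANDS[-1][1]


def probability_range(p, sigma=0.05, z=1.0):
    """Normal-model band around a point estimate: p +/- z standard deviations.

    Returns (low, high, coverage). z=1 spans about 68% of outcomes, z=1.96
    about 95%. Bounds are clipped to 0..1 because a probability cannot leave
    that range even though the normal distribution is unbounded.
    """
    dist = NormalDist(mu=p, sigma=sigma)
    low = max(0.0, p - z * sigma)
    high = min(1.0, p + z * sigma)
    coverage = dist.cdf(high) - dist.cdf(low)
    return low, high, coverage


def report(vector, controls=CONTROLS):
    """One-line summary for an attack vector, used by the demo below."""
    score = risk_reduction_score(vector, controls)
    p = current_probability(vector, controls)
    low, high, cov = probability_range(p)
    return (f"{vector}: risk score {score:.1%}, current probability {p:.1%} "
            f"(range {low:.1%}-{high:.1%} at {cov:.0%} confidence), "
            f"incident probability band: {probability_band(score)}")


if __name__ == "__main__":
    for vector in ("Phishing Emails", "Remote Access", "Social Engineering"):
        print(report(vector))
        for name, score in controls_for(vector):
            print(f"    {score:>4.0%}  {name}")
```

Run as a script, it prints one summary line per attack vector followed by the mitigating controls in ascending score order. The "Social Engineering" vector shows why the weakest-control list matters: its only control is Employee Training at a low maturity level, so the averaged score is no better than that one control.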

Business impact analysis
Business impact analysis (BIA) is a process that helps organizations identify the potential
impacts of a disruption or loss of their critical business functions and resources. In the context
of cybersecurity, BIA helps to identify the potential impact of cyber-attacks on an
organization's operations, assets, and reputation.

For each of the most common cyber threats, a BIA would involve assessing the potential
impact of an attack on the organization's critical systems, applications, and data. This would
include an analysis of the financial impact, such as the cost of lost revenue, damage to
equipment and infrastructure, and expenses associated with recovery and remediation
efforts. It would also include an assessment of the operational impact, such as the disruption
to business processes, the loss of productivity, and the impact on employee and customer
satisfaction.

The BIA process also involves identifying the critical assets and resources that support the
organization's operations and the potential impact of their loss or disruption. This could
include the organization's IT infrastructure, data and information systems, financial systems,
and other key resources.

By conducting a BIA for each of the most common cyber threats, organizations can develop a
better understanding of the potential impact of a cyber-attack and develop strategies to
mitigate those risks. This could involve implementing additional security measures,
developing incident response plans, and ensuring that critical data and resources are backed
up and can be quickly restored in the event of a breach or disruption. Overall, the BIA process
helps organizations to develop a more comprehensive and effective cybersecurity risk
management strategy.

The top business impacts that can happen due to the most common cyber threats are:

- Legal and regulatory penalties: Cybersecurity incidents can result in legal and regulatory
penalties, including fines and lawsuits.
- Operational disruption: Cyber-attacks can disrupt business operations, resulting in lost
productivity, missed deadlines, and reduced revenue.
- Theft of intellectual property: Cybercriminals may target organizations to steal trade
secrets, patents, and other intellectual property.
- Reputational damage: A cyber-attack can cause significant reputational damage, along with
the costs of repairing that damage and rebuilding trust with customers.
- Financial loss: Cyber-attacks can cause significant financial losses to organizations,
including loss of clients and loss of revenue.

A possible model for describing different levels of potential impact could be a five-point scale
ranging from minimal impact to catastrophic impact. Here is an example of how such a scale
might be defined:

1. Minimal impact: The cyber incident has a limited effect on the organization's
operations, finances, or reputation, and can be easily contained and remediated.
Examples might include a low-level malware infection or a brief website outage that
does not result in data loss.
2. Minor impact: The cyber incident causes some disruption to the organization's
operations, finances, or reputation, but is still manageable and does not have a
significant long-term impact. Examples might include a successful phishing attack that
results in some data loss.
3. Moderate impact: The cyber incident has a significant impact on the organization's
operations, finances, or reputation, and may require additional resources or outside
assistance to address. Examples might include a successful data breach that results in
the loss of sensitive customer information, or a cyber-attack that disrupts critical
systems or processes for an extended period of time.
4. Major impact: The cyber incident has a major impact on the organization's operations,
finances, or reputation, and requires significant resources and time to fully recover
from. Examples might include a large-scale data breach that affects a large number of
customers, or a ransomware attack that results in extensive data loss and system
downtime.
5. Catastrophic impact: The cyber incident has a critical impact on the organization's
operations, finances, or reputation, and may result in the organization going out of
business or suffering irreparable harm. Examples might include a successful cyber-
attack that results in the complete loss of critical data or systems, or a major data
breach that exposes sensitive information to the public.

Appendix A – Inherent Risk matrix
The reason that inherent cyber risk will almost always sit at the junction of 'almost certain'
frequency and 'catastrophic' impact, the Critical cell of the matrix below, is the nature of
cyber threats. Inherent risk is assessed with no controls in place, and cyber threats are
constantly evolving and increasing in frequency and sophistication, with new types of attacks
and vulnerabilities emerging regularly. Without controls, the likelihood of a successful attack
over any reasonable planning period approaches certainty.

Furthermore, the impact of a successful cyber-attack can be catastrophic for a business, with
potential consequences including financial loss, reputation damage, and loss of confidential
information. The impact can be even more severe if the attack targets critical systems or
infrastructure.

Inherent Risk Matrix
                              Potential Business Impact
Cyber Incident Frequency      Minimal    Minor      Moderate    Major       Catastrophic
Rare                          Low        Low        Medium      High        Very High
Occasional                    Low        Medium     High        Very High   Very High
Frequent                      Medium     High       Very High   Critical    Critical
Almost Certain                Medium     High       Very High   Critical    Critical

Appendix B – Residual Risk matrix
Residual risk is the level of risk that remains after an organization has implemented its risk
management measures, including controls and mitigation strategies. It represents the risk
that still exists even though the organization has taken steps to reduce the inherent risk. The
residual risk considers the effectiveness of the implemented controls and the level of maturity
of those controls. It is important to regularly reassess residual risk and adjust risk management
measures accordingly to ensure that the residual risk is acceptable and within the
organization's risk tolerance level.

Residual Risk Matrix
                              Potential Business Impact
Cyber Incident Probability    Minimal    Minor      Moderate    Major       Catastrophic
Rare                          Low        Low        Medium      High        Very High
Occasional                    Low        Medium     High        Very High   Very High
Frequent                      Medium     High       Very High   Critical    Critical
Almost Certain                Medium     High       Very High   Critical    Critical

An organization should aim to reduce inherent risk through implementing controls and
managing risks, and continuously monitor and evaluate the effectiveness of those controls.
The residual risk should be at a level that the organization is comfortable with, considering
the potential impact of a risk event and the cost of implementing controls to mitigate it.

It is important to note that residual risk can never be completely eliminated, as it is impossible
to eliminate all risks. However, the goal is to reduce the risk to an acceptable level and to
ensure that the organization is prepared to manage and respond to any potential risk events
that may occur.

Appendix C – Control Effectiveness and Maturity

To move the likelihood of a cyber-attack from 'almost certain' frequency to 'rare' probability,
an organization should implement effective threat-based controls at high maturity levels. This
is achieved by conducting a comprehensive risk assessment to identify the threats and attack
vectors it faces, selecting the controls that are most effective against them, and implementing
those controls at the highest maturity level the organization's resources and capabilities allow.

Once the controls have been implemented, it is important to continuously monitor and assess
their effectiveness, as well as the evolving cyber threat landscape, to ensure they remain
effective.

By taking a proactive approach to cybersecurity and continuously improving their controls and
processes, an organization can reduce the likelihood of cyber-attacks and move from "almost
certain" frequency to "rare" probability. This can ultimately help to minimize the potential
impact of cyber incidents on the organization and its stakeholders.

Risk Score   Control Effectiveness                                            Cyber Incident Probability
49%          Controls are minimally effective or partially implemented        Almost Certain
65%          Controls are moderately effective and implemented as designed    Frequent
85%          Controls are highly effective and well-implemented               Occasional
95%          Controls are extremely effective and exceed requirements         Rare

The risk score here is the averaged weighted score from the scoring model, and the four values
are example thresholds. Reading each score as the top of its band (an interpretation the table
leaves open), a score in the mid-fifties, such as the phishing example earlier, is above the 49%
band and within the 65% band, so its incident probability is Frequent rather than Occasional.

The effectiveness of controls and the frequency of cyber incidents can vary greatly between
companies and sectors, depending on a range of factors. For example, companies that handle
sensitive data or financial transactions may be at a higher risk than those that do not.
Additionally, the size of the organization, its geographic location, and the nature of its business
operations can all impact the risk of cyber incidents.

Furthermore, companies may have different risk appetites and tolerance levels, which can
affect the implementation of controls and the overall approach to risk management. Some
organizations may be willing to accept a higher level of risk in order to achieve greater
efficiency or innovation, while others may prioritize risk mitigation at all costs.

In addition, the threat landscape is constantly evolving, with new threats emerging all the
time. Companies need to remain vigilant and adaptable, updating their risk management
strategies and implementing new controls as necessary to stay ahead of potential threats.

Overall, it is important for companies to take a holistic approach to risk management,
considering all relevant factors and tailoring their approach to their specific needs and
circumstances. This may involve conducting regular risk assessments, monitoring the threat
landscape, and maintaining a strong cybersecurity posture through ongoing training, testing,
and implementation of effective controls.

DISCLAIMER

This Paper has been written using ChatGPT AI capabilities, to provide information about Cyber
Risk Management.

However, there may be mistakes in typography or content. Also, this Book provides
information only up to the publishing date. Therefore, this Book should be used as a guide -
not as the ultimate source.

The purpose of this Book is to educate. The author and the publisher do not warrant that the
information contained in this book is fully complete and shall not be responsible for any errors
or omissions.

The author and publisher shall have neither liability nor responsibility to any person or entity
with respect to any loss or damage caused or alleged to be caused directly or indirectly by this
Book.

Copyright © 2022 - Cyzea.io

All rights to this book are reserved. No permission is given for any part of this book to be
reproduced, transmitted in any form, or means; electronic or mechanical, stored in a retrieval
system, photocopied, recorded, scanned, or otherwise. Any of these actions require the
proper written permission of the author.
