CCP Module 6, Lesson 6.2

⚠️ Risk Management & Assessment

Understanding, quantifying, and treating security risks

⏱️ 120 minutes · 📖 Lesson 2 of 4

Introduction: Risk-Based Security

"You can't protect everything equally. Risk management tells you where to focus your limited resources."

Perfect security is impossible and unaffordable. Risk management provides a systematic approach to identifying, assessing, and treating risks proportionate to their potential impact.

🎯 Lesson Objectives

  • Apply risk assessment methodologies (ISO 27005, NIST RMF)
  • Conduct qualitative and quantitative risk assessments
  • Select appropriate risk treatment options
  • Maintain and communicate risk registers

1. Risk Management Fundamentals

1.1 Key Definitions

Risk

Effect of uncertainty on objectives (ISO 31000). In security: potential for loss when a threat exploits a vulnerability.

Threat

Potential cause of an unwanted incident (e.g., hacker, malware, insider)

Vulnerability

Weakness that can be exploited by a threat (e.g., unpatched system)

Impact

Consequence if the risk materializes (financial, reputational, operational)

Likelihood

Probability that the risk will occur

Risk Appetite

Amount of risk the organization is willing to accept

1.2 Risk Formula

Risk = Likelihood × Impact

Or, in more detail: Risk = Threat × Vulnerability × Impact

2. Risk Assessment Process (ISO 27005)

1. Context Establishment: define scope, criteria, risk appetite
2. Risk Identification: identify assets, threats, vulnerabilities, existing controls
3. Risk Analysis: assess likelihood and impact (qualitative or quantitative)
4. Risk Evaluation: compare against criteria, prioritize risks
5. Risk Treatment: select and implement treatment options
6. Monitoring & Review: continuous monitoring, periodic reassessment

3. Risk Assessment Methods

3.1 Qualitative Assessment

Likelihood \ Impact   Low      Medium   High      Critical
Almost Certain        Medium   High     Critical  Critical
Likely                Low      Medium   High      Critical
Possible              Low      Medium   Medium    High
Unlikely              Low      Low      Medium    Medium
Rare                  Low      Low      Low       Medium

3.2 Quantitative Assessment (FAIR Model)

Factor Analysis of Information Risk (FAIR) provides quantitative risk analysis:

  • Loss Event Frequency (LEF): How often will the loss event occur?
  • Loss Magnitude (LM): How much will we lose when it occurs?
  • Risk = LEF × LM (expressed in currency)

💡 Example: Ransomware Risk Quantification

LEF: 10% probability per year (based on industry data)

LM: ₹5 crores (recovery costs + business interruption + potential fines)

Annualized Risk: 0.10 × ₹5 crores = ₹50 lakhs/year

Decision: If a control costs ₹20 lakhs and reduces risk by 80%, ROI is positive.

4. Risk Treatment Options

🛡️ Mitigate (Reduce)

Implement controls to reduce likelihood or impact

Example: Deploy EDR to reduce malware risk

🔄 Transfer

Shift risk to another party

Example: Purchase cyber insurance

🚫 Avoid

Eliminate the risk by removing the source

Example: Don't store data you don't need

✅ Accept

Acknowledge and retain the risk

Example: Accept residual risk after controls (documented)

5. Risk Register

A risk register documents identified risks, their assessment, treatment, and status:

Risk ID  Description                           Likelihood      Impact    Rating    Treatment                                   Owner         Status
R-001    Ransomware encrypts critical systems  Likely          Critical  Critical  Mitigate: EDR, backups, training            CISO          In Progress
R-002    Employee falls for phishing           Almost Certain  Medium    High      Mitigate: Training, email filters           Security Mgr  Ongoing
R-003    Third-party breach exposes data       Possible        High      Medium    Transfer: Contract requirements, insurance  Vendor Mgmt   Implemented
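The qualitative matrix from 3.1, the FAIR arithmetic from 3.2 and the register above, worked through in an added Python example (not part of the lesson): it rates each register row from the matrix, orders the register by rating, and checks the ransomware control decision from 3.2. Scale labels and register rows are copied from the lesson; the function names are assumptions of this example.

```python
from dataclasses import dataclass
# Scales from the lesson's qualitative matrix (section 3.1), in increasing order.
IMPACTS = ["Low", "Medium", "High", "Critical"]
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# One row per likelihood; columns follow IMPACTS.
MATRIX = {
    "Almost Certain": ["Medium", "High", "Critical", "Critical"],
    "Likely":         ["Low", "Medium", "High", "Critical"],
    "Possible":       ["Low", "Medium", "Medium", "High"],
    "Unlikely":       ["Low", "Low", "Medium", "Medium"],
    "Rare":           ["Low", "Low", "Low", "Medium"],
}
def qualitative_rating(likelihood: str, impact: str) -> str:
    """Read the rating off the matrix; reject labels outside the lesson's scales."""
    if likelihood not in MATRIX or impact not in IMPACTS:
        raise ValueError(f"unknown scale value: {likelihood!r} / {impact!r}")
    return MATRIX[likelihood][IMPACTS.index(impact)]
@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: str
    impact: str

    @property
    def rating(self) -> str:
        return qualitative_rating(self.likelihood, self.impact)
def prioritize(register: list) -> list:
    """Highest rating first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: -RATING_ORDER[r.rating])
# FAIR (section 3.2): annualized risk = LEF x LM. Rupees: 1 crore = 1e7, 1 lakh = 1e5.
def annualized_risk(lef_per_year: float, loss_magnitude: float) -> float:
    return lef_per_year * loss_magnitude
def control_is_worthwhile(annual_risk: float, reduction: float, annual_cost: float) -> bool:
    """True when the risk a control removes per year exceeds its annual cost."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return annual_risk * reduction > annual_cost

REGISTER = [  # constructed from the lesson's register table (section 5)
    RiskEntry("R-001", "Ransomware encrypts critical systems", "Likely", "Critical"),
    RiskEntry("R-002", "Employee falls for phishing", "Almost Certain", "Medium"),
    RiskEntry("R-003", "Third-party breach exposes data", "Possible", "High"),
]
if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(r.risk_id, r.rating)
    # Lesson figures: LEF 0.10/year, LM 5 crores, control 20 lakhs cutting risk by 80%
    print(control_is_worthwhile(annualized_risk(0.10, 5 * 10**7), 0.8, 20 * 10**5))
```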

📝 Key Takeaways

1. Risk = Likelihood × Impact; focus resources on the highest risks
2. ISO 27005 provides a systematic risk assessment process
3. Four treatment options: Mitigate, Transfer, Avoid, Accept
4. Risk registers document risks and track treatment progress

✅ Lesson Complete!