Operationalizing Risk

Putting together an Incident Response Strategy for your Organization requires the ability to break its components down into measurable elements with tangible outcomes. In this chapter we will explore different approaches to operationalizing cyber risk in the context of IR.

Defining a Cyber Risk Matrix

For any discipline whose primary concern is to respond to incidents in an efficient manner, operationalizing risk is an essential undertaking. Operationalizing risk means defining measurement criteria that allow for both a qualitative and a quantitative observation of risk.

When building the severity/risk matrix table, map each cell to a concrete meaning and a defined set of actions.

The Risk Triad: Vulnerability, Impact and Threat

  • vulnerability: exposure, sensitivity and adaptive capacity

  • threat: intent, opportunity and capability

  • impact: damage (attributes or components whose functionality is degraded due to damage), persistence (the extent to which the effects of the damage may persist over time) and survivability (the extent to which the impacted system can keep existing after receiving damage)

Let’s hear it from NIST, which describes an event’s likelihood of occurrence as:

A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities
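As an added illustration that is not part of the chapter, the following Python model scores an incident along the risk triad above (vulnerability, threat, impact), derives a NIST-style likelihood as the threat's ability to exploit the vulnerability, and maps the resulting risk score onto a severity matrix whose bands carry concrete IR actions. The 1..5 scales, the way factors are combined, the band thresholds and the actions are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Scales, weights, thresholds and actions below are assumptions made for this
# example; neither the chapter nor NIST prescribes these specific values.
SCALE = range(1, 6)  # every factor is scored 1 (negligible) .. 5 (severe)

@dataclass(frozen=True)
class RiskTriad:
    exposure: int           # vulnerability: exposure, sensitivity, adaptive capacity
    sensitivity: int
    adaptive_capacity: int  # high adaptive capacity REDUCES vulnerability
    intent: int             # threat: intent, opportunity, capability
    opportunity: int
    capability: int
    damage: int             # impact: damage, persistence, survivability
    persistence: int
    survivability: int      # high survivability REDUCES impact

    def __post_init__(self):
        for name, value in vars(self).items():
            if value not in SCALE:
                raise ValueError(f"{name}={value} is outside the 1..5 scale")

def vulnerability(t: RiskTriad) -> float:
    return (t.exposure + t.sensitivity + (6 - t.adaptive_capacity)) / 3

def threat(t: RiskTriad) -> float:
    # intent AND opportunity AND capability are all needed: geometric mean, so a 1 in any factor drags the score down
    return (t.intent * t.opportunity * t.capability) ** (1 / 3)

def impact(t: RiskTriad) -> float:
    return (t.damage + t.persistence + (6 - t.survivability)) / 3

def likelihood(t: RiskTriad) -> float:
    # NIST-style weighted factor: probability that this threat can exploit this vulnerability, kept on the 1..5 scale
    return threat(t) * vulnerability(t) / 5

# Severity matrix as (minimum score, label, actions); risk = likelihood x impact, 0..25. Each band maps to concrete IR actions.
SEVERITY_MATRIX = [
    (16, "critical", ["page the IR lead now", "isolate affected systems", "open an incident bridge"]),
    (10, "high", ["notify on-call within 1h", "start containment", "preserve evidence"]),
    (5, "medium", ["ticket to the SOC queue", "triage within one business day"]),
    (0, "low", ["log and monitor", "review at the weekly risk meeting"]),
]

def classify(t: RiskTriad) -> tuple[float, str, list[str]]:
    # returns (risk score, severity label, response actions) for one incident
    score = round(likelihood(t) * impact(t), 1)
    for floor, label, actions in SEVERITY_MATRIX:
        if score >= floor:
            return score, label, actions
```

Calling `classify(RiskTriad(5, 4, 2, 4, 5, 4, 5, 4, 2))` (a constructed case: an exposed, sensitive host facing a motivated and capable actor) lands in the "critical" band, while an all-ones triad with maximal adaptive capacity and survivability scores 0.2 and stays "low".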