Steps for Risk Management Part 1

● Steps for Risk Management
○ Risk Identification
○ Risk Analysis
○ Risk Prioritization

Steps for Risk Management
The following are the steps for risk management:
1. Risk Identification
2. Risk Analysis
3. Risk Prioritization
4. Risk Ownership
5. Risk Mitigation
6. Risk Monitoring
1. Risk Identification
Risk identification is the first step in the proactive risk management process.
It is a deliberate and systematic effort to identify and document the
organisation's key risks.
It provides the opportunities, indicators, and information that allow an
organisation to raise major risks before they adversely affect operations in the

Key steps necessary to effectively identify risks:
● Understand what to consider when identifying risks
● Gather information from different sources to identify risks
● Apply risk identification tools and techniques
● Document the risks
● Document the risk identification process
● Assess the effectiveness of the risk identification process.

2. Analyzing Risk
Risk Analysis is a process that helps to identify and manage potential problems
that could cause harm to business initiatives or projects.
Risk analysis is carried out in two steps:
● first, identify the possible threats the organisation faces;
● then, estimate the harm these threats would cause.
Risk analysis is a complex process, but it is also an essential planning tool.

Risk analysis is useful in many situations:
● While planning projects
● While deciding whether or not to move forward with a project.
● While improving safety and managing potential risks in the workplace.
● While preparing for events such as equipment or technology failure, theft,
staff sickness, or natural disasters.
● While planning for changes in the business environment.

3. Risk Prioritization
Risk prioritization is the method of ranking material risks on an appropriate
scale, such as frequency and/or severity.
The objective of Risk Prioritization is to prioritize the identified risks for
Risks can be prioritized with both qualitative and quantitative methods.
It can be used to categorize the risks by their relative severity and potential
impact on the project.

The risk prioritization method should consider the following factors:
1. the probability of the risk occurring,
2. the consequence of the risk,
3. the cost and resources required to mitigate the risk.
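The two steps of risk analysis (identify the threats, estimate their harm) and the three prioritization factors (probability, consequence, mitigation cost) can be worked through on a small risk register. The following is an added example, not part of the lecture slides: the risk names, probability and consequence estimates, the qualitative banding thresholds and the tie-break rule are all constructed assumptions for illustration. Each risk gets a quantitative score of probability times consequence, the score is mapped onto a qualitative Low/Medium/High band, and the register is ranked by score with cheaper mitigation winning ties.

```python
"""Worked risk-analysis and prioritization example (added illustration, not from the slides).

Each risk carries a probability (0..1) and a consequence (1..5) estimate, plus an
estimated mitigation cost (1..5). The quantitative score is probability * consequence;
the qualitative band maps that score onto Low / Medium / High. Risks are then ranked by
score descending, with mitigation cost as a tie-break (cheaper first), so the ranking
reflects all three factors listed on the slide.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    probability: float    # likelihood of occurrence in the planning period, 0.0 to 1.0
    consequence: int      # impact if it occurs, 1 (negligible) to 5 (severe)
    mitigation_cost: int  # relative cost/resources to mitigate, 1 (cheap) to 5 (expensive)

    def score(self) -> float:
        """Quantitative score: probability x consequence."""
        return round(self.probability * self.consequence, 2)


def validate(risk: Risk) -> None:
    """Reject estimates outside the scales defined above."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be within 0..1")
    if risk.consequence not in range(1, 6) or risk.mitigation_cost not in range(1, 6):
        raise ValueError(f"{risk.name}: consequence and mitigation_cost must be 1..5")


def band(score: float) -> str:
    """Qualitative band for a quantitative score (thresholds are an assumption of this example)."""
    if score >= 2.5:
        return "High"
    if score >= 1.0:
        return "Medium"
    return "Low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank risks: highest score first; among equal scores, the cheaper-to-mitigate risk first."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (-r.score(), r.mitigation_cost, r.name))


def ranked_names(risks: List[Risk]) -> List[str]:
    return [r.name for r in prioritize(risks)]


# Constructed sample register (illustrative values, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", probability=0.7, consequence=5, mitigation_cost=2),
    Risk("Staff sickness during release week", probability=0.5, consequence=2, mitigation_cost=1),
    Risk("Data-centre flood", probability=0.05, consequence=5, mitigation_cost=5),
    Risk("Phishing of finance staff", probability=0.6, consequence=4, mitigation_cost=2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():4.2f} {band(r.score()):6} cost={r.mitigation_cost} {r.name}")
```

With the sample values the web server risk (0.7 x 5 = 3.5, High) ranks first, phishing (2.4, Medium) second, staff sickness (1.0, Medium) third and the flood (0.25, Low) last; changing the band thresholds or the tie-break rule is how an organisation would encode its own risk appetite.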

Cyber Attacks

● Cyber Attacks
● Types of Malicious code

Types of Attack
● Advanced Persistent Threats
● Backdoor
● Buffer Overflow
● Man-in-the-middle Attack
● Social engineering
● Phishing
● Spoofing
● Cross-Site Scripting
● Denial of Service Attack
● SQL injection
● Zero-day exploit

Types of Malicious Code
● Viruses
● Network worm
● Trojan Horse
● Botnet
● Keylogger
● Rootkit
● Spyware
● Adware
● Ransomware


● Vulnerabilities
● Classification of Vulnerability
● Impact

Vulnerability is a cyber-security term that refers to a flaw in a system that can
leave it open to attack.
A vulnerability is the composition of three elements:
● A flaw in the system
● The attacker's access to that flaw
● The attacker's capability to exploit the flaw
Classification of Vulnerabilities according to the asset:
● Hardware
● Software
● Network
● Personnel
● Physical site
● Organizational

Some vulnerabilities in a system occur due to:
● Missing patches
● Cleartext credentials
● Using unencrypted channels
● RF Emanation
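Two of the sources listed above, cleartext credentials and unencrypted channels, are the kind of thing a defender can check for mechanically in configuration files. The following is an added example, not part of the slides: the key/value configuration format, the list of secret-bearing key names, the accepted indirect-reference forms (environment variables, a `vault:` or `keyring:` prefix) and the sample lines are all constructed assumptions for illustration. It flags a credential whose value is a literal rather than a reference to a secret store, and any URL that uses a cleartext scheme unless it points at loopback.

```python
"""Added example: a small scanner for two vulnerability sources named on the slide,
cleartext credentials and unencrypted channels, run over constructed configuration lines.
Not from the slides; the config format, key names and sample lines are invented.
"""
import re
from typing import List, Tuple

# Keys that commonly carry secrets (assumption: a starting point, not an exhaustive list).
CREDENTIAL_KEY = re.compile(
    r"^([\w.-]*(?:password|passwd|secret|api[_-]?key|token)[\w.-]*)\s*[=:]\s*(.+)$", re.I
)
# Values that are references rather than the secret itself: $VAR, ${VAR}, vault:..., keyring:...
INDIRECT_VALUE = re.compile(r"^(\$\{?\w+\}?|vault:|keyring:)", re.I)
# URLs whose scheme carries data without encryption.
CLEARTEXT_URL = re.compile(r"\b(?:http|ftp|telnet|ldap)://[^\s\"']+", re.I)
# Loopback-only traffic is tolerated (assumption: it never leaves the host).
LOOPBACK = re.compile(r"^\w+://(localhost|127\.0\.0\.1)(:\d+)?(/|$)", re.I)

Finding = Tuple[int, str, str]  # (line number, finding kind, detail)


def scan_line(lineno: int, line: str) -> List[Finding]:
    """Return findings for one configuration line; comments and blank lines are skipped."""
    findings: List[Finding] = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return findings

    m = CREDENTIAL_KEY.match(stripped)
    if m:
        value = m.group(2).strip().strip("\"'")
        if not INDIRECT_VALUE.match(value):
            findings.append((lineno, "cleartext-credential", m.group(1)))

    for url in CLEARTEXT_URL.findall(stripped):
        if not LOOPBACK.match(url):
            findings.append((lineno, "unencrypted-channel", url))
    return findings


def scan_text(text: str) -> List[Finding]:
    """Scan a whole configuration file (as a string), numbering lines from 1."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(lineno, line))
    return findings


# Constructed sample configuration; the hosts and values are illustrative only.
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
db_host = db.internal.example
db_password = hunter2
api_key = ${API_KEY}
metrics_url = http://127.0.0.1:9090/metrics
backup_url = ftp://backup.example/dumps
auth_url = https://sso.example/login
token: vault:kv/app/token
"""

if __name__ == "__main__":
    for lineno, kind, detail in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {detail}")
```

On the sample it reports the literal database password on line 3 and the FTP backup URL on line 6, while the environment-variable and vault references, the loopback metrics endpoint and the HTTPS login URL pass. A check like this belongs in code review or a pre-commit hook; it does not replace patching or an actual secret store, it only catches the two listed mistakes early.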

A successful cyber attack can cause major damage to an organisation or system,
as well as to business reputation and consumer trust. Typical impacts:
● Financial loss
● Reputational damage
● Legal consequences

Cyber Risk

● What is Risk?
● Types of Risks
● Risk Management Process
● Types of Risk Management Process

Cyber Risk
Cyber risk means any risk of financial loss, disruption or damage to the
reputation of an organisation.
It arises from some sort of failure of its information technology.
The risk is connected to online activities, internet trading and electronic
systems, as well as the storage of personal data.

Types of Risks
● Hacker Attacks
● Data Breach
● Virus transmission
● Cyber Extortion
● Employee Sabotage
● Network downtime
● Human error

Risk Management Process
Risk management is defined as the process of identifying, monitoring and
managing potential risks.
An effective risk management process does two important things:
● It helps identify which risks pose the biggest threat to an organization.
● It provides complete guidelines for handling them.

Type of Risk Management
Reactive risk management
The project team reacts to risks when they occur.
Crisis management: the identification of threats to an organization and its stakeholders, and the methods used to deal with these threats.
Fix on failure: resources are found and applied when the risk strikes.
Mitigation: a plan to reduce loss of life and property by lessening the impact.
Proactive Risk Management
Formal risk analysis is performed.
The organization corrects the root causes of risk.
● Proper analysis of the risk
● Examining risk sources
● Developing the skills to manage change.


Cyber Threats

● Cyber Threats
● Source of Cyber Threats
● Cyber Threats types
● Cyber Security Index Level

Cyber Threats
A Cyber threat is any malicious act that attempts to gain access to a computer
network without authorization or permission from the owners.
It refers to the wide range of malicious activities that can damage or disrupt a
computer system, a network, or the information it contains.
The most common cyber threats: socially engineered Trojans, unpatched software,
phishing, network worms, etc.

Source of Cyber Threats
● Nation states or national governments
● Terrorists
● Industrial secret agent
● Hackers
● Business competitors
● Organization insiders

Types of Cyber Threats
Threats can be classified according to multiple criteria:
1. Attacker’s Resources
2. Attacker’s Organization
3. Attacker’s Funding
On the basis of these criteria, threats are of three types:
1. Unstructured Threats
2. Structured Threats
3. Highly Structured Threats

1. Unstructured Threats:
Resources: an individual or small group
Organization: little or no organization
Funding: negligible
Attack: easy to detect; makes use of freely available cyber attack tools
Exploitation is based on documented vulnerabilities.
2. Structured Threats:
Resources: a well-trained individual or group
Organization: well-planned organization
Funding: available
Attack: against particular individuals or organizations
Exploitation is based on information gathering.
3. Highly Structured Threats:
Extensive organization, resources and planning over time.
Attack: a long-term attack on a particular machine or data.
Exploitation with multiple methods: technical, social and insider help.

Cyber Security Index Level
Cyber threats are evaluated daily by the CTU (Counter Threat Unit), which updates
the index level:
1. Guarded – Level 1
2. Elevated – Level 2
3. High – Level 3
4. Critical – Level 4

Cyber Security

● What is Cybersecurity?
● Principles
● Difference between Information security and cybersecurity
● Similarities
● Assets

Cyber Security
Cybersecurity is the body of technologies, processes and practices.
It is designed to protect the integrity of networks, computers, programs and
data from attack, damage or unauthorized access.
Kill chains, zero-day attacks, ransomware, alert fatigue and budgetary
constraints are just a few examples of cyber attacks.

Cyber Security Principle
The five cyber security principles:
1. Confidentiality
2. Integrity
3. Availability
4. Accountability
5. Auditability

Cyber Security Principle
● Confidentiality: a set of rules that limits access to, or places restrictions
on, certain types of information.
● Integrity: the assurance that the information is trustworthy and accurate.
● Availability: a guarantee of reliable access to the information by
authorized people.
● Accountability: the assurance that an individual or an organization will
be evaluated on their performance or behavior related to something for
which they are responsible.
● Auditability: a security audit is a systematic evaluation of the security of a
company's information system by measuring how well it conforms to a set
of established criteria.

Information security
Information security means data security.
Its main concern is the confidentiality, integrity, and availability of user data.
Cybersecurity is all about protecting data that is found in electronic form.
It identifies what the critical data is, where it resides, and the
technology users have to use in order to protect it.

Similarities between information security and cybersecurity:
● Both have a physical security component:
Both require full physical access control to the place where data is
stored, whether digitally or physically, in order to avoid unauthorized access.
● Both protect valuable data:
In both, the main concern is safeguarding the company's data from illegal
digital and physical access of any kind.

Cyber Security Assets
Assets include:
● Hardware (e.g. servers and switches)
● Software (e.g. mission-critical applications and support systems)
● Confidential information
An asset can be data, a device, or any other component of the environment that
supports information-related activities.
Assets should be protected from unauthorized access.



● Evolution of internet
● What is Cyberspace?
● Increase in Internet insecurities.
● What is Cybercrime?

Evolution of Internet
● Russian Sputnik 1 (1957)
● Invention of internet by ARPA (1958)
● ARPANET (1970)
● Internetworking (1977)
● World wide web (1990)

Cyberspace is the environment of the internet.
It is the home of Google, Facebook, Yahoo and many more.
The term was coined by William Gibson.
Cyberspace is an ideal electronic space unbounded by distance and other
physical limitations.
It allows users to share information, interact, swap ideas, play games,
engage in discussions or social forums, conduct business, create media and
many other activities.

Internet Insecurities
Internet insecurity spreads at Internet speed:
● Morris worm of 1988
● Password sniffing attacks in 1994
● IP spoofing attacks in 1995
● Denial of service attacks in 1996
● Email borne viruses 1999

● Distributed denial of service attacks 2000
● Ransomware attack in mid 2000
● Fast spreading worms and viruses 2003
● Spam 2004

Cyber Crime is any illegal activity that involves a computer or
network-connected device, such as a mobile phone.
Cybercrime is divided into three categories by the Department of Justice:
● Crimes in which the computing device is the target.
● Crimes in which the computer is used as a weapon.
● Crimes in which the computer is used as an accessory to a crime.
It includes malicious activities such as:
● Illegal interception of data
● System interference
● Copyright infringement
● Sale of illegal items such as weapons and drugs