Master of Science in Cyber Security. Nov 26 2020
The ultimate aim of any cybersecurity endeavour or cybersecurity training programme is to build the capacity to resist an attack, and to emphasise the need to train both people and systems to recognise an intrusion in time to respond.
Risk is a potential event, expected or unanticipated, that may adversely affect the institution’s earnings, capital, or reputation. Risk is considered in terms of categories, one of which is operational risk.
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Organisations use risk assessment, the first step in the risk management methodology, to determine the extent of the potential threats, the vulnerabilities those threats could exploit, and the resulting risk to the IT system.
Operational risk is the risk of failure or loss resulting from inadequate or failed processes, people, or systems. Both internal and external events can affect operational risk. Internal events include human error, misconduct and insider attacks. External events that affect IT and the institution's ability to meet its operating objectives include natural disasters, cyber-attacks, changes in market conditions, new competitors, new technologies, litigation and new laws or regulations. These events pose both risks and opportunities, and the institution should factor them into the risk identification process.
In summary, operational risk covers the risks a company takes on when it operates within a given field or industry. It is distinct from financial, systematic (market-wide) risk: it is the risk that remains after financing and market risk have been accounted for, and it includes the risks arising from breakdowns in internal procedures, people and systems.
How to treat risks
Accepting a risk (retaining it because it falls within the institution's tolerance) is one option. The other ways to approach and treat risk in risk management include:
• Avoidance: changing plans so that the activity giving rise to the risk is not undertaken, which eliminates the risk. This strategy suits risks that could have a significant impact on a business or project.
• Transfer: shifting some or all of the financial consequences of a risk to a third party, typically through insurance or contract terms. It applies to projects with multiple parties and is used less often than mitigation. Also known as "risk sharing." Note that transferring the financial loss does not transfer accountability for the outcome: the institution still owns the risk.
• Mitigation: applying controls that reduce the likelihood of the risk, its impact, or both, so that if a problem does occur it is contained and easier to recover from. This is the most common treatment. Also known as "optimising risk" or "reduction."
• Exploitation: some risks are positive. For example, if a product is so popular that there are not enough staff to keep up with sales, the risk can be exploited by adding more sales staff.
To be effective, an information security programme should have documented processes to identify threats and vulnerabilities continuously. Risk identification should produce groupings of threats, including significant cybersecurity threats. A taxonomy [i] for categorising threats, threat sources, and vulnerabilities can help support the risk identification process. Management should perform these risk identification activities to determine the institution's information security risk profile, including its cybersecurity risk.