Example of Cyber Risk Management

At Hipster Inc., a network drive is used by customer service as well as secretaries and payroll clerks. Hipster Inc. begins to consider the risks associated with the network drive because the CEO has read the following threats in New Scientist and considers them likely:
  1. Disk failure of the network drive server
  2. Software fault in the network drive server that fills the disk’s files with 0x41.
  3. Ransomware
  4. Fire and water damage (together or separately)
  5. Burglary
First, Hipster Inc. identifies what is valuable on the drive:
  1. Customer data
  2. Billing system payment information
  3. Payroll data
Hipster Inc. assesses the threats and their severity from the perspective of data loss on a scale of 0–5. The magnitude of the risk is calculated using the formula probability × severity.

Risk Assessment (probability and severity on a 0–5 scale; risk magnitude = probability × severity):

Threat                  Probability   Severity   Risk magnitude
1. Disk failure              4            2             8
2. Software fault            1            5             5
3. Ransomware                3            5            15
4. Fire/water damage         2            5            10
5. Burglary                  2            4             8

Based on the risk analysis, the greatest risk is ransomware, followed by fire/water damage, then disk failure and burglary, and finally software fault. Next, Hipster Inc. considers ways to manage the risks:

  1. A good backup system and process protect against ransomware, disk failure, and software faults, allowing data to be restored in case of damage. This also helps against physical risks when backups are geographically distributed.
  2. Risks related to physical threats (fire, water damage) can be mitigated by distributing the network drive (and its backups) across several physical locations. These locations must be fire‑safe and protected against water damage.
  3. An alarm system helps protect against burglaries.

Hipster Inc. decides to adopt measures 1 and 2 because they address the two greatest risks. In addition, they also provide protection in the event of disk failure and software fault. The acquisition of an alarm system is postponed for now, and the risk of burglary is tolerated.
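The whole procedure above (score each threat, rank by probability × severity, map candidate measures to the threats they address, then split the register into treated and tolerated risks) can be carried out with a small script. The following is an added example and not part of the original text; the threat scores and the measure-to-threat mapping are taken from the page, while the function names, the greedy `best_next_measure` helper and the 0–5 range check are assumptions of this example. It goes slightly beyond the page by also showing which not-yet-adopted measure would cover the most remaining risk magnitude, which is the reasoning Hipster Inc. applied when picking measures 1 and 2 first.

```python
# Added example: a minimal risk register following the page's method.
# Scores and measure coverage come from the Hipster Inc. example; helper
# names and the greedy selection step are assumptions of this example.

SCALE_MAX = 5  # page uses a 0-5 scale for both probability and severity

# Constructed register: threat -> (probability, severity), as on the page's table.
THREATS = {
    "disk failure":      (4, 2),
    "software fault":    (1, 5),
    "ransomware":        (3, 5),
    "fire/water damage": (2, 5),
    "burglary":          (2, 4),
}

# Candidate measures and the threats the page says each one addresses.
MEASURES = {
    "backup system":           {"ransomware", "disk failure", "software fault"},
    "geographic distribution": {"fire/water damage"},
    "alarm system":            {"burglary"},
}


def risk_magnitude(probability, severity):
    """Page formula: probability * severity, with both factors on the 0-5 scale."""
    for value in (probability, severity):
        if not 0 <= value <= SCALE_MAX:
            raise ValueError(f"score {value} outside 0-{SCALE_MAX} scale")
    return probability * severity


def rank_risks(threats):
    """Return [(threat, magnitude)] from highest to lowest magnitude.

    sorted() is stable, so threats with equal magnitude keep register order
    (disk failure before burglary, both scoring 8, as on the page).
    """
    scored = [(name, risk_magnitude(p, s)) for name, (p, s) in threats.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def covered_threats(measures, adopted):
    """Union of the threats addressed by every adopted measure."""
    covered = set()
    for measure in adopted:
        covered |= measures[measure]
    return covered


def treatment_plan(threats, measures, adopted):
    """Split the ranked register into treated and tolerated risks.

    A threat is 'treated' when at least one adopted measure addresses it;
    everything else is carried as a tolerated (accepted) risk.
    """
    covered = covered_threats(measures, adopted)
    treated, tolerated = {}, {}
    for name, magnitude in rank_risks(threats):
        (treated if name in covered else tolerated)[name] = magnitude
    return treated, tolerated


def best_next_measure(threats, measures, adopted):
    """Assumed greedy helper: the unadopted measure that removes the most
    currently uncovered risk magnitude (None when nothing is left to cover)."""
    _, tolerated = treatment_plan(threats, measures, adopted)
    best, best_gain = None, 0
    for measure, targets in measures.items():
        if measure in adopted:
            continue
        gain = sum(tolerated.get(t, 0) for t in targets)
        if gain > best_gain:
            best, best_gain = measure, gain
    return best


if __name__ == "__main__":
    for name, magnitude in rank_risks(THREATS):
        print(f"{name:<18} {magnitude:>3}")
    adopted = ["backup system", "geographic distribution"]
    treated, tolerated = treatment_plan(THREATS, MEASURES, adopted)
    print("treated:  ", treated)
    print("tolerated:", tolerated)
    print("next most useful measure:", best_next_measure(THREATS, MEASURES, adopted))
```

Running it reproduces the page's ranking (ransomware 15, fire/water 10, disk failure 8, burglary 8, software fault 5), shows burglary as the only tolerated risk once measures 1 and 2 are adopted, and names the alarm system as the sole remaining candidate.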