- COMP.SEC.100
- 3. Risk Management and Governance
3.1 Cyber Risk Management
This module gives an administrative view of risks by explaining the concepts and principles of risk governance, risk management, and risk assessment, and it notes that the borderline between these is not very sharp. The module examines perspectives on risks ranging from individual assets to the goals of the entire system.
This section refines the properties of the same core concepts in different contexts, and it can sometimes be difficult to keep the relationships between the terms in mind. The following "equations" may be helpful; they also include risk analysis as a further concept:
- Governance ≈ Management + policies + organizational culture and leadership
- Management ≈ identification + assessment + measures (i.e., their selection; implementation is treated separately)
- Analysis ≈ Management minus selection of measures
The word "risk" was omitted above for simplicity. Its ingredients, in a nutshell (each is refined in later sections):
- Vulnerability is a property of a process or system through which an attacker, the environment, or a user can affect it in an undesirable way.
- Threat is a person, event, or activity that has the potential to affect a process or system in an undesirable way, either through a vulnerability or otherwise.
- Exposure determines whether a threat can come into contact with a vulnerability, and how easily. It is possible that a vulnerability is not exposed to any threat.
- Likelihood measures the chance that the threat will materialize.
- Impact is the consequence of the threat materializing, i.e. of something undesirable happening. Like likelihood, it is intended to be assessed quantitatively.
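The "equations" and the ingredient definitions above can be made concrete in code. The following is an added worked example, not material from the course page: it runs a small, constructed risk register through identification and assessment (risk analysis) and then through selection of measures (the step that turns analysis into management). The scoring rule, expected annual loss = likelihood (events per year) × impact (euros), is a common quantitative convention assumed for the example, not a formula the page prescribes; the register entries, measures, and all numbers are invented for illustration.

```python
"""Quantitative risk assessment and measure selection.

Added worked example (not from the course page). It models the page's
"equations" -- Analysis = identification + assessment, Management =
analysis + selection of measures -- over a constructed risk register.
Scoring rule assumed here: expected annual loss = likelihood x impact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One identified risk: a threat meeting a vulnerability on an asset."""
    asset: str
    threat: str
    vulnerability: str
    exposed: bool          # can the threat actually reach the vulnerability?
    likelihood: float      # expected events per year, given exposure
    impact: float          # loss per event, in euros


@dataclass(frozen=True)
class Measure:
    """A candidate control: its annual cost and its effect on one risk."""
    name: str
    risk_asset: str
    annual_cost: float
    likelihood_factor: float = 1.0   # multiplies likelihood (0.1 = cut by 90 %)
    impact_factor: float = 1.0       # multiplies impact
    removes_exposure: bool = False   # e.g. taking the asset off the network


def assess(risk: Risk) -> float:
    """Assessment step: expected annual loss for one risk.

    An unexposed vulnerability yields no risk even if likelihood and impact
    are nonzero, which is the page's point that a vulnerability need not be
    exposed to a threat.
    """
    if not risk.exposed:
        return 0.0
    return risk.likelihood * risk.impact


def analyse(register):
    """Risk analysis: assess every identified risk and rank by expected loss."""
    scored = [(assess(r), r) for r in register]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def residual(risk: Risk, measure: Measure) -> float:
    """Expected annual loss of `risk` after `measure` is applied."""
    if measure.removes_exposure:
        return 0.0
    treated = Risk(risk.asset, risk.threat, risk.vulnerability, risk.exposed,
                   risk.likelihood * measure.likelihood_factor,
                   risk.impact * measure.impact_factor)
    return assess(treated)


def select_measures(register, candidates):
    """The step analysis lacks: choose the measures worth their cost.

    Each candidate is judged on its own against the untreated risk; a
    measure is selected when the expected loss it removes exceeds its
    annual cost. Implementation of the selected measures is out of scope.
    """
    by_asset = {r.asset: r for r in register}   # one risk per asset here
    chosen = []
    for m in candidates:
        risk = by_asset[m.risk_asset]
        saving = assess(risk) - residual(risk, m)
        if saving > m.annual_cost:
            chosen.append((m.name, round(saving - m.annual_cost, 2)))
    return chosen


# Constructed sample register (illustrative numbers, not real data).
REGISTER = [
    Risk("customer-db", "ransomware operator", "unpatched RDP", True, 0.5, 200_000),
    Risk("build-server", "malicious dependency", "unpinned packages", True, 2.0, 15_000),
    Risk("lab-PLC", "remote attacker", "default credentials", False, 5.0, 1_000_000),
]

CANDIDATES = [
    Measure("MFA + patch RDP", "customer-db", 20_000, likelihood_factor=0.1),
    Measure("pin and verify dependencies", "build-server", 40_000, likelihood_factor=0.1),
    Measure("offline backups", "customer-db", 5_000, impact_factor=0.5),
]

if __name__ == "__main__":
    for loss, r in analyse(REGISTER):
        print(f"{r.asset:13} {r.threat:22} expected loss {loss:>10,.0f} EUR/yr")
    print("selected measures:", select_measures(REGISTER, CANDIDATES))
```

Note how the lab PLC, with the highest impact and likelihood in the register, scores zero because its vulnerability is not exposed; the exposure check belongs in the assessment, not only in the identification step. The dependency-pinning measure is not selected because, with these invented numbers, it costs more than the loss it avoids, which is the kind of comparison that separates management from analysis.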
Effective risk governance is essential for maintaining security, and it is also shaped by social and cultural factors. Almost all systems still include a human element of control, which must be considered from the outset. Even with well-defined and well-implemented risk governance, a risk can always materialize. When that happens, incident response is needed, and it is connected to the risk management process.
What was said above is general. Beyond cybersecurity it applies, for instance, to banking, logistics, and sports. The same is true of many parts of this module, but cybersecurity receives a natural emphasis. One reason is that digitalization is becoming more common in everyday life: services are moving online and everyday objects are being connected to the network. With the growth of the Internet of Things (IoT), the number of active network-connected devices is expected to reach 30 billion by the year 2030. In addition, tasks that have traditionally relied on human decision-making, such as driving a car, are being handed over to automated technologies. Whole societies are becoming dependent on digital infrastructure, and disruptions and service interruptions caused, for example, by ransomware have become an increasingly significant and dangerous problem. Losses from cyber incidents can be economically costly, and as cyber-physical systems become more common, such incidents may also endanger human lives. Assessing and managing cybersecurity risks is therefore particularly important, and it concerns everyone, both users and developers of digital infrastructure.