Other Approaches to Thinking About Your Risks - mccright/FCCSCybersecurityInput GitHub Wiki
Risk Response
- Risk acceptance
- Risk avoidance
- Risk mitigation
  - Reduce threat (likelihood of occurrence)
  - Reduce vulnerability (likelihood of consequence)
  - Seek specific effects on adversaries
- Risk sharing
- Risk transfer
[page 42 of the report cited below]
"Cyber Resiliency Design Principles" MITRE Technical Report, By Deborah Bodeau & Richard Graubart, January 2017
https://www.mitre.org/sites/default/files/publications/PR%2017-0103%20Cyber%20Resiliency%20Design%20Principles%20MTR17001.pdf
Opportunistic
- INVENTORY. We cannot understand our risk load until we have accurate data about the infrastructure and processes that represent our organizations. This is sometimes also called "visibility," "know your environment," or "know your data."
- EVENT TRANSPARENCY. Organizations need access to, and an understanding of, their inventory, attack vectors, and security events in order to inform security decision-making. Simply responding to successful attacks is not a sustainable goal.
- CONTEXTUAL AWARENESS. Effective threat hunting and incident identification, triage, and response require events in context. That in turn requires application, infrastructure, and operations documentation, modern security information management (SIM/SIEM) integration, and real-time access to data, logging systems, and penetration test and code assessment results. Contextual awareness is also essential for effective risk management at application/system architecture, design, and development time.
- HARDENING. Our attack surface needs to be reduced and hardened so that it resists the activities of all hostile actors, not just the ones we have already seen.
- PRIORITIZE. All organizations have more risks than can be addressed at any given time. Most organizations are in the risk-taking business.
FROM: "Most Important Security Elements," by Tom Smith, DZone, May 24, 2019:
https://dzone.com/articles/most-important-security-elements-part-1 and
https://dzone.com/articles/most-important-security-elements-part-2
"Visibility, mitigation, prioritization, and encryption — these are the most important elements to security right now."