All organizations possess numerous assets, including facilities, hardware, software, and information. It is critical, therefore, that these organizations define and implement appropriate policies and procedures to protect those assets as part of a security management approach. Once all assets are identified, organizations must ensure, to the greatest degree possible, that the vulnerabilities of each asset have been identified in order to define a risk management strategy that protects the assets' confidentiality, integrity, and availability. Confidentiality ensures information is accessible only to those who require access to it. Integrity ensures the accuracy of information. Availability ensures the information is accessible when needed.
Organizations use various tools to manage their security and risk profiles. These tools include data classification (e.g., confidential, proprietary, private), risk assessment approaches, and risk analysis, enabling organizations to both categorize their assets and identify threats and vulnerabilities. Once identified, the organizations can then select appropriate security measures and controls to protect their assets and mitigate risks. Security controls take many forms and include management controls (e.g., policies, guidelines, procedures), operational and physical controls (e.g., policy execution, education and training, facility protection), and technical controls (e.g., access control, identification, authorization).
As organizations establish their security management strategies, in addition to the focus areas, they must also consider their information security governance approach, how they will either acquire or develop systems and/or services, their approach to addressing cybersecurity threats through risk management, the certification and accreditation of their systems, and their security assessment strategies. In doing so, they will develop documentation including new standards, policies and procedures, and documents such as system security plans (SSPs), risk mitigation plans, and system security authorization agreements (SSAAs).
How does cyber risk management and compliance work? A risk is a threat that has some likelihood of occurring, exploiting a vulnerability and resulting in some positive or negative impact or loss to an organization. If an organization can proactively identify a potential threat or cybersecurity vulnerability, it can put countermeasures, or safeguards, in place to mitigate that risk. Effective risk management implementation includes a risk assessment to identify, analyze, and prioritize the risks, and risk control, which covers risk management planning, risk monitoring, and risk resolution. Risks can be associated with a variety of organizational assets including, but not limited to, hardware, software, data/information, people, and facilities. A thorough risk assessment must consider organizational assets and their vulnerabilities, determine the likelihood of the risk occurring, and quantify the potential impact in order to establish an effective risk management plan. This process must be revisited regularly to ensure the organization's security posture remains as effective as possible.
Fobeteh Consulting staff fully understand cost-benefit analysis as a form of quantitative risk analysis. This analysis allows an organization to calculate the financial loss that will occur if a vulnerability is exploited by a threat. For example, if an attacker compromises the network and steals personally identifiable information (PII), the calculation can help determine the amount of money that will be lost to providing the affected users with identity theft protection services and to the resulting legal ramifications.
Cost-benefit analysis for cybersecurity risk management has tremendous potential for the future development of innovative calculation models.
Our firm uses the following equation to express cybersecurity risk and mitigation costs in financial terms:

threat × consequence × vulnerability − risk transferred = net financial risk
In the calculation, one or more of the experts at Fobeteh Consulting will sit with the client and explain in detail what each item constitutes.

The threat of an incident occurring refers to the frequency of the risk event, that is, the probable number of events in a year.
Consequence refers to the severity of a risk event and the probable loss from an individual event.
Vulnerability is the likelihood, or percentage, of damage that remains given the risk mitigation actions taken. Collectively these three items determine the gross financial risk, also known as the annualized expected loss. Once the gross financial risk is determined, any risk that has been transferred (for example, through insurance) can be subtracted. The result is the net financial risk.
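The following is an added worked example of the equation above; it is example code written for this page, not a tool belonging to Fobeteh Consulting. It computes gross and net financial risk for a constructed PII-theft scenario and then goes one step beyond the stated equation to compare candidate safeguards by the reduction in annualized expected loss they buy against their annual cost, which is the cost-benefit step the section describes; that comparison, the scenario figures, and all names in the code are assumptions made for illustration.

```python
"""Net financial risk and safeguard cost-benefit worked example (constructed figures)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    threat: float            # probable number of risk events per year
    consequence: float       # probable loss from one event, in currency units
    vulnerability: float     # fraction of that loss expected given mitigations in place (0.0 to 1.0)
    risk_transferred: float  # annual loss already transferred, e.g. to an insurer


def gross_financial_risk(s: RiskScenario) -> float:
    """threat x consequence x vulnerability: the annualized expected loss."""
    if not 0.0 <= s.vulnerability <= 1.0:
        raise ValueError("vulnerability must be a fraction between 0 and 1")
    if min(s.threat, s.consequence, s.risk_transferred) < 0:
        raise ValueError("threat, consequence and transferred risk must be non-negative")
    return s.threat * s.consequence * s.vulnerability


def net_financial_risk(s: RiskScenario) -> float:
    """Gross financial risk minus risk transferred, floored at zero: an insurer
    cannot absorb more loss than is actually expected."""
    return max(0.0, gross_financial_risk(s) - s.risk_transferred)


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Assumed cost-benefit extension: reduction in annualized expected loss
    minus the safeguard's own annual cost. Positive means the safeguard pays for itself."""
    return gross_financial_risk(before) - gross_financial_risk(after) - annual_cost


def rank_safeguards(before: RiskScenario, options: list[tuple[str, RiskScenario, float]]) -> list[tuple[str, float]]:
    """Return (option name, value) pairs, best value first."""
    scored = [(name, safeguard_value(before, after, cost)) for name, after, cost in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed baseline: one intrusion expected every two years, a 400,000 loss per
# event, 60% of which is expected to materialise, with 25,000 per year insured.
BASELINE = RiskScenario("PII theft via network intrusion", 0.5, 400_000, 0.6, 25_000)

# Constructed candidate safeguards: each lowers the vulnerability fraction at an annual cost.
SAFEGUARD_OPTIONS = [
    ("encryption at rest plus monitoring", RiskScenario(BASELINE.name, 0.5, 400_000, 0.2, 25_000), 30_000),
    ("staff security training only", RiskScenario(BASELINE.name, 0.5, 400_000, 0.45, 25_000), 8_000),
]


if __name__ == "__main__":
    print(f"gross financial risk: {gross_financial_risk(BASELINE):,.0f}")
    print(f"net financial risk:   {net_financial_risk(BASELINE):,.0f}")
    for name, value in rank_safeguards(BASELINE, SAFEGUARD_OPTIONS):
        print(f"{name}: annual value {value:,.0f}")
```

Safeguard value is computed on gross rather than net financial risk so that the comparison is not distorted by the zero floor when insurance would cover more than the residual expected loss; with a fixed insurance arrangement, both views rank the options the same way whenever that floor is not reached.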