Invitation to Cybersecurity

5. The Approach to Cybersecurity: Cyber Risk Management 111

ACS. In this case, we can assume that the DDoS protection adds no overhead cost beyond its annual fee, so the ROI can be calculated using only that fee:

ROI = $5,000 - $500 - $3,000 = $1,500

Because the ROI is positive ($1,500), purchasing the safeguard will save the organization money over the course of a year, and it should be purchased. The organization takes on a new $3,000 per year expense for DDoS protection, but according to its calculations it will end up $1,500 per year ahead by making that purchase.

5.3.4.3 Risk Analysis Summary

Both qualitative and quantitative risk assessments examine risk severity based on likelihood and impact. The quantitative risk assessment is attractive because it uses precise figures: at the end of the day, organizations care about dollars and cents, and a quantitative assessment delivers that. However, the calculation is based on assumptions, and the assumptions are only as good as the available data, so the precision of the result can be deceptive. A qualitative risk analysis is also based on assumptions and the available data, but it has a bigger “fudge factor”, which makes it quicker and easier to perform. It does not attempt to deliver the exact ROI of an investment, but it sheds light on how risks should be prioritized. Both approaches are helpful and should lead to similar conclusions.

5.3.5 Handling Risk

Once risks have been identified and assessed, organizations need to determine how to handle them. There are four options for handling any given risk: avoiding, transferring, mitigating, and accepting.

5.3.5.1 Avoiding

Most cyber risks cannot be avoided. Avoiding a risk means eliminating the risk as a possibility. Since every risk has two components, a threat and a vulnerability, at least one of the two would need to be eliminated in order to avoid the risk.
Most threats (i.e., human adversaries) are beyond an organization’s ability to control, so most of the time there is not much that can be done with this half of the equation. In physical space, a business could move locations to eliminate a non-cybersecurity threat like a hurricane, but in cyberspace it is not possible to move out of the reach of threat actors. There are, however, some instances where an organization can eliminate a threat. One real-world example is the Sony Pictures hack of 2014. Sony Pictures came under a nation-state threat from North Korea over a controversial film it had made mocking the North Korean government. If Sony had decided not to release the film, the North Korean threat would have ceased, eliminating the cyber attack risk. Sony did not withdraw the film, and unfortunately for them the risk was realized: in November 2014, weeks before the film’s release, attackers breached Sony Pictures’ network and leaked internal emails, employee personal data, and unreleased films in a major doxxing attack.
