Cyber Fundamentals: Cybersecurity as Part of Risk Management – Cyber Risk Management Chronicles, Episode II | EDRM – Electronic Discovery Reference Model


Risk management is the process of minimizing or mitigating risk. It begins with identifying and evaluating the various types of risk an organization faces, determining the probability that each will occur, estimating its potential impact, and deciding the optimal use of resources to monitor and minimize it. The common purpose of risk management is to safeguard the organization’s mission, finances, and reputation in the face of natural, accidental, and adversarial threats.

Cybersecurity is one category of enterprise risk management. Effective management balances achieving the enterprise mission and objectives against optimizing resources (which are always limited) and risk. The six core phases of risk management below apply to almost all kinds of risk, including cyber risk, and can be applied to any organization, regardless of size or industry:

1. Identify the context. Context is the environment in which the organization operates as influenced by the risks identified.

2. Identify the risks. This means identifying the comprehensive set of risks and determining which events may impede objectives. 

3. Analyze the risks. This involves…
