40 Free Cyber Security Risk Management Resources

Published: 2019-06-18

Tools, Templates, Calculators and Articles to Help You Manage Cyber Security Risks

Cyber security risk management is essential to keep businesses and organizations ahead of cyber threats and protected from data breaches. Continuous cyber security risk assessment enables you to take a proactive approach to cyber security risk mitigation, so you can minimize damage from data breaches, cyber attacks and other costly IT threats.

According to the 2018 Global Data Risk Report from the Varonis Data Lab, cyber threats are a serious risk because of a lack of risk management. Consider the following insights from this study of 130 organizations of various sizes:

  • 58% of companies have more than 100,000 folders that are vulnerable to cyber attacks.
  • 21% of all folders are open to everyone.
  • 41% of companies have more than 1,000 sensitive files open to everyone.

Cyber security professionals can make their jobs easier with effective cyber security risk management. This list of cyber security risk management resources is designed for those who may be involved in their first cyber security risk assessment or cyber security risk mitigation project, or who are interested in cyber security management as a way to achieve career advancement goals.

Use these reports, risk equations and calculators, frameworks, assessment tools and mitigation checklists to more effectively identify, protect, detect, respond and recover from cyber security threats.


Introduction to Cyber Security Risk Management

The following resources provide a substantial introduction to cyber security risk management. These resources expand on the definition of cyber security risk management, provide links to reputable national organizations in the cyber security risk management field, and provide practical advice on how to implement a risk management program in an organization.

There are still many organizations without a cyber security risk management plan in place. According to CSO, 46% of cyber security and IT professionals say they are challenged by continually measuring cyber risks. For both cyber risk management newbies and veterans, these resources provide valuable information for getting on track with a risk management strategy.

5 Fundamentals in Cyber Risk Management

The article “5 Fundamentals in Cyber Risk Management” provides a checklist of what every cyber risk management strategy needs. Get details about risk identification; how to communicate the value of risk management to executives; and how to stay up-to-date about possible data security threats. Cyber risk management is an organizational duty, not just one on the shoulders of IT professionals.

Key Takeaways:

  • With the prevalence of cyber attacks on the rise, a risk management strategy is important for organizations, since attacks aren’t just possible, but likely.
  • Effective cyber risk management requires top-down buy-in, transparent communication and security best practices implementation for every single employee.

RIT Cybersecurity Risk Management Course

This edX course presented by the Rochester Institute of Technology teaches online students principles of cyber security risk analysis, cyber security risk mitigation and cyber security risk assessment. Students learn how to apply both quantitative and qualitative methods to cyber security risk management. The course is free (or pay $150 to add a verified certificate), lasts 8 weeks and takes about 10 to 12 hours per week to complete.

Key Takeaways:

  • Students learn how to identify and model cyber security risks and how those risks translate into business consequences.
  • The course features industry case studies to illustrate cyber security risk management application.
  • Students also learn about the intersection of artificial intelligence, big data and information security.

Information Security Risk Management

This article presented by Rapid7 Insight cloud explains the stages of information security risk management: identification, assessment, treatment and communication. It breaks down the tasks associated with each stage and explains why risk management is an ongoing process. It also identifies the stakeholders in cyber security risk management and provides examples for what a risk management process would look like in a company.

Key Takeaways:

  • Asset identification helps organizations determine the resources that will have the most impact on an organization if they’re compromised.
  • Threat modeling is a process that helps identify vulnerabilities so organizations can stay better protected.
  • Once risks are pinpointed, organizations can put together effective treatment plans that mitigate damage.

Cybersecurity Risk Management: Finding and Fixing Your Security Vulnerabilities

This article on security buying guides website eSecurity Planet explains why a cyber security risk management system is important and how to set one up. It outlines the five levels of an effective risk management process — initial, repeatable, defined, managed and optimized — and explains how to do a risk/reward calculation for cyber security enhancements. The article also includes practical tips for risk mitigation.

Key Takeaways:

  • Not having a risk management plan in place can do more harm than the actual breach, since the organization’s reputation may be damaged by failing to have a mitigation plan.
  • There is no one-size-fits-all solution for a risk management system. Organizations like financial services firms and healthcare organizations will also have regulatory concerns to include in a risk management strategy.
  • You may not realize where your most sensitive data is if it’s not stored correctly. A data map can help identify data that is mis-stored to mitigate risk.

7 Considerations for Cyber Risk Management

This article presented by Carnegie Mellon University explores essential elements to include in a risk management program and ways to make a cyber security risk management program more successful. The article includes several valuable resources from organizations like the National Institute of Standards and Technology (NIST) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It also presents some basic cyber hygiene practices for useful risk management.

Key Takeaways:

  • Effective cyber security risk management requires the creation of a culture of cyber security. This ensures continued buy-in and focus on risk management.
  • To make risk communication more efficient, set up thresholds and criteria for how to communicate risks.
  • Insider threats are the cause of most security problems, so a risk management strategy must account for proper employee training to avoid threats.

Developing an Information Security and Risk Management Strategy

This ISACA article breaks down the phases of developing an information security and risk management strategy, including business awareness, strategy definition, strategy development, metrics and benchmarking, and implementation and operation. The article explains how to factor in budgets when defining a strategy, how to measure staff availability against strategy and how to integrate a risk management strategy into company culture. It also explains how to use a capability maturity model for a cyber security risk assessment.

Key Takeaways:

  • Cyber security risk management is no longer just a function of IT. It is a comprehensive business initiative that should align with overall enterprise risk management strategy.
  • Cyber security risk management is best broken down into a long-term (three-year) plan and an annual plan. These updates ensure risk management strategies are always up-to-date and account for evolving needs.

An Introduction to Information System Risk Management

This whitepaper by information security firm SANS Institute breaks down quantitative and qualitative cyber security risk assessment strategies. It explains how to identify threats and vulnerabilities, how to define threat likelihood and impact, and how to manage risk. It also provides common cyber security risk assessment tools, such as the National Institute of Standards & Technology (NIST) methodology.

Key Takeaways:

  • Cyber security threats include accidental disclosure, accidental system configuration error, and alteration of software.
  • Some reasons for vulnerabilities include inadequate information system recovery procedures, absence of adequate formal contingency training and a lack of information backups.
  • When defining threat impact, confidentiality, integrity and availability should all be considered.

National Cyber Security Centre Risk Management Guidance

The National Cyber Security Centre’s (NCSC) guidance on risk management for cyber security has a collection of articles on various topics. These include the fundamentals of risk, component-driven and system-driven risk assessments, and delegating risk management decision making. The NCSC enables users to send general inquiries to the organization regarding the information they find in the guide.

Key Takeaways:

  • Component-driven risk management focuses on technical components.
  • System-driven risk management analyzes whole systems.
  • Different situations will require different risk management techniques. This guide outlines example situations where each type of risk management has value.


Cyber Security Threat Reports

A cyber security risk management strategy should take into account the most prominent threats to similar industries and businesses, as well as emerging threats that may not be evident at the moment, but that have the potential to impact organizations. Cyber security threat reports like these enable cyber security risk professionals to stay up-to-date on new and emerging threats.

The following is a collection of 2019 reports from some of the most prominent cyber security solutions providers. These reports cover broad global trends, as well as cyber security risk threats that are specific to certain types of enterprises.

Internet Security Threat Report, Volume 24, February 2019

This report by cyber security provider Symantec provides data on malicious URLs, web and formjacking attacks, cryptojacking, ransomware, supply chain attacks and more. It reveals what the most significant cyber attack threats were to organizations in 2018 and presents emerging security challenges in cloud computing technology. It also covers election interference, Internet of Things (IoT) and email cyber security trends.

Key Takeaways:

  • Incidents of formjacking, which is the use of malicious JavaScript code to steal payment details on ecommerce sites, increased in 2018.
  • In 2018, enterprises accounted for 81% of all ransomware infections, and enterprise infections were up 12% year-over-year.
  • In 2018, there was a significant increase in attackers using off-the-shelf tools and operating system features to conduct cyber attacks.

2019 Forcepoint Cybersecurity Predictions Report

This report by cyber security products brand Forcepoint presents seven cyber security predictions for 2019, which can be applied to business and organization operations. The report covers topics including cloud computing, biometric data, and the use of algorithms and analytics to alert security professionals to data loss incidents. The predictions are backed by statistics from customer surveys and previous cyber security data.

Key Takeaways:

  • Despite artificial intelligence developments, AI is not predicted to take over cyber security professional tasks due to the need for professionals to upload expert knowledge and training datasets for successful cyber security strategies. However, AI may help with outlier detection.
  • In 2019 and beyond, this report predicts attackers will target the underlying cloud infrastructure of IoT devices to attack them.
  • Expect cyber security attacks to become more prevalent in governments, as trade policies motivate critical infrastructure and vital industry attacks.

FireEye M-Trends 2019 Report

The annual report by cyber security company FireEye features cyber security statistics, case studies and best practices for cyber security defense and incident response. The report presents a global view of cyber security, breaking down data into regions and continents. It also presents case studies of advanced persistent threat (APT) attacks, which involve pursuing victims over greater lengths of time, typically months or years.

Key Takeaways:

  • Cryptocurrency is being used in extortion cases, which are on the rise.
  • Attackers are increasingly targeting cloud providers, telecoms and organizations with large amounts of data.
  • The global median dwell time of attacker operation on victim networks decreased to 78 days in 2018, compared to 101 days in 2017.

2019 SonicWall Cyber Threat Report

The 2019 SonicWall Cyber Threat Report by cyber security solutions provider SonicWall is a global look at some of the world’s most significant cyber security breaches and cyber security attack data. The report identifies top 2018 global cyber attack trends (including web app attacks and intrusion attempts) and explains cyber security threat advances like an increase in ransomware and memory processor threats. The report presents several cyber attack case studies from the past year.

Key Takeaways:

  • Business (46%), healthcare (29%) and banking (11%) were the top three industries for 2018 American breach volume.
  • Global malware attack samples rose from 8.62 billion in 2017 to 10.52 billion in 2018.
  • The United States is by far the most-attacked country targeted by malware, accounting for nearly 50% of the total global malware attacks.

2019 Cyber Security Risk Report

This report by risk consultancy firm Aon explores eight cyber security risks all organizations face, including digital transformation, supply chain security and IoT. The report offers recent examples of cyber security attacks and provides recommendations for how businesses must react to similar threats. The report recommends that organizations constantly examine how emerging threats can affect continuous business development.

Key Takeaways:

  • The report declares that the greatest challenge organizations face is staying informed on cyber security issues, since they are constantly evolving.
  • While 59% of U.S. and U.K. companies say they experienced a third-party data breach, only 35% of those companies rated their third-party risk management program as highly effective.
  • Companies are vastly underestimating their IoT devices — 52% said their inventory had at least 1,000 IoT devices, but the study average was more than 15,000 IoT devices.

Cisco Cybersecurity Report Series: 2019 Chief Information Security Officer (CISO) Benchmark Study

This ebook by cyber security solutions provider Cisco is focused on needs, trends, characteristics and fears of chief information security officers (CISO). It features interviews with CISOs from around the country and provides insight into how diverse organizations are approaching cyber security risk management. It covers cyber security technology adoption and prevalent attack types.

Key Takeaways:

  • Nearly a quarter (24%) of survey respondents say “the unknown” is the most serious risk to their organizations. The unknown exists in new devices, new cloud applications, new data and more.
  • Successful collaboration between networking and security tends to decrease the financial impact of security breaches — 59% of those who were very or extremely collaborative experienced the lowest category of breach cost for their most impactful breach.
  • One third of organizations use drills or exercises to practice their cyber security response plan every year, and 61% practice one every six months.

2019 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics

Cyber security researcher Cybersecurity Ventures is the company behind this helpful handbook covering data on cyber crime damage, breaches, vulnerabilities, ransomware and more. Each statistic links back to the original data source. The handbook details particularly vulnerable industries, like healthcare, and covers how cyber security threats are impacting small businesses in particular.

Key Takeaways:

  • Cybersecurity Ventures predicts cyber crime damages will cost the world $6 trillion annually by 2021, which is more than annual damage from natural disasters globally and more than profits from the global trade of all major illegal drugs combined.
  • The FBI states that the number of reported cyber crimes in the agency’s report represents at most 12% of the total number actually committed.
  • Leading technology trends like ecommerce, mobile payments, IoT, cloud computing and big data are all correlated with increased cyber security risk for organizations and users.


Cyber Security Risk Equations and Quantification Calculators

Cyber security risk management is a business expense. It’s vital, but cyber security risk professionals will need to determine risk and present their findings to business owners and financial officers who control budgets.

By using the formulas covered here, you can determine which risks are most worth protecting against and how to justify cyber security risk management spending. Both quantitative and qualitative assessments are discussed in these resources.

Quantifying Information Risk and Security

In this guide, ISACA presents considerations for quantifying information security in business terms. ISACA states the task is difficult because there are so many indicators and suggested metrics, but this guide provides a comprehensive look at factors to consider. These include how to conduct a business impact analysis (BIA), risk of human error, risk of product/technology error, technology vulnerabilities and probability.

Key Takeaways:

  • A common risk formula is Risk = Probability x Impact. Probability is a numerical value based on statistical analysis.
  • A successful BIA is owned by the business unit and/or functional managers, is quantitative, is regularly updated, is validated by executives and is reviewed and approved by the audit committee.

The One Equation You Need to Calculate Risk-Reduction ROI

The Center for Internet Security presents this blog on how to calculate return on investment (ROI) to account for the cost of risk versus the cost of control. The blog explains how to calculate reduction in risk. It also uses phishing attacks as an example for how an organization can use the calculation.

Key Takeaways:

  • If you’re considering multiple cyber security solutions for the same risk, run each solution through the ROI formula to compare them.
  • Using this calculation for multiple risks will also help you identify which ones to prioritize for the most cost savings.

OWASP Risk Rating Methodology

The OWASP Risk Rating Methodology uses the formula Risk = Likelihood + Impact to determine risk. This article details how to identify a risk, factors for estimating likelihood and impact, how to determine the severity of the risk and how to customize a risk rating model. It includes a repeatable method that takes into account threat agent factors, vulnerability factors, technical impact and business impact to determine overall risk.

Key Takeaways:

  • To determine the threat likelihood, take into account threat agent factors like skill level and motive and vulnerability factors like ease of discovery, intrusion detection and ease of exploit.
  • Impact will depend on technical impact factors like loss of confidentiality and loss of integrity, as well as business impact factors like financial damage, non-compliance and reputation damage.

Threats and Risk Calculation

This document distributed by Carnegie Mellon University features common formulas for risk calculation, including how to calculate annualized loss expectancy, exposure factor, annualized rate of occurrence and single loss expectancy. It also explains additional risk calculation measurements like mean time to failure, mean time between failures and mean time to restore. The paper covers a qualitative risk assessment, too, which can be used when dollar amounts are not available.

Key Takeaways:

  • The main steps in a quantitative cyber security risk assessment are to find out asset value, calculate the exposure factor, assign a single loss expectancy, calculate the annualized rate of occurrence and calculate the annualized loss expectancy.
  • Judgment, intuition and experience are the main drivers in a qualitative cyber security risk assessment.

How to Calculate ROI and Justify Your Cybersecurity Budget

This CSO article explains how to calculate cyber security risk investment ROI to get buy-in from executives. It includes a calculator for annual loss expectancy, covers how to determine potential loss per incident and explains how to justify the budget you’re asking for by providing the most effective products and solutions. The article contains examples that illustrate all formulas and rates.

Key Takeaways:

  • To get cyber security buy-in, it is essential for cyber security professionals to use formulas like those mentioned in the article, because they are ones management can relate to.
  • To determine potential financial loss per incident, look at industry averages and factor in tangible and unavoidable incident costs. Present each cost separately to validate the total cost.

Cybersecurity Risk Calculator

This cyber security risk calculator presented by SAP Sales Cloud is a quiz-like calculator. Participants plug in answers, and the calculator presents a quick cyber security cost fact or tip related to each answer. It’s an interactive way to get a qualitative look at your organization’s cyber security risk based on broad trends.

Key Takeaways:

  • The quiz offers the following tip: to mitigate cyber security risk with email, make sure all emails containing personal information in attachments are encrypted.
  • Another insight from the quiz is to restrict software and set up administrative rights so nothing can be installed without company authorization.

Cybersecurity: Quantifying Value at Risk

This article by the Association for Financial Professionals explains the value-at-risk (VAR) concept for classifying cyber security risk. VAR quantifies risk in economic terms, so executives can easily understand it and invest. VAR takes into account total exposure, attack type/probability and controls effectiveness to determine risk.

Key Takeaways:

  • The Association for Financial Professionals recommends that the analyst benchmark the company against a cyber security risk framework that is widely accepted, such as the NIST Cybersecurity Framework.
  • VAR enables a firm to calculate risk exposure without considering mitigation measures, then compare risk exposure with mitigation measures in place to see the risk reduction benefits.

Cybersecurity Posture Scoring vs Risk Scoring

This blog by cyber security management firm Cavirin explains how cyber security risk scoring — or determining the extent of weaknesses and the value of assets — leads to cyber security posture scoring, which designates the cyber security controls that will be deployed to mitigate risks. The cyber security posture scoring determines how strong the controls are in mitigating the risks. It helps assess how strong an IT environment is, so a plan to upgrade or replace inadequate controls can be formed.

Key Takeaways:

  • As the cyber security posture score increases, the cyber security risk score decreases.
  • Scoring both cyber security risks and cyber security posture must be a continual process, especially whenever new business processes are introduced.


Cyber Security Risk Frameworks

Cyber security risk frameworks present standards, guidelines and best practices to manage cyber security risks. These frameworks are built upon data, case studies and what has worked for diverse organizations and IT professionals around the globe.

Some organizations choose to abide by a specific framework, while others take tenets of multiple cyber security risk frameworks into account. These leading frameworks can inspire how your own organization applies cyber security risk management strategies.

Introduction to the Security Engineering Risk Analysis (SERA) Framework

This report by the Software Engineering Institute at Carnegie Mellon University covers security risk concepts and presents a model-based approach for analyzing software security risks. The Security Engineering Risk Analysis (SERA) Framework uses operational models to describe a system’s operational context, and it proposes scenarios to document security risk complexities. The report includes tables, graphs and sample scenarios to illustrate its concepts.

Key Takeaways:

  • The SERA Framework requires that for each security risk, the following are recorded: security risk scenario, risk statement, threat components, threat sequence, workflow consequences, stakeholder consequences and enablers.
  • The SERA Framework consists of these tasks: establish operational context, identify risk, analyze risk and develop control plan.

COBIT 5
The COBIT 5 framework is used for the management and governance of enterprise IT. It covers audit and assurance, risk management, information security, regulatory and compliance, and how to align IT goals with strategic business objectives. The online framework includes publications, training, case studies and process assessment.

Key Takeaways:

  • COBIT 5 is the product of a global task force and development team from ISACA, which is a nonprofit with more than 140,000 members in 187 countries.
  • COBIT 5 can be used by enterprises of all sizes and types.
  • Some of the leading principles of COBIT 5 include to maintain high-quality information to support business decisions, to achieve strategic goals through IT initiatives and to optimize the cost of IT technology and services.

International Organization for Standardization

The International Organization for Standardization (ISO) is an independent, non-governmental international organization whose membership comprises 164 national standards bodies. ISO members share knowledge and develop consensus-based international standards. There are more than a dozen ISO information security management systems standards, including standards on process control systems specific to the energy utility industry and on information security management for inter-sector and inter-organizational communications.

Key Takeaways:

  • ISO standards are based on expert knowledge from around the world, representing cyber security thought leadership from diverse sources.
  • Businesses that follow ISO standards are said to be ISO-compliant, which can be a positive differentiating cyber security risk factor for organizations.

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process

This technical report from the Software Engineering Institute at Carnegie Mellon University presents the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) methodology, OCTAVE Allegro. This methodology was designed to streamline and optimize the cyber security risk assessment process. It highlights OCTAVE Allegro design considerations and requirements and includes guidance, worksheets and examples so organizations can perform their own OCTAVE Allegro risk assessment.

Key Takeaways:

  • The OCTAVE Allegro methodology has eight steps, including establish risk measurement criteria, identify areas of concern and identify threat scenarios.
  • Each OCTAVE Allegro worksheet identifies an information asset, area of concern, actor that would exploit the weakness, means, motive, outcome, security requirements, probability, consequences, severity and risk mitigation action.

Framework for Improving Critical Infrastructure Cybersecurity

This framework by the National Institute of Standards and Technology focuses on using business motivators to guide cyber security risk management. The framework positions cyber security risk management as an ongoing risk management process. The framework includes a core, implementation tiers and framework profiles.

Key Takeaways:

  • This framework is based on globally recognized standards for cyber security risk management.
  • This framework can be applied to all types of businesses and organizations relying on diverse technology types, including IoT and IT.
  • The framework is a living document that is continually updated with feedback from government agencies and the private sector.

Putting the NIST Cybersecurity Framework to Work

This article by network security provider Cohesive Networks is a case study of how a SaaS client used the NIST framework to update its cyber security risk management approach. The article outlines the steps Cohesive Networks took to apply the framework to the SaaS company, including identifying a short list of security standards to apply, documenting gaps to target and creating a Cybersecurity Risk Management & Network Operations Manual for each of the client’s application teams.

Key Takeaways:

  • Cohesive Networks used three established cyber security questionnaires to quickly identify gaps and needed cyber security risk management processes.
  • The client had assumed that the Payment Card Industry Security Standards Council requirements did not apply to them because they did not handle credit card information. They discovered that the requirements were still useful for protecting their systems and helped pinpoint where the cyber security risk gaps were.

Implementing the NIST Cybersecurity Framework

This ISACA guide teaches organizations how to implement the NIST Framework at their business or organization. The guide is based on ISACA’s work with the National Institute of Standards and Technology to meet the 2013 executive order by U.S. President Obama to improve critical infrastructure cyber security. The guide includes key principles from the COBIT 5 framework, which were used to achieve the executive order.

Key Takeaways:

  • The executive order called for the development of a voluntary risk-based cyber security framework.
  • This framework was to be flexible, repeatable, performance-based and cost-effective.
  • ISACA worked with small and large organizations around the globe when working on developing the framework.

Cybersecurity: Based on the NIST Cybersecurity Framework

This audit program from ISACA is for IT auditors and assurance professionals to use when they are performing an assurance process. It is based on the NIST Cybersecurity Framework and covers processes including communications, recovery planning, resource planning and asset management. The document is a review tool and starting point that can be modified.

Key Takeaways:

  • The audit program recommends that the IT audit and assurance professional have the subject matter expertise necessary to conduct the work, because the document is not intended to be used as a questionnaire or checklist.
  • The audit program recommends that the IT audit and assurance professional be supervised by a professional with the subject matter expertise necessary to adequately review the work, or by a professional with the Certified Information Systems Auditor (CISA) designation.


Cyber Security Risk Assessment Tools

Your cyber security risk management program needs to take into account many factors to determine what threats you’re facing now, which ones you should focus on and how to gauge a return on your investment. To aid organizations in determining how to best manage cyber security risk, there are many free cyber security risk assessment tools available.

Use tools like the ones mentioned here to help you build a cyber security risk management strategy. You should conduct a new assessment whenever a new business practice is introduced, especially when it involves technology.

Baldrige Cybersecurity Excellence Builder

The Baldrige Cybersecurity Excellence Builder (BCEB) is a self-assessment that helps organizations better understand the effectiveness of their cyber security risk management efforts. The self-assessment helps participants determine the most important cyber security activities for business strategy, prioritize cyber security risk investments and assess an organization’s cyber security standards. The BCEB includes questions relating to organizational context, leadership, strategy, customers and measurement.

Key Takeaways:

  • The BCEB is most valuable as an assessment of an entire organization’s cyber security risk management program.
  • Use the Organizational Context section to identify topics for action planning based on where little, no or conflicting information is available.
  • Complete the BCEB as a first step to carry out suggestions in the Cybersecurity Framework “How to Use the Framework” section.

Federal Financial Institutions Examination Council Cybersecurity Assessment Tool

Designed with financial institutions in mind, the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool is a repeatable and measurable cyber security risk assessment. It contains two parts: an Inherent Risk Profile that identifies the institution’s inherent risk before implementing controls, and a Cybersecurity Maturity profile, including domains, assessment factors, components and individual declarative statements. The assessment is consistent with the NIST Cybersecurity Framework.

Key Takeaways:

  • If management determines that the institution’s maturity levels are not appropriate for its inherent risk profile, steps can be taken to reduce inherent risk or to improve maturity levels.
  • The inherent risk profile and maturity levels will change over time, so the assessment should be conducted periodically and when planned changes can affect the inherent risk profile.

HealthIT.gov Security Risk Assessment Tool

Covered entities in healthcare and their business associates must conduct a risk assessment under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This Security Risk Assessment Tool was developed by the Office of the National Coordinator for Health Information Technology in collaboration with the HHS Office for Civil Rights. The results are displayed in a report that shows risks in policies, systems, methods and processes.

Key Takeaways:

  • This tool is designed for small and medium providers and may be inappropriate for larger organizations.
  • Use the tool to document how your organization implements, or plans to implement, safeguards that mitigate the identified risks.

Information Security Checklist

This information security checklist from the Information Commissioner’s Office is a basic cyber security assessment of the progress your organization has made in cyber security risk management. After answering a series of questions, you receive an assessment with suggested actions to take regarding cyber security risk management. The assessment also links each recommended action to cyber security risk management guidelines.

Key Takeaways:

  • If you receive recommendations, click on the guidelines to research further.
  • Use the suggested actions as a guideline of where cyber security risk management gaps exist. Calculate risks to see which actions to prioritize.

International Professional Practices Framework Global Technology Audit Guide

This practice guide leads auditors through an exploration of cyber security risks and common threats faced. It identifies where gaps in assurance may occur and explains the first, second and third lines of defense activities related to cyber security risk management. It presents an approach to assessing cyber security risks and controls.

Key Takeaways:

  • Common first line of defense activities include administering security procedures, training and testing, maintaining secure device configurations and deploying intrusion detection systems.
  • Common second line of defense activities include designing cybersecurity policies, training and testing, conducting cyber risk assessments and gathering cyber threat intelligence.
  • Common third line of defense activities include providing independent ongoing evaluations of preventive and detective measures related to cybersecurity, evaluating IT assets of users with privileged access and conducting cyber risk assessments of third parties and suppliers.

Cyber Exposure Risk Calculator

The Cyber Exposure Risk Calculator by cyber insurance provider CyberBee provides visitors with an online quiz that shows what type of cyber security risk an organization has, from low risk to escalated risk. Questions cover topics like bring-your-own-device, public networks and sensitive information. The quiz takes about 10 minutes to complete.

Key Takeaways:

  • Use the quiz as a way to identify cyber security risk management areas to focus on.
  • If you answer “yes” or “unsure” to a question, that is an area where your organization faces higher cyber security risk.


Cyber Security Risk Mitigation Checklists

Checklists and guides are valuable tools for getting started with cyber security risk management. Even a general checklist can be a worthwhile starting point for devising a cyber security risk management plan, since it can prompt discussion and a closer look at vulnerabilities you may not have recognized.

The following checklists range from general to detailed, and some questions come directly from federal cyber security recommendations. Review checklists like these regularly to make sure your cyber security risk strategy is always up-to-date.

Information Security Risk Assessment Checklist

This checklist by Agri-Business Insurance Services walks participants through cyber security risks related to organizational and management practices, personnel practices, physical security practices and more. Each checklist point lists a category with appropriate cyber security risk management steps that should have been taken. If the organization’s efforts don’t align with the checklist point, action should be taken to mitigate the risk.

Key Takeaways:

  • Agri-Business Insurance Services recommends that the Information Security Officer complete this checklist in cooperation with the Chief Information Officer.
  • Any items that result in a “no” response should be assigned a level of risk. An appropriate action plan should be developed to mitigate the identified risk.

IT Security Risk Assessment Checklist

The Center for IT and e-Business Management at the University of Illinois put together this IT Security Risk Assessment Checklist covering topics like security policies, awareness and training, and identity management. The first page gives sample answers to questions about whether an initiative is planned, partially completed or fully implemented, what the severity of the risk is, and how the risk calculation and its upper limit are derived. At the end of the checklist, a Total Risk Score and a Maximum Possible Risk are calculated.

Key Takeaways:

  • This checklist is very extensive, at eight pages long. You’ll likely need input from multiple stakeholders and will need to conduct an extensive audit to complete the full assessment.
  • For “no” and “N/A” answers, prioritize which risks you want to focus on first, and come up with action plans.

NIST 800-171 Checklist

This checklist created by Redhawk Network Security is based on NIST 800-171 requirements. It is a broad checklist covering topics like access control, configuration management and system and communications protection. It provides organizations with an idea of where they are in the cyber security risk management process.

Key Takeaways:

  • If you are failing to meet any item on this checklist, look more closely at the aspects you are failing to meet.
  • Use this checklist as a basic starting point before using more detailed assessments.

Cyber Security Risk Mitigation Checklist

This checklist by All Hazards Consortium covers recommended guidelines for building a risk management program, creating a cyber security policy, assessing operational risks and more. Each activity/security control is paired with rationale behind the strategy. For those who are newer to cyber security risk management, being able to pair the rationale with the action can be a helpful learning tool.

Key Takeaways:

  • If you are unsure why a certain activity or security control you have not implemented is important, use the rationale as a guide to investigate further.
  • Mark off items you are not meeting presently, and compare their levels of risk to devise a plan of action.

Information Security Risk Assessment Checklist

This information security risk assessment checklist by Netwrix is a general risk assessment guide that helps organizations get started with cyber security risk management. The guide recommends that organizations consider all valuable assets across the organization whose compromise would result in a monetary loss. Then identify potential consequences, threats and threat levels, vulnerabilities, likelihood and risk. The guide provides sample entries showing how to build a risk management plan going forward.

Key Takeaways:

  • This guide can be used as a collaborative tool, since it walks teams through a process with an all-hands-on-deck approach.
  • To create a successful risk management process, create a strategy, then define mitigation processes.


Do You Want to Lead Cyber Security Teams, Initiatives and Strategies?

Cyber security risk management is crucial for organizations of all types and sizes. If resources like these interest you, and you want to lead the charge of a cyber security risk management plan at your current organization or somewhere new, earning a master’s degree in cyber security might be your next step.

If you’re interested in taking your career to the next level by enriching and developing your cyber security skills, get information about an online Master of Cyber Security degree through our partner Syracuse University, as well as online cyber security masters programs at other institutions.
