Mon Sep 29 18:51:29 PDT 2014

Risk Management: How does ICS do risk management?


Options:

Option 1: We will use the provided risk management model.
Option 2: We will use a different enterprise risk management model as described.


Decision:

IF A different overall risk management model is REQUIRED by external mandates,
THEN We will use a different enterprise risk management model as described.
OTHERWISE We will use the provided risk management model.


[Figure: The Risk Management Model]
Risk Management turns duties to protect into what to protect and how well.
Threats: {Capabilities & Intents}
Vulnerabilities: {Technical, Human, Organizational, Structural}
Consequences: {Brand, Value, Time, Cost}
Decision: Accept / Transfer / Avoid / Mitigate
Interdependencies: Function < People < Applications < Systems < Physical systems < Critical infrastructures
Matching Surety to Risk

Basis:

The risk management function, in context, is used to turn duties to protect into decisions about what to protect and how well.
[Figure: Risk management in context]
Oversight turns business needs into duties to protect: Laws, Owners, Board, Auditors, CEO.
Risk Management turns duties to protect into what to protect and how well (threats, vulnerabilities, consequences, accept / transfer / avoid / mitigate, interdependencies, and matching surety to risk, as in the model above).
Security Management uses power and influence to control the protection program: Organizational Governance, Business Processes, Human Actuators & Sensors.
Risk Management

Risk management transforms the duty to protect into decisions about what to protect, selects between risk acceptance, transfer, avoidance, and mitigation, and, where mitigation is chosen, attempts to match the surety of the mitigation to the desired risk reduction.

Risks are generally formed from the combination of threats, vulnerabilities, and consequences. Threats, including nature and accidents as well as individual actors and groups (possibly acting in concert), exploit sequences of vulnerabilities to induce consequences.

Risk management is the process enterprises use to turn the duty to protect into decisions about what to protect and to what extent it should be protected. Its output feeds the executive security management function, which is tasked with carrying out the duty to protect those things to the extent appropriate to the need identified by risk management.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved