What is cyber risk management?

Cyber risk management, also called cybersecurity risk management, is the process of identifying, prioritizing, managing and monitoring risks to information systems.  

Cyber risk management has become a vital part of broader enterprise risk management efforts. Companies across industries depend on information technology to carry out key business functions today, exposing them to cybercriminals, employee mistakes, natural disasters and other cybersecurity threats. These threats can knock critical systems offline or wreak havoc in other ways, leading to lost revenue, stolen data, long-term reputation damage and regulatory fines. 

These risks cannot be eliminated, but cyber risk management programs can help reduce the impact and likelihood of threats. Companies use the cybersecurity risk management process to pinpoint their most critical threats and select the right IT security measures to protect information systems from cyberattacks and other digital and physical threats based on their business priorities, IT infrastructures and resource levels.


The cybersecurity risk management process

It's difficult to evaluate cyber risk with total certainty. Companies rarely have full visibility into cybercriminals' tactics, their own network vulnerabilities or less predictable risks like severe weather and employee negligence. In addition, the same kind of cyberattack can have very different consequences from one company to the next. Data breaches in the healthcare sector cost USD 10.10 million on average, whereas breaches in hospitality cost USD 2.9 million, according to the IBM Cost of a Data Breach report.

For these reasons, authorities like the National Institute of Standards and Technology (NIST) suggest approaching cyber risk management as an ongoing, iterative process rather than a one-time event. Revisiting the process regularly allows a company to incorporate new information and respond to new developments in the broader threat landscape and its own IT systems.

To ensure that risk decisions account for the priorities and experiences of the whole organization, the process is typically handled by a mix of stakeholders. Cyber risk management teams may include directors, executive leaders like the CEO and chief information security officer, IT and security team members, legal and HR and representatives from other business units. 

Companies can use many cyber risk management methodologies, including the NIST Cybersecurity Framework (NIST CSF) and the NIST Risk Management Framework (NIST RMF). While these frameworks differ in scope and emphasis, they follow a similar set of core steps.

1. Risk framing

Risk framing is the act of defining the context in which risk decisions are made. By framing risk at the outset, companies can align their risk management strategies with their overall business strategies. This alignment helps avoid ineffective and expensive mistakes, like deploying controls that interfere with key business functions. 

To frame risk, companies define things like the following:

The scope of the process: What systems and assets will be examined? What kinds of threats will be looked at? What time horizon is the process working on (for example, risks in the next six months or risks in the next year)?

Asset inventory and prioritization: What data, devices, software and other assets are in the network? Which of these assets are most critical to the organization?

Organizational resources and priorities: What IT systems and business processes are most important? What resources, financial and otherwise, will the company commit to cyber risk management?

Legal and regulatory requirements: What laws, standards or other mandates must the company comply with? 

These and other considerations give the company general guidelines when making risk decisions. They also help the company define its risk tolerance—that is, the kinds of risks it can accept and the kinds it cannot.

2. Risk assessment

Companies use cybersecurity risk assessments to identify threats and vulnerabilities, estimate their potential impacts and prioritize the most critical risks.

How a company conducts a risk assessment will depend on the priorities, scope and risk tolerance defined in the framing step. Most assessments evaluate the following: 

Threats are people and events that could disrupt an IT system, steal data or otherwise compromise information security. Threats include intentional cyberattacks (like ransomware or phishing) and employee mistakes (like storing confidential information in unsecured databases). Natural disasters, like earthquakes and hurricanes, can also threaten information systems.

Vulnerabilities are the flaws or weaknesses in a system, process or asset that threats can exploit to do damage. Vulnerabilities can be technical, like a misconfigured firewall that lets malware into a network or an operating system bug that hackers can use to take over a device remotely. Vulnerabilities can also arise from weak policies and processes, like a lax access control policy that lets people access more assets than they need.

Impacts are what a threat can do to a company. A cyberthreat could disrupt critical services, leading to downtime and lost revenue. Hackers could steal or destroy sensitive data. Scammers could use business email compromise attacks to trick employees into sending them money.

The impacts of a threat can spread beyond the organization. Customers who have their personally identifiable information stolen during a data breach are also victims of the attack.

Because it can be hard to quantify the exact impact of a cybersecurity threat, companies often use qualitative data like historical trends and stories of attacks on other organizations to estimate impact. Asset criticality is also a factor: The more critical an asset is, the more costly attacks against it will be.

Risk measures how likely a potential threat is to affect an organization and how much damage that threat would do. Threats that are likely to happen and likely to cause significant damage are the riskiest, while unlikely threats that would cause minor damage are the least risky.

During risk analysis, companies consider multiple factors to assess how likely a threat is. Existing security controls, the nature of IT vulnerabilities and the kinds of data a company holds can all influence threat likelihood. Even a company's industry can play a role: The X-Force Threat Intelligence Index found that organizations in the manufacturing and finance sectors face more cyberattacks than organizations in transportation and telecommunications.

Risk assessments can draw on internal data sources, like security information and event management (SIEM) systems, and external threat intelligence. They may also look at threats and vulnerabilities in the company's supply chain, as attacks on vendors can affect the company. 

By weighing all of these factors, the company can build its risk profile. A risk profile provides a catalog of the company's potential risks, prioritizing them based on criticality level. The riskier a threat is, the more critical it is to the organization. 

3. Responding to risk

The company uses the risk assessment results to determine how it will respond to each risk. Risks deemed highly unlikely, or low-impact risks, may simply be accepted, as investing in security measures may cost more than the risk itself. Acceptance is still a decision: the accepted risk stays in the risk register, with its rationale, so it can be revisited when the monitoring step turns up new information.

Likely risks and risks with higher impacts will usually be addressed. Possible risk responses include the following:

Risk mitigation

Mitigation is the use of security controls that make it harder to exploit a vulnerability or reduce the impact of exploitation. Examples include placing an intrusion-prevention system in front of a valuable asset and implementing incident response plans for quickly detecting and dealing with threats.

Risk remediation

Remediation means fully addressing a vulnerability so it cannot be exploited. Examples include patching a software bug or retiring a vulnerable asset.

Risk transfer

If mitigation and remediation aren't practical, a company may transfer responsibility for the risk to another party. Buying a cyber insurance policy is the most common way companies transfer risk. Transfer shifts some of the financial loss, not the obligation: regulatory duties and accountability for affected customers' data remain with the company, so insurers typically expect baseline controls to be in place before they will underwrite the policy.

4. Monitoring

The organization monitors its new security controls to verify that they work as intended and satisfy relevant regulatory requirements. 

The organization also monitors the broader threat landscape and its own IT ecosystem. Changes in either one—the emergence of new threats or the addition of new IT assets—can open up new vulnerabilities or make previously effective controls obsolete. By monitoring continuously, the company can adjust its cybersecurity program and risk management strategy in nearly real time.
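The four steps above are easier to see end to end in a small worked risk register. The following Python is an added example, not code from the article, IBM or NIST: the four-level scale, the rule that each existing control lowers likelihood by one level, the weighting of impact by asset criticality, the tolerance threshold and the sample register are all assumptions made for illustration. Framing supplies the tolerance and the asset criticality, assessment produces the score and the ordered profile, and the response rule maps each risk to accept, remediate, mitigate or transfer.

```python
from dataclasses import dataclass, field

# Qualitative scale shared by likelihood, impact and asset criticality (assumption).
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Asset:
    name: str
    criticality: str            # one of LEVELS; set during risk framing


@dataclass
class Risk:
    threat: str
    vulnerability: str
    asset: Asset
    likelihood: str             # inherent likelihood before controls, one of LEVELS
    impact: str                 # one of LEVELS
    controls: list = field(default_factory=list)   # existing mitigating controls
    fix_available: bool = False          # patch or retire possible -> remediation
    mitigation_available: bool = False   # a further control is possible -> mitigation


def likelihood_score(risk: Risk) -> int:
    """Residual likelihood: each existing control lowers it one level (assumption), floor 1."""
    return max(1, LEVELS[risk.likelihood] - len(risk.controls))


def impact_score(risk: Risk) -> int:
    """Impact weighted by asset criticality: the more critical the asset, the costlier the attack."""
    return LEVELS[risk.impact] * LEVELS[risk.asset.criticality]


def risk_score(risk: Risk) -> int:
    """Risk = residual likelihood x weighted impact (1..64 on this scale)."""
    return likelihood_score(risk) * impact_score(risk)


def choose_response(risk: Risk, tolerance: int) -> str:
    """Map a scored risk to a response using the tolerance fixed during framing.

    Order of preference (assumption): accept what is within tolerance, remove the
    vulnerability when a fix exists, otherwise add a control, otherwise transfer.
    """
    if risk_score(risk) <= tolerance:
        return "accept"
    if risk.fix_available:
        return "remediate"
    if risk.mitigation_available:
        return "mitigate"
    return "transfer"


def risk_profile(register: list, tolerance: int) -> list:
    """Risk profile: (threat, asset, score, response) rows, highest score first."""
    rows = [(r.threat, r.asset.name, risk_score(r), choose_response(r, tolerance))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# --- constructed sample register; none of this is real data ---
CUSTOMER_DB = Asset("customer database", "critical")
PAYROLL = Asset("payroll system", "high")
WEBSITE = Asset("marketing website", "low")
CRM = Asset("hosted CRM", "high")

SAMPLE_REGISTER = [
    Risk("ransomware", "unpatched VPN appliance", CUSTOMER_DB, "high", "critical",
         fix_available=True),
    Risk("business email compromise", "no out-of-band payment verification", PAYROLL,
         "high", "high", controls=["security awareness training"], mitigation_available=True),
    Risk("website defacement", "outdated CMS plugin", WEBSITE, "medium", "low",
         controls=["WAF"], fix_available=True),
    Risk("provider outage", "single cloud vendor, no exit plan", CRM, "medium", "high"),
]

RISK_TOLERANCE = 4   # framing decision: scores at or below this are accepted (assumption)

if __name__ == "__main__":
    for threat, asset, score, response in risk_profile(SAMPLE_REGISTER, RISK_TOLERANCE):
        print(f"{score:>3}  {response:<9}  {threat} -> {asset}")
```

Running the block prints the profile with the ransomware risk on the customer database at the top (score 48, remediate) and the defaced marketing site at the bottom (score 1, accepted). The monitoring step is the same code run again with changed inputs: raising a risk's likelihood after new threat intelligence, or adding a control after a mitigation lands, moves it across the tolerance line without changing the rules.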

Why cyber risk management matters

As companies have come to use technology for everything from day-to-day operations to business-critical processes, their IT systems have become larger and more complex. The explosion of cloud services, the rise of remote work and the growing reliance on third-party IT service providers have brought more people, devices and software into the average company's network. As an IT system grows, so does its attack surface. Cyber risk management initiatives offer companies a way to map and manage their shifting attack surfaces, improving security posture.

The broader threat landscape also evolves constantly. Every month, roughly 2,000 new vulnerabilities are added to the NIST National Vulnerability Database. Thousands of new malware variants are detected monthly, and that's only one kind of cyberthreat. 

It would be unrealistic and financially impossible for a company to close every vulnerability and counter every threat. Cyber risk management can offer companies a more practical way of managing risk by focusing information security efforts on the threats and vulnerabilities most likely to impact them. That way, the company doesn't apply expensive controls to low-value and non-critical assets.

Cyber risk management initiatives can also help organizations comply with the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard and other regulations. During the cyber risk management process, companies consider these standards when designing their security programs. Reports and data generated during the monitoring stage can help companies prove they did their due diligence during audits and post-breach investigations.

Sometimes, companies may be required to follow specific risk management frameworks. US federal agencies must adhere to both the NIST RMF and the NIST CSF. Federal contractors may also need to comply with these frameworks, as government contracts often use NIST standards to set cybersecurity requirements.
