Fundamentals of Cyber security
Chapter Two: Cybersecurity Risks
Senait D.
School of Information Technology and Engineering
Addis Ababa Institute of Technology
Temesgen Kitaw Damenu
Addis Ababa University
March 2022
April 2025
Contents
Overview of cybersecurity risks
Cybersecurity risk assessment
Cybersecurity risk mitigation
Cybersecurity risk management controls
• Technical security controls
• Managerial security controls (policies and procedures)
• Human related security controls
• Physical security controls
Legal aspects of cybersecurity
SiTE - AAiT - AAU 2
Risk Management Implementation
Risk management contains a series of processes
Risk management should be
• a continuous and dynamic process
• to ensure that changing threats and vulnerabilities are addressed in a timely manner.
Risk management consists of the following major components:
• Establish scope and context
• Risk assessment
• Risk treatment (mitigation)
• Risk communication and monitoring
Each component has a series of processes
Different methodologies and frameworks share these processes,
• although differences occur based on their context
Methodologies and Frameworks
Some of the methodologies for risk assessment
• NIST SP 800-30
• ISO 27005
• OCTAVE
• IRAM2
Some of the frameworks and standards for risk mitigation
• NIST Cybersecurity Framework
• ISO/IEC 27001 and 27002
• Critical Mass CSRS
Select based on organizational context and requirements
NIST SP 800-30 (Guide for Conducting Risk Assessments)
Developed by the US National Institute of Standards and Technology
It focuses on risk assessment
It has 4 major steps: prepare for the assessment, conduct the assessment, communicate the results, and maintain the assessment
ISO 27005 - Information Security Risk Management
Developed by ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
It covers almost all steps of information security risk management
Cybersecurity risk assessment
Risk Assessment
Used as a basis for identifying appropriate and cost-effective controls or countermeasures to mitigate the identified risk
A variety of methodologies for assessing risk are available
• Whichever approach is used, the outcome should be similar
The choice of methodology should be based on the best fit for organizational need
Risk assessment should be conducted at the Strategic, Tactical and Operational levels of the company
Strategic Level Risk Assessment
Helps to identify the major cybersecurity gaps and threats at strategic level
Involves the engagement of the strategic level (senior) management
Can be conducted using
• SWOT (Strength, Weakness, Opportunity and Threat) analysis, and
• PESTLE (Political, Economic, Social, Technological, Legal, and Environmental) analysis
Risk Assessment Framework
Risk Assessment and Analysis Methodologies
Most methodologies have three phases
• Risk identification
• The process of using risk scenarios to determine the range and nature of risk
• Risk analysis
• Combining the vulnerability and threat information to determine risk of compromise in terms of frequency and potential magnitude
Risk Assessment and Analysis Methodologies…
• Risk evaluation
• Is the process of comparing the results of the risk analysis against established criteria for impact, likelihood and acceptability, and determining the need for further treatment.
Risk Assessment and Analysis Methodologies…
Risk evaluation…
The need for treatment is determined based on the criteria shown or a combination of criteria
Criteria should be in line with the scope and qualitative analysis of the organization's internal policies and procedures
• must support company goals and objectives
Criteria
• Operational
• Technical
• Financial
• Regulatory
• Legal
• Social
• Environmental
Asset Identification and Valuation
Locate and inventory all assets
Determine their relative or approximate business value (criticality or sensitivity)
Information can be valued using
• Cost of recreation or restoring
• Contribution to generating revenues
• Consequential costs and possible regulatory sanctions
• Consequence on reputational damage
Critical assets existing in a company and with service providers, outsourcers, employees, contractors and others should be identified and valued
Risk Identification
The process of determining
• type and nature of viable threats and
• examining the organization's vulnerabilities subject to the threats.
Viability of the threats reflects two factors
• They exist (existing threats) or
• Could reasonably be expected (potential threats)
Accomplished through a knowledgeable group effort
• developing a variety of risk scenarios and what-ifs
Vulnerabilities could take many forms requiring holistic consideration
• Ranging from commonly known technical vulnerabilities to those obscured in particular business processes
Identifying the range of threats could be challenging
• Ranging from existing threats to sophisticated schemes by a well-financed attacker group
Risk Identification…
• Each of the identified vulnerabilities must be evaluated in terms of viable threats that might compromise them and result in impact
• This will generate a list of identified vulnerabilities and threats that will help to analyse the likelihood and potential impact
• Significant vulnerabilities not subject to an identified threat should be added to the analysis list
• A matching threat may be discovered in the near future
• Identifying risk requires
• High quality information and knowledge of the organization and its internal and external environments
• Historical information about the organization or similar organizations
Risk Identification Techniques
Team-based brainstorming
• Involve members of the various organizational units
• Arrange workshops to build commitment and make use of different experiences
Structured techniques such as
• flow charting, system design review, systems analysis,
• hazard and operability studies, operational modelling
"What-if" scenario analysis
• for less clearly defined situations
• E.g. strategic risk identification
Threats profile
• Threats identified internally or externally mapped to identified and suspected vulnerabilities
Threat Identification
• Types of threats
• Natural—Flood, fire, cyclones, rain/hail, and earthquakes
• Unintentional—Fire, water, building damage/collapse, loss of utility services and equipment failure
• Intentional physical—Bombs, fire, water and theft
• Intentional nonphysical—Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing attacks and denial-of-service attacks
Threat Identification…
Threats may be divided into multiple categories, including
Threat Identification…
Sources for information regarding threats are
Internal Threats
Insider threats are among the major threats
• Mainly employees
Unintentional
• Errors
• Negligence
Intentional (disgruntled employee)
• Theft
• System compromise
• Data leakage
• Intercept, modify, fabricate data
External threats
Vulnerability Identification
Finding the problems before they are found by an adversary and exploited
Can be found by conducting regular
• vulnerability assessments and
• penetration tests
Identify, validate and classify vulnerabilities
Consider all types of vulnerabilities
• Managerial (administrative)
• Technical
• Physical
• Human
Vulnerability Identification
• Categorize and consider vulnerabilities in different categories
• Policies and procedures
• Standards and frameworks
• Processes
• Humans (employees and others)
• Third parties and supply chain
• Networks
• Applications
• Physical accesses
• Utilities
Discussion
•Identify the threats of SiTE/AAiT
•Identify Assets
•Create scenarios
•Identify threats
Likelihood (Probability)
A measure of the frequency that an event may happen
Requires considering factors including
[Figure: factors affecting likelihood]
Impact (Consequence)
The result of any vulnerability exploited by a threat that causes a loss is an impact
Impact is quantified as
• a direct financial loss in the short term or
• an ultimate (indirect) financial loss in the long term
Included in the risk equation
• Risk = threats x vulnerabilities x consequences
If there are no consequences, the risk can be considered non existent
Impact (Consequence)…
Impact on companies can be
• Direct loss of money (cash or credit)
• Criminal or civil liability
• Loss of reputation/goodwill/image
• Reduction of share value
• Conflict of interests to staff or customers or shareholders
• Breach of confidence/privacy
• Loss of business opportunity/competition
• Loss of market share
• Reduction in operational efficiency/performance
• Interruption of business activity
• Noncompliance with laws and regulations resulting in penalties
Impact (Consequence)…
Impact calculations can be done either qualitatively or quantitatively
• Quantitative - range of possible financial impact
• Qualitative - such as loss of reputation or market share
Impacts are determined by performing a business impact assessment and subsequent analysis
• This analysis will determine the criticality and sensitivity of information assets
• Serves to prioritize risk mitigation
• Provides the basis for developing an approach to information classification and addressing business continuity requirements.
Risk Analysis
Assessing and understanding the level of the risk and determining the potential consequences of compromise
Includes determining the effectiveness of existing controls
Involves
• Examination of the risk source (threats and vulnerabilities)
• Exposure to potential threats and the effect on likelihood
• Potential negative consequence (impact) if attacked
• Likelihood that those consequences may occur and the factors affecting them
• Assessment of any existing controls that minimize the risks
Risk Analysis…
Information used to estimate impact and likelihood comes from:
• past experience or data and records (e.g., incident reporting);
• reliable practices, international standards or guidelines;
• market research and analysis;
• experiments and prototypes;
• economic, engineering or other models;
• specialist and expert advice.
Risk analysis techniques include:
• interviews with experts in the area of interest and questionnaires,
• use of existing models and simulations.
Risk Analysis…
• Vary in detail according to
• the risk,
• the purpose of the analysis, and
• the required protection level of the relevant information,
• data and resources
• Analysis may be
• qualitative,
• semiquantitative
• quantitative or
• combination of these
Qualitative Analysis
The magnitude and likelihood of potential consequences are presented and described qualitatively, using a scale.
Qualitative analysis may be used:
• as an initial assessment to identify risk which will be the subject of further, detailed analysis;
• where nontangible aspects of risk are to be considered (e.g., reputation, culture, image, etc.)
• where there is a lack of adequate information and numerical data or resources necessary for a statistically acceptable quantitative approach.
A qualitative analysis can be accomplished by using a 5 x 5 matrix
Semiquantitative Analysis
Assign values to the scales used in the qualitative assessment
• These values are usually indicative and not real,
• The numbers used must only be combined using a formula that recognizes the limitations or assumptions made in the description of the scales used.
• Numbers chosen may not properly reflect analogies between risks, particularly when either consequences or likelihood are extreme.
These values should be sufficient to allow risk prioritization
• Risk = impact x likelihood
• Risk = 4 (material) x 3 (moderate) = 12
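The 5 x 5 matrix and the impact x likelihood product above, carried through on a small risk register. This is an added example, not code from the original slides. The scale labels other than 4 = material and 3 = moderate, the band thresholds, the sample scenarios and the escalation rule for extreme impact are assumptions chosen for illustration; the escalation rule is one way to honour the caveat that the product of two ordinal numbers misleads when consequences are extreme.

```python
"""Semiquantitative risk scoring on a 5 x 5 matrix (added example)."""
from dataclasses import dataclass

# Ordinal scales. The slides name only 4 = material and 3 = moderate;
# the remaining labels are assumptions.
IMPACT = {1: "insignificant", 2: "minor", 3: "moderate",
          4: "material", 5: "catastrophic"}
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "moderate",
              4: "likely", 5: "almost certain"}

# Assumed band thresholds for the product impact x likelihood (1..25).
BANDS = (("Severe", 15), ("High", 10), ("Medium", 5), ("Low", 1))
BAND_RANK = {name: rank for rank, (name, _) in enumerate(reversed(BANDS))}


@dataclass(frozen=True)
class Risk:
    scenario: str
    impact: int       # 1..5
    likelihood: int   # 1..5


def score(impact, likelihood):
    """Risk = impact x likelihood, e.g. 4 (material) x 3 (moderate) = 12."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must be on the 1..5 scales")
    return impact * likelihood


def band(impact, likelihood):
    """Map a score to a treatment band, escalating extreme consequences.

    The bare product rates 5 x 2 and 2 x 5 identically, although a
    catastrophic scenario is rarely acceptable just because it is unlikely.
    Assumed rule: any impact-5 scenario that is not 'rare' is Severe.
    """
    if impact == 5 and likelihood >= 2:
        return "Severe"
    s = score(impact, likelihood)
    for name, floor in BANDS:
        if s >= floor:
            return name
    return "Low"


def prioritize(register):
    """Order a risk register for treatment: band first, then raw score."""
    return sorted(
        register,
        key=lambda r: (BAND_RANK[band(r.impact, r.likelihood)],
                       score(r.impact, r.likelihood)),
        reverse=True,
    )


# Constructed sample register (assumption, not from the slides).
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", impact=4, likelihood=3),
    Risk("Data-centre fire destroys primary storage", impact=5, likelihood=2),
    Risk("Repeated failed logins from internet scanners", impact=2, likelihood=5),
    Risk("Visitor sees an unattended screen", impact=1, likelihood=4),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{band(r.impact, r.likelihood):7s} {score(r.impact, r.likelihood):3d}  "
              f"{IMPACT[r.impact]} x {LIKELIHOOD[r.likelihood]}  {r.scenario}")
```

Note how the fire scenario (5 x 2 = 10) and the scanner noise (2 x 5 = 10) tie on the raw product but land in different bands once the extreme-impact rule is applied; without such a rule the matrix would rank them as equivalent, which is exactly the distortion the slide warns about.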
Quantitative Analysis
• Numerical values are assigned to both impact and likelihood.
• These values are derived from a variety of sources.
• The quality of analysis depends on the accuracy of assigned values and the validity of the statistical models used
• Consequences may be expressed in various terms of:
• Monetary
• Technical
• Operational
• Human impact criteria
• Different approaches can be used
• Annual Loss Expectancy (ALE)
• Value at Risk (VaR)
• These formulas should cover the expected loss for specific security risks and the value of safeguards to reduce the security risks
Annual Loss Expectancy (ALE)
Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)
SLE = Asset Value (AV) × Exposure Factor (EF)
EF is the magnitude of a single occurrence,
• expressed as the proportion (percentage) of the asset's value lost when the identified threat materializes
ARO is the estimated number of times the threat will occur against a single asset in one year
• an event expected once every two years has ARO = 0.5
Safeguard Value = (ALE Before − ALE After) − Annual Cost of Countermeasure
Annual Loss Expectancy (ALE)…
Safeguard evaluation – is the safeguard cost effective?
• a safeguard is cost effective when its value is positive, i.e. the ALE it removes per year exceeds its annual cost
Controls gap – the amount of risk reduced by implementing safeguards
Residual risk – the risk that remains after safeguards are implemented
Annual Loss Expectancy (ALE) Example
Scenario
• A computer is damaged by fire and is out of service.
AV = ETB 100,000
EF = 30%
ARO = 0.5 (once every two years)
SLE = ETB 100,000 x 0.3 = ETB 30,000
ALE = ETB 30,000 x 0.5 = ETB 15,000
A countermeasure whose annual cost exceeds ETB 15,000 is not recommended
• it would cost more per year than the loss it can at most prevent
• needs increased justification
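The fire scenario above carried through in code, extended to rank several countermeasures by safeguard value. This is an added example, not code from the original slides. The AV, EF and ARO are the slide's figures; the three countermeasures, their annual costs and the EF/ARO values they achieve are assumptions constructed to show a safeguard that lowers the loss per event, one that lowers the frequency, and one that costs more than the ALE it removes.

```python
"""ALE, safeguard value and countermeasure ranking (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """Inputs to the ALE formula for one asset/threat pair."""
    asset_value: float      # AV, in ETB
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year


def sle(e):
    """Single Loss Expectancy = AV x EF."""
    if not 0.0 <= e.exposure_factor <= 1.0:
        raise ValueError("EF is a proportion of asset value, 0..1")
    if e.asset_value < 0 or e.aro < 0:
        raise ValueError("AV and ARO cannot be negative")
    return e.asset_value * e.exposure_factor


def ale(e):
    """Annual Loss Expectancy = SLE x ARO."""
    return sle(e) * e.aro


def safeguard_value(before, after, annual_cost):
    """Safeguard Value = (ALE before - ALE after) - annual cost.

    Positive: the safeguard removes more expected loss per year than it
    costs. Negative: it costs more than the risk it removes and needs
    justification beyond the ALE figures (e.g. regulatory or safety).
    """
    return (ale(before) - ale(after)) - annual_cost


def rank_countermeasures(before, options):
    """Return (name, safeguard value, residual ALE) tuples, best first.

    `options` maps a countermeasure name to (Exposure after, annual cost).
    """
    ranked = [(name, safeguard_value(before, after, cost), ale(after))
              for name, (after, cost) in options.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Slide scenario: a computer damaged by fire.
# AV = ETB 100,000, EF = 30 %, ARO = 0.5 (once every two years).
BASELINE = Exposure(asset_value=100_000, exposure_factor=0.30, aro=0.5)

# Constructed countermeasures (assumptions, not from the slides).
OPTIONS = {
    # Suppression limits the damage per fire (lower EF); fires still occur.
    "fire suppression": (Exposure(100_000, 0.10, 0.5), 4_000),
    # A fire-safe room makes fires rarer (lower ARO); damage per fire unchanged.
    "relocate to fire-safe room": (Exposure(100_000, 0.30, 0.1), 9_000),
    # A hot standby removes the loss entirely but costs more than the ALE.
    "fully redundant hot standby": (Exposure(100_000, 0.0, 0.5), 18_000),
}

if __name__ == "__main__":
    print(f"SLE = ETB {sle(BASELINE):,.0f}, ALE = ETB {ale(BASELINE):,.0f}")
    for name, value, residual in rank_countermeasures(BASELINE, OPTIONS):
        verdict = "cost-effective" if value > 0 else "needs extra justification"
        print(f"{name:28s} value ETB {value:>8,.0f}  "
              f"residual ALE ETB {residual:>7,.0f}  {verdict}")
```

The hot standby eliminates the ALE of ETB 15,000 yet scores a negative value because it costs ETB 18,000 a year, which is the slide's rule in numerical form; the cheaper suppression option leaves a residual ALE of ETB 5,000 but is the best buy.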
Cybersecurity risk mitigation
Risk Mitigation
Risk mitigation
• Is the management and reduction of risk through the use of controls
• Should be based on the risk assessment result
• Risks that are not accepted, avoided or transferred should be mitigated
Risk Mitigation Strategy
The mitigation strategy involves selection of adequate countermeasures and controls
The selected controls can best be applied by developing and implementing a risk mitigation (cybersecurity) program
• NSA's Top Ten Cybersecurity Mitigation Strategies
• Update and Upgrade Software Immediately
• Defend Privileges and Accounts
• Enforce Signed Software Execution Policies
• Exercise a System Recovery Plan
• Actively Manage Systems and Configurations
• Continuously Hunt for Network Intrusions
• Leverage Modern Hardware Security Features
• Segregate Networks Using Application-Aware Defenses
• Integrate Threat Reputation Services
• Transition to Multi-Factor Authentication
Evaluation of Risk
Decisions have to be made concerning which risk needs treatment and the treatment priorities based on the foregoing analysis.
• compare the level of risk determined during the analysis process with risk criteria established in the risk management context
The decisions made are usually based on the level of risk, but may also be related to thresholds specified in terms of:
• consequences (e.g., impacts),
• the likelihood of events,
• the cumulative (aggregated) impact of a series of events that could occur simultaneously.
Risk Mitigation (Treatment) Options
Organizations have four strategic choices
Avoid: Terminate the activity giving rise to risk.
• activities might be modified or processes reengineered
• this can serve to mitigate or manage risk
Transfer: Transfer risk to another party.
• purchase insurance to address areas of risk
• outsourcing IT functionality to a third party
• financial impacts associated with the risk can be transferred; the legal responsibility for the consequences of compromise cannot be transferred
Risk Mitigation (Treatment) Options…
Mitigate: Reduce the risk with appropriate control measures or mechanisms.
• implementing or improving security controls or instituting countermeasures
• controls may directly address the risk or they may be compensating controls that mitigate the effects
Accept the risk.
• the cost of mitigating it is too high in proportion to the value of the asset,
• it may not be feasible to effectively mitigate the risk, or
• the potential impact may be low.
Risk Acceptance Framework
Risk Level | Level Required for Acceptance
Low | Risk acceptance possible by local (middle) management
Medium | Risk acceptance possible by CIO
High | Risk acceptance possible by CIO, IT security director or CISO, depending on impact
Severe | Risk acceptance only at board level, depending on impact
Residual Risk
The risk that remains after countermeasures and controls are implemented
• can be used to identify those areas requiring more control
Final acceptance of residual risk takes into account:
• Regulatory compliance
• Organizational policy
• Sensitivity and criticality of relevant assets
• Acceptable levels of potential impacts
• Uncertainty inherent in the risk assessment approach
• Cost and effectiveness of implementation
Risk Communication (Reporting)
Information about risk should be exchanged and/or shared between the decision-maker and other stakeholders
Objective
To provide assurance of the outcome of the organization's risk management
To support decision-making
To share the results from the risk assessment and present the risk treatment plan
Risk Communication (Reporting)
Objective…
To avoid or reduce both occurrence and consequence of security breaches due to the lack of mutual understanding among decision makers and stakeholders
To obtain new information security knowledge
To co-ordinate with other parties and plan responses to reduce consequences of any incident
To give decision makers and stakeholders a sense of responsibility about risks
To improve awareness
To collect risk information
Risk Communication (Reporting)…
Risk communication should be performed continually
Develop communication plans for normal operations and emergency situations.
A risk report should be
• accurate, timely, comprehensive of the entire organization,
• clear and precise to support decision making,
• updated on a regular basis, and
• relevant for the intended audience
Intended audiences
• Executive management
• Regulators
• Others
Cybersecurity risk management controls
Cybersecurity Controls
Cybersecurity controls can be
• Management (Administrative)
• Technical
• Human
• Physical controls
The purpose of these controls include
• Deterrence - provide warnings
• Detection - warn of violations
• Prevention - inhibit violations
• Correction - remediate impact
• Recovery – remediate incident
Cybersecurity Controls
Management (Administrative) Controls
Are the strategies, policies, procedures, standards, guidelines, and frameworks that an organization uses to implement technical and physical controls.
Sources can be laws and regulations, industry best practices, and organizational mandates.
Inform the organization on
• roles and responsibilities,
• proper information protection practices, and
• enforcement actions if controls are not followed.
These controls aim to establish systems, build capacity, and create awareness and culture
Technical Controls
Defend against misuse or unauthorized access to valuable information.
A combination of technical controls is needed to work together to
• protect,
• detect, and
• respond to potential and actual security incidents and events.
Examples include
• Encryption
• Anti-virus
• Firewall
• IPS/IDS
Human related controls
Security is more than just a technical issue
• It must be addressed through awareness, training and education
Focus on common user concerns tailored to specific groups
Give greater emphasis to staff with privileged access levels
Starts when an employee joins the organization (induction training)
Vary the delivery techniques to keep it interesting
Physical Controls
Controlling physical, human access to information assets is often the least expensive and most effective prevention control. It includes
• Guards and receptionists,
• Entry access controls,
• Area lighting and surveillance,
• Closed circuit television (CCTV), and
• Physical intrusion detection systems
Common and Compensating Controls
Common Controls
• Security controls which safeguard multiple assets.
• Effective use of common controls can potentially reduce the overall resource expenditures by organizations.
• Examples of common controls
• Administrative controls: Policy for initial and annual information security training
• Technical controls: Firewalls, intrusion detection systems, and DLP appliances
• Physical controls: access controls shared by all systems located in a data center.
Compensating controls
• Used when baseline controls have the potential to degrade or obstruct business operations or are cost-prohibitive
• Augment the primary control's ability to achieve the control objective or replace the primary control in order to meet the control objective
Legal aspects of cybersecurity
Cybercrime
Cybercrime is:
• Crime that is committed using the Internet (Oxford dictionary)
• "any crime that is committed using a computer or network or hardware device" (Symantec)
• The computer may have been used in committing the crime, or it may be the target.
Common types of cybercrime - UN
Cybercrime: examples
Hacking and related activities
Viruses and other malicious programs
Fraud and Theft
Gambling, Pornography and other offences against morality
Child pornography and other offences against minors
Stalking, Harassment, Hate speech
Other offences against persons
Cyberterrorism
Cyber laws and regulations
• Legislation
– Problematic situation
– Traditional legislation unable to address
– Legislators and judges have to consider this reality
• Cyber laws and regulations are required
– National
• Ethiopia: Computer Crime Proclamation No. 958/2016
– Regional
• EU: General Data Protection Regulation (GDPR)
– International
– International consensus is difficult
Thank you!