II.B Risk Measurement

Action Summary

Management should develop risk measurement processes that evaluate the inherent risk to the institution.

The risk measurement process should be used to understand the institution's inherent risk and determine the risk associated with different threats. Management should use its measurement of the risks to guide its recommendations for and use of mitigating controls.

Threat analysis tools assist in understanding and supporting the measurement of information security-related risks. Such tools can include event trees, attack trees, kill chains, and other security-related schemata:

  • An event tree is a diagram of a chronological series of events in a system or activity that displays sequence progression, end states, and dependencies across time.
  • An attack tree is a diagram showing how an asset, or target, might be attacked through various attack scenarios. Using an attack tree helps describe threats on computer systems and possible attacks to realize those threats.
  • A kill chain originally was used as a military concept related to the structure of an attack. In information security, a kill chain is a method for modeling intrusions on a computer network.
  • Security-related schemata are lists of software vulnerabilities and include the Mitre Corporation's Common Attack Pattern Enumeration and Classification, CVE, Common Weakness Enumeration, "ATT&CK Matrix," and Malware Attribute Enumeration and Characterization, and Mandiant's Open Indicators of Compromise.

These tools help management deconstruct an event into stages, better understand the event, identify the most effective and efficient means of mitigating risk, and improve the information security program. Additionally, management could use a taxonomy for security-related events to help accomplish the following:

  • Map threats and vulnerabilities.
  • Incorporate legal and regulatory requirements.
  • Improve consistency in risk measurement.
  • Highlight potential areas for mitigation.
  • Select proper controls to cover various attack stages, channels, and assets.
  • Allow comparisons among different threats, events, and potential mitigating controls.

Refer to the IT Handbook's "Management" booklet for more information.
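
The attack-tree analysis described above, worked through as an added example that is not part of the handbook: the tree is evaluated with AND/OR gates and candidate controls are ranked by how much each lowers the likelihood of the top-level event. The tree, the likelihood estimates, the control names, and the reduction factors are all constructed for illustration, and leaf events are assumed to be independent.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "LEAF"    # "AND", "OR" or "LEAF"
    p: float = 0.0        # leaf only: estimated annual likelihood (constructed)
    children: list = field(default_factory=list)

def likelihood(node, reduce=None):
    """Likelihood that the node's event occurs, assuming independent leaves.
    `reduce` maps a leaf name to the factor a mitigating control applies
    to that leaf's likelihood (1.0 = no effect)."""
    reduce = reduce or {}
    if node.gate == "LEAF":
        return node.p * reduce.get(node.name, 1.0)
    probs = [likelihood(c, reduce) for c in node.children]
    if node.gate == "AND":                   # every child must occur
        return prod(probs)
    return 1 - prod(1 - q for q in probs)    # OR: at least one child occurs

# Constructed attack tree for one asset; not taken from the handbook.
TREE = Node("unauthorized wire transfer", "OR", children=[
    Node("compromised employee session", "AND", children=[
        Node("credential phishing succeeds", p=0.30),
        Node("second factor bypassed", p=0.10),
    ]),
    Node("insider misuse of entitlement", p=0.02),
])

# Constructed controls: each maps the leaves it affects to a reduction factor.
CONTROLS = {
    "phishing-resistant MFA": {"second factor bypassed": 0.1},
    "awareness training": {"credential phishing succeeds": 0.5},
    "dual approval": {"insider misuse of entitlement": 0.5},
}

def rank_controls(tree, controls):
    """Return (control, reduction in top-level likelihood), largest first."""
    base = likelihood(tree)
    ranked = [(name, base - likelihood(tree, eff)) for name, eff in controls.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    print(f"inherent likelihood: {likelihood(TREE):.4f}")
    for name, delta in rank_controls(TREE, CONTROLS):
        print(f"{name:24s} reduces it by {delta:.4f}")
```

Because the phishing branch is an AND gate, a control on either of its leaves lowers the whole branch, which is why the ranking depends on the tree structure and not only on the individual leaf estimates.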
