Module IV · Article II

Cyber Risk Management: Frameworks and Practices

Cybersecurity and Risk

Cybersecurity as Risk Management

There is no absolute security. The task is to manage risk: reduce the probability that an attack succeeds, limit the damage when one does, and ensure that the business recovers.

Formula: Cyber Risk = Threat × Vulnerability × Asset Value.

This is a qualitative heuristic, not an equation to compute with. In practice risk is estimated as likelihood × impact: threat (someone motivated and able to attack) and vulnerability (a weakness they can use) together drive likelihood, and asset value drives impact. The useful consequence is that reducing any one factor to zero removes the risk, so a control may target the threat (deterrence, reducing exposure), the vulnerability (patching, hardening) or the asset value (storing less sensitive data).

NIST Cybersecurity Framework

The most widely used framework, NIST CSF, organizes security work into functions. CSF 1.1 defined five of them; CSF 2.0 (2024) added a sixth, Govern, which covers strategy, roles, policy and oversight. The five operational functions:

Identify: inventory of assets, understanding risks. "What are we protecting?"

Protect: controls to reduce risks. MFA, encryption, staff training, access management.

Detect: monitoring that identifies incidents while they are in progress. A SIEM (Security Information and Event Management) aggregates logs from endpoints, servers, identity providers and network devices and runs correlation rules over them to raise alerts.

Respond: incident response plan. Who does what, how to notify, how to isolate.

Recover: restoration after an incident. Backups, disaster recovery, business continuity.
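A minimal illustration of the Detect function, added here as an example and not taken from the article or from any SIEM product: a correlation rule of the kind a SIEM runs, applied to constructed sshd-style log lines (the hosts, users and addresses are invented). The rule flags a source that produces many failed logins inside a short window and escalates when a successful login from the same source follows, which is the signal that the brute force worked. The threshold and window are parameters because tuning them is where detection engineering happens: the same events with a wider window expose the low-and-slow attempts that the default rule misses.

```python
"""SIEM-style detection over authentication logs.

Added example for the Detect function; not part of the original article.
The log lines are constructed (sshd-like syslog format with invented hosts,
users and addresses). Rule: many failed logins from one source inside a
window, escalated when a successful login from that source follows.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input, not a real capture. Syslog timestamps omit the year.
SAMPLE_LOG = """\
Mar 10 08:00:01 web01 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:00:03 web01 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 10 08:00:05 web01 sshd[2011]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:00:07 web01 sshd[2011]: Failed password for root from 203.0.113.7 port 51133 ssh2
Mar 10 08:00:09 web01 sshd[2011]: Failed password for root from 203.0.113.7 port 51138 ssh2
Mar 10 08:00:12 web01 sshd[2011]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar 10 08:01:00 web01 sshd[2050]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 10 08:01:05 web01 sshd[2050]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
Mar 10 09:30:00 web01 sshd[2100]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar 10 09:45:00 web01 sshd[2100]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar 10 09:50:00 web01 sshd[2100]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar 10 09:55:00 web01 sshd[2100]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar 10 09:58:00 web01 sshd[2100]: Failed password for bob from 192.0.2.9 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_log(text, year=2024):
    """Turn raw lines into event dicts. Unmatched lines are skipped here; a
    production pipeline should count them, because silent drops are blind spots."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "ip": m["ip"],
                       "user": m["user"], "ok": m["result"] == "Accepted"})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window rule evaluated per source IP.

    brute_force:         >= threshold failures within window_seconds (medium)
    brute_force_success: a successful login while the window still holds
                         >= threshold failures (high: probable compromise)
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        recent_fails = deque()  # failure timestamps still inside the window
        flagged = False         # one medium alert per IP, not one per extra failure
        for e in evs:
            # age out failures older than the window
            while recent_fails and (e["ts"] - recent_fails[0]).total_seconds() > window_seconds:
                recent_fails.popleft()
            if e["ok"]:
                if len(recent_fails) >= threshold:
                    alerts.append({"rule": "brute_force_success", "severity": "high",
                                   "ip": ip, "user": e["user"], "at": e["ts"].isoformat()})
                continue
            recent_fails.append(e["ts"])
            if len(recent_fails) >= threshold and not flagged:
                alerts.append({"rule": "brute_force", "severity": "medium", "ip": ip,
                               "failures": len(recent_fails), "at": e["ts"].isoformat()})
                flagged = True
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce(evs):
        print(a)
    # The spread-out attempts from 192.0.2.9 only surface with a wider window.
    for a in detect_bruteforce(evs, threshold=5, window_seconds=3600):
        print("1h window:", a)
```

With the defaults, only 203.0.113.7 is flagged (five failures in eight seconds, then a successful root login, which is the high-severity case). The five failures from 192.0.2.9 spread over 28 minutes never exceed one inside a 60-second window, so they go unnoticed until the window is widened to an hour; that is the trade-off between missing slow attackers and drowning analysts in alerts from normal typos, and it is why each Detect rule needs a documented threshold and an owner who revisits it.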

ISO 27001

International standard for information security management systems. Certification by an accredited body gives clients, partners and regulators independent confirmation of the maturity of the security program. It requires an ISMS (Information Security Management System), a documented risk assessment and risk treatment process, and a set of controls selected and justified from Annex A (93 controls in the 2022 edition of the standard).

Cyber Risk Insurance

Cyber insurance is a rapidly growing market ($13 billion in 2022, forecast $84 billion in 2030). Policies typically cover: the cost of incident investigation; notification of affected clients; legal expenses; ransom payments (contested, and restricted or excluded in some policies); losses from business interruption.

Typical underwriting requirements: MFA on remote access and privileged accounts, EDR (Endpoint Detection and Response), regular tested backups, and a written incident response plan. Insurers ask for these because they are the controls that most reduce the likelihood and cost of the claims they pay out, so the insurer's questionnaire is itself a useful minimum baseline.

Practical Assignment

A bank is preparing for an ISO 27001 compliance audit. Internal audit found three non-conformities: (1) there is no inventory of all IT assets, (2) 30% of employees have not received information security training, (3) there is no formal incident response plan. Develop a plan to close the three non-conformities within 3 months, mapping each to the NIST CSF function it belongs to (Identify, Protect, Respond) and naming the evidence an auditor would accept that the gap is closed.