In the first chapter of Learning Tree’s System and Network Security Introduction we briefly mention risk analysis and risk management. As part of that mention we note that risk analysis is a complex and difficult process. When we developed the first version of this course over fifteen years ago, I wanted to look into risk management because it is a critical first step in implementing cyber security.
Since risk management is often associated with the insurance industry, I went there to look. I found that there is a certification for risk managers called ARM™ (Associate in Risk Management). I looked at the study materials and decided two things: this was not oriented toward cyber security (at least then), and it was difficult! I had hoped to find good tools for evaluating cyber security risks and managing defenses against those risks. I also found out that many practitioners with whom I discussed risk analysis practices as part of their security plan design basically went by the seats of their pants. I kept looking for a more rigorous scheme.
The NIST and somewhat similar ISO frameworks are also discussed in much greater detail in Learning Tree course 2013. This course is entitled Cyber Security Risk Assessment and Management. It doesn’t require participants to technical experience beyond basic concepts. It does relate to business operations so some basic business knowledge is necessary, which makes sense as those who need this course will likely have that knowledge.
The course is structured around practical application of the somewhat obtusely-worded frameworks. The author helps make the real-life application clear by designing the workshops around authentic scenarios. The class is divided into groups and each group works on a different scenario. With a common debrief, all the participants benefit from the outcomes of each scenario.
The frameworks workshops begin with basic risk management and conclude with deciding whether or not to authorize systems for operation – a key action in the frameworks. In the final workshop participants look at vulnerability alerts from CVE (Common Vulnerabilities and Exposures) and prioritize remediation based on risk to the individual organization,
I’m a big fan of using scenarios and this is a perfect approach here. Risk analysis is a difficult process and this course makes a significant dent in making it approachable and practical. Please share your thoughts about risk analysis or scenario-based learning in the comments below, and if you’ve attended 2013, we’d love to hear your experiences, too!
To your safe computing,