Cybersecurity isn't just about firewalls and antivirus software. It's about understanding what could go wrong and how to protect what matters most to your organization. Welcome to Cybersecurity Risk Management, your guide to thinking like a security professional who protects business operations, not just computers.

In this room, you'll learn how to identify potential threats, assess their impact on business operations, and choose the right strategies to manage risks. We'll start with the basics of what risk means in cybersecurity, then walk through the entire risk management process with practical examples you can apply immediately.

What You'll Learn:

• What cybersecurity risk really means and why it matters to businesses
• How to identify different types of risks in real-world scenarios
• Methods to assess how seriously a risk could impact operations
• Four main strategies for dealing with identified risks
• Practical frameworks used by security professionals

Prerequisites:

• Basic understanding of cybersecurity concepts
• Familiarity with common security terms
• No prior risk management experience needed

How to Approach This Room:

This is foundational knowledge, focus on understanding the concepts rather than memorizing details. Think about how each concept applies to organizations you know (schools, businesses, online services). The examples and analogies will help make abstract ideas concrete.

Optional Video

This optional video covers the fundamental concepts of risk management. It's helpful but not required to complete the room.

Cybersecurity risk is what happens when a potential threat finds a weakness in your defenses and could cause harm to your business. Think of it like leaving your front door unlocked (vulnerability) while knowing burglars are in the neighborhood (threat). The risk is that your home might get broken into, resulting in stolen valuables (impact).

Every organization faces cybersecurity risks. A small business might risk losing customer data. A hospital might risk having medical systems shut down. A school might risk student records being exposed. Understanding these risks is the first step in protecting what matters.

The Three Components of Risk:

1. Threat - Something that could cause harm (hackers, malware, natural disasters)
2. Vulnerability - A weakness that threats could exploit (unpatched software, weak passwords, poor security policies)
3. Impact - The damage that could result (data loss, financial cost, reputation damage)

The basic formula is: Threat + Vulnerability = Risk (with Potential Impact)

Below is a simple flow diagram showing how threats meeting vulnerabilities create risks with business impacts

Common Risk Examples:

Threat	Vulnerability	Possible Impact
Hacker looking for data	Unencrypted customer database	Customer data theft, legal fines
Ransomware attack	Employees who click phishing links	Systems encrypted, business stops
Insider threat	Poor access controls	Sensitive information leaked
Power outage	No backup generator	Operations halt, revenue loss

Real-World Scenario: Online Store Risk

Imagine an online store with outdated payment software (vulnerability). Cybercriminals (threat) discover a way to steal credit card information through this software. The risk? Customer financial data could be stolen, leading to refunds, lawsuits, and lost trust (impact).

Risk identification is like being a detective for your organization's security. Instead of waiting for something bad to happen, you proactively look for what could go wrong. This process helps you find problems before attackers do, saving time, money, and reputation damage.

There are two main ways to identify risks:

1. Looking for Threats - What could attack us? (hackers, malware, disgruntled employees)
2. Looking for Vulnerabilities - Where are we weak? (outdated software, poor passwords, lack of training)

Where to Look for Risks:

• External: Hackers, competitors, natural disasters
• Network: Firewall gaps, unsecured Wi-Fi, outdated routers
• Systems: Old software, misconfigured servers, unpatched applications
• People: Untrained employees, poor security habits, social engineering targets
• Data: Unencrypted files, improper backups, weak access controls
• Physical: Unlocked server rooms, unauthorized building access, theft risks

Below is a diagram showing common risk areas in an organization with icons and labels

Simple Risk Identification Methods:

Method	What It Involves	Example
Brainstorming	Team discussion of "what could go wrong"	"What if our website goes down during holiday sales?"
Checklists	Using security standards as guides	Checking if all software has latest updates
Past Incidents	Learning from previous problems	Reviewing last year's security incidents
Asset Inventory	Listing everything valuable to protect	Creating list of customer databases, payment systems
Walking Around	Physical inspection of premises	Noticing server room door left unlocked

Scenario: Identifying Risks in a Coffee Shop Business

Maria owns a small coffee shop with online ordering. She identifies these risks:

1. Payment system risk: Old credit card reader (vulnerability) + skimming device threat
2. Wi-Fi risk: Open customer Wi-Fi (vulnerability) + hacker snooping threat
3. Employee risk: Untrained staff (vulnerability) + social engineering threat
4. Supply risk: Single coffee supplier (vulnerability) + delivery interruption threat

Evaluating Risk Impact

Not all risks are created equal. A hacker stealing customer data is usually more serious than someone guessing the Wi-Fi password. Risk assessment helps you figure out which risks need immediate attention and which can wait. It's about asking: "If this risk happens, how bad would it really be?"

Two Main Assessment Approaches:

Qualitative Assessment (Simple, subjective)

• Uses categories like High/Medium/Low
• Based on expert judgment and experience
• Example: "Losing our customer database would be High impact"

Quantitative Assessment (Detailed, numerical)

• Uses numbers, percentages, dollar amounts
• Based on data and calculations
• Example: "A data breach would cost $50,000 in fines and repairs"

For beginners, qualitative assessment is often easier to start with.

Factors That Affect Impact:

• Financial cost: How much money would we lose?
• Time to recover: How long before we're back to normal?
• Reputation damage: Will customers lose trust in us?
• Legal consequences: Could we face fines or lawsuits?
• Safety issues: Could anyone get physically hurt?

Below is a risk matrix grid showing likelihood versus impact with example risks placed in different quadrants

Simple Impact Scale for Beginners:

Impact Level	What It Means	Example
Low	Minor inconvenience, easy to fix	Temporary website slowdown
Medium	Noticeable disruption, costs money	Server crash needing 4-hour repair
High	Major business problem, significant cost	Customer data breach with lawsuits
Critical	Business survival threatened	Complete system failure for days

Scenario: Assessing Coffee Shop Risks

Let's assess Maria's coffee shop risks from Task 3:

1. Payment system compromise: HIGH impact (customer financial data, legal issues, reputation)
2. Customer Wi-Fi snooping: MEDIUM impact (privacy concerns, some reputation damage)
3. Employee social engineering: MEDIUM-HIGH impact (possible data access, depends on what's stolen)
4. Coffee supply interruption: HIGH impact (can't serve customers, immediate revenue loss)

Handling Cybersecurity Risks

Once you've identified and assessed risks, you need to decide what to do about them. This is called risk treatment. There are four main strategies, often called the "Four T's": Treat, Tolerate, Transfer, and Terminate. Choosing the right strategy depends on the risk's impact and what resources you have available.

The Four Risk Treatment Strategies:

1. Treat (Mitigate)
   Reduce the risk to an acceptable level
   Example: Installing antivirus software to reduce malware risk
   Use when: You can implement effective controls at reasonable cost
2. Tolerate (Accept)
   Accept the risk as-is, usually because it's low impact or too expensive to fix
   Example: Accepting that some spam emails will get through filters
   Use when: Impact is low, or cost to fix exceeds potential loss
3. Transfer (Share)
   Move the risk to someone else, like an insurance company
   Example: Buying cybersecurity insurance for data breach costs
   Use when: You can't handle the impact alone, but someone else can
4. Terminate (Avoid)
   Eliminate the risk completely by removing its cause
   Example: Discontinuing a vulnerable service that's not essential
   Use when: The risk is too high and the activity isn't worth it

Strategy Comparison:

Strategy	Best For	Pros	Cons
Treat	Medium-High impact risks you can fix	Reduces actual risk, proactive	Costs time/money, needs maintenance
Tolerate	Low impact or too costly to fix	No upfront cost, simple	Risk remains, could worsen over time
Transfer	High impact with insurance options	Shares financial burden, predictable costs	Doesn't prevent incident, premiums cost money
Terminate	Unacceptable risks on non-essential things	Eliminates risk completely	May mean stopping useful activities

Scenario: Treating Coffee Shop Risks

Maria decides how to handle her coffee shop risks:

1. Payment system risk → TREAT: Buy new encrypted card reader ($500)
2. Customer Wi-Fi risk → TREAT: Set up separate guest network with terms of use
3. Employee social engineering → TREAT: Implement security training program
4. Coffee supply risk → TRANSFER: Sign contract with backup supplier (costs more but ensures supply)

Congratulations! You've completed the Cybersecurity Risk Management room and taken your first steps toward thinking like a security professional who protects business operations.

Throughout this room, you've learned how to:

1. Understand cybersecurity risk as a combination of threats, vulnerabilities, and potential impacts
2. Identify risks proactively by looking at different areas of an organization
3. Assess impact to determine which risks need immediate attention
4. Choose treatment strategies using the Four T's: Treat, Tolerate, Transfer, or Terminate

Key Takeaways:

• Cybersecurity risk management is about protecting business continuity, not just computers
• The risk formula is simple: Threat + Vulnerability = Risk (with Impact)
• Not all risks are equal - assessment helps prioritize what to fix first
• There are multiple ways to handle risks, not just "fix everything"
• Risk management is an ongoing process, not a one-time project

What You Should Now Understand:

You should now be able to look at any organization and start asking the right questions: What could go wrong? Where are the weaknesses? How bad would it be if something happened? What's the best way to handle each risk? These questions form the foundation of effective cybersecurity.