Cybersecurity Unit 1 Mca

The document provides an overview of cybersecurity, defining it as the practice of protecting systems, networks, and programs from digital attacks while emphasizing the importance of confidentiality, integrity, and availability. It outlines seven main pillars of cybersecurity, including network, cloud, endpoint, mobile, IoT, application security, and the zero trust model, along with common cyber threats such as malware, phishing, and denial-of-service attacks. Additionally, it offers best practices for cybersecurity, standards for compliance, and highlights the importance of training and awareness in maintaining a secure environment.

UNIT 1 PLANNING FOR CYBERSECURITY MCA, II SEM

DEFINITION:
Cybersecurity is the practice of protecting systems, networks, and
programs from digital attacks. These cyberattacks are usually aimed at accessing,
changing, or destroying sensitive information; extorting money from users; or
interrupting normal business processes.
Cybersecurity is a part of information security that relates to the protection
of computers, networks, programs and data against unauthorized access. As
cybersecurity includes the protection of both company and personal data, the
fields of cybersecurity and data protection overlap. The security objectives of
confidentiality, integrity and availability are of paramount importance to both
elements of information security.
Types of Cybersecurity
Cyber security is a wide field covering several disciplines. It can be divided into
seven main pillars:
1. Network Security
Most attacks occur over the network, and network security solutions are designed
to identify and block these attacks. These solutions include data and access
controls such as Data Loss Prevention (DLP), IAM (Identity Access
Management), NAC (Network Access Control), and NGFW (Next-Generation
Firewall) application controls to enforce safe web use policies.
Advanced and multi-layered network threat prevention technologies include IPS
(Intrusion Prevention System), NGAV (Next-Gen Antivirus), Sandboxing, and
CDR (Content Disarm and Reconstruction). Also important are network
analytics, threat hunting, and automated SOAR (Security Orchestration and
Response) technologies.
2. Cloud Security
As organizations increasingly adopt cloud computing, securing the cloud
becomes a major priority. A cloud security strategy includes cyber security
solutions, controls, policies, and services that help to protect an organization’s
entire cloud deployment (applications, data, infrastructure, etc.) against attack.
While many cloud providers offer security solutions, these are often inadequate
to the task of achieving enterprise-grade security in the cloud. Supplementary
third-party solutions are necessary to protect against data breaches and targeted
attacks in cloud environments.
3. Endpoint Security
The zero-trust security model prescribes creating micro-segments around data
wherever it may be. One way to do that with a mobile workforce is using endpoint

security. With endpoint security, companies can secure end-user devices such as
desktops and laptops with data and network security controls, advanced threat
prevention such as anti-phishing and anti-ransomware, and technologies that
provide forensics such as endpoint detection and response (EDR) solutions.
4. Mobile Security
Often overlooked, mobile devices such as tablets and smartphones have access to
corporate data, exposing businesses to threats from malicious apps, zero-day,
phishing, and IM (Instant Messaging) attacks. Mobile security prevents these
attacks and secures the operating systems and devices from rooting and
jailbreaking. When included with an MDM (Mobile Device Management)
solution, this enables enterprises to ensure only compliant mobile devices have
access to corporate assets.
5. IoT Security
While using Internet of Things (IoT) devices certainly delivers productivity
benefits, it also exposes organizations to new cyber threats. Threat actors seek out
vulnerable devices inadvertently connected to the Internet for nefarious uses such
as a pathway into a corporate network or for another bot in a global bot network.
IoT security protects these devices with discovery and classification of the
connected devices, auto-segmentation to control network activities, and using IPS
as a virtual patch to prevent exploits against vulnerable IoT devices. In some
cases, the firmware of the device can also be augmented with small agents to
prevent exploits and runtime attacks.
6. Application Security
Web applications, like anything else directly connected to the Internet, are targets
for threat actors. Since 2007, OWASP has tracked the top 10 critical web
application security risks, such as injection, broken authentication,
misconfiguration, and cross-site scripting, to name a few.
With application security, the OWASP Top 10 attacks can be stopped. Application
security also prevents bot attacks and stops any malicious interaction with
applications and APIs. With continuous learning, apps will remain protected even
as DevOps releases new content.
7. Zero Trust
The traditional security model is perimeter-focused, building walls around an
organization’s valuable assets like a castle. However, this approach has several
issues, such as the potential for insider threats and the rapid dissolution of the
network perimeter.

As corporate assets move off-premises as part of cloud adoption and remote work,
a new approach to security is needed. Zero trust takes a more granular approach
to security, protecting individual resources through a combination of micro-
segmentation, monitoring, and enforcement of role-based access controls.
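As an added illustration of the zero-trust approach described above (this code is not part of these notes), the following Python function shows the shape of a per-request access decision: each request is checked for a verified identity, for device compliance as an MDM or endpoint agent would report it, and for a role-based permission on the specific resource and action, and every decision is recorded so access can be monitored. The user names, roles, resource names and the policy table are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool       # identity confirmed with a second factor
    device_compliant: bool   # posture as reported by an MDM / endpoint agent (assumed input)
    resource: str
    action: str


# Constructed role-based policy: which role may perform which action on which resource.
ROLE_PERMISSIONS = {
    "finance-analyst": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
    "engineer": {("source-repo", "read"), ("source-repo", "write")},
}

# Every decision is appended here so that access can be monitored and audited.
AUDIT_LOG = []


def decide(req: AccessRequest, policy=ROLE_PERMISSIONS):
    """Return (allowed, reason). The request is evaluated per resource and per
    action; being on the corporate network grants nothing by itself."""
    if not req.mfa_verified:
        verdict = (False, "identity not strongly verified (second factor required)")
    elif not req.device_compliant:
        verdict = (False, "device does not meet compliance policy")
    elif (req.resource, req.action) not in policy.get(req.role, set()):
        verdict = (False, f"role {req.role!r} may not {req.action} {req.resource}")
    else:
        verdict = (True, "allowed")
    AUDIT_LOG.append((req.user, req.resource, req.action, verdict[0], verdict[1]))
    return verdict


if __name__ == "__main__":
    print(decide(AccessRequest("alice", "payroll-admin", True, True, "payroll-db", "write")))
    print(decide(AccessRequest("bob", "finance-analyst", True, True, "payroll-db", "write")))
    print(decide(AccessRequest("bob", "finance-analyst", True, False, "payroll-db", "read")))
```

The order of the checks matters in practice: identity and device posture are evaluated before the role lookup, so a compromised but correctly-permissioned account on a non-compliant device is still refused.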
Cyber threat
The importance of system monitoring is echoed in the “10 steps to cyber
security”, guidance provided by the U.K. government’s National Cyber Security
Centre. In Australia, the Australian Cyber Security Centre (ACSC) regularly
publishes guidance on how organizations can counter the latest cyber-security
threats.
Types of cyber threats
The threats countered by cyber-security are three-fold:
1. Cybercrime includes single actors or groups targeting systems for financial
gain or to cause disruption.
2. Cyber-attack often involves politically motivated information gathering.
3. Cyberterrorism is intended to undermine electronic systems to cause panic or
fear.
So, how do malicious actors gain control of computer systems? Here are some
common methods used to threaten cyber-security:
Malware
Malware means malicious software. One of the most common cyber threats,
malware is software that a cybercriminal or hacker has created to disrupt or
damage a legitimate user’s computer. Often spread via an unsolicited email
attachment or legitimate-looking download, malware may be used by
cybercriminals to make money or in politically motivated cyber-attacks.
There are a number of different types of malware, including:
· Virus: A self-replicating program that attaches itself to a clean file and
spreads throughout a computer system, infecting files with malicious code.
· Trojans: A type of malware that is disguised as legitimate software.
Cybercriminals trick users into uploading Trojans onto their computer where they
cause damage or collect data.
· Spyware: A program that secretly records what a user does, so that
cybercriminals can make use of this information. For example, spyware could
capture credit card details.

· Ransomware: Malware which locks down a user’s files and data, with the
threat of erasing it unless a ransom is paid.
· Adware: Advertising software which can be used to spread malware.
· Botnets: Networks of malware-infected computers which cybercriminals
use to perform tasks online without the user’s permission.
SQL injection
An SQL (structured query language) injection is a type of cyber-attack used to
take control of and steal data from a database. Cybercriminals exploit
vulnerabilities in data-driven applications to insert malicious code into a
database via a malicious SQL statement. This gives them access to the sensitive
information contained in the database.

Phishing is when cybercriminals target victims with emails that appear to be from
a legitimate company asking for sensitive information. Phishing attacks are often
used to dupe people into handing over credit card data and other personal
information.
A man-in-the-middle attack is a type of cyber threat where a cybercriminal
intercepts communication between two individuals in order to steal data. For
example, on an unsecure WiFi network, an attacker could intercept data being
passed from the victim’s device and the network.
A denial-of-service attack is where cybercriminals prevent a computer system
from fulfilling legitimate requests by overwhelming the networks and servers
with traffic. This renders the system unusable, preventing an organization from
carrying out vital functions.
End-user protection
End-user protection or endpoint security is a crucial aspect of cyber security. After
all, it is often an individual (the end-user) who accidentally uploads malware or
another form of cyber threat to their desktop, laptop or mobile device.
Cyber safety BEST PRACTICES:
1. Update your software and operating system: This means you benefit from the
latest security patches.
2. Use anti-virus software: Security solutions like Kaspersky Total
Security will detect and remove threats. Keep your software updated for the best
level of protection.
3. Use strong passwords: Ensure your passwords are not easily guessable.

4. Do not open email attachments from unknown senders: These could be
infected with malware.
5. Do not click on links in emails from unknown senders or unfamiliar
websites: This is a common way that malware is spread.
6. Avoid using unsecure WiFi networks in public places: Unsecure networks
leave you vulnerable to man-in-the-middle attacks.

Best practices:
Here are cybersecurity tips and best practices for you to implement and share with
others. We’ll continue to update this list to help keep your business secure.
1. Keep software up-to-date
Software companies typically provide software updates for 3 reasons: to add new
features, fix known bugs, and upgrade security.
Always update to the latest version of your software to protect yourself from new
or existing security vulnerabilities.
2. Avoid opening suspicious emails
If an email looks suspicious, don’t open it because it might be a phishing scam.
Someone might be impersonating another individual or company to gain access
to your personal information. Sometimes the emails may also include attachments
or links that can infect your devices.
3. Keep hardware up-to-date

Outdated computer hardware may not support the most recent software security
upgrades. Additionally, old hardware makes it slower to respond to cyber-attacks
if they happen. Make sure to use computer hardware that is up-to-date.
4. Use a secure file-sharing solution to encrypt data
If you regularly share confidential information, you absolutely need to start using
a secure file-sharing solution. Regular email is not meant for exchanging sensitive
documents, because if the emails are intercepted, unauthorized users will have
access to your precious data.
On the other hand, using a secure file-sharing solution like TitanFile will
automatically encrypt sensitive files so that you don’t have to worry about a data
breach. Remember, your files are only as secure as the tools you choose to share
them with.
5. Use anti-virus and anti-malware
As long as you’re connected to the web, it’s impossible to have complete and total
protection from malware. However, you can significantly reduce your
vulnerability by ensuring you have an anti-virus and at least one anti-malware
installed on your computers.
6. Use a VPN to privatize your connections
For a more secure and privatized network, use a virtual private network (VPN).
It’ll encrypt your connection and protect your private information, even from
your internet service provider.
7. Check links before you click
Links can easily be disguised as something they’re not so it’s best to double check
before you click on a hyperlink. On most browsers, you can see the target URL
by hovering over the link. Do this to check links before you click on them.
8. Don’t be lazy with your passwords!
Put more effort into creating your passwords.
9. Disable Bluetooth when you don’t need it
Devices can be hacked via Bluetooth and subsequently your private information
can be stolen. If there’s no reason to have your Bluetooth on, turn it off!
10. Enable 2-Factor Authentication
Many platforms now allow you to enable 2-factor authentication to keep your
accounts more secure. It’s another layer of protection that helps verify that it’s

actually you who is accessing your account and not someone who’s unauthorized.
Enable this security feature when you can.
11. Remove adware from your machines
Adware collects information about you to serve you more targeted ads. It’s best
to rid your computer of all forms of adware to maintain your privacy.
Use AdwCleaner to clean adware and unwanted programs from your computer.
12. Double check for HTTPS on websites
When you’re on a website that isn’t using HTTPS, there’s no guarantee that the
transfer of information between you and the site’s server is secure. Double-check
that a site’s using HTTPS before you give away personal or private information.
13. Don’t store important information in non-secure places
When storing information online, you want to keep it in a location that can’t be
accessed by unauthorized users.
14. Scan external storage devices for viruses
External storage devices are just as prone to malware as internal storage devices.
If you connect an infected external device to your computer, the malware can
spread. Always scan external devices for malware before accessing them.
15. Avoid using public networks
When you connect to a public network, you’re sharing the network with everyone
who is also connected. Any information you send or retrieve on the network is
vulnerable. Stay away from public networks or use a VPN when you’re connected
to one.
16. Avoid the “secure enough” mentality
Unless you’re completely isolated from the rest of the world, there’s no such thing
as being “secure enough.” Big companies like Facebook invest a fortune into
security every year but are still affected by cyber attacks.
17. Invest in security upgrades
Following the previous tip, try to invest in security upgrades when they’re
available. It’s better to eat the costs of security than pay for the consequences of
a security breach!
18. Back up important data
Important data can be lost as a result of a security breach. To make sure you’re
prepared to restore data once it’s lost, you should ensure your important
information is backed up frequently on the cloud or a local storage device.

19. Train employees
The key to making cybersecurity work is to make sure your employees are well
trained, in sync, and consistently exercising security practices. Sometimes, one
mistake from an improperly trained employee can cause an entire security system
to crumble.
20. Use HTTPS on your website
Having an SSL certificate installed and HTTPS enabled on your website will help
encrypt all information that travels between a visitor’s browser and your web
server.
21. Employ a “White Hat” hacker
Not all hackers are bad. Some hackers expose security risks for the sake of
helping others improve their cybersecurity by keeping them aware of security
flaws and patching them. These hackers are known as “white hat” hackers. It
might benefit you to hire one to help you find risks you never knew you had.
STANDARDS
A cybersecurity standard is a set of guidelines or best practices that
organizations can use to improve their cybersecurity posture.
Organizations can use cybersecurity standards to help them identify and
implement appropriate measures to protect their systems and data from cyber
threats. Standards can also provide guidance on how to respond to and recover
from cybersecurity incidents.
Cybersecurity frameworks are generally applicable to all organizations,
regardless of their size, industry, or sector. This page details the common
cybersecurity compliance standards that form a strong basis for any cybersecurity
strategy.

Cybersecurity requires careful coordination of people, processes, systems,
networks, and technology. Find out how to get started with the basics of
cybersecurity while keeping costs to a minimum.
FISMA (Federal Information Security Management Act)
The FISMA (Federal Information Security Management Act) is a US federal law
enacted as Title III of the E-Government Act of 2002. The law establishes a
comprehensive framework for ensuring the security of information and
information systems for all executive branch agencies.

The FISMA was put in place to strengthen information security within federal
agencies, NIST, and the OMB (Office of Management and Budget). It requires
federal agencies to implement information security programs to ensure their
information and IT systems’ confidentiality, integrity, and availability, including
those provided or managed by other agencies or contractors.
HIPAA (Health Insurance Portability and Accountability Act)
The HIPAA (Health Insurance Portability and Accountability Act) is a set of
federal regulations that protect the privacy of patients’ health information. The
HIPAA applies to all forms of health information, including paper records,
electronic records, and oral communications.
It aims to make it easier for people to keep their health insurance when they
change jobs, protect the confidentiality and security of health care information,
and help the health care industry control its administrative costs.
ISO 22301
ISO 22301 is an international standard that outlines how organizations can ensure
business continuity and protect themselves from disaster. The Standard provides
a framework for a comprehensive BCMS (business continuity management
system). It can be used by any organization, regardless of size, industry, or
location.
ISO/IEC 27001
ISO 27001 is an international standard for information security that provides a
framework for managing sensitive company information. The Standard includes
requirements for developing an ISMS (information security management
system), implementing security controls, and conducting risk assessments.
The Standard’s framework is designed to help organizations manage their
security practices in one place, consistently and cost-effectively.
ISO/IEC 27002
ISO 27002 is the code of practice for information security management. It
provides guidance and recommendations on how to implement security controls
within an organization. ISO 27002 supports the ISO 27001 standard, which
provides the requirements for an ISMS.
ISO/IEC 27031
ISO 27031 is a standard for ICT (information and communications technology)
preparedness for business continuity. It provides guidance on how organizations
can use ICT to protect their business operations and ensure continuity in the event
of an incident or a disaster.

Achieving compliance with ISO 27031 helps organizations understand the threats
to ICT services, ensuring their safety in the event of an unplanned incident.
ISO/IEC 27032
ISO 27032 is an internationally recognized standard that provides guidance on
cybersecurity for organizations. The Standard is designed to help organizations
protect themselves against cyber attacks and manage the risks associated with the
use of technology. It is based on a risk management approach and provides
guidance on how to identify, assess, and manage cyber risks. The Standard also
includes guidance on incident response and recovery.
ISO/IEC 27701
ISO 27701 specifies the requirements for a PIMS (privacy information
management system) based on the requirements of ISO 27001. It is extended by
a set of privacy-specific requirements, control objectives, and controls.
Organizations that have implemented ISO 27001 can use ISO 27701 to extend
their security efforts to cover privacy management. This can help demonstrate
compliance with data protection laws such as the California Privacy Rights Act
(CPRA) and the EU General Data Protection Regulation (GDPR).
NIST CSF (Cybersecurity Framework)
The NIST CSF (National Institute of Standards and Technology Cybersecurity
Framework) is a voluntary framework that provides a set of standards, guidelines,
and best practices for managing cybersecurity risks.
The framework helps organizations to identify, assess, and manage their
cybersecurity risks in a structured and repeatable manner. The framework is not
mandatory, but it is increasingly being adopted by organizations as a voluntary
measure to improve their cybersecurity posture.
PLAN AND ACTIONS
A cyber security plan is a written document comprising information about an
Organization's security policies, procedures, and remediation plan concerning
countermeasures. This plan aims to ensure the integrity of operations and the
security of the Organization's critical assets.
It's a vital tool to protect customers, employees, and corporate confidential
information. By defining the current and future state of your cybersecurity space,
cybersecurity best practices are being provided as a plan for the Organization. A
cybersecurity plan also empowers the Information Technology team to
communicate effectively with respect to the cybersecurity structure and
operations. Professional ethical hacking can help organizations to create effective
cybersecurity plans.

There are three (3) reasons why cyber security plans are important:
Cyber attacks are the new normal for organizations. Industry reports usually
focus more on bigger corporations; however, small businesses are the new target
for cybercriminals. When a breach occurs in any Organization, the disruption is
far greater if there is no proper cyber security plan. If an incident response
plan is incorporated into the cyber resilience strategy, damage can be reduced
drastically. Hence, the earlier an incident is detected, the easier it is to deal
with and to secure the data.
A quick response to cyber-bound threats will protect the Organization's integrity
and safeguard critical information of employees, customers, and stakeholders. For
instance, if a critical asset (a laptop) of an Organization containing sensitive
data is lost, a remote wipe can be triggered from the host, which will protect the
organization's valuable assets. A cyber security plan will encompass all necessary
procedures and countermeasures desirable against any cyber threat.
A cyber security plan that contains measures against information technology
breaches could help to prevent cyber attacks. Cyber security does not begin
after an attack occurs. It's an ongoing process that requires consistent
maintenance and monitoring. It is a proactive and preventive approach rather than
a detective one. A cyber attack prevention plan is a subset of a cyber security
plan and is intended to help protect the Organization from cyber attacks.

Objectives of Cyber Security Planning
Most business operations run on the internet, revealing their data and
resources to various cyber threats. Since the data and system resources are the
pillars upon which the Organization operates, it goes without saying that a threat
to these entities is indeed a threat to the Organization itself.
A threat can be anything from a minor bug in code to a complex system
hijacking achieved through network and system penetration. Risk
assessment and estimation of the cost of reconstruction help the Organization to
stay prepared and to look ahead for potential losses. Thus, knowing and
formulating a plan of cyber security precise to every Organization is crucial in
protecting critical and valuable assets. Hence, professionals trained in Ethical
Hacking certification courses are hired by Organizations for Incident Response
roles.
Cyber security aims to ensure a risk-free and secure environment for keeping the
data, network, and devices secured against cyber threats.
Benefits of a Cybersecurity Plan

Small, medium and large organizations are prime targets, and they need to be
prepared to eliminate cyber security threats. A comprehensive cyber security plan
has become the most important factor for every business; an organization without
one is at greater risk than an organization with a cyber security business plan,
which can help reduce risks to a great extent. The benefits of a cyber security
plan are listed below:
1. Better Understanding of Risks
Organizations have extensively used cloud computing technology, mobile
devices, the Internet of Things (IoT), Smart Wearables, and so on. This has led to
substantial exposure to cyber-attacks and threats. Hence, organizations need to
be more calculated in safeguarding themselves than ever. A cyber security plan
will help organizations understand the current IT environment, allowing them to
make the necessary amendments to secure it.
2. Enabling Proactive Protection
One of the main reasons that organizations fall prey to cybercrime is
their reactive approach. It is important to defend against cyber-attacks with
a cyber-attack prevention plan and to take proactive measures
towards strengthening cyber security posture. The organization should always be
prepared for worst-case scenarios. A fundamentally strong cyber security
plan can be put in place, which comprises vulnerability analysis and penetration
testing, security vulnerability scans, business continuity, and disaster recovery,
and managed security services as a proactive approach.
3. Respond Promptly
No organization is entirely secure, even with the strongest security solutions.
Some attacks can breach the strongest defenses, and many organizations have
witnessed that. That is why having a cyber security plan can be
helpful. Creating this plan means knowing exactly what steps to take in
the event of a cyber-attack and covering the possible attacks that could take
place. A cyber-attack prevention plan also ensures each employee in
the Enterprise knows their discrete role in how they should react to the
catastrophe.
4. Necessary Compliance Requirements
In this highly regulated industry, organizations must comply with the relevant
compliance standards and regulations. Some of these are GDPR (General Data
Protection Regulation), PCI DSS (Payment Card Industry
Data Security Standards), HIPAA (Health Insurance Portability and
Accountability Act), and so on. Failure to do the same can lead to hefty penalties,
lowered profits, and reputational risk. A cyber security plan guarantees utmost

compliance and empowers the Enterprise to monitor all the best practices while
consistently meeting industry principles and protocols.
5. Prevent Insider Threats
A cyber security strategy and plan widen the horizon in helping organizations
counter insider threats by implementing a more organized approach to security.
In other words, it creates an impact by making cyber security a part of the
organizational culture. Employees are currently making cyber security a top
priority by engaging themselves in awareness and training sessions; hence, there
is a declining trend for insider threats. In short, a cyber security plan is a
natural preventive against insider threats.
Cybersecurity governance
Cybersecurity governance refers to the component of governance that
addresses an organization's dependence on cyberspace in the presence of
adversaries. The ISO/IEC 27001 standard defines cybersecurity governance as
the following:
The system by which an organization directs and controls security governance,
specifies the accountability framework and provides oversight to ensure that risks
are adequately mitigated, while management ensures that controls are
implemented to mitigate risks.
6 steps organizations should follow for their cybersecurity governance program
Here are six steps that can help an organization grow and sharpen its
cybersecurity governance program:
• Establish the current state.
• Complete a cyber-risk assessment to understand the gaps, and create a
roadmap to close those gaps.
• Complete a maturity assessment.
• Create, review and update all cybersecurity standards, policies and
processes. Many describe this as low-hanging fruit -- and it is -- but it is a
heavy lift. Take the time needed to establish the structure and expectations of
cybersecurity governance.
• Approach cybersecurity from an enterprise lens.
• Understand what data needs to be protected.

PRINCIPLES:
Cyber Security: An Overview

Cyber security is a set of practices to protect networks, servers, information
systems, and data from malicious attacks intended to exploit networks and
devices connected to them. Cyber security is also popularly known as information
technology (IT) security.
The primary objective of cyber security is to prevent unauthorized access to
networks and data theft. In general, actors carrying out cyber-attacks intend to
steal or manipulate data and disrupt the functioning of a network. Cyber security
makes it possible to intercept such attacks and secure networks.
Cyber Security Principles
Cyber security principles act as a set of instructions that help to safeguard
networks and systems against cyber threats. There are several cyber security or
IT security principles to ensure the safety of networks and the devices connected
to them.
Need for Defining Cyber Security Principles
Most organizations working in this digital era rely on the internet, wireless
networks, and computer systems to operate properly. To make sure that the data
they share across networks and different systems are safe from unauthorized
access and manipulation, they need to put a cyber security framework in place.

The principles of cyber security assist organizations in creating robust
frameworks to enforce strict security of networks and data.

14 Crucial Cyber Security Principles with Examples
If you are wondering what the principles of cyber security are, you need to go
through all the key cyber security principles discussed below:
1. Framing a Risk Management Regime
One of the first principles of cybersecurity is to define and create a risk
management strategy for the organization to handle all the potential cyber threats.
While developing the strategy or regime, it becomes essential to take input from
the executives of the organization along with the professional guidance of experts
who have taken proper Cyber Security training.
While strategizing, all the threats and their sources need to be identified and
defined clearly. This helps to make rules and regulations that aim to minimize the
vulnerabilities in the organization’s IT infrastructure.
Example: A team of cyber security monitors a system and identifies all the
vulnerabilities. The people at the management level review all the vulnerabilities
and discuss which vulnerabilities need to be eliminated by the cyber security
team.

2. Economy of Mechanism
The economy of mechanism is among the basic principles of cyber security that
define the best practices for designing an efficient cyber security framework. To
be precise, it states that the mechanisms employed for cyber security must be easy
to design and implement. If a security mechanism is complex, its implementation
can bring a lot of challenges and at the same time, is prone to errors.
To create a simple and efficient cybersecurity framework, it is essential to identify
what types of threats it needs to tackle and how. An organization may create
multiple modules for enforcing cyber security, with each module having its
specific assumptions and input data requirements. Therefore, it is important to
create only those modules that fulfill the cyber security needs of the organization.
Creating too many modules or setting incorrect assumptions may lead the whole
system to produce unexpected results.
Example: A file encryption mechanism that allows the admin to encrypt any type
of file and prevent access for unauthorized users. Instead of creating a security
mechanism for each file type, it is better to use an encryption mechanism that
protects all types of files.
3. Secure All Configurations
This principle defines how a network system should behave whenever a new user
or device is added to the network or when the access permissions for a user are
not clearly defined.
Whenever a new user or device joins a network or a system, the admin needs to
set their access permissions. In case the level of access is not clear, the system
should either grant restricted access or completely deny access to the network or
the system.
Managing the access permissions for every user or network device helps
prevent intrusion and limits what a compromised account can do.
Example: Whenever a new user is added to the system or network, administrators
define their access levels explicitly. In case, the access level is not defined, the
system should automatically assign the minimal access level to that user.
4. Fail-safe Defaults
This is one of the cyber security architecture principles. It states that when a
system fails or goes down, it should fail closed: the default outcome of an
error must be to deny access, never to grant it, and a backup protection plan
should safeguard the system until it is restored. It is essential to secure the
system when it encounters an error that disrupts its normal operation.
In general, a system should restrict access to all the configuration settings and
objects until the system gets restored to its normal state. Also, the fail-safe
program should terminate all the system functions that attackers may exploit and
reverse all the changes made to the system during the downtime.
Example: If a new user is added to a system during the downtime, the new user
should get only the minimal access to the system's configuration and features,
and any access that cannot be verified should be refused.
5. Network Security
Under this principle, the main agenda is to completely secure the network so that
data can be transferred over it safely. To achieve network security, it becomes
essential to design the network architecture deliberately to achieve protection
against cyber attacks.
Data encryption is an essential aspect of network security as it helps to ensure
that attackers do not extract any information even if they manage to steal data.
Also, it’s important to set up firewalls and filters to detect and filter out viruses
and infected data that can damage the nodes in the network.
Example: A firewall helps network administrators monitor both incoming and
outgoing traffic. The firewall filters traffic based on certain parameters and
restricts the flow of certain data. Also, the network needs to make use of an
encryption algorithm to protect confidential information transmitted over the
network.

6. Managing User Privileges
Usually, there are several users that can access a system, and managing user
privileges helps organizations to define what features each user can access.
Depending on the tasks users have to perform, they get different privileges.
It is not ideal to provide all the users within a system to have admin-level user
privileges. So, while designing an IT system, it’s important to add scope for
different user privileges. The admin of the system should be able to change the
privileges given to each user.
Example: In Windows OS, a user with admin-level access can change all the
settings of the system, whereas the standard and guest users have limited access
to the files and settings of the system.
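The minimal-access default of principle 3, the fail-closed behaviour of principle 4 and the privilege levels of principle 6 can be combined in one access-control routine. The following is an added example written for these notes, not code from the original document; the role names, the policy table and the user directory are constructed for illustration.

```python
"""Default-deny access control (added example; roles, policy and users are hypothetical)."""
from enum import Enum
from typing import Optional


class Role(Enum):
    GUEST = "guest"
    STANDARD = "standard"
    ADMIN = "admin"


# Constructed policy table. Anything not listed here is denied: there is no
# "allow everything" branch anywhere in this module.
POLICY = {
    Role.GUEST: frozenset({"read_public"}),
    Role.STANDARD: frozenset({"read_public", "read_own_files", "write_own_files"}),
    Role.ADMIN: frozenset({"read_public", "read_own_files", "write_own_files",
                           "change_settings", "manage_users"}),
}

# Constructed user directory. "mallory" was added without a role being set,
# which is the "access level not clearly defined" case of principle 3.
USERS = {"alice": Role.ADMIN, "bob": Role.STANDARD, "mallory": None}

# Actions that must be refused while the system is being restored (principle 4).
CONFIG_ACTIONS = frozenset({"change_settings", "manage_users"})


def effective_role(user: str) -> Optional[Role]:
    """Resolve a user's role with a fail-safe default.

    Not enrolled at all  -> None  (no access whatsoever)
    Enrolled, no role    -> GUEST (the minimal level, never a higher one)
    """
    if user not in USERS:
        return None
    return USERS[user] if USERS[user] is not None else Role.GUEST


def is_allowed(user: str, action: str, maintenance_mode: bool = False) -> bool:
    """Return True only if an explicit policy entry grants `action` to the user.

    Every other path returns False: unknown user, unknown action, missing role,
    or a configuration change attempted while the system is in maintenance.
    """
    if maintenance_mode and action in CONFIG_ACTIONS:
        return False
    role = effective_role(user)
    if role is None:
        return False
    return action in POLICY.get(role, frozenset())


def add_user(user: str, role: Optional[Role] = None) -> Role:
    """Enrol a user; without an explicit role the minimal level is assigned."""
    USERS[user] = role if role is not None else Role.GUEST
    return USERS[user]


if __name__ == "__main__":
    for who, what in [("alice", "change_settings"), ("bob", "change_settings"),
                      ("mallory", "read_own_files"), ("nobody", "read_public")]:
        print(f"{who:8} {what:18} -> {'allow' if is_allowed(who, what) else 'deny'}")
```

The point to notice is that the "deny" answer never has to be written down anywhere: it is what falls out when a lookup finds nothing, so a forgotten configuration step can only ever under-grant, not over-grant.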
7. Open Design
Open design is one of the most important principles of cyber security. According
to this principle, a cyber security mechanism should not depend on the
confidentiality of its design. Instead, it is better to use an open design that is
publicly available and has been reviewed, and to keep only the keys secret.
It is also a viable option to use different cryptographic methods for the
different components or levels of security, so that the whole system will not be
compromised if one security component gets attacked.
Example: DVDs store data in standard formats, and the Content Scramble System
(CSS) was meant to prevent unauthorized copying of the data stored on the disc.
CSS relied on a secret, proprietary cipher; once that cipher was
reverse-engineered it was broken, which shows why security should rest on
public, well-reviewed designs and secret keys rather than on a secret design.
8. Monitoring
As per this cyber security principle, it is essential to devise a strategy to monitor
all the activities happening within an organization’s network. A special emphasis
should be put on activities that are directly related to network security. This
eventually helps organizations track any activity that can compromise security
and prevent them from causing serious harm to the network and its devices.
The monitoring strategy needs to involve tracking the activities of each system or
user connected to the network. It can help to detect and prevent cyber attacks in
case the primary intrusion detection mechanism fails.
Example: Several systems restrict the number of attempts to enter a system within
a certain period. In case the wrong credentials are provided to the system more
times than the maximum allowed attempts, the login will get disabled for the user,
and a warning will be sent to the administrator.
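The lockout example above is a small piece of detection logic, and it is worth seeing how it behaves on real-looking input. The block below is an added example for these notes, not code from the original document or from any product; the log lines are constructed, and the five-attempts-in-five-minutes policy is an assumed value.

```python
"""Failed-login monitoring over sample log lines (added example; the log lines are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed syslog-style lines; not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:04 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:06 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:07 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:10:00 sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:20:00 sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:30:00 sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:40:00 sshd: Failed password for bob from 198.51.100.2
2024-03-01T09:50:00 sshd: Failed password for bob from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

MAX_ATTEMPTS = 5                 # assumed policy: 5 failures ...
WINDOW = timedelta(minutes=5)    # ... within 5 minutes locks the account

Alert = Tuple[str, str, str, str]  # (kind, user, ip, timestamp)


def detect_lockouts(log_text: str, max_attempts: int = MAX_ATTEMPTS,
                    window: timedelta = WINDOW) -> Tuple[List[Alert], Set[str]]:
    """Scan log lines in order; return (alerts, locked_users).

    A 'lockout' alert is raised the moment a user accumulates max_attempts
    failures inside the sliding window. An 'accepted_while_locked' alert flags
    the failure mode the notes warn about: the primary control (the login
    disable) did not take effect, so the monitoring layer has to catch it.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked: Set[str] = set()
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated line; real logs are noisy
        ts = datetime.fromisoformat(m["ts"])
        user, ip = m["user"], m["ip"]
        if m["result"] == "Accepted":
            if user in locked:
                alerts.append(("accepted_while_locked", user, ip, m["ts"]))
            else:
                recent[user].clear()      # a genuine success resets the counter
            continue
        failures = recent[user]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()            # drop failures outside the window
        if len(failures) >= max_attempts and user not in locked:
            locked.add(user)
            alerts.append(("lockout", user, ip, m["ts"]))
    return alerts, locked


if __name__ == "__main__":
    found, locked_users = detect_lockouts(SAMPLE_LOG)
    for kind, user, ip, when in found:
        print(f"{when} {kind:22} user={user} ip={ip}")
    print("locked:", sorted(locked_users))
```

Note what the sample shows about the policy itself: alice trips the counter in six seconds, but bob's five failures spaced ten minutes apart never sit inside one window, so a patient attacker stays below a per-user threshold. Counting per source address and over longer horizons as well is the usual answer.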
9. Complete Mediation
Every user who wants to access an object within the system needs to go through
an authorization process, and this is what the complete mediation principle is all
about. Access authorization helps to confirm that a user has the appropriate
permissions to get into the system and use certain objects.
To improve the overall performance, the system may remember the access
decision for a user after authorizing their access, but only for a bounded time,
and any cached decision must be discarded when that user's permissions change.
After a certain time or session, the system should ask the user to provide
credentials again to access an object.
Example: Most banking sites implement this principle by logging out the user if
they are inactive for a certain duration.
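The tension in complete mediation is between checking every access and not paying for a slow lookup every time. The block below is an added example for these notes, not code from the original document; the idle timeout and the permission table are assumptions, and it shows both the idle-timeout re-authorization and the case the text leaves implicit, a cached decision going stale after a permission change.

```python
"""Complete mediation with a bounded authorization cache (added example)."""
import time
from typing import Callable, Dict, Tuple

# Assumed idle timeout. The value is hypothetical; real banking sites pick their own.
IDLE_TIMEOUT_SECONDS = 300.0

# Constructed permission table standing in for the authoritative policy store.
PERMISSIONS: Dict[Tuple[str, str], bool] = {
    ("alice", "/accounts/alice"): True,
    ("alice", "/accounts/bob"): False,
}


def authoritative_lookup(user: str, obj: str) -> bool:
    """The slow, always-correct check (a policy store or database in practice)."""
    return PERMISSIONS.get((user, obj), False)   # unknown pairs are denied


class MediatedAccess:
    """Every access passes through check(); nothing reads the object directly.

    Decisions are cached to save the slow lookup, but a cached decision is
    only reused while the user stays active within the idle timeout, and
    invalidate() drops it as soon as permissions change.
    """

    def __init__(self, authorize: Callable[[str, str], bool] = authoritative_lookup,
                 clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._authorize = authorize
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._cache: Dict[Tuple[str, str], Tuple[bool, float]] = {}
        self.authoritative_checks = 0   # counts how often the slow path ran

    def check(self, user: str, obj: str) -> bool:
        now = self._clock()
        key = (user, obj)
        cached = self._cache.get(key)
        if cached is not None:
            decision, last_seen = cached
            if now - last_seen < self._idle_timeout:
                self._cache[key] = (decision, now)   # activity extends the session
                return decision
            del self._cache[key]                     # idle too long: re-authorize
        self.authoritative_checks += 1
        decision = self._authorize(user, obj)
        self._cache[key] = (decision, now)
        return decision

    def invalidate(self, user: str) -> int:
        """Forget every cached decision for `user`; returns how many were dropped."""
        stale = [key for key in self._cache if key[0] == user]
        for key in stale:
            del self._cache[key]
        return len(stale)


if __name__ == "__main__":
    ctl = MediatedAccess()
    print(ctl.check("alice", "/accounts/alice"), ctl.check("alice", "/accounts/bob"))
    print("slow lookups so far:", ctl.authoritative_checks)
```

Without invalidate(), revoking a permission would take effect only after the idle timeout expires, which is exactly the gap that caching opens in complete mediation; the timeout bounds that gap, and explicit invalidation closes it.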
10. Home and Mobile Networking
The employees of an organization while working remotely may have to access
systems from home or mobile networks. However, this increases the security risks
for an organization’s IT infrastructure.
An organization that allows employees to work remotely should create separate
policies for managing the risks associated with home and mobile networks. By
doing so, organizations can prevent security breaches and loss of information.
Example: While working remotely and accessing the office network, employees
should use internet security software and/or a VPN to access the network
securely.
11. Work Factor
The work factor represents the amount of resources an attacker needs to breach
the security of a system. The higher the work factor of a system, the more
resources are needed to break its cryptographic protection or guess its secrets
in order to gain unauthorized access.
While designing a cyber security framework, it is essential to keep the work
factor high so that it becomes difficult for the attacker to circumvent the system's
security.
Example: A system that accepts 4-character passwords drawn from 26 letters
(case insensitive) has 26^4 = 456,976 possible combinations, so in the worst case
an attacker has to try all of them to find the password. If the length is
increased to 5 characters and the letters are made case sensitive (52 symbols),
the number of combinations becomes 52^5 = 380,204,032, which is harder to
exhaust. Note that even this is small for an offline attack against stolen
password hashes, so the work factor must also be raised by limiting online
attempts and by hashing stored passwords with a deliberately slow function.
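The two cases in the example are instances of a general calculation: the work factor is the size of the keyspace multiplied by the cost of one guess. The block below is an added example for these notes, not code from the original document; the third password policy and the guess rate are assumptions, and the timing function measures the per-guess cost of a slow hash on whatever machine runs it.

```python
"""Work factor: keyspace size and per-guess cost (added example; values are illustrative)."""
import hashlib
import math
import os
import time
from typing import Dict, Tuple


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity expressed in bits: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: the attacker tries every combination at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def kdf_seconds_per_guess(iterations: int, rounds: int = 3) -> float:
    """Measure what one verification of PBKDF2-HMAC-SHA256 costs at this iteration count.

    That cost is paid for every guess, online or against a stolen hash, so raising
    the iteration count raises the work factor without changing the password policy.
    Returns the median of `rounds` measurements to smooth timer noise.
    """
    salt = os.urandom(16)
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", salt, iterations)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


# Hypothetical policies, including the two from the notes above.
POLICIES: Dict[str, Tuple[int, int]] = {
    "4 letters, case-insensitive": (26, 4),
    "5 letters, case-sensitive": (52, 5),
    "12 printable ASCII characters": (94, 12),
}


def compare_policies(guesses_per_second: float = 1e9) -> Dict[str, Tuple[int, float, float]]:
    """For each policy: (combinations, entropy bits, worst-case seconds at the given rate).

    1e9 guesses/s is an assumed offline rate against a fast, unsalted hash; it is
    here to show the scale, not a measurement of any particular hardware.
    """
    return {
        name: (keyspace(n, k), entropy_bits(n, k), seconds_to_exhaust(n, k, guesses_per_second))
        for name, (n, k) in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (combos, bits, secs) in compare_policies().items():
        print(f"{name:32} {combos:>25,d} {bits:6.1f} bits {secs:14.3g} s")
    slow = kdf_seconds_per_guess(100_000)
    print(f"PBKDF2 at 100,000 iterations: {slow * 1e3:.1f} ms per guess, "
          f"i.e. at most {1 / slow:,.0f} guesses/s per core")
```

Run it and the 380 million combinations of the case-sensitive policy fall in well under a second at the assumed rate; the slow hash is what turns that into hours, and it does so for every policy at once.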
12. Incident Management
The incident management principle states that organizations need to keep a record
of all security incidents to improve the security mechanism. It's essential to store
the details of all the intrusions to find loopholes in the system and eliminate them
to prevent future attacks.
Additionally, by monitoring all the incidents, it is possible to devise cyber security
strategies that are more robust and less prone to malicious attacks.
Example: A monitoring system that keeps a record of the system condition may
help to track the changes made to the system during an incident.
13. Prevention of Malware
Malware is the most common type of threat used by attackers to penetrate security
and gain unauthorized access to a system. It is software carrying malicious
code that aims to disrupt the normal operation of a system and let attackers bypass
the security mechanism.
Being one of the cybersecurity defense principles, the prevention of malware
suggests that an organization should design its cyber security to detect and
prevent malware from getting installed on its systems. A proper strategy is
essential for tackling various types of malware attacks. Firewalls, intrusion
detection systems and endpoint protection help detect malware and restrict it
from entering a system.
Example: Antivirus software with real-time protection alerts the user
whenever it detects malware on the system.
14. Acceptance of Security Breaches
Cyber attackers are always on the lookout for new ways to intrude into systems. Thus,
it is important to modify and update the cyber security framework to add
protection against new types of cyber attacks.
It is imperative to keep track of all the latest cyber attacks and figure out the most
effective ways to prevent them. The cyber security team of an organization is
responsible for making any necessary changes in the scope of the cyber security
framework.
Example: A cybersecurity team monitors cyber attacks happening within or
outside the organization to identify the loopholes that attackers may exploit to
breach the security of a system.
Purpose of Cyber Security Principles
Cyber security design principles guide organizations to implement cyber security
and protect their information systems and data against cyber-attacks and illicit
activities. Any organization can make use of them to facilitate the following
processes:

1. Governance: identifying and managing security risks, both online and offline,
and setting the policies, roles and accountability under which the other
processes operate.
2. Detection: It aims to detect and identify the events related to security and data
breaches. This simply means be on the lookout to identify and understand
cybersecurity events and cybersecurity incidents.
3. Protection: This is a simple one to understand. Protection involves the
implementation of various mechanisms to protect networks and systems against
cyber attacks.
4. Respond: This process aims to recover the system or network after the
occurrence of a security breach. This means the techniques and tools to mitigate
cyber security incidents and recover from them.
COMPONENTS:
Cyber security is the shielding of web associated systems, for example, hardware,
software, and information from cyber dangers. The training is utilized by people
and ventures to defend against unapproved access to the servers and other
electronic systems.
Various elements of cyber security are given below:

• Application Security
• Information Security
• Network Security
• Disaster Recovery Planning
• Operational Security
• End-user Security

1. Application Security: Application security is the principal component of
cyber security that adds security features inside applications during the
development phase to defend against cyberattacks. It shields websites and online
applications from the various kinds of cyber security threats that exploit
weaknesses in source code. Application security is about keeping software
applications safe from threats. Much of the focus of application security today
is on cloud-based applications.
Due to misconfiguration of settings, data held in the cloud becomes insecure. The
fundamental reasons for cloud application misconfiguration are:

• Lack of awareness of cloud security policies
• Lack of sufficient controls and oversight
• Too many management interfaces to oversee

Vulnerabilities of Application: Denial-of-service (DoS) and Distributed
denial-of-service (DDoS) attacks are used by attackers to flood a targeted server,
or the infrastructure that supports it, with different kinds of traffic. This
traffic eventually keeps legitimate users from reaching the server and can make
it shut down. A technique called SQL injection (SQLi) is used by attackers to
take advantage of database flaws: by supplying input that alters the structure of
a query, they can expose user identities and passwords, and can also create,
modify and delete data without the permission of the user.
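SQL injection is easiest to understand with the vulnerable query next to its fix. The block below is an added example for these notes, not code from the original document; it uses Python's built-in sqlite3 module with an in-memory database, the table contents are constructed, and password handling is reduced to a stored token so that the query structure stays in focus (real systems compare a slow, salted password hash).

```python
"""SQL injection: vulnerable query beside the parameterized fix (added example)."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-secret", "admin"),
        ("bob", "hash-of-bob-secret", "user"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> List[Tuple[str, str]]:
    """Builds the statement by string formatting, so input can change its structure.

    sqlite3.execute() refuses stacked statements, which blocks "'; DELETE ..." here,
    but the attacker can still rewrite the WHERE clause, which is enough to log in
    as anyone. Other database drivers do allow stacked statements.
    """
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str,
               password_hash: str) -> List[Tuple[str, str]]:
    """Parameterized: the database receives the statement and the values separately,
    so a quote or comment marker in the input is only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Classic payloads: comment out the password check, or make the WHERE clause always true.
BYPASS_USER = "alice' --"
TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload :", login_vulnerable(db, BYPASS_USER, "wrong"))
    print("vulnerable, tautology       :", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, comment      :", login_safe(db, BYPASS_USER, "wrong"))
    print("parameterized, tautology    :", login_safe(db, TAUTOLOGY, TAUTOLOGY))
```

The vulnerable version also breaks on legitimate input such as a surname with an apostrophe, raising a syntax error; that error is usually how an attacker first notices the injection point.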
Types of Application Security: The types of application security are
authentication, authorization, encryption, logging, and application security
testing.
Tools of Application Security: The various tools of application security
are firewalls, antivirus, encryption techniques and web application firewalls that
protect applications from threats.

2. Information Security: Information security is the component of cyber
security that denotes the methods for defending against unauthorized access, use,
disclosure, disruption, modification, or destruction of information. It protects
the company's data and code, including the information the company collects
from its clients and users. The primary standards and principles of information
security are Confidentiality, Integrity, and Availability, together called the CIA
triad.
Confidentiality: Protecting information so that only authorized users are
allowed to access sensitive data is known as Confidentiality. For example,
suppose X has a password for a Facebook account but somebody watched X
typing it during login. In that case X's password has been compromised and
Confidentiality has been breached.
Integrity: Maintaining the consistency, accuracy, and completeness of
information is known as Integrity. Information must not be modified in an
unauthorized way. For example, in a data breach that compromises integrity, an
attacker might intercept data and alter it before sending it on to the intended
recipient. Security controls intended to maintain the integrity of information
include encryption, user access controls, version control, backups and recovery
procedures, and error detection (checksums and cryptographic message
authentication codes).
Availability: Information must be accessible whenever authorized users need it.
There are primarily two threats to the availability of a system:

• Denial of Service
• Loss of Data Processing Capabilities
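The integrity controls listed above include error detection, and the attacker-in-the-middle example shows why a plain checksum is not enough against a deliberate change. The block below is an added example for these notes, not code from the original document; the transfer record and the shared key are constructed, and it puts a SHA-256 checksum beside an HMAC so the difference is visible.

```python
"""Integrity check: plain checksum vs keyed MAC (added example; the record is constructed)."""
import hashlib
import hmac
import json
from typing import Dict


def canonical(record: Dict) -> bytes:
    """Serialize deterministically so the same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum_envelope(record: Dict) -> Dict[str, str]:
    """Error detection only: catches accidental corruption, not deliberate change,
    because anyone who edits the body can recompute the hash."""
    body = canonical(record)
    return {"body": body.decode(), "digest": hashlib.sha256(body).hexdigest()}


def checksum_ok(env: Dict[str, str]) -> bool:
    return hashlib.sha256(env["body"].encode()).hexdigest() == env["digest"]


def mac_envelope(record: Dict, key: bytes) -> Dict[str, str]:
    """Integrity against an adversary: the tag depends on a key the attacker lacks."""
    body = canonical(record)
    return {"body": body.decode(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def mac_ok(env: Dict[str, str], key: bytes) -> bool:
    expected = hmac.new(key, env["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, env["tag"])   # constant-time comparison


def attacker_edits(env: Dict[str, str], old: str, new: str) -> Dict[str, str]:
    """Man-in-the-middle: alter the body and, if it is a plain checksum, recompute it."""
    tampered = dict(env)
    tampered["body"] = env["body"].replace(old, new)
    if "digest" in tampered:
        tampered["digest"] = hashlib.sha256(tampered["body"].encode()).hexdigest()
    return tampered


# Constructed sample transfer and a hypothetical shared key.
TRANSFER = {"from": "alice", "to": "bob", "amount": 100}
KEY = b"shared-secret-known-only-to-sender-and-receiver"


if __name__ == "__main__":
    plain = attacker_edits(checksum_envelope(TRANSFER), '"amount":100', '"amount":1000')
    signed = attacker_edits(mac_envelope(TRANSFER, KEY), '"amount":100', '"amount":1000')
    print("checksum still verifies after tampering:", checksum_ok(plain))
    print("MAC still verifies after tampering:     ", mac_ok(signed, KEY))
```

The checksum version verifies cleanly after the amount is changed, because the attacker simply recomputed it; the HMAC version fails, and it also fails for a receiver holding the wrong key, which is what makes the tag an integrity control rather than an error detector.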

3. Network Security: Network security is the protection of a network from
unauthorized access and threats. It is the responsibility of network
administrators to adopt preventive measures to safeguard their networks from
potential security threats. Network security is another element of IT security;
it is the practice of defending against and preventing unauthorized access to
computer networks.
Network Security Strategies: There are numerous strategies to improve
network security, and the most common network security components are
the following: firewalls, antivirus, email security, web security, wireless security.
Network Security Software: There are different types of tools that can shield a
computer network, such as a network firewall, cloud application firewall, web
application firewall, etc.

4. Disaster Recovery Planning/Business Continuity Planning: The planning
that describes how work continues quickly and efficiently after a disaster is
known as Disaster Recovery Planning or Business Continuity Planning. A
disaster recovery strategy should begin at the business level and work out
which applications are most vital to running the operations of the organization.
Business continuity planning (BCP) is about being ready for cyber threats
by identifying threats to the organization in time, examining how
operations might be impacted and planning how to overcome that.
The primary objectives of disaster recovery planning include:

• Protecting the organization during a disaster
• Providing a sense of security
• Minimizing the risk of delays
• Ensuring the reliability of backup systems
• Providing a standard for testing the plan
• Minimizing decision-making during a disaster

Disaster Recovery Planning Categories: The categories of Disaster Recovery
Planning are:

• Data center disaster recovery
• Cloud application disaster recovery
• Service-based disaster recovery
• Virtual disaster recovery

Steps of Disaster Recovery Planning: The steps are:

• Obtain top management commitment
• Establish a planning committee
• Perform a risk assessment
• Establish priorities for processing and operations
• Determine recovery strategies
• Collect data
• Document a written plan
• Develop testing criteria and procedures
• Test the plan
• Maintain the plan

5. Operational Security: The process that encourages managers to view their
operations from the viewpoint of an attacker, in order to protect sensitive data
from various threats, is known as Operational Security (OPSEC) or procedural
security. Operations security (OPSEC) is used to protect the functions of an
organization. It tracks critical information and assets to identify weaknesses
that exist in operational procedures.
Steps of Operational Security: There are five stages in an operational
security program, which are as follows:

• Identify the organization's sensitive data
• Identify the possible threats
• Analyze security holes and vulnerabilities
• Assess the risks
• Implement appropriate countermeasures

Practices of Operational Security: The best practices of operational
security are:

• Implement precise change management processes
• Restrict access to network devices
• Give employees the minimum access they need
• Implement dual control, so that no single person both operates and secures
a system
• Automate tasks
• Plan for incident response and disaster recovery

6. End User Education: End-user training is one of the most significant elements
of computer security. End users are becoming the biggest security risk in any
organization because a mistake can happen at any time. One of the primary errors
that leads to data breaches is human error. An organization should train its
employees about cybersecurity. Each employee should be aware of phishing
attacks through messages and links and be able to deal with cyber threats.
Threats of End-User: There are many ways in which end-user risk arises. The
end-user threats can arise in the following ways:

• Use of social media
• Text messaging
• Use of email
• Application downloads
• Weak password creation and password reuse

CYBERSECURITY RISK MANAGEMENT AND RISK ASSESSMENT

Cybersecurity risk management is the continuous process of identifying,
analyzing, evaluating, and addressing an organization's cyber security
threats.
Cybersecurity risk assessment is the starting point of any cybersecurity risk
management campaign. Businesses need to do these assessments to understand
how much risk their networks face. They achieve this by first identifying which
assets are vulnerable and then securing them in the order of their riskiness.
Therefore, a cybersecurity risk assessment identifies every digital asset that could
be the target of a cyber-attack – like hardware, software, data, and intellectual
property – and then determines the various risks that could affect them.
What are the steps involved in a cybersecurity risk assessment?

• A business needs to define its key business processes and objectives and
the information technology (hardware and software) assets used to serve as
input to the cybersecurity risk assessment.
• Next, cyber-attack methods and types are identified that could adversely
affect these very IT assets. An analysis is then done to determine the
likelihood of such attacks occurring and their impact on the business
processes.
• Finally, the results from this analysis are saved to serve as threat-level
indicators for auditing, compliance, and progress reporting.

Once the security team has a clear picture of the overall risk status, they can make
informed decisions about how to mitigate the risks – including implementing
defense solutions, plugging security holes, patching out-of-date technology, and
retiring legacy systems.
Process of cybersecurity risk management
The first step in the cybersecurity risk management process is defining the
scope – which can range from a single server to the entire network and even
extend beyond it to include the cloud. The wider the scope is, the more complex
an undertaking it becomes to ensure its security.
Examples of scope would be a business unit, a network segment, or a location. It
could also be a payment processing system or client-facing application.
An important step here is gaining the full support of all the stakeholders
covered by the scope. Their input, suggestions, and expert opinions help identify
processes, applications, and hardware at risk. They can even assist with resolving
issues and threats without impacting the business processes. Most importantly,
they won't be irritated by the process itself.
Once the scope is known, it is time to start the cybersecurity risk management
process, which consists of the following steps:


1. Identify assets
Assets need to be identified before they can be protected. This initial step
identifies all the applications, services, and devices that are crucial to the business
– or support mission-critical processes.
Devices that face the Internet but are not part of these critical processes can also
be considered since they can be hijacked to serve as staging devices to perform
attacks from behind the defense perimeter.
2. Identify threats
Once each critical digital asset has been identified, it is time to identify all the
threats that could be made against them.
Assign each piece of software, laptop, server, POS machine, and mobile device a
threat level depending on how prone or exposed it is to threats. The higher the
threat level it is ranked, the higher the priority the device is assigned. For each
device in the scope, identify the risks it faces, the dangers each one poses,
and its effect on the overall performance of the business' core process.
The threats could be posed from viruses, hacks, user inexperience, policy laxness,
or old versions of unpatched solutions.
3. Identify consequences
Next, it is time to analyze the impact of having each system or device down for
specific amounts of time, bearing in mind that not all issues can be resolved in
minutes or hours. Therefore, the consequence analysis should consider – and even
simulate – the impact that would ensue from a system or device being offline for
an undetermined amount of time.

[Figure: a simple example to demonstrate the breakdown of an issue.]

4. Identify solutions


Now that the devices, threats, and consequences have been identified and
analyzed, it is time to find temporary (short-term) and permanent (long-term)
solutions to address and prevent them. The answers could be tested while
identifying the consequences in the previous step. Ideally, this is done in a test or
dummy network.
Examples of solutions can be patching software, training users, implementing
new IT policies, installing antiviruses, and tightening access control.
Four strategies can be adopted while arriving at the ideal solution:
Treatment – finding security tools and best practices to resolve the issue causing
the risk; examples include installing firewalls, proxy servers, and antimalware.
Tolerance – accepting the risk is unavoidable and deciding to tolerate its
existence; this calculated risk should fall within established risk acceptance
criteria.
Termination – completely cutting the system, software, or hardware out and
redesigning affected processes to run without them.
Transferal – reducing the risk by dividing the risk with another party; examples
here could be outsourcing security to a technology company or buying insurance.
5. Implement solutions and monitor progress and effectiveness
Any identified resolutions should be implemented as soon as possible. They
should start protecting against threats immediately.
Once the testing has been completed successfully, the solutions can be moved
into the production environment.
Most software solutions for monitoring cybersecurity risks have dashboards that
show risk exposure levels. In the rare case that they don’t, there are many
application, server, and network monitoring tools that can be used to track the
health of assets.
Either way, round-the-clock monitoring should be implemented to make sure the
solutions provided are indeed helping in the resolution of threats. If there are
lapses in policies, weak defenses, or unforeseen (new) perils have been identified,
the whole process goes back to the first step, and the cybersecurity risk
management process starts over again.
This is to say that these five steps are part of an endless risk management cycle
that is repeated until all identified threats have been resolved. And then – even
when there are no more issues – the process still needs to run to make sure no
new problems pop up down the line.
RISK ASSESSMENT:

A cybersecurity risk assessment is the process of evaluating the threats to your
organization's IT systems and data, as well as your capacity to safeguard those
things from cyber attacks.
Organizations may use a cybersecurity risk assessment to identify and prioritize
opportunities for improvement in existing information security programs. A risk
assessment also assists companies in communicating risks to stakeholders, and
making educated decisions about how to deploy resources to mitigate those
security risks.
How Do You Perform a Cybersecurity Risk Assessment?
To perform a cybersecurity risk assessment, it’s essential to assemble a team with
the right qualifications. A cross-departmental group is crucial to identify cyber
threats (which can come from both inside and outside your organization) and to
mitigate the risks to your IT systems and data. The risk management team can
also communicate the risk to employees and conduct incident response more
effectively.
At a minimum, your team should include the following:

• Senior management to provide oversight.
• The chief information security officer to review network architecture.
• A privacy officer to locate personally identifiable information, as required
by the EU General Data Protection Regulation (GDPR).
• The compliance officer to assure compliance with the National Institute of
Standards and Technology's (NIST) Cybersecurity Framework, the Health
Insurance Portability and Accountability Act (HIPAA), and other
security standards.
• Someone from the marketing team to discuss the information collected and
stored.
• Someone from the product management team to assure product security
throughout the development cycle.
• Human resources, to give insight into employee personally identifiable
information.
• A manager from each central business line to cover all data across the
enterprise.

Taking a risk-based approach to cybersecurity starts with understanding
and aligning business objectives to information security and
cybersecurity goals. Hence you need cross-functional input.

Step 1: Catalog Information Assets
Your risk management team should catalog all your business's information assets.
That includes your IT infrastructure, as well as the various Software-as-a-Service
(SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS)
solutions used throughout the company. It also includes the data that those
systems process.
The assets that your third-party vendors use should be included in your
list. Unfortunately, third-party vendors remain a significant data breach risk.
To understand the types of data your company collects, stores, and transmits, as
well as the locations involved, ask these questions:
What kinds of information are departments collecting?
Where are they storing that information?
Where do they send that information?
From where are they collecting it?
Which vendors does each department use?
What access do those vendors have?
Which authentication methods, such as multi-factor authentication, do you use
for information access?
Where, physically, does your company store information?
Which devices do workforce members use?
Do remote workers access information? How so?
Which networks transmit information?
Which databases store information?
Which servers collect, transfer, and store data?
Step 2: Assess the Risk
Some types of information are more critical than others. Not all vendors are
equally secure. So once you’ve identified your information assets, it’s time to
assess their risks and your enterprise.
Which systems, networks, and software are critical to business operations?
What sensitive information or systems must maintain availability, confidentiality,
and integrity?
What personal information do you store, transmit, or collect that needs to be
anonymized in case of an encryption failure?
Which devices are most at risk of data loss?
What is the potential for data corruption?


Which IT systems, networks, and software might cybercriminals target for a data
breach?
What reputation harm might arise from a security incident?
What financial risks are posed by a potential data breach or data leak?
What business operation risks would stem from a cybersecurity event?
Do you have a business continuity plan that allows you to return to business
operations rapidly after an IT disruption?
The risk assessment process considers risks to the information assets in your
catalog and what harm breaches of each IT asset might cause to your enterprise.
That includes harm to business reputation, finances, continuity, and operations.
Step 3: Analyze the Risk
Risk analysis assigns priority to the risks you’ve listed. For each risk, give a score
based on the following:
Probability. The likelihood of a cybercriminal’s obtaining access to the asset
Impact. The financial, operational, strategic, and reputational impact that a
security event might have on your organization
To establish your risk tolerance level, multiply the probability by the impact.
Then, for each risk, determine your response: accept, avoid, transfer, or mitigate.
For example, a database containing public information such as the definition
of NIST or New York State Department of Financial Services (NY DFS)
requirements might have few controls securing it, so the probability of a breach
might be high. On the other hand, the damage would be low since the attackers
would only be grabbing information that’s publicly available. So you might be
willing to accept the security risk for that particular database, because despite the
high probability of a breach, the impact score is low.
Conversely, if you’re collecting financial information from customers,
the probability of a breach might be low, but the harm from such a breach could
be severe regulatory penalties and a battered corporate reputation. So you may
decide to mitigate this risk by taking out a cybersecurity insurance policy.
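The scoring described in Step 3, worked as an added example (this code is not part of these notes): a small risk register in which each entry's score is probability multiplied by impact, entries are ranked with the highest score first, and any risk scored above a tolerance value that is merely "accepted" is flagged so the decision gets documented. The 1..5 scales, the tolerance value of 6 and the third register entry are assumptions made for this example; the first two entries are the public-information database and the customer financial data discussed above.

```python
"""Added example: Step 3 risk analysis as a small, ranked risk register."""
from dataclasses import dataclass

# The four responses named in the notes.
RESPONSES = ("accept", "avoid", "transfer", "mitigate")


@dataclass(frozen=True)
class Risk:
    asset: str
    probability: int   # assumed scale: 1 = rare .. 5 = almost certain
    impact: int        # assumed scale: 1 = negligible .. 5 = severe
    response: str      # one of RESPONSES

    def score(self) -> int:
        """Probability x impact, as in Step 3."""
        return self.probability * self.impact


def validate(risk: Risk) -> Risk:
    """Reject register entries with out-of-range scores or an unknown response."""
    if not (1 <= risk.probability <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.asset}: probability and impact must be 1..5")
    if risk.response not in RESPONSES:
        raise ValueError(f"{risk.asset}: unknown response {risk.response!r}")
    return risk


def rank(register):
    """Highest score first; ties broken by impact so severe outcomes surface first."""
    return sorted(map(validate, register),
                  key=lambda r: (r.score(), r.impact), reverse=True)


def accepted_above_tolerance(register, tolerance):
    """Risks above tolerance that are only accepted: each needs a recorded justification."""
    return [r for r in register if r.score() > tolerance and r.response == "accept"]


def summary(register, tolerance):
    """(asset, score, response, above_tolerance) rows in priority order."""
    return [(r.asset, r.score(), r.response, r.score() > tolerance)
            for r in rank(register)]


# Register built from the two examples in the notes plus one constructed entry.
REGISTER = [
    Risk("database of public information (NIST, NY DFS definitions)",
         probability=5, impact=1, response="accept"),
    Risk("customer financial information",
         probability=2, impact=5, response="mitigate"),   # notes: cyber insurance
    Risk("remote-access gateway without MFA (constructed)",
         probability=4, impact=4, response="accept"),
]
TOLERANCE = 6   # assumed: scores above this need more than plain acceptance

if __name__ == "__main__":
    for row in summary(REGISTER, TOLERANCE):
        print(row)
    for r in accepted_above_tolerance(REGISTER, TOLERANCE):
        print("needs a documented decision:", r.asset, r.score())
```

Running the block prints the register in priority order and then lists the constructed gateway entry, because a score of 16 against a tolerance of 6 is too high to leave as a silent "accept".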
Step 4: Set Security Controls
Next, define and implement security controls. Security controls will help you to
manage potential risks so that the risks are eliminated or the chance of them
happening is significantly reduced.


Controls are essential for every potential risk. That said, they require the entire
organization to make an effort to implement them and to assure that those controls
are continuously carried out. Examples of controls include:
Network segregation
At-rest and in-transit encryption
Anti-malware, anti-ransomware, and anti-phishing software
Firewall configuration
Password protocols
Multi-factor authentication
Workforce training
Vendor risk management program
Step 5: Monitor and Review Effectiveness
Historically, organizations have relied on penetration testing and periodic
audits to establish and assure their IT security. But as malicious actors keep
changing their tactics, your organization needs to adjust its security policies and
maintain a risk management program that continuously monitors your IT
environment for new threats.
Your risk analysis needs to be flexible, too. For example, as part of the risk
mitigation process, you must consider your response mechanisms to maintain a
robust cybersecurity profile.


Likelihood and impact assessment


Formula to Determine Risk Likelihood and Impact
The standard described in NIST SP 800-53 implies that a realistic assessment of
risk requires an understanding of these areas:
Threats to an organization
Potential vulnerabilities within the organization
Likelihood and impacts of successfully exploiting the vulnerabilities with those
threats


For handling the most basic level of risk assessment, risk managers can follow
this simple formula:
Risk = (Threat x Vulnerabilities) x Impact
The first part of the formula (Threats x Vulnerabilities) identifies the likelihood
of a risk. For example, if there’s a known security flaw in older versions of
software you use, there’s the threat of hackers exploiting that particular
vulnerability to compromise your system. But if you’ve applied the latest
software patches that fix the problem, then the vulnerability cannot be exploited,
and the threat has been eliminated.
Impact measures how much disruption you’ll face if the threat actually occurs.
Combining likelihood and impact produces a residual risk rating of Low, Medium
or High. Each organization’s residual risk rating may differ based on the
likelihood and impact that each control deficiency introduces.
You could also represent this concept with a simple chart like this one:

For example, let’s consider the risk of a hacker getting access to a folder
containing all of your public-facing marketing materials. That event may have a
medium likelihood, but it has a very low impact. Those materials are already
publicly available on your website, etc., so unauthorized access to them does no
harm. That risk gets a Low rating.
But the formula changes if the risk is an employee in the Accounts Payable
department clicking a phishing link. There’s at least a medium likelihood of one
of those employees making this mistake. And the impact would be very high if a
hacker got access to a user account that controls financial transactions. That risk
gets a High rating.


Keep in mind that a very High impact rating could make a risk a top priority, even
if it has a low likelihood. If a breach could shut down a hospital’s life-support
equipment, for example, that risk obviously deserves serious consideration on
your priority list.
Drilling Down on Specific Residual Risk
Now that you know the formulas for determining likelihood and impact during a
risk assessment, it’s time to focus on specific risks.
1. Inherent risk – This is the risk level and exposure your system faces without
taking into account any mitigating measures or controls that are actively in place.
Where is your system at its weakest when no other security measures are in place
to protect it? Which risks deserve the highest rating based on their likelihood
and potential impact?
2. Residual risk – An area with a higher likelihood and impact of a threat on the
organization, from an inherent risk level, may need additional controls to reduce
the level of risk to an acceptable level. After you apply those controls, you are
left with what we call “residual risk.” If the residual risk level after mitigating
controls is still higher than you prefer, then additional risk management measures
and techniques should be introduced.
Mitigating measures you may apply include:
Avoidance – Elimination of the cause of the risk. You could, for example, prevent
employees from accessing certain parts of your system on mobile devices.
Mitigation – Reduction of the probability of a risk’s occurrence or of its impact.
Adding multifactor authentication, for example, greatly reduces the probability
of a hacker getting into a user’s account.
Transfer – Sharing of risk with partners, such as through insurance or other
ventures.
Acceptance – Formal acknowledgement of the presence of risk with a
commitment to monitor it.
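The formula Risk = (Threat x Vulnerabilities) x Impact from the section above, together with the inherent-versus-residual distinction just described, carried through as an added example (not code from these notes). Likelihood is threat times vulnerability; a score maps to Low, Medium or High; a very high impact makes a risk High even when its likelihood is low (the hospital life-support case); and each control is modelled as a multiplier that reduces vulnerability (a patch reduces it to zero) or impact, so the residual score can be compared against what the organisation accepts. The numeric scales, thresholds and multiplier values are assumptions for this example; the scenarios are the ones discussed in the notes, with their scores constructed for illustration.

```python
"""Added example: Risk = (Threat x Vulnerabilities) x Impact, inherent vs residual.

Assumed scales (not from the notes):
  threat        1..3   how active the threat is against this asset
  vulnerability 1..3   how exposed the asset is (0 once a flaw is patched)
  impact        1..4   1 = very low, 4 = very high (e.g. life safety, payments)
"""
from dataclasses import dataclass, field

MEDIUM_FROM = 6          # assumed score thresholds for the Low/Medium/High rating
HIGH_FROM = 12
VERY_HIGH_IMPACT = 4     # impact at which a risk is High regardless of likelihood


@dataclass(frozen=True)
class Control:
    """A mitigating control, modelled as multipliers on vulnerability and impact."""
    name: str
    vulnerability_factor: float = 1.0   # 0.0 means the flaw is closed (e.g. patched)
    impact_factor: float = 1.0          # below 1.0 limits the damage if the event occurs


@dataclass
class Scenario:
    name: str
    threat: int
    vulnerability: int
    impact: int
    controls: list = field(default_factory=list)


def likelihood(threat, vulnerability):
    """(Threat x Vulnerabilities): the likelihood part of the formula."""
    return threat * vulnerability


def risk_score(threat, vulnerability, impact):
    """Risk = (Threat x Vulnerabilities) x Impact."""
    return likelihood(threat, vulnerability) * impact


def rating(score, impact):
    """Map a score to Low/Medium/High; very high impact is High even at low likelihood."""
    if score <= 0:
        return "Low"              # vulnerability closed: nothing left to exploit
    if impact >= VERY_HIGH_IMPACT or score >= HIGH_FROM:
        return "High"
    if score >= MEDIUM_FROM:
        return "Medium"
    return "Low"


def assess(s: Scenario):
    """Inherent risk (no controls counted) and residual risk (after the listed controls)."""
    inherent = risk_score(s.threat, s.vulnerability, s.impact)
    vuln, impact = float(s.vulnerability), float(s.impact)
    for c in s.controls:
        vuln *= c.vulnerability_factor
        impact *= c.impact_factor
    residual = risk_score(s.threat, vuln, impact)
    return {
        "inherent_score": inherent,
        "inherent_rating": rating(inherent, s.impact),
        "residual_score": residual,
        "residual_rating": rating(residual, impact),
    }


def needs_more_treatment(s: Scenario, acceptable="Low"):
    """True if the residual rating is still above the level the organisation accepts."""
    order = ["Low", "Medium", "High"]
    return order.index(assess(s)["residual_rating"]) > order.index(acceptable)


# Scenarios from the notes; the numbers are constructed for illustration.
MARKETING_FOLDER = Scenario("public marketing folder", threat=2, vulnerability=2, impact=1)
AP_PHISHING = Scenario(
    "Accounts Payable user clicks a phishing link", threat=3, vulnerability=2, impact=4,
    controls=[Control("multi-factor authentication", vulnerability_factor=0.5),
              Control("dual approval on payments", impact_factor=0.5)])
OLD_SOFTWARE = Scenario("known flaw in an older software version",
                        threat=3, vulnerability=3, impact=3,
                        controls=[Control("vendor patch applied", vulnerability_factor=0.0)])
LIFE_SUPPORT = Scenario("hospital life-support equipment", threat=1, vulnerability=1, impact=4)

if __name__ == "__main__":
    for s in (MARKETING_FOLDER, AP_PHISHING, OLD_SOFTWARE, LIFE_SUPPORT):
        print(s.name, assess(s), "more treatment needed:", needs_more_treatment(s))
```

The output shows the four cases from the notes side by side: the marketing folder stays Low, the phishing scenario drops from High (24) to Medium (6.0) after MFA and dual approval and so still needs a decision, the patched software goes to zero, and the life-support case is High on impact alone even though its likelihood score is only 1.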
SECURITY MANAGEMENT:

The NIST Cyber Security Framework.

The NIST Cybersecurity Framework is a set of voluntary security standards that
private sector companies can use to find, identify, and respond to cyberattacks.
The framework also features guidelines to help organizations prevent and
recover from cyberattacks. There are five functions, or best practices, in the
framework:


• Identify
• Protect
• Detect
• Respond
• Recover

• Identify

To manage the security risks to its assets, data, capabilities, and systems, a
company must fully understand these environments and identify potential weak
spots.

• Protect

Companies must create and deploy appropriate safeguards to lessen or limit the
effects of potential cyber security breaches and events.

• Detect

Organizations should put in motion the necessary procedures to identify cyber
security incidents as soon as possible.

• Respond

Companies must be capable of developing appropriate response plans to contain
the impacts of any cyber security events.

• Recover

Companies must create and implement effective procedures that restore any
capabilities and services damaged by cyber security events.
