Cyber Security

CIR RAR-BIA Risk Treatment for The Human Element

Written by Moh Heng Goh | Nov 9, 2022 3:43:13 PM

Risk Treatment

The risk treatment summarized by Verizon (2017) surveys for the following cybersecurity risk is as appended below:

  • The Human Element
  • Conduit Devices
  • Configuration Exploitation
  • Malicious Software
Threats Resulting from The Human Element

Risk Treatment Strategy for The Human Element


S/No

Threat Scenario

Risk Treatment

Description of Risk Treatment/Control

Accept (A)

Mitigate/ Reduce (MR)

1

Social Engineering

-

  • Incident Response and Management

-

  • Create an inventory of authorized and unauthorized software.
  • Program secure configurations for hardware and software.
  • Set up defences against malware.
  • Install boundary defences.
  • Manage access control based on access requirements.
  • Train and create awareness among employees.

2

Financial Pretexting

-

  • Incident Response and Management

-

  • Maintain, monitor and analyse audit logs.
  • Install protections for email and web browsers.
  • Manage access control based on access requirements.
  • Train and create awareness among employees.

3

Digital Extortion

-

  • Set up defences against malware.
  • Develop measures to ensure the organisation is capable of recovering its data.

4

Insider Threat

-

  • Control usage of administrative privileges.
  • Maintain, monitor and analyse audit logs.
  • Install controls to protect data.
  • Monitor and control account usage.

5

Partner Misuse

-

  • Incident Response and Management

-

  • Maintain, monitor and analyse logs.
  • Install boundary defences.
  • Install controls to protect data.
  • Monitor and control account usage.

6

Hacktivist Attack

-

  • Conduct vulnerability assessment continuously.
  • Remediate identified vulnerabilities.
  • Control usage of administrative privileges.
  • Install protections for email and web browsers.
  • Monitor and control account usage.
  • Manage security levels of application software.

7

Disgruntled Employee

-

  • Create an inventory of authorised and unauthorised devices.
  • Maintain, monitor and analyse logs.
  • Develop measures to ensure the organisation is capable of recovering its data.
  • Install controls to protect data.
  • Monitor and control account usage.

Risk Treatment Strategies for “The Human Element” Threats

CIR Risk Treatment Strategies

Risk Treatment Strategy

The Human Element 

Conduit Devices Config-uration Exploitation

Malicious Software

Back To: Overview of RAR and BIA

 

 

Do You Want to Continue BCM Training onsite or online?

Competency-based Course
Certification Course

Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 6Risk Analysis and Review and Business Impact Analysis 6.9 Risk Treatment

Note: This version was the draft 2nd Edition being updated by 2023. The numeric in the square bracket [X.X] cross-refers to the actual chapter and section in the 1st Edition.