A new model for cyber risk management

What:  “Managing Cybersecurity Risk in Government: An Implementation Model,” a report from the IBM Center for The Business of Government

Why: While federal agencies are required to comply with the National Institute of Standards  and Technology’s Risk Management Framework and Cybersecurity Framework, they still must develop their approaches to managing cybersecurity risk. A single model for risk assessment, mitigation and monitoring allows agencies to tailor approaches for particular cyber challenges and creates an opportunity to harmonize approaches across agencies.

Findings: To improve agencies' cyber risk management, this report proposes a five-step decision matrix called PRISM, for Prioritize, Resource, Implement, Standardize and Monitor. The cybersecurity evaluation model will help cyber decision-makers create tailored approaches to risk management and better communicate the impact of investments in security resources on reducing targeted cyber risks.

Implementing PRISM  is a multi-step process:

1. Assess the likelihood of an attack and the impact of damage across the enterprise and prioritize major risk areas and attack vectors.
2. Annually review individual cyber factors to determine the agency’s current stage of preparedness and responsiveness to risk 
3. Examine and rate the resource allocations to reducing cybersecurity risk.
4. For each risk area, assign a risk score and a preparedness level.
5. Recommend improvements for each component of the PRISM model, standardize solutions and monitor for compliance.

The report also includes scorecards to help agencies prioritize and identify the precise risk vectors, leverage existing standards to resource  and implement a risk-mitigation strategy.

Verbatim: “Our proposed cybersecurity evaluation PRISM model will help agencies/organizations identify and  implement the most tailored risk management and cyber security approach applicable to their problems.  Our proposed model can also be used by agencies to set priorities, to explore gaps in current processes and to steer an organization I the right direction to resolve risk management and cyber risks  specific to an organizational strategy and its functions.”

Read the full report here.