Security Risk Management

Risk 101: Using Data to Better Understand Information Security Risk

Oren Falkowitz | January 15, 2014

The answer to the question of how organizations can evaluate information security risk depends on how we first think about risk in cyberspace. Good security risk management is a combination of data, processes, technology, and education. With new opportunities to observe and act on data in real-time, it has become possible to contextualize many different signals into information that supports decision-making for risk mitigation.    

Risk 101 is a new series of blog posts that explores risk vectors in cyberspace. The series emphasizes cybersecurity risks that can be objectively observed with data. Through the series we will provide in-depth exploration of signals that can be identified, and address methods for remediation.

Information Security Risk Categories

These risks will be organized into three categories:

  • Misconfiguration & Mismanagement: Signals related to the implementation of specific technologies
  • Observation of Cyber Attack: Signals that reveal targeting of, motivation to, or successes in conducting a cyber attack
  • User Behavior: Signals that reveal high-risk activity

While companies continue to primarily search for threats within their networks, and share information post-attack (such as MD5 hashes of malware, IP addresses involved in attacks, malware signatures etc.), many organizations are ignoring or unaware of the risks present in the “virtual supply chain”. With this series, we hope to empower organizations to reduce risk holistically, which includes security risk from vendors, suppliers and other third parties with whom information is shared.

Our first post in the Risk 101 series will focus on the Sender Policy Framework (SPF), an e-mail validation technique used to prevent malicious e-mail. To receive automatic alerts when new content is published, subscribe to our email updates or follow BitSight on Twitter.
