Lesson 7: Category B — Professional Cyber-Risk Management
Large organizations (Category B) don't settle for a checklist — they enter a structured, professional risk-management process. In this lesson we learn Stage Zero (corporate governance), how to measure Impact via the CIA model on a 1–4 scale, how to assess Likelihood, how a risk level is derived from
Measure Impact (via CIA, on a 1–4 scale) and Likelihood (4 inputs), combine them on a matrix to get a risk level, then choose how to treat it: mitigate, accept, transfer, or avoid.
- Corporate Governance: the set of rules, procedures, and structures that define how an organization is managed and overseen; in cyber, it sets responsibility, roles, and decision authority from the top down.
- Risk Appetite: the level of risk an organization is consciously willing to accept in pursuit of its business objectives.
- Impact Grade: the severity of damage to each CIA dimension on a 1–4 scale: 1 negligible, 2 limited, 3 severe, 4 catastrophic.
- Likelihood: an estimate of the chance that an event occurs, based on four inputs: threat intelligence, incident history, attacker motives, and organizational vulnerability.
- Risk Matrix: a table that combines Impact and Likelihood into a risk level; the cell values are predefined by policy and are not necessarily a simple arithmetic product of the two grades.
- Risk Treatment: the managerial decision on how to handle a risk: mitigate, accept, transfer (for example, insurance), or avoid.
- Controls Bank: a comprehensive catalog of defenses, aligned with standards such as NIST, used to treat and reduce risks that have already been identified and priced.
- Implementation Depth: the idea that a control is not binary (present/absent) but is implemented in levels, from a basic manual process up to full automation.
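The following is an added worked example, not material from the lesson itself, showing how the pieces above fit together in code: an Impact grade taken from the three CIA dimensions, a Likelihood grade built from the four inputs, a lookup in a predefined risk matrix (not a product), a treatment decision against a risk appetite, and a control from the controls bank whose implementation depth determines how much residual risk remains. The 1–4 scales, the four likelihood inputs and the four treatments follow the lesson; the matrix cell values, the "worst CIA dimension" and "rounded average" scoring rules, the depth scale and the one-grade-per-depth-level reduction are constructed assumptions for illustration only, as are the scenario values.

```python
"""Added example (not from the lesson): CIA impact x likelihood -> risk matrix
-> treatment against a risk appetite, with a control whose implementation
depth lowers residual risk. Matrix cells, scoring rules and depth effects
are assumptions constructed for this illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple

# Risk levels in ascending order; the index is used to compare against appetite.
LEVELS = ("Low", "Medium", "High", "Critical")


class Grade(IntEnum):
    NEGLIGIBLE = 1
    LIMITED = 2
    SEVERE = 3
    CATASTROPHIC = 4


@dataclass(frozen=True)
class Impact:
    confidentiality: Grade
    integrity: Grade
    availability: Grade

    def grade(self) -> Grade:
        # Assumption: the overall impact grade is the worst of the three CIA dimensions.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Likelihood:
    threat_intel: int       # 1-4: how current intelligence rates the threat
    incident_history: int   # 1-4: how often it has already occurred
    attacker_motive: int    # 1-4: how attractive a target the organization is
    vulnerability: int      # 1-4: organizational exposure to the threat

    def grade(self) -> Grade:
        # Assumption: average of the four inputs, rounded half up, clamped to 1-4.
        total = self.threat_intel + self.incident_history + self.attacker_motive + self.vulnerability
        return Grade(max(1, min(4, (total + 2) // 4)))


# Assumed matrix, RISK_MATRIX[likelihood][impact]. Cells are set by policy, not
# computed, so cells with the same arithmetic product can carry different levels.
RISK_MATRIX = {
    Grade.NEGLIGIBLE:   {1: "Low",    2: "Low",    3: "Medium",   4: "High"},
    Grade.LIMITED:      {1: "Low",    2: "Medium", 3: "High",     4: "High"},
    Grade.SEVERE:       {1: "Medium", 2: "High",   3: "High",     4: "Critical"},
    Grade.CATASTROPHIC: {1: "Medium", 2: "High",   3: "Critical", 4: "Critical"},
}


def risk_level(impact: Grade, likelihood: Grade) -> str:
    return RISK_MATRIX[likelihood][impact]


@dataclass(frozen=True)
class Control:
    """One entry from the controls bank. Assumed depth scale:
    0 absent, 1 manual process, 2 partly automated, 3 fully automated."""
    name: str
    depth: int
    reduces: str  # "likelihood" or "impact"


def residual(impact: Grade, likelihood: Grade, control: Control) -> Tuple[Grade, Grade]:
    # Assumption: each depth level lowers the targeted grade by one, never below 1.
    drop = max(0, min(3, control.depth))
    if control.reduces == "likelihood":
        return impact, Grade(max(1, likelihood - drop))
    return Grade(max(1, impact - drop)), likelihood


def treatment(level: str, appetite: str, control: Optional[Control] = None) -> str:
    """Decision rule (assumed): within appetite -> accept; otherwise mitigate when
    an implemented control exists, else the choice is transfer or avoid."""
    if LEVELS.index(level) <= LEVELS.index(appetite):
        return "accept"
    if control is not None and control.depth > 0:
        return "mitigate"
    return "transfer-or-avoid"


def assess(impact: Impact, likelihood: Likelihood, appetite: str,
           control: Optional[Control] = None) -> dict:
    """Run the full chain and report inherent level, decision and residual level."""
    imp, lik = impact.grade(), likelihood.grade()
    inherent = risk_level(imp, lik)
    decision = treatment(inherent, appetite, control)
    if decision == "mitigate":
        r_imp, r_lik = residual(imp, lik, control)
        residual_level = risk_level(r_imp, r_lik)
    else:
        residual_level = inherent
    return {"impact": int(imp), "likelihood": int(lik), "inherent": inherent,
            "treatment": decision, "residual": residual_level,
            "within_appetite": LEVELS.index(residual_level) <= LEVELS.index(appetite)}


if __name__ == "__main__":
    # Constructed scenario: a customer database whose confidentiality loss is catastrophic.
    imp = Impact(Grade.CATASTROPHIC, Grade.LIMITED, Grade.LIMITED)
    lik = Likelihood(threat_intel=3, incident_history=2, attacker_motive=3, vulnerability=2)
    for ctl in (None,
                Control("MFA on admin access", depth=1, reduces="likelihood"),
                Control("MFA on admin access", depth=3, reduces="likelihood")):
        print(assess(imp, lik, appetite="Medium", control=ctl))
```

Two things the run makes visible that the definitions alone do not: the cells for (impact 4, likelihood 1) and (impact 1, likelihood 4) have the same product but land on different levels, because the matrix encodes policy rather than arithmetic; and deepening the same control from manual to fully automated pulls the residual level down but, with a catastrophic impact grade, still does not bring it inside a "Medium" appetite, which is exactly the point where management must choose between mitigating further, transferring, or avoiding.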