SY110: Risk Management and Assessments


Risk Management and Assessments

As an officer, a leader, and a manager, one of your jobs will be to assess and manage risk; fortunately, you have been managing risk your entire life and continue to do so each day. All we are doing here is honing your risk management skills with a more formalized process and applying that process to the cyber domain.

Learning Outcomes

After completing this discussion and the activities you should be able to:



Introduction to Risk Management

Every small and big decision made throughout the day is likely a risk decision. Should you hit the snooze button to get five more minutes of sleep and risk the cascading effects of things that can go wrong leading up to being late to morning formation? Do you buy a ticket now to go home on leave during the break before your leave has been approved? Do you go for another round of Minecraft when it's Monday morning at 0230? Do you splurge on GTA6 even though you have to borrow the money from someone else?

Whether it's financial, health, academic, or cyberspace, how much thought and consideration goes into understanding the risks involved? Consider this: how would you be impacted if access to your mobile devices were permanently lost? Did you first have to think about what would actually be lost? Before something of value can be considered in a risk assessment, that something of value has to be identified, right? Perhaps memorable keepsakes like plebe summer... ok, maybe not plebe summer, but how about the photos with your friends back home before leaving for plebe summer, the photos with your family after plebe summer, and all of the things you've accomplished since then? If photos aren't your thing, then passwords. How much work would it take to figure out all of the accounts, notes, logins, sites, passwords, emails, authenticator codes, or other items used to access your accounts?

The Operational Risk Management (ORM) model is the one commonly used in the military, but other standards exist. The Factor Analysis of Information Risk (FAIR) model, for example, was developed specifically for quantifying information risk, since the cyberspace domain has its own approaches to how risk is managed and assessed. This class introduces risk management terminology and the risk management process, and provides insight into cybersecurity risk assessments.

Risk Management Terminology

Risk. A measure of the extent to which an entity is threatened by a potential circumstance or event.

Impact. An adverse effect that results from an event occurring.

Vulnerability.
 A weakness in a system that can be exploited by a threat, adversely affecting the system and resulting in an adverse impact. [general context]
 A weakness in an information system that can be exploited to compromise one of the pillars of cybersecurity (confidentiality, integrity, or availability). [cyber domain context]

Threat. An actor or event (natural or technical) with the potential to adversely impact an information system.

Capability. The knowledge and skill set required by a threat to carry out an event.

Opportunity. The resources and positioning required by a threat to carry out an action.

Intent. The motivation of a threat to carry out an action.


The Risk Management Considerations

Risk Management Tradeoff.

There is a fundamental tension between the services an information system provides (functionality) and its security. A building with no doors or windows is quite secure, but of very limited utility. Similarly, an information system with no way for data to flow in or out is very secure, but it cannot provide a service. The more services you provide or allow, the more ways in and out of your system need securing. Thus, for each service, one needs to weigh the value of the service against the security implications of providing or allowing it. We weigh the risk against the functionality (benefits) and the cost to decide how to proceed.

Often there is no single right answer as to whether a service should be provided or allowed; the answer is highly situational. The amount of risk that is acceptable for your grandmother's computer is likely different from that for the computer used by the Chief of Naval Operations (CNO).

What process do we need to go through to assess risk? What are the factors we need to consider? You already have an intuition of what many of the important factors are. What are the benefits of providing or using the service? What are the impacts if the service is compromised? What vulnerabilities are there in providing or using the service? What threats are working to compromise the service? What are the risks inherent in providing/allowing that service? This requires a better understanding of the factors that comprise risk, and leads to developing a repeatable process to assess risk.

Risk Factors

Risk Factors.

In the cyberspace domain, just as in all domains, various factors go into assessing risk. Risk evaluation can be viewed as a function with inputs, a process, and outputs. In general, risk is viewed as a function of the likelihood of an event occurring and the impact of that event: risk = f(likelihood, impact).

Intuitively, if we increase the likelihood of a negative event occurring, the risk severity increases, and vice versa. This is also the case with impact, if the impact of a negative event occurring increases, the risk severity increases.
      

Likelihood of Occurrence

Likelihood of occurrence can be decomposed into two main components: threat and vulnerability. Threat is any circumstance or event that has the potential to adversely impact our system. Threat can be adversarial (purposely caused by a person) or non-adversarial (caused by an accident or natural event such as a hurricane). Vulnerability represents a weakness in an information system that can be exploited, often by an adversarial threat actor.

Common Vulnerabilities and Exposures

The MITRE Corporation, a not-for-profit that operates federally funded research and development centers, maintains the list of Common Vulnerabilities and Exposures (CVE), which was started in 1999. Each entry carries an identifier of the form CVE-<year>-<number> and describes one publicly known vulnerability in a specific product.
CVE entries are a primary input to the vulnerability side of a cyber domain risk assessment.

Not all vulnerabilities are equal; there are factors we can use to assess a vulnerability. The risk assessment team will ask and answer questions such as (OWASP):

      

Like vulnerabilities, threats are assessed using various factors. The risk assessment team will ask and answer questions such as (OWASP):

      

Risk Impact

Common Vulnerability Scoring System

The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), which enriches each CVE entry with a severity score computed under the Common Vulnerability Scoring System (CVSS), an open standard maintained by FIRST. A CVSS base score (0.0 to 10.0) summarizes how easily a vulnerability can be exploited and how badly confidentiality, integrity, and availability are affected, which makes it a ready input to cyber domain risk assessment.
Example: CVSS – ShellShock

Impact assessments focus on the resulting damage if a vulnerability is exploited. A single vulnerability may have multiple impacts within the cyber domain, both technological and non-technological. We can apply concepts from conventional operations such as: deceive, deny, disrupt, degrade, and destroy.

Technical impacts are associated with the tenets (pillars) of cybersecurity. For example, the compromise of a web-based service's password file is a loss of confidentiality. If the attacker uses the stolen credentials, the attacker can gain access to the private information those credentials protected (violating confidentiality), modify information without authorization (violating integrity), and change the passwords to deny the service to the legitimate users (violating availability).

Non-technical impacts are associated with the operations and relationships of an organization:

The "to what extent" part of assessing impact is not always simple to quantify or qualify.

Risk Statements

As future leaders operating in a highly connected and digital world, it's important to be able to assess and clearly communicate risk. Whether you're managing a team, securing a system, or making operational decisions, you'll often need to explain what could go wrong, why, and what the consequences might be. A risk statement is a structured way to communicate a potential problem clearly and concisely. It helps others understand the nature of a risk so informed decisions can be made quickly and effectively.

A typical risk statement follows this structure:

If [cause], then [risk event], which may result in [impact/consequence].

For example, using the web-service compromise described above: If the web service stores its password file where the web server process can read it, then an attacker who compromises the service can steal every user's credentials, which may result in a loss of confidentiality of the users' private data and a denial of service to legitimate users once the attacker changes their passwords.

Operational Risk Management

Operational Risk Management (ORM) is a formalized continual cyclic process used across the Fleet and Corps at all levels to assess and manage risk for strategic operations down to the most routine tasks.
In this course, we are focusing on assessing cyber domain risks and mitigating those risks with the discussed security tools. The foundation we cover in this course fits into the ORM processes you will use in the Fleet and Corps.

The Risk Management Process

Risk Management Process.

A common first question when presented with a formalized process is: why is this process necessary? Following a formalized method allows a given process to be repeated; that repeatability lets us assess process changes and determine whether improvement efforts actually achieved the desired results. In other words, formalized processes allow us to compare and contrast.

There are a number of different methods for assessing risk, most of the methods include a feedback (process improvement) step at the end, making a risk assessment a continual cyclic process. The following are general steps to assessing and managing risk:

  1. Identify Risks

     Risk assessment begins with identifying the risks associated with a task or system. We will use crossing a road as the running example. Here are some of the risks associated with crossing a road:

     Risk
     - Trip and fall
     - Hit by bike
     - Hit by car
     - Fined for jaywalking

     We can look at risk from the viewpoint of the pedestrian or of the driver. In the cyber domain, we look at risk from the offensive or the defensive viewpoint. In fact, being proficient at assessing and managing risk in the cyber domain requires looking at it from both an offensive and a defensive perspective; a yin and yang.

  2. Analyze the Risk

     Risks are assessed to determine severity based on the event's likelihood and impact. Risks can be assessed using a quantitative scale (a numeric value) or a qualitative scale (a category such as Low or High). The tables below are extracted from NIST SP 800-30 and provide general guidance on how to define likelihood and impact both qualitatively and quantitatively.

     NIST SP 800-30 Likelihood Assessment Scale
     NIST SP 800-30 Impact Assessment Scale

     Going back to the road-crossing example, we can now assign a qualitative value (with its SP 800-30 semi-quantitative equivalent in parentheses) to each of the risks identified in the first step.

     Risk                 | Likelihood of Occurrence | Impact
     Trip and fall        | Low (2)                  | Very Low (0)
     Hit by bike          | Moderate (5)             | Moderate (5)
     Hit by car           | High (8)                 | High (8)
     Fined for jaywalking | Low (2)                  | Very Low (0)

  3. Prioritize the Risk

     Organizations do not have infinite resources and therefore cannot eliminate, or even address, every possible risk. Risks must be prioritized by severity so that an appropriate strategy can be developed within resource constraints. Generally this consists of ordering the identified risks from most severe to least severe using the quantitative values assigned to the qualitative levels above.

     Priority | Risk                 | Likelihood of Occurrence | Impact
     1        | Hit by car           | High (8)                 | High (8)
     2        | Hit by bike          | Moderate (5)             | Moderate (5)
     3        | Fined for jaywalking | Low (2)                  | Very Low (0)
     4        | Trip and fall        | Low (2)                  | Very Low (0)

  4. Address the Risk

     Once a risk has been identified, assigned a severity, and prioritized, we can determine how it will be addressed. There are four strategies for addressing risk:

     • Avoid - Avoid the activity that would incur the risk
     • Control - Apply measures to reduce (mitigate) the risk
     • Accept - Accept the risk as it stands and continue the activity
     • Transfer - Transfer the risk to someone else (for example, through insurance or a contract)

     Note that ignoring risk is not a legitimate strategy. The table below shows the road-crossing example with risk strategies applied.

     Priority | Risk                 | Likelihood of Occurrence | Impact   | Strategy
     1        | Hit by car           | High                     | High     | Control - Look both ways before crossing
     2        | Hit by bike          | Moderate                 | Moderate | Control - Look both ways before crossing
     3        | Fined for jaywalking | Low                      | Very Low | Avoid - Only cross at designated crosswalks
     4        | Trip and fall        | Low                      | Very Low | Accept

     It is impossible to nullify risk; there is risk in any action. Any risk that remains after a strategy has been applied is known as residual risk. For example, we choose to control our risk of being hit by a car by looking both ways before crossing. While this greatly reduces the risk, it does not eliminate it: there is residual risk that a car may suddenly accelerate or take some other unexpected action.

     How the NSA Mitigates Risk
     The National Security Agency has published its recommendations for the top ten ways to mitigate (control) risk in cybersecurity.

  5. Monitor the Risk

     Risk management is a process. After strategies have been applied to each risk, they need to be continually monitored to determine their effectiveness. Questions to ask include:

     • Are you using resources effectively?
     • Is the risk management strategy working as expected?
     • Have any new risks been identified?
     • Have any risks changed?
     • Have any new threats or vulnerabilities been identified?
     • Are new controls available?

     If you can answer yes to any of those questions, the risk management process should be repeated and the results updated. Regardless, the risk management process should be executed on a periodic basis.
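The five steps above, as an added example written for this page (not code from the SY110 course materials or from NIST). It runs the road-crossing register through one cycle, then re-runs it after a change in likelihood to show what the monitoring step catches. The 0-10 values attached to the qualitative levels are the semi-quantitative values NIST SP 800-30 pairs with its scales, the same ones used in the tables above. Everything else is an assumption made for the example: severity is scored as likelihood x impact, a Control lowers likelihood by a stated number of levels, Avoid drives likelihood to Very Low, Transfer lowers impact, and `tolerance` is the residual severity the decision maker is willing to carry.

```python
"""Risk register for the five-step process (added example; scoring rules are assumptions)."""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """NIST SP 800-30 qualitative levels with their 0-10 semi-quantitative values."""
    VERY_LOW = 0
    LOW = 2
    MODERATE = 5
    HIGH = 8
    VERY_HIGH = 10


ORDER = list(Level)  # ascending; ORDER.index(level) is the level's rank


def lower(level: Level, steps: int) -> Level:
    """Drop `steps` levels, never below Very Low."""
    return ORDER[max(0, ORDER.index(level) - steps)]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Level
    impact: Level

    @property
    def severity(self) -> int:
        # Assumption for this example: severity = likelihood x impact, range 0..100.
        return self.likelihood.value * self.impact.value


@dataclass(frozen=True)
class Treatment:
    strategy: str   # one of Avoid | Control | Accept | Transfer
    action: str
    steps: int = 0  # levels removed from likelihood (Control) or impact (Transfer)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Step 3: most severe first; alphabetical tie-break keeps the order repeatable."""
    return sorted(risks, key=lambda r: (-r.severity, r.name))


def address(risk: Risk, treatments: list[Treatment]) -> Risk:
    """Step 4: apply each treatment in turn; what is left is the residual risk."""
    for t in treatments:
        if t.strategy == "Accept":
            continue  # carry the risk unchanged
        elif t.strategy == "Avoid":
            risk = Risk(risk.name, Level.VERY_LOW, risk.impact)
        elif t.strategy == "Control":
            risk = Risk(risk.name, lower(risk.likelihood, t.steps), risk.impact)
        elif t.strategy == "Transfer":
            risk = Risk(risk.name, risk.likelihood, lower(risk.impact, t.steps))
        else:  # "Ignore" and friends are not strategies
            raise ValueError(f"{t.strategy!r} is not one of the four strategies")
    return risk


def monitor(residuals: list[Risk], tolerance: int) -> list[str]:
    """Step 5: names of residual risks still above what we are willing to carry."""
    return [r.name for r in prioritize(residuals) if r.severity > tolerance]


def run_cycle(register: list[Risk], plan: dict, tolerance: int = 20):
    """Steps 2-5 for one pass: returns (prioritized, residuals, still_above_tolerance)."""
    ranked = prioritize(register)
    unplanned = [r.name for r in ranked if r.name not in plan]
    if unplanned:
        raise ValueError(f"every identified risk needs a strategy: {unplanned}")
    residuals = [address(r, plan[r.name]) for r in ranked]
    return ranked, residuals, monitor(residuals, tolerance)


# Step 1 (identify): the page's road-crossing register, constructed here.
ROAD_CROSSING = [
    Risk("Trip and fall", Level.LOW, Level.VERY_LOW),
    Risk("Hit by bike", Level.MODERATE, Level.MODERATE),
    Risk("Hit by car", Level.HIGH, Level.HIGH),
    Risk("Fined for jaywalking", Level.LOW, Level.VERY_LOW),
]
LOOK = Treatment("Control", "Look both ways before crossing", steps=1)
PLAN = {
    "Hit by car": [LOOK, Treatment("Control", "Cross only at a signalized crosswalk", steps=1)],
    "Hit by bike": [LOOK],
    "Fined for jaywalking": [Treatment("Avoid", "Only cross at designated crosswalks")],
    "Trip and fall": [Treatment("Accept", "")],
}


def with_change(register: list[Risk], name: str, likelihood: Level) -> list[Risk]:
    """Monitoring input: the same register after one risk's likelihood changed."""
    return [Risk(r.name, likelihood, r.impact) if r.name == name else r for r in register]


if __name__ == "__main__":
    ranked, residuals, flagged = run_cycle(ROAD_CROSSING, PLAN)
    for before, after in zip(ranked, residuals):
        print(f"{before.name:22} inherent {before.severity:3}  residual {after.severity:3}")
    print("still above tolerance:", flagged or "none")
    # A new bike lane raises the bike likelihood (constructed scenario); rerun the cycle.
    changed = with_change(ROAD_CROSSING, "Hit by bike", Level.HIGH)
    print("after change:", run_cycle(changed, PLAN)[2])
```

Two design choices carry the page's points: Accept leaves the risk exactly as it was (residual equals inherent), and anything that is not one of the four strategies raises, which is the code's way of saying that ignoring a risk is not a strategy. Note that the first pass leaves nothing above tolerance, while the monitoring re-run flags "Hit by bike" as soon as its likelihood rises, which is the cue to go back to step 1.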

Risk Assessments

Rainbow Series Books. Computer security guidelines, similar to the NIST SP, published in the 1980s and 1990s by the National Computer Security Center (NCSC).

Implementing a risk management program is the first step to understanding a situation, but the result is highly subjective: it depends on the assessor's experience, training, and abilities, and on the human biases that can influence the process. This is one reason the catalogs of controls continue to change and adapt to the environment. The earliest computer security requirements to be implemented by the U.S. Government were published in the early 1980s in a series of differently colored books referred to as the Rainbow Series.

Today, the National Institute of Standards and Technology (NIST) maintains Special Publications (SP) in its Computer Security Resource Center (CSRC); these contain the industry's latest cybersecurity guides and control catalogs for a wide range of technologies and are available to both public and private entities. The DoD follows NIST standards and also the stricter Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). Every approved software configuration, from the application-layer encryption and the transport-layer port number down to how the software is installed and configured on a system, is expressed as controls that are evaluated against a requirement and a risk evaluation.

Commercial Risk Assessments

Cybersecurity Frameworks. Logos for other commercial cybersecurity organizations and frameworks.

There are several viable cybersecurity frameworks and control catalogs outside the Department of Commerce (DOC) NIST standards, among them ISO/IEC 27001, the Center for Internet Security (CIS) Controls, and Control Objectives for Information and Related Technologies (COBIT). Private industry also has many areas in which cybersecurity compliance is regulated. Major sectors like healthcare and finance have many layers of internal and external auditors that regularly conduct cybersecurity risk assessments under programs such as the Payment Card Industry (PCI) Data Security Standard (DSS), the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC), the Gramm–Leach–Bliley Act (GLBA), the Sarbanes-Oxley (SOX) Act, Federal Financial Institutions Examination Council (FFIEC) guidance, the Health Insurance Portability and Accountability Act (HIPAA), and others.

Navy Risk Assessments

Cyber Security Inspection and Certification Program (CSICP)

U.S. Fleet Cyber Command's Office of Compliance and Assessment (OCA) serves as the Navy's executive agent for the Joint Force Headquarters-DoD Information Networks (JFHQ-DoDIN) CSICP. As the executive agent, OCA conducts Cyber Security Inspections (CSIs) and Cyber Operational Readiness Assessments (CORAs) of Naval commands around the world. These inspections provide actionable recommendations for improving Navy networks and their cyber readiness.

Navy/Marine Corps Inspector General (IG)

The Naval Inspector General inspects or directs the inspection of security, technology protection, and counterintelligence activities at Navy and Marine Corps Research, Development, Test, and Evaluation (RDT&E) facilities.

The Inspector General of the Marine Corps (IGMC) facilitates Marine Corps efficiency, integrity, and institutional readiness through objective and independent assistance, assessments, inspections, and investigations to enhance the Marine Corps' mission success and the welfare of its Marines, Sailors, and their families. Functional Area Checklists (FACs) define the assessments that Action Officers (AOs) supporting the Inspections Division use to evaluate commands in the Cyber Security Management functional area.

Navy Blue Team (NBT)

NBT conducts nearly 100 CSICP inspections each year. As part of Computer Network Defense (CND), NBTs validate network security configurations by evaluating STIG compliance and scanning for vulnerabilities.

Navy Red Team

The Navy Red Team is certified by the National Security Agency and accredited by U.S. Cyber Command as a Department of Defense Cyber Red Team. A DoD Cyber Red Team is an independent, multi-disciplinary group of DoD personnel authorized to emulate a potential adversary’s attack capabilities against a targeted mission or system to highlight vulnerabilities to improve cybersecurity.

During a traditional red teaming event, few system operators are aware of the test ahead of time, to best simulate the real conditions of an adversarial attack. Following the event, the Red Team generates a report of the vulnerabilities found and the measures that can mitigate the risk. But these surprise readiness assessments are not the only tests the Red Team conducts. The Red Team may work with systems that are still in development to perform exhaustive penetration tests and what they call cyber table tops: high-level, low-fidelity system walkthroughs that point out big-picture security issues. Where a red teaming event is unannounced and conducted from the adversary's perspective, a penetration test is completed in tandem with the system operators to meticulously scour all aspects of the system for potential weaknesses.

Supplemental Media:



A Beginners Guide to Cybersecurity Risk Management


Review Questions:

  1. What are the tradeoffs that are considered when making a risk decision?
  2. What are the functions of risk?
  3. What are the five steps of the risk management process?
  4. What are the four strategies for addressing risk?
  5. Why are cybersecurity and risk assessments important?
  6. Who is responsible for conducting risk assessments for the Navy?
  7. What are the concepts and purposes of Navy blue and red teams?

References

  1. Naval Postgraduate School, “Operational Risk Management (ORM),” NPS Safety, accessed July 2025. [Online]. Available: nps.edu/web/safety/orm
  2. U.S. Navy, OPNAVINST 3500.39, “Operational Risk Management,” c. latest revision, accessed July 2025. [Online]. Available: cnic.navy.mil/…/Operational-Risk-Management/
  3. Joint Task Force Transformation Initiative, NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments, Sept. 2012. [Online]. Available: csrc.nist.gov/sp/800-30/rev-1
  4. SailPoint, “NIST SP 800-30 Guide for Conducting Risk Assessments,” SailPoint Blog, accessed July 2025. [Online]. Available: sailpoint.com/…/nist-sp-800-30
  5. The FAIR Institute, “A FAIR Framework for Effective Cyber Risk Management,” FAIR Institute, accessed July 2025. [Online]. Available: fairinstitute.org/…/integrating-fair-models
  6. CISecurity, “FAIR: A Framework for Revolutionizing Your Risk Analysis,” CIS, accessed July 2025. [Online]. Available: cisecurity.org/…/fair-a-framework
  7. Marine Corps Training Command, “Operational Risk Management B130786 Student Handout,” c. 10 years ago. [Online]. Available: trngcmd.marines.mil/…/B130786
  8. GetGDS, “9 Steps to a Comprehensive Cyber Security Risk Assessment,” GetGDS Blog, accessed July 2025. [Online]. Available: getgds.com/…/9-steps-to-a-comprehensive-security-risk-assessment