Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • The Security Leadership Issue
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity Education & TrainingCybersecurity News

Assess Cyber Risk Using the COBIT2019 Framework

By Fredric Greene
It's Time to Change Your Perception of the Cybersecurity Professional
July 18, 2019

The COBIT2019 framework includes a holistic approach to manage cyber risks. Although the framework consists of 40 objectives, in this article we will discuss the one objective most relevant to cyber risk management – ‘managed risk’ (APO12). We emphasize the need to leverage experienced cybersecurity professionals who fully understand risk in technology infrastructure.

The COBIT2019 objective on 'managed risk' includes detailed guidance on specific practices, metrics and information flows with inputs and outputs. This objective in the ‘Align, Plan & Organize’ (APO) domain of the framework, can be used specifically for managing cyber risk within an organization’s overall enterprise risk management (ERM).

Below we present the key risk management practices with suggestions for practical use in an organization.

‘Collect data’ (APO12.01) on risks to an organization’s information and technology. Data can be collected and organized using a cyber-threat taxonomy that facilitates a consistent risk analysis and a sustained cybersecurity roadmap. Two such taxonomies are the US NIST 800-30 Threat Event taxonomy and the European Union's ENISA Threat Taxonomy. These taxonomies can be scaled up or down in complexity depending on the organization, but we suggest to keep it simple for full adoption and added value.

To illustrate the collection of data, an organization may identify the most relevant NIST 'adversarial' threats (e.g. obtain unauthorized access, malware delivered to internal systems, exfiltration of sensitive information). The threat taxonomy can then be used to establish a set of scenarios for the consistent collection of data, period after period, with corresponding metrics (e.g. volume of security incidents and problems, endpoint systems infected with malware, externally facing systems). Relevant data should be accumulated that aligns with these threats.

‘Analyze risk’ (APO12.02) with supporting evidence for the risk assessment and associated decisions. Risk scenarios are analyzed by considering internal risk factors (e.g. vulnerability scan results, patch status, externally facing systems) and external factors (e.g. government and industry notifications on malware, trends in exploits and attacks). Analysis of specific scenarios (e.g. unauthorized 'insider' privileged access, ransomware attack, theft of intellectual property) should be customized within the organization's context (e.g. assets affected, repositories with sensitive data, critical business processes). Expand the analysis with estimated impact and probability of each scenario. The technical response to counter each threat should also be analyzed and documented.

In the analysis of risk, consult with cybersecurity professionals to understand the full capabilities of cyber-threat actors e.g. organized crime, nation-state hacking groups. It is also worthwhile to consider the full range of cyber tactics and techniques as documented in the Lockheed Martin ‘Cyber Kill Chain’ or MITRE Att&ck framework.

‘Maintain a risk profile’ (APO12.03) for a set of risk scenarios by category (cyber-threat), business line or functional area. Present worst case and most probable risk scenarios that will enable management to balance risk and mitigation. The risk profiles should be maintained with a quantitative approach that rates impact (1-5) and likelihood (1-5) to get a risk rating (high, normal, low) for each scenario. These profiles can then be prioritized and actioned. Note that the data collected, analyzed and aggregated into risk profiles as described above should yield actionable intelligence for decision making.

‘Articulate risk’ (APO12.04) through communication with relevant stakeholders. It may be worthwhile to consolidate this internal articulation of risk with third part assessments, internal audit reports or quality assurance reviews. We suggest using actual examples of cyber-attacks that are conceivable in the organization. An excellent source of such examples is the annual Verizon 'Data Breach Investigations' report which covers actual data breaches and security incidents in good detail. High profile breaches that reflect possible threats to an organization will get attention from senior management (e.g. Petya ransomware, data theft from Marriott, Equifax and others).

‘Define a risk management action portfolio’ (APO12.05) where each scenario has a corresponding control activity for mitigation. Specific mitigating actions should be documented e.g. compromise of privileged access is mitigated by granting only temporary and restricted access to system administrators; malware is prevented through scanning, patching and robust firewalls.

‘Respond to risk’ (APO12.06) by taking action in actual risk events. We suggest to prepare, maintain and test plans for the most significant risks. Develop scripts or runbooks of actions to take when a specific event occurs. Plan and run periodic exercises with realistic simulations of adverse events.

The practices described above in managing risk represent the COBIT2019 formal and methodical approach. Each practice can be customized and elaborated to match any organization. Managing risk is a continuous process that is most appreciated when risk becomes real with an actual adverse event.

KEYWORDS: cyber threats cybersecurity ransomware risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Fredic greene

Fredric Greene, CISSP is a director of IT Audit at UBS in New York. His experience is in audit and risk in information and cyber-security as well as the IT infrastructure, cloud services, systems, networks and databases. He has had several articles published in industry publications and provided training in cybersecurity and risk assessment.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
close

1 COMPLIMENTARY ARTICLE(S) LEFT

Loader

Already Registered? Sign in now.

Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

Person holding large ball of twine

Preventing Burnout in The Security Industry

Harrods

Harrods’ Cyberattack: Cybersecurity Leaders Weigh In

2025 Security Benchmark banner

Events

September 29, 2025

Global Security Exchange (GSX)

 

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cybersecurity risk evaluation

    Using risk quantification to assess cyber risk

    See More
  • cyber security

    GAO: Cyber premiums rise as insurers struggle to assess risk

    See More
  • risk management freepik

    New York’s DFS publishes a Cyber Insurance Risk Framework

    See More

Events

View AllSubmit An Event
  • October 17, 2024

    How to Assess and Hone Your Security Program

    ON DEMAND: In this webinar, Erik Antons, a security risk management executive with more than 20 years of working in the Federal Government, energy, hospitality, and manufacturing sectors, shares his perspective on the building blocks of a successful manufacturing security program.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!