Currently, we have a long list of all or most of the NIST CSF controls and track to what extent we have implemented each control and what level of implementation would be desirable in the current state. The desirable grade of implementation is, however, just a best guess from a personal POV. What I greatly miss in this approach is the mapping between the controls and the underlying threats.

A simple example for clarification: NIST control DE.CM-1 states “The network is monitored to detect potential cybersecurity events”.

As a control, this is fine. But what I’m missing (and management as well) is the risk we open ourselves up to when we do not implement this control. It also makes prioritization of implementation harder. What I try to do is map a list of common, prioritized risks (like the MITRE CAPEC) to the NIST CSF. This would look like this:

The risks

* CAPEC-94: Adversary in the Middle, Likelihood: High, Severity: Very high, and
* CAPEC-125: Flooding, Likelihood: High, Severity: Medium

result in a combined risk of ‘high’ (probability * impact) and can be mitigated with control DE.CM-1 from NIST CSF.

I’d like to know how you do this in your organization. How do you inject cybersecurity risks into your normal organizational risk management process?
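The scoring and mapping described in the post, carried through as a small worked example (added here; it is not code from the original post). The ordinal scales, the score bands, the implementation levels and the second control listed for each CAPEC entry are all assumptions made for illustration; the point is the shape of the calculation: score each risk as likelihood × severity, attach it to the controls that mitigate it, then rank controls by the risk they leave open given how far each one is implemented.

```python
"""Risk-to-control mapping: score CAPEC-style risks on an ordinal
likelihood x severity scale, attach them to NIST CSF controls, and rank
controls by residual risk. Scales, bands and mappings are constructed
for this example and are not an authoritative CAPEC-to-CSF mapping."""
from dataclasses import dataclass

# Constructed 1..5 ordinal scales; substitute your organization's own.
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
SEVERITY = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def score_to_label(score: float) -> str:
    """Map a likelihood*severity score (1..25) to a risk band (constructed thresholds)."""
    if score >= 21:
        return "very high"
    if score >= 15:
        return "high"
    if score >= 10:
        return "medium"
    if score >= 5:
        return "low"
    return "very low"


@dataclass(frozen=True)
class Risk:
    capec_id: str
    name: str
    likelihood: str
    severity: str
    controls: tuple  # NIST CSF control ids assumed to mitigate this risk

    @property
    def score(self) -> int:
        # probability * impact on the ordinal scales above
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]


# The two risks from the post; the second control on each line is an assumed mapping.
RISKS = [
    Risk("CAPEC-94", "Adversary in the Middle", "high", "very high", ("DE.CM-1", "PR.DS-2")),
    Risk("CAPEC-125", "Flooding", "high", "medium", ("DE.CM-1", "PR.PT-4")),
]


def control_priority(risks):
    """Aggregate risk per control: worst single risk (max) and total exposure (sum).
    The band label is driven by the worst risk, so one severe threat is not
    diluted by several minor ones sharing the same control."""
    table = {}
    for r in risks:
        for c in r.controls:
            entry = table.setdefault(c, {"max": 0, "sum": 0, "risks": []})
            entry["max"] = max(entry["max"], r.score)
            entry["sum"] += r.score
            entry["risks"].append(r.capec_id)
    for entry in table.values():
        entry["label"] = score_to_label(entry["max"])
    return table


def rank_controls(risks, implementation=None):
    """Rank controls by residual risk. `implementation` maps control id to a
    0.0..1.0 implementation level (default 0.0 = not implemented); residual
    risk is the control's max score scaled by the part still missing."""
    implementation = implementation or {}
    rows = []
    for control, entry in control_priority(risks).items():
        gap = 1.0 - implementation.get(control, 0.0)
        residual = entry["max"] * gap
        rows.append((control, score_to_label(residual), residual, entry["sum"] * gap, entry["risks"]))
    # highest residual first; total exposure breaks ties, then control id
    rows.sort(key=lambda row: (-row[2], -row[3], row[0]))
    return rows


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.capec_id} {r.name}: {r.score} ({score_to_label(r.score)})")
    # Assumed implementation levels (constructed): DE.CM-1 is half done.
    for control, label, residual, total, ids in rank_controls(RISKS, {"DE.CM-1": 0.5}):
        print(f"{control}: residual={residual:.0f} ({label}), exposure={total:.0f}, risks={ids}")
```

With the post's two risks, CAPEC-94 scores 20 and CAPEC-125 scores 12, so DE.CM-1 inherits a combined "high" from the worse of the two, which is what the post computes by hand. Once an implementation level is recorded for a control, the ranking shifts to whichever control still leaves the most risk open, which is the prioritization argument management was missing.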
