What are you protecting?

To practice cybersecurity risk management, you can start with these steps:

1. Identify your business’ assets

List the types of information, processes, important people and technology your business relies upon.

2. Identify the value of these assets

3. Document the impact to your business from loss or damage to these assets

  • Consider the impact to your business if each asset were lost, damaged, or reduced in value (e.g., intellectual property revealed to competitors).
  • This impact may differ from the asset value determined in step 2.

4. Identify the likelihood of loss or harm

  • List the threats to each business asset.
  • Evaluate the likelihood that the asset may be lost or damaged by the threat(s).

5. Prioritize your mitigation activities accordingly

  • Compare your impact and likelihood scores. Assets with high impact and/or likelihood scores should be assigned top priorities.
  • Identify your priorities.
  • Identify potential solutions.
  • Develop a plan, including funding, to implement the solutions.

Risk Matrix

Example Risk Assessment

Asset: Patient health information
  • Value of the asset: High, due to regulations
  • Impact of loss/damage to the asset: High
  • Threats to the asset: Hackers, ransomware
  • Likelihood of loss/damage to the asset: Medium
  • Prioritization of protection of the asset: High

Asset: Devices storing patient information (laptops, servers, mobile devices)
  • Value of the asset: Medium
  • Impact of loss/damage to the asset: High
  • Threats to the asset: Thieves, malware, phishing
  • Likelihood of loss/damage to the asset: Low
  • Prioritization of protection of the asset: Low

Asset: Processing patient claims to insurance
  • Value of the asset: High
  • Impact of loss/damage to the asset: Medium (can institute manual processes temporarily)
  • Threats to the asset: Denial of service, hackers
  • Likelihood of loss/damage to the asset: Low
  • Prioritization of protection of the asset: Low

Asset: Receiving payments from insurance and patients
  • Value of the asset: High
  • Impact of loss/damage to the asset: High
  • Threats to the asset: Denial of service, hackers
  • Likelihood of loss/damage to the asset: Low
  • Prioritization of protection of the asset: Low

Asset: Third party email provider
  • Value of the asset: Medium
  • Impact of loss/damage to the asset: Medium
  • Threats to the asset: Phishing, malware
  • Likelihood of loss/damage to the asset: Medium
  • Prioritization of protection of the asset: Medium
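The five steps above can be kept as a small risk register that scores each asset from its impact and likelihood ratings and sorts the result for step 5. The following is an added example, not code from the original page: it loads the example assessment above as constructed input, multiplies ordinal scores for impact and likelihood, and maps the product onto High/Medium/Low priorities. The score values (High=3, Medium=2, Low=1) and the thresholds in priority() are assumptions picked so that the output matches the prioritization column of the example; a real assessment would tune them to its own appetite for risk.

```python
"""Risk register scoring for the five-step assessment (added example)."""
from dataclasses import dataclass, field

# Ordinal scores for the High/Medium/Low ratings used on the page (assumed values).
RATING = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Asset:
    name: str
    value: str          # step 2: value of the asset (kept for reporting only)
    impact: str         # step 3: impact of loss/damage, may differ from value
    likelihood: str     # step 4: likelihood of loss/damage
    threats: list = field(default_factory=list)


# Constructed register reproducing the rows of the page's example assessment.
EXAMPLE_REGISTER = [
    Asset("Patient health information", "High", "High", "Medium",
          ["Hackers", "ransomware"]),
    Asset("Devices storing patient information", "Medium", "High", "Low",
          ["Thieves", "malware", "phishing"]),
    Asset("Processing patient claims to insurance", "High", "Medium", "Low",
          ["Denial of service", "hackers"]),
    Asset("Receiving payments from insurance and patients", "High", "High", "Low",
          ["Denial of service", "hackers"]),
    Asset("Third party email provider", "Medium", "Medium", "Medium",
          ["Phishing", "malware"]),
]


def rating_score(label: str) -> int:
    """Convert a rating label to its ordinal score, rejecting unknown labels
    so a typo in the register cannot silently become a low score."""
    try:
        return RATING[label]
    except KeyError:
        raise ValueError(f"unknown rating {label!r}; expected one of {sorted(RATING)}")


def risk_score(asset: Asset) -> int:
    """Impact x likelihood, the product behind a simple risk matrix (range 1..9)."""
    return rating_score(asset.impact) * rating_score(asset.likelihood)


def priority(score: int) -> str:
    """Map a risk score onto a priority band.
    Thresholds are assumed; they reproduce the example's prioritization column."""
    if score >= 6:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritize(register: list) -> list:
    """Step 5: return (asset name, score, priority) tuples, highest risk first.
    sorted() is stable, so assets with equal scores keep their register order."""
    rows = [(a.name, risk_score(a), priority(risk_score(a))) for a in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, band in prioritize(EXAMPLE_REGISTER):
        print(f"{band:<6} score={score}  {name}")
```

Running the block prints the example assets in the order a mitigation plan would address them, with "Patient health information" first. Because risk_score() refuses unknown labels, a register row rated "Hgh" raises an error instead of quietly dropping to the bottom of the list.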