What are you protecting?
To practice cybersecurity risk management, you can start with these steps:
1. Identify your business’ assets
List the types of information, processes, important people and technology your business relies upon.
![](https://www.infomanage.net/wp-content/uploads/2023/10/Screenshot-2023-10-29-at-6.54.45-PM-e1698620939331-1024x301.png)
2. Identify the value of these assets
![](https://www.infomanage.net/wp-content/uploads/2023/10/Screenshot-2023-10-29-at-6.55.43-PM-e1698620977445-1024x426.png)
3. Document the impact to your business from loss or damage to these assets
- Consider the impact to your business if each asset were lost, damaged, or reduced in value (e.g., intellectual property revealed to competitors).
- This impact may differ from the asset value determined in step 2.
4. Identify likelihood of loss or harm
- List the threats to each business asset.
- Evaluate the likelihood that the asset may be lost or damaged by the threat(s).
5. Prioritize your mitigation activities accordingly
- Compare your impact and likelihood scores. Assets with high impact and/or likelihood scores should be assigned top priorities.
- Identify your priorities.
- Identify potential solutions.
- Develop a plan, including funding, to implement the solutions.
Risk Matrix
![](https://www.infomanage.net/wp-content/uploads/2023/10/Screenshot-2023-10-29-at-6.57.03-PM-e1698978136257-1024x531.png)
Example Risk Assessment
| Asset | Value of the Asset | Impact of Loss/Damage to the Asset | Threats to the Asset | Likelihood of Loss/Damage to the Asset | Prioritization of Protection of the Asset |
|---|---|---|---|---|---|
| Patient health information | High, due to regulations | High | Hackers, ransomware | Medium | High |
| Devices storing patient information (laptops, servers, mobile devices) | Medium | High | Thieves, malware, phishing | Low | Low |
| Processing patient claims to insurance | High | Medium (can institute manual processes temporarily) | Denial of service, hackers | Low | Low |
| Receiving payments from insurance and patients | High | High | Denial of service, hackers | Low | Low |
| Third party email provider | Medium | Medium | Phishing, malware | Medium | Medium |
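The five steps above and the example assessment can be carried out in a few lines of code. The script below is an added example, not part of the original page: it encodes the example table's assets, scores each one by combining impact and likelihood on a three-point scale, maps the score onto a High/Medium/Low priority, and ranks the assets for step 5. The numeric scale (Low=1, Medium=2, High=3), the multiplicative score and the band thresholds (score 6 or more is High, 4 to 5 is Medium, below 4 is Low) are assumptions chosen because they reproduce every priority in the table; the page's own risk matrix is only shown as an image, so substitute your organization's matrix if it differs.

```python
"""Risk assessment worked example (added code, not from the original page).

Scale, scoring rule and thresholds are assumptions that reproduce the
priorities in the page's example table.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed ordinal scale for impact and likelihood ratings.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Asset:
    name: str
    value: str            # step 2: value of the asset (kept as free text)
    impact: str           # step 3: impact of loss or damage
    likelihood: str       # step 4: likelihood of loss or harm
    threats: List[str] = field(default_factory=list)  # step 4: threats
    stated_priority: str = ""  # priority as given in the page's table


def _level(rating: str) -> int:
    """Validate a rating and return its numeric value; unknown ratings fail loudly."""
    try:
        return LEVELS[rating]
    except KeyError:
        raise ValueError(f"unknown rating {rating!r}; expected one of {sorted(LEVELS)}")


def risk_score(impact: str, likelihood: str) -> int:
    """Assumed scoring rule: impact x likelihood on the 1..3 scale (range 1..9)."""
    return _level(impact) * _level(likelihood)


def priority(impact: str, likelihood: str) -> str:
    """Map a risk score onto the page's High/Medium/Low priority bands (assumed thresholds)."""
    score = risk_score(impact, likelihood)
    if score >= 6:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def risk_matrix() -> List[List[str]]:
    """Render the assumed matrix: rows are impact (High..Low), columns likelihood (Low..High)."""
    cols = ["Low", "Medium", "High"]
    return [[priority(imp, lik) for lik in cols] for imp in reversed(cols)]


# Assets from the page's example assessment table.
ASSETS = [
    Asset("Patient health information", "High, due to regulations", "High", "Medium",
          ["Hackers", "ransomware"], "High"),
    Asset("Devices storing patient information", "Medium", "High", "Low",
          ["Thieves", "malware", "phishing"], "Low"),
    Asset("Processing patient claims to insurance", "High", "Medium", "Low",
          ["Denial of service", "hackers"], "Low"),
    Asset("Receiving payments from insurance and patients", "High", "High", "Low",
          ["Denial of service", "hackers"], "Low"),
    Asset("Third party email provider", "Medium", "Medium", "Medium",
          ["Phishing", "malware"], "Medium"),
]


def assess(assets: List[Asset]) -> List[Tuple[str, str, int]]:
    """Step 5: compute (name, priority, score) for each asset, highest risk first."""
    rows = [(a.name, priority(a.impact, a.likelihood), risk_score(a.impact, a.likelihood))
            for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def mismatches(assets: List[Asset]) -> List[str]:
    """Names of assets whose computed priority differs from the table's stated priority."""
    return [a.name for a in assets
            if a.stated_priority and priority(a.impact, a.likelihood) != a.stated_priority]


if __name__ == "__main__":
    for name, prio, score in assess(ASSETS):
        print(f"{score:>2}  {prio:<6}  {name}")
    print("Mismatches against the table:", mismatches(ASSETS) or "none")
```

Running the script lists the assets in mitigation order (patient health information first, then the email provider, then the remaining Low items) and confirms that the assumed rule reproduces the table. Because the rule is data, not prose, changing a single rating or threshold re-ranks every asset consistently, which is the main benefit of writing the matrix down rather than applying it by hand.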