Previously, we learned how security involves protecting organizations and people from threats, risks, and vulnerabilities. Understanding the current threat landscapes gives organizations the ability to create policies and processes designed to help prevent and mitigate these types of security issues. In this reading, you will further explore how to manage risk, so you are better prepared to protect organizations and the people they serve when you enter the cybersecurity field.
A 158-year-old company, KNP, collapsed within just three months after hackers from the Akira ransomware group guessed a single weak employee password. The result? £5 million in ransom demands, encrypted data, deleted backups, and 700 employees out of work. One mistake was all it took to bring down a century-old business.
Why is it Critical?
There’s a dangerous myth in cybersecurity: “We’re too small to be a target.”
The truth? Cybercriminals don’t care about your company’s size - only about how easy you are to breach. A poorly configured server, an outdated system, or a single weak password can be enough to put you on their radar.
From my own experience, I can say that this is partially true. I enjoy following the development of modern applications, especially in the field of cryptocurrencies, and this principle proves itself time and time again. The problem isn’t that these companies are small, but rather that in many cases there is simply nothing worth taking from them - at least for now. But when the time comes and value appears, it’s often too late to start thinking about protection - the house is empty, and the safe is gone. That’s why I suggest preparing in advance. As the saying goes, fix the roof while the sun is shining.
Risk management in cybersecurity is really about answering three deceptively simple questions:
- What could go wrong?
- How likely is it to happen?
- How much will it hurt if it does?
Every organization (from startups to global corporations) faces risks that could cause financial loss, reputational damage, legal trouble, or even total shutdown. The difference between those that survive and those that don’t often depends on how well they identify and prepare for these risks.
In risk management, the primary goal is to protect assets. An asset is anything perceived as having value to an organization. Assets can be digital or physical.
Digital assets include data such as Social Security numbers, dates of birth, bank account details, and mailing addresses, as well as the credentials, source code, and systems that store or process that data.
Physical assets may seem less “cyber”, but are just as critical — if someone can walk into your server room, they don’t need to hack anything. Examples include payment kiosks, servers, computers, and office spaces.
In the context of risk management, two terms often come up:
- PII (Personally Identifiable Information) - data that can be used to identify a specific person. This includes names, addresses, phone numbers, email addresses, and account usernames.
- SPII (Sensitive Personally Identifiable Information) - a more sensitive subset of PII. This includes information like Social Security numbers, biometric data, medical history, financial account numbers, or any data that could cause significant harm, identity theft, or fraud if exposed.
Whether you’re handling a customer’s shipping address or their passport number, understanding the value and sensitivity of the data is the first step toward protecting it - and toward making smart risk management decisions.
Managing risks isn’t about building an impenetrable fortress. It’s about knowing which battles to fight, which to avoid, and which to insure against - before the attackers make the choice for you.
What's really important?
Risk management isn’t a spreadsheet exercise - it’s detective work. You collect evidence about where problems might occur, who might try to cause them, and how bad the consequences would be if they succeeded.
Cybersecurity risk management is a structured process found in global frameworks like the NIST Risk Management Framework (RMF), ISO/IEC 27005, and the CIS Risk Assessment Method (CIS RAM). These frameworks all boil down to one simple truth: you can’t protect everything equally, so you need to know what’s worth protecting most, what’s threatening it, and how to act before trouble strikes.
Also, in regulated industries, additional standards apply - for example, HIPAA in U.S. healthcare, which mandates risk assessments to protect patient data.
At the core, there are five key steps that repeat in a continuous cycle:
- Identify what matters most
- Identify who or what can harm it
- Find the weaknesses they could exploit
- Evaluate how bad and how likely each risk is
- Decide what to do about each risk
This isn’t theory - it’s the same structure Fortune 500 companies use, scaled down or up depending on the organization. Let’s break each step down.
Step 1 - Identify what matters most
Before you can protect anything, you need to know what’s worth protecting. In risk management, these are your critical assets:
- Customer databases with personal data
- Financial systems and transaction platforms
- Proprietary designs, formulas, or source code
- Critical infrastructure (servers, cloud services, network equipment)
Example: A SaaS company might identify its cloud-hosted application and customer records as top-priority assets because downtime or breach would lead to both massive financial loss and reputational damage.
Step 2 - Identify who or what can harm it
Threats can come from outside or inside:
- External: cybercriminal gangs, hacktivists, state-sponsored groups, competitors
- Internal: disgruntled employees, accidental mistakes, misconfigurations
- Environmental/technical: power outages, hardware failures, natural disasters
Example: For an online retailer, a likely threat could be credential-stuffing attacks by bots using stolen passwords from other breaches.
Step 3 - Find the weaknesses they could exploit
Every system has vulnerabilities - flaws that can be exploited. Common ones include:
- Outdated software with known exploits
- Weak or reused passwords
- Poor network segmentation
- Misconfigured cloud storage
- Unpatched IoT devices
Tools like vulnerability scanners, penetration tests, and configuration audits help find them.
Example: A healthcare provider’s security team discovers an internet-facing medical records portal running outdated software vulnerable to SQL injection attacks.
Step 4 - Evaluate how bad and how likely each risk is
Not all risks are equal. You need to consider:
- Likelihood - how probable is the event?
- Impact - what’s the scale of damage if it happens?
You can do this qualitatively (low/medium/high), quantitatively (financial values and probabilities, for example annualized loss expectancy = loss per incident × expected incidents per year), or with a mix of both. Many teams plot likelihood against impact on a risk heat map to visualize priority.
Example: A phishing attack might be very likely but low-impact if you have strong detection and quick response, while a ransomware breach on critical servers might be rare but catastrophic.
Step 5 - Decide what to do about each risk
You have four basic options:
- Avoid - eliminate the risk source
- Reduce - add protections to lower the chance or impact
- Transfer - shift the financial or operational impact to a third party (insurance, a managed provider)
- Accept - consciously live with the risk if it’s low enough
Example: A small business might choose to avoid the risk of hosting its own email server by moving to a managed service with built-in security.
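To make the five steps concrete, here is an added example (not code from the article) of a minimal risk register in Python. It carries Steps 1 to 3 as fields, scores Step 4 both qualitatively (a 1 to 5 likelihood times a 1 to 5 impact, mapped to heat-map bands) and quantitatively (annualized loss expectancy, loss per incident times incidents per year), and gates Step 5 on a risk appetite. Every asset, threat, score, currency figure and threshold below is a constructed assumption for illustration.

```python
"""Added example: a minimal risk register that carries the five steps above into
working code. Every asset, threat, vulnerability, score and currency figure
below is constructed for illustration and is not data from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str            # Step 1: what matters
    threat: str           # Step 2: who or what can harm it
    vulnerability: str    # Step 3: the weakness they would exploit
    likelihood: int       # Step 4, qualitative: 1 (rare) .. 5 (almost certain)
    impact: int           # Step 4, qualitative: 1 (negligible) .. 5 (catastrophic)
    sle: float            # Step 4, quantitative: single loss expectancy (loss per incident)
    aro: float            # Step 4, quantitative: annualized rate of occurrence (incidents/year)

    def score(self) -> int:
        """Heat-map score: likelihood x impact, range 1..25."""
        return self.likelihood * self.impact

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


def heat_band(score: int) -> str:
    """Map a 1..25 score onto the bands of a 5x5 heat map (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_register(register: list) -> list:
    """Step 4: highest qualitative score first, ties broken by annualized loss."""
    return sorted(register, key=lambda r: (r.score(), r.ale()), reverse=True)


def needs_treatment(risk: Risk, appetite_ale: float) -> bool:
    """Step 5 gate: a risk may be accepted only if it sits outside the top two bands
    AND its expected annual loss is within the organization's risk appetite."""
    return heat_band(risk.score()) in ("critical", "high") or risk.ale() > appetite_ale


# Constructed register, mirroring the article's own examples.
REGISTER = [
    Risk("customer database", "ransomware gang", "unpatched internet-facing server", 4, 5, 2_000_000, 0.1),
    Risk("customer accounts", "credential-stuffing bots", "no MFA, reused passwords", 5, 3, 50_000, 2.0),
    Risk("medical records portal", "opportunistic attacker", "outdated software, SQL injection", 3, 4, 1_500_000, 0.2),
    Risk("office workstations", "phishing campaign", "weak user awareness", 5, 1, 10_000, 4.0),
    Risk("public website", "DDoS", "no upstream filtering", 2, 2, 5_000, 0.5),
]
RISK_APPETITE_ALE = 25_000  # assumed: expected annual loss the business tolerates per risk


def summarize(register: list, appetite_ale: float) -> list:
    """Ranked rows with band, ALE and the accept/treat decision for each risk."""
    return [
        {
            "asset": r.asset,
            "score": r.score(),
            "band": heat_band(r.score()),
            "ale": r.ale(),
            "action": "treat" if needs_treatment(r, appetite_ale) else "accept",
        }
        for r in rank_register(register)
    ]


if __name__ == "__main__":
    for row in summarize(REGISTER, RISK_APPETITE_ALE):
        print(f"{row['asset']:<24} score={row['score']:>2} {row['band']:<8} "
              f"ALE={row['ale']:>12,.0f} -> {row['action']}")
```

Note the phishing row: on the heat map it is only "medium" (very likely, low impact), but its annualized loss still exceeds the assumed appetite, so the quantitative gate sends it to treatment anyway. Using both views catches risks that either one alone would under-rate.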
Cybersecurity risk management isn’t about chasing every possible threat; it’s about clarity and focus. The five steps give you a repeatable, structured way to move from uncertainty (we don’t know where we’re vulnerable) to informed action (we know our critical risks and how we’re handling them).
Whether you’re a startup founder or part of a global security team, this process scales. It forces you to prioritize, to think like an attacker, and to make conscious decisions before an incident makes them for you.
In the next section, we’ll explore exactly how to reduce those prioritized risks - and how to choose the right strategy for each one.
Reduce Risks
In every recognized risk management framework - from NIST RMF to ISO/IEC 27005 and CIS RAM - the same truth emerges: when you strip away the details, there are only four possible ways to respond to a risk.
Why? Because any action you take will ultimately fit into one of these categories:
- You remove the risk completely → Avoidance
- You make it smaller by adding defenses → Reduction
- You hand it off to someone else to handle → Transfer
- You live with it after making a conscious choice → Acceptance
This is true whether the risk is financial, operational, or cybersecurity-related. Other “options” you might hear - like mitigation, sharing, or outsourcing - are just variations or combinations of these four fundamentals.
Why four is enough
- Logical completeness - these cover all possible actions you can take toward a risk.
- Clarity - having just four categories avoids decision paralysis.
- Scalability - works for a small business, a Fortune 500, or even national-level security.
- Alignment - since global standards agree on these four, using them keeps your approach consistent with industry best practice.
Think of them as the four cardinal directions in navigation - you can go northeast if you want, but it’s still a mix of north and east.
Avoid the Risk
Eliminate the source of the risk entirely.
Example: If a legacy on-premises email server is riddled with vulnerabilities and costly to maintain, you might shut it down and move to a secure cloud provider.
Best for: High-risk systems that you don’t critically need or can easily replace.
Reduce the Risk
Put in controls to lower the likelihood or impact.
Example: Implementing multi-factor authentication (MFA) to reduce the risk of account compromise from stolen passwords.
Best for: Risks that can’t be avoided but can be significantly minimized.
Transfer the Risk
Shift the financial or operational impact to a third party.
Example: Purchasing cyber insurance to cover costs from a ransomware attack.
Best for: Risks that are difficult to reduce internally or require specialized expertise. Keep in mind that transfer moves cost, not accountability: the deductible, the regulatory consequences, and the reputational damage of a breach still land on you.
Accept the Risk
Make an informed decision to live with it, and record that decision with an owner and a review date so it is revisited when the risk changes.
Example: A small startup decides not to invest in enterprise-grade DDoS protection because the likelihood and impact are both low.
Best for: Low-likelihood, low-impact risks where mitigation is not cost-effective.
A single risk may require a combination of strategies. For example, you could reduce the chance of a phishing attack with employee training, transfer some financial exposure via insurance, and accept the residual risk.
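The combination above (reduce with training, transfer with insurance, accept the remainder) can be compared option by option. This added example, not code from the article, evaluates several treatment plans for one phishing risk by the loss that remains after each plan and what the plan costs per year, then picks the cheapest plan whose residual risk fits the appetite. The loss figures, control effects, and insurance terms (premium, deductible, limit) are constructed assumptions, as is the rule that a control scales frequency or loss by a fixed factor.

```python
"""Added example: compare treatment plans for one risk by residual annualized
loss expectancy and total annual cost. All figures, control effects and
insurance terms are constructed assumptions, not data from the article."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: loss per incident
    aro: float   # annualized rate of occurrence: incidents per year


@dataclass(frozen=True)
class Control:
    """Reduce: a control scales likelihood (ARO) and/or impact (SLE)."""
    name: str
    annual_cost: float
    aro_factor: float = 1.0   # 0.4 means incidents become 60% less frequent
    sle_factor: float = 1.0   # 0.5 means each incident costs half as much


@dataclass(frozen=True)
class Insurance:
    """Transfer: the insurer pays the loss above the deductible, up to the limit."""
    annual_premium: float
    deductible: float
    limit: float


def retained_per_event(loss: float, policy: Optional[Insurance]) -> float:
    """Loss the organization still bears for one incident after insurance pays."""
    if policy is None:
        return loss
    covered = max(0.0, min(loss - policy.deductible, policy.limit))
    return loss - covered


def evaluate_plan(risk: Risk, controls: tuple, policy: Optional[Insurance], appetite: float) -> dict:
    """Apply reducing controls, then insurance; what is left is the risk to accept."""
    sle, aro = risk.sle, risk.aro
    for c in controls:
        sle *= c.sle_factor
        aro *= c.aro_factor
    residual_ale = retained_per_event(sle, policy) * aro
    annual_cost = sum(c.annual_cost for c in controls) + (policy.annual_premium if policy else 0.0)
    return {
        "residual_ale": residual_ale,
        "annual_cost": annual_cost,
        "total_exposure": residual_ale + annual_cost,   # expected loss plus spend
        "within_appetite": residual_ale <= appetite,
    }


def best_plan(risk: Risk, plans: dict, appetite: float):
    """Name of the cheapest plan (loss + spend) whose residual risk is acceptable, else None."""
    results = {name: evaluate_plan(risk, ctrls, pol, appetite) for name, (ctrls, pol) in plans.items()}
    acceptable = {n: r for n, r in results.items() if r["within_appetite"]}
    if not acceptable:
        return None
    return min(acceptable, key=lambda n: acceptable[n]["total_exposure"])


# Constructed scenario: the phishing risk discussed above.
PHISHING = Risk("phishing leading to account takeover", sle=120_000, aro=2.0)
TRAINING = Control("security awareness training", 15_000, aro_factor=0.4)
MFA = Control("phishing-resistant MFA", 20_000, sle_factor=0.5)
POLICY = Insurance(annual_premium=25_000, deductible=10_000, limit=500_000)
APPETITE = 25_000  # assumed: residual annual loss the business will accept

PLANS = {
    "do nothing": ((), None),
    "training": ((TRAINING,), None),
    "training + MFA": ((TRAINING, MFA), None),
    "training + MFA + insurance": ((TRAINING, MFA), POLICY),
}

if __name__ == "__main__":
    for name, (ctrls, pol) in PLANS.items():
        r = evaluate_plan(PHISHING, ctrls, pol, APPETITE)
        print(f"{name:<28} residual={r['residual_ale']:>9,.0f} "
              f"cost={r['annual_cost']:>7,.0f} acceptable={r['within_appetite']}")
    print("chosen:", best_plan(PHISHING, PLANS, APPETITE))
```

Avoidance does not appear among the plans because you cannot retire "employees who receive email"; that is exactly the case where the other three strategies have to be combined. Also note that the insurance step is applied after the controls: insurers price and sometimes require those controls, and the deductible is what you are accepting.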
Framework(s)?
In previous articles, you’ve already encountered security frameworks. Now, it’s time to see how they work in practice for risk management.
One of the most respected in the field is the NIST Risk Management Framework (RMF), developed by the U.S. National Institute of Standards and Technology. While originally designed for U.S. federal agencies, it’s now used globally by organizations of all sizes.
The RMF provides a structured, repeatable process for identifying, evaluating, and responding to risks in a way that aligns with business objectives and compliance requirements. It ensures that security isn’t just a technical checklist, but a strategic decision-making process.
7 Steps of the NIST RMF
- Prepare - Understand the mission, context, stakeholders, and risk tolerance of your organization.
- Categorize - Classify information systems based on the potential impact of a breach or compromise.
- Select - Choose security controls proportionate to the risk level and system classification.
- Implement - Put the chosen controls into operation, integrating them into processes and systems.
- Assess - Test and verify that the controls work as intended.
- Authorize - Grant formal approval for the system to operate based on residual risk.
- Monitor - Continuously track changes, emerging threats, and system performance to adjust controls.
The RMF naturally guides you toward one of the four risk response strategies we discussed earlier:
- If a system is too risky and cannot be secured → Avoid
- If a risk can be brought down to an acceptable level → Reduce
- If another party can handle it more effectively → Transfer
- If the residual risk is acceptable within business tolerance → Accept
A framework like NIST RMF removes guesswork. It gives you a shared language, a clear process, and a proven foundation for deciding which risks to tackle, which to hand off, and which to live with.
Even the most fortified castle can fall - history has proven it time and again. In cybersecurity, the same rule applies: no system is invincible. That’s why smart organizations don’t chase “perfect” security - they manage risks so that one breach doesn’t become a catastrophe. It’s about knowing which defenses matter most, preparing for the attacks you can’t prevent, and building resilience to recover faster than the damage spreads. Less glamorous than an impenetrable wall, yes - but far more effective. In the end, the goal isn’t to be untouchable; it’s to ensure that when the walls are tested, your company is still standing the next day.