risk management (oatawa/Shutterstock.com)


A new model for cyber risk management

What:  “Managing Cybersecurity Risk in Government: An Implementation Model,” a report from the IBM Center for The Business of Government

Why: While federal agencies are required to comply with the National Institute of Standards  and Technology’s Risk Management Framework and Cybersecurity Framework, they still must develop their approaches to managing cybersecurity risk. A single model for risk assessment, mitigation and monitoring allows agencies to tailor approaches for particular cyber challenges and creates an opportunity to harmonize approaches across agencies.

Findings: To improve agencies' cyber risk management, this report proposes a five-step decision matrix called PRISM, for Prioritize, Resource, Implement, Standardize and Monitor. The cybersecurity evaluation model will help cyber decision-makers create tailored approaches to risk management and better communicate the impact of investments in security resources on reducing targeted cyber risks.

Implementing PRISM  is a multi-step process:

  1. Assess the likelihood of an attack and the impact of damage across the enterprise and prioritize major risk areas and attack vectors.
  2. Annually review individual cyber factors to determine the agency’s current stage of preparedness and responsiveness to risk 
  3. Examine and rate the resource allocations to reducing cybersecurity risk.
  4. For each risk area, assign a risk score and a preparedness level.
  5. Recommend improvements for each component of the PRISM model, standardize solutions and monitor for compliance.

The report also includes scorecards to help agencies prioritize and identify the precise risk vectors, leverage existing standards to resource  and implement a risk-mitigation strategy.

Verbatim: “Our proposed cybersecurity evaluation PRISM model will help agencies/organizations identify and  implement the most tailored risk management and cyber security approach applicable to their problems.  Our proposed model can also be used by agencies to set priorities, to explore gaps in current processes and to steer an organization I the right direction to resolve risk management and cyber risks  specific to an organizational strategy and its functions.”

Read the full report here

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.

Defense Systems Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.