Cybersecurity Risk and Compliance 

1. Executive Summary of Cyber Security Risk Assessment

Working through a risk assessment forces a business to map its architecture, identify its key data, and learn how to run and protect the company better. The next step is a risk management strategy that sets out what the company must do regularly to track its security posture, how threats are handled and mitigated, and how it will approach the next risk. No company is immune to a breach. One particularly disturbing aspect of cybersecurity is that businesses may only learn they were compromised when an outside agency, such as the FBI, notifies them. Then there is the question of what the organization should do once a breach is found: the affected systems need to be examined and repaired, but there is much more to it than that.

Table of Contents

Executive Summary
Context Establishment
Risk Assessment
  3.1. Risk Identification
  3.2. Risk Analysis
  3.3. Risk Evaluation
Risk Treatment / Recommendations
References

2. Context Establishment

A small law firm employs about ten people: two partners, three lawyers, two junior solicitors, one management consultant, a legal advisor, and an executive assistant. The offices, and the IT facilities they are assumed to host, are located in the Adelaide CBD. The firm has engaged an IT management company to operate and maintain its IT environment. An incident has occurred that means staff can no longer work from the office, and the IT company is rolling out plans for all staff to work from home. The partners are generally risk-averse, and the firm's level of technical literacy is low. This document will also be shared with the IT company to advise and direct its deployment of IT products.

According to PwC's 20th Global CEO Survey, cyber-attacks are among the top concerns of US CEOs. A recent McKinsey study found that 76 per cent of executives recognize cybersecurity as a top priority for their companies, yet only 17 per cent believe their companies are well prepared to deal with a real cybersecurity threat. This report analyses the current cyber-risk climate, identifies the common errors made when developing a cybersecurity strategy, and sets out how to build the business's next level of protection against cyber-attack efficiently: a cybersecurity risk assessment strategy (Bingham, 2019).

3. Risk Assessment

Cybercrime is projected to cost the world $7 trillion per year by 2021, more than the global trade in all major illegal drugs combined, according to Cybersecurity Projects. According to a recent Verizon survey, ransomware is expected to become the biggest cybersecurity risk to companies and is now attacking business-critical systems, causing financial damage and slowdowns. NIST describes cyber-risk assessments as risk assessments used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems. The primary objective of a cyber-risk assessment is to inform decision-makers and support an effective risk response. It also provides an executive summary to help managers and executives make informed security decisions. A cybersecurity risk assessment addresses the following questions:

  • What are the organization's most valuable information technology assets?
  • Which security breach would have a significant effect on the business, whether caused by malware, a cyber-attack, or hardware failure?
  • What are the relevant threats and threat sources facing the organization?
  • What are the internal and external vulnerabilities?
  • What is the impact if those vulnerabilities are exploited?
  • What is the likelihood of exploitation?
  • What cyber-attacks, cyber threats, or security incidents could affect the business's ability to function?
  • What level of risk is the company comfortable with?

Once these questions are answered, the organization knows what it needs to protect and can define risk-reducing IT security controls and data protection techniques. The following must also be considered:

  • What risk am I reducing?
  • Is this the highest-priority security risk?
  • What is the most cost-effective way to reduce the risk?

There are a number of reasons to conduct a cyber risk assessment, and a few reasons you must. Let's step through them:

Long-term risk reduction: identifying potential threats and weaknesses, and then working to minimize them, can prevent or reduce security incidents, saving the company money and avoiding long-term consequential damage.

Provides a template for future assessments: cyber risk assessments are not one-off exercises and must be updated continually; doing the first one well ensures a repeatable process even with staff turnover.

Better organizational knowledge: knowing the institution's security weaknesses gives a clear picture of where the organization needs to improve.

Avoids data breaches: data breaches can have a huge financial and reputational impact on any organization.

Avoids legal issues: customer data stolen because you failed to comply with HIPAA, PCI DSS or APRA CPS 234 exposes the company to legal consequences.

Avoids application downtime: internal and customer-facing systems have to be available and working for employees and customers to do their jobs.

Avoids data loss: theft of trade secrets, code, or other key information assets could cost you market share to competitors. Cyber risk assessments are also integral to information risk management and the wider risk management strategy of any company. Ideally the company has in-house staff who can manage the assessment. This means IT staff who understand how the digital and network infrastructure works, managers who understand how information flows, and any proprietary organizational knowledge that may be useful during the assessment. Organizational transparency is essential to a thorough cyber risk assessment.

Small companies may not have the right people in-house to do a thorough job and may have to outsource the assessment to a third party. Organizations also turn to cybersecurity software to monitor their security rating, prevent breaches, send security questionnaires, and reduce third-party risk.

3.1. Risk Identification

Hacking and unknown threats can be avoided if basic protection principles are followed (Daria & Massel, 2018).

  • Layering: network protection needs to be built in layers. A single security measure may be fairly easy for an attacker to circumvent; layered protection increases the chance that an attacker will lack the expertise or tools to defeat every layer of defence. Often a thwarted tactic is enough to prevent further attacks.
  • Limiting: restricting access to information reduces the threat against it. Only those who need the information to do their jobs should be exposed to it, so the access granted to a person is limited to what that person needs to know. Layers should also be diverse: if attackers breach one layer, the same technique should not work against the next.
  • Diversity and obscurity: using different types of security means a single weakness does not compromise the whole system. Obscurity means not revealing the type of computer, operating system, software, or internet connection a system uses, because an attacker who knows those details can more quickly identify the weaknesses the system needs to fix.
  • Simplicity: security is complex by its very nature. Specific security systems can be hard to understand, configure and feel comfortable with. As far as possible, a secure system should be easy to understand and use by everyone working within it.

3.2. Risk Analysis

PwC's 2017 Annual Corporate Directors Survey found that almost 40 per cent of directors are confident their business has identified its most important and critical digital assets, and that about 25 per cent have little or no confidence that the organization has identified potential threats and attackers. That is why risk identification is an essential step in establishing a cybersecurity risk management strategy. It includes describing the firm's specific risks and attackers, identifying the corporation's most valuable assets, and evaluating the company's current digital readiness and cybersecurity framework.

At this stage, companies should concentrate on collecting accurate information about the current state of cybersecurity in the company and on building relationships with the technology and business leaders in the organization, who can give a deeper understanding of whether the business is doing enough. Companies have to collect and analyse essential knowledge about their own IT landscape (and the cyber-risk capabilities across their whole supply chain) and compare the results with industry benchmarks. Without that context, it is difficult to accurately assess the amount of risk facing the business (de Gusmão, 2018).

Cyberspace is the set of computer-controlled information and communication networks available to everyone. It is a broad, technology-enabled network that incorporates means of navigation, representations of objects of interest, and communication and management elements for critical processes. The Internet is its single most important component, present in more than 221 countries and carrying around a million applications. Cyberspace also includes the national and international telecommunications infrastructure, including the landline telephone networks of most telecommunications groups and the internet networks, satellite telecommunications among them. These telecommunications facilities rely heavily on computer technology beyond the internet, so in our understanding they form part of the virtual environment.

Capital

Any potential economic loss, inconvenience, or reputational harm to an organization resulting from some deterioration of its information systems.

Risk

Any malicious act that aims to gain access to computing resources without the permission or consent of their owners.

Threat actor

A path or means used by an attacker to reach the target.

Security vulnerabilities

A flaw in hardware, software, or an organization's policies and procedures that could make a communications network vulnerable to exploitation and undermine the security of communications.

Attack vector / Threat vector

Analysis, identification, and target selection, often carried out by mining social networking sites, organizational conference listings, password and credential discussion forums, social interactions, or relevant technical details.

Attack surface

The primary objective is typically data exfiltration, which requires the targeted information to be collected, encrypted, and extracted.

3.3. Risk Evaluation

Organizations of all types and sizes that work with information to achieve their goals face a range of challenges that can affect their information management operations. Computer networks may be responsible for processing, distributing, or controlling data to achieve various organizational goals.

Introduction to ransomware

Ransomware is a kind of malware designed to lock users out of their computer or files until the victim pays a ransom. Ransomware is not just time-consuming; it intimidates its victims, and eventually the user has to pay the ransom the software demands. Although ransomware has usually targeted individuals, it is only a matter of time before businesses are threatened too. The way ransomware gets onto a computer is much the same as for other malware: texts and emails claiming to contain important files, drive-by downloads from compromised sites or even ads that appear safe, bogus anti-malware/anti-virus products, bogus update alerts for popular applications, exploit kits, and social networking contacts encouraging people to click on messages.

Businesses must regularly review their cyber incident management and crisis response plan to keep it up to date and appropriate for the threat landscape and the needs of the business. A business's response to an incident must be driven by a plan specific to its sector and fine-tuned through simulated breaches (Garman, Johnson & McFarland, 2018). The incident response plan is a key component of cybersecurity risk management since it sets out a descriptive, comprehensive sequence of actions.

It is developed and practised through the company's tabletop exercises, centred on the information about its potential threats and attackers, its own control procedures and capabilities, and its project management mechanisms. Regular plan review and simulation through tabletop exercises is important for evaluating the consistency of the defined roles and responsibilities of those involved and for identifying weaknesses in prevention and contingency planning procedures. Executives and other managers must be involved, and following the last exercise they should ask what improvements or adjustments have been made to the program.

As new ransomware variants appear frequently, it can be difficult to stay informed about the different strains. Although each flavour of malware is distinct, they often rely on similar tactics to take advantage of the situation and hold data hostage with impunity. Let us take a deeper look at prominent ransomware cases.

Bad Rabbit: a ransomware strain that has attacked businesses in Russia and Eastern Europe. Bad Rabbit spreads through malicious sites posing as a fraudulent Adobe Flash update. Once a device is infected, victims are directed to a payment page demanding 0.05 in cryptocurrency.

Crysis: Crysis ransomware encrypts files on fixed, removable, and network drives using a strong encryption mechanism that makes it almost impossible to crack in a reasonable timeframe. It is typically spread via email attachments that use a double file extension, making an executable look like a non-executable file. It can also masquerade as a legitimate installer.

GoldenEye: GoldenEye is similar to the infamous Petya malware. Cybercriminals distribute GoldenEye ransomware through a massive campaign targeting human resources departments. Once the file is downloaded, a process begins that encrypts documents on the computer. GoldenEye appends a random 8-character string to the end of every file it encrypts. The ransomware also modifies the MBR of the victim's hard drive.

Locky: Locky's technique is similar to that of several other types of malware. The malware is distributed as a document attached to an email. The document appears garbled when opened, and the user is instructed to enable macros to read it. Once macros are enabled, Locky starts encrypting a wide range of file types using AES encryption. It also modifies the MBR of the client's hard drive.

The working mechanism

Several vectors exist by which ransomware can get onto a computer. One of the most common delivery methods is phishing spam: attachments sent to the victim by email, disguised as a file they should trust. Once downloaded and opened, they can take over the victim's computer, especially if they include built-in social engineering tools that trick users into granting administrative access. Other, more aggressive forms of ransomware, such as NotPetya, exploit security holes to infect computers without needing to trick users.

There are several things the malware might do once it has taken over the victim's computer, but the characteristic action is to encrypt some or all of the user's files. The most important thing to know is that at the end of the process the files cannot be decrypted without a cryptographic key known only to the attacker. The user is told that the files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker. In some variants, the attacker poses as a law enforcement agency shutting down the victim's computer because of pornography or pirated software on it and demands payment of a "fine", perhaps to make victims less likely to report the attack to the authorities.
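The behaviours described in the variant list above (GoldenEye appending a random 8-character extension to every file it encrypts, Crysis arriving as a double-extension attachment and touching fixed, removable and network drives alike) are exactly what an endpoint detection rule can watch for. The following Python is an added illustration written for this report's topic; it is not code from the report or from any product. The event log, the thresholds, the extension lists and the allowlist of legitimate 8-character extensions are all constructed assumptions.

```python
"""Endpoint heuristics for the ransomware behaviours discussed above (added example).

EVENTS is a constructed stand-in for an endpoint agent's file-activity log:
seconds since start, process name, operation, path (and old path for renames).
The log format, thresholds and extension lists are assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List

# GoldenEye-style random extension: exactly 8 letters/digits appended after the real one.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{8}$")
KNOWN_8CHAR_EXTS = {"markdown", "manifest", "template"}   # assumed allowlist of legitimate 8-char extensions
EXEC_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

EVENTS = [  # constructed sample telemetry, not real data
    {"t": 0, "proc": "WINWORD.EXE", "op": "open", "path": r"C:\Users\alice\Downloads\Invoice_2020.docm"},
    {"t": 1, "proc": "WINWORD.EXE", "op": "create", "path": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"t": 2, "proc": "explorer.exe", "op": "create", "path": r"C:\Users\alice\Downloads\scan_0412.pdf.exe"},
    {"t": 5, "proc": "upd.exe", "op": "rename", "old": r"C:\Users\alice\Documents\contract.docx",
     "path": r"C:\Users\alice\Documents\contract.docx.k8d2q1xz"},
    {"t": 6, "proc": "upd.exe", "op": "rename", "old": r"C:\Users\alice\Documents\brief.pdf",
     "path": r"C:\Users\alice\Documents\brief.pdf.p0m3v7ra"},
    {"t": 7, "proc": "upd.exe", "op": "rename", "old": r"E:\backup\clients.xlsx",
     "path": r"E:\backup\clients.xlsx.z4n9t1bq"},
    {"t": 8, "proc": "upd.exe", "op": "rename", "old": r"\\fileserver\cases\smith.docx",
     "path": r"\\fileserver\cases\smith.docx.h6j2w5ec"},
    {"t": 9, "proc": "upd.exe", "op": "rename", "old": r"\\fileserver\cases\jones.docx",
     "path": r"\\fileserver\cases\jones.docx.c3r8y2ml"},
    {"t": 30, "proc": "explorer.exe", "op": "rename", "old": r"C:\Users\alice\Desktop\notes.txt",
     "path": r"C:\Users\alice\Desktop\notes.md"},   # benign rename, must not alert
    {"t": 40, "proc": "upd.exe", "op": "rename", "old": r"C:\Users\alice\Pictures\holiday.jpg",
     "path": r"C:\Users\alice\Pictures\holiday.jpg.q9s4f7kd"},
]


def drive_root(path: str) -> str:
    """Local drive letter or UNC server name; Crysis-style strains span all of them."""
    if re.match(r"^[A-Za-z]:\\", path):
        return path[:2].upper()
    if path.startswith("\\\\"):
        return path.split("\\")[2].upper()
    return "?"


def is_double_extension(path: str) -> bool:
    """document.pdf.exe style name: an executable disguised as a document."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS


def is_random_extension(path: str) -> bool:
    """Final extension looks like a random 8-character string and is not a known one."""
    ext = path.rsplit(".", 1)[-1]
    return bool(RANDOM_EXT.match(ext)) and ext.lower() not in KNOWN_8CHAR_EXTS


def detect_mass_rename(events: List[Dict], threshold: int = 5, window: int = 60) -> List[Dict]:
    """Alert when one process renames >= threshold files to random-looking extensions within `window` seconds."""
    per_proc: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["op"] == "rename" and is_random_extension(e["path"]):
            per_proc[e["proc"]].append((e["t"], e["path"]))
    alerts = []
    for proc, hits in per_proc.items():
        hits.sort()
        for i in range(len(hits)):
            burst = [h for h in hits[i:] if h[0] - hits[i][0] <= window]
            if len(burst) >= threshold:
                alerts.append({"proc": proc, "files": len(burst),
                               "drives": {drive_root(p) for _, p in burst},
                               "first": burst[0][1]})
                break  # one alert per process is enough
    return alerts


def analyse(events: List[Dict]) -> Dict[str, list]:
    """Run both heuristics over the log and return the findings."""
    return {
        "mass_rename": detect_mass_rename(events),
        "double_extension": [e["path"] for e in events
                             if e["op"] in ("create", "rename") and is_double_extension(e["path"])],
    }


if __name__ == "__main__":
    for kind, findings in analyse(EVENTS).items():
        for f in findings:
            print(f"[{kind}] {f}")
```

The mass-rename rule keys on the rate of renames and the shape of the new extension rather than on any one strain's extension, so it also covers variants that use a different random string per file; the drive summary in the alert shows at a glance whether a network share or removable drive has already been touched, which is the first thing an incident responder wants to know.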

Potential threats

While most ransomware attacks are opportunistic, spread by indiscriminate infection methods such as those described above, in some extreme cases attackers deliberately target a victim. This can occur when actors realize that a vulnerable entity has been compromised, or through specific targeting efforts. Ransomware functionality has also progressed to include credential harvesting, participation in hierarchical phishing scams, and anti-detection components. A further trend is attacking web-based documents together with the backup data stores behind them. Numerous variants also target smartphones and Internet of Things devices.

Risk Treatment / Recommendations

Many organizations don't have an unlimited information risk mitigation budget, so it may be necessary to limit the scope to the most critical business assets. To save time and resources later, spend time first setting a standard for deciding what makes an asset critical. Most companies consider asset value, legal standing, and business importance (Vincent et al., 2019).

To assess value, there are several questions you can ask:

  • Are there financial or legal penalties associated with exposing or losing this data?
  • How valuable is this information to a competitor?
  • Could the information be recreated from scratch?
  • How long would that take, and what would it cost?
  • Would losing this information affect revenue or productivity?

Classify and manage assets. The first step is to identify the assets to evaluate and determine the scope of the assessment. This lets you decide which assets to analyse. You probably do not want to analyse every building, employee, electronic record, trade secret, vehicle, and office supply. Remember, not all assets are equal in value.

To build an inventory of all important assets, you will have to work with business users and management. Where applicable, gather the following details for each asset: software, hardware, data, interfaces, end-users, IT security policy, IT security architecture, network topology, information storage, information flow, technical security controls, data security controls.

Now it is time to move from what has occurred to what could happen. A vulnerability is a weakness that an attacker could exploit to breach security, harm your company, or steal sensitive data. Vulnerabilities are identified through vulnerability analysis, audit reports, the National Institute of Standards and Technology (NIST) vulnerability database, vendor data, and the information security team.
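The procedure laid out in this section (answer the valuation questions for each asset, scope the inventory to what matters, pair each asset with the threats and vulnerabilities found, then pick the most cost-effective treatment, which is also the last of the three questions in section 3) can be captured in a small risk register. The Python below is an added worked example written for this report, not part of the original assessment or any vendor tool. The assets, owners, likelihood values, control costs and residual scores are constructed for the law firm scenario, and the 5x5 likelihood-by-impact scoring and the band cut-offs are a generic qualitative model the report does not prescribe.

```python
"""Qualitative risk register for the small law firm (added example, not from the report).

Constructed sample data: the assets, likelihood values, control costs and
residual scores are illustrative assumptions. The 5x5 likelihood-by-impact
scoring and the band thresholds are a generic model, not the report's own.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Asset:
    name: str
    owner: str
    legal_exposure: int     # 1-5: fines or liability if the data is exposed or lost
    competitor_value: int   # 1-5: how valuable the data would be to a rival
    recreatable: bool       # could it be rebuilt from scratch?
    revenue_impact: int     # 1-5: effect of loss on revenue or productivity

    def impact(self) -> int:
        """Impact 1-5: the worst valuation answer, plus one if the data cannot be recreated."""
        worst = max(self.legal_exposure, self.competitor_value, self.revenue_impact)
        return min(worst + (0 if self.recreatable else 1), 5)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int         # 1-5: from vulnerability scans, audit reports, vendor data

    def score(self) -> int:
        return self.likelihood * self.asset.impact()

    def band(self) -> str:
        s = self.score()
        return "critical" if s >= 15 else "high" if s >= 8 else "medium" if s >= 4 else "low"


@dataclass
class Treatment:
    risk: Risk
    control: str
    cost: float                       # assumed one-off cost in dollars
    new_likelihood: int
    new_impact: Optional[int] = None  # None: the control changes likelihood only

    def residual(self) -> int:
        impact = self.risk.asset.impact() if self.new_impact is None else self.new_impact
        return self.new_likelihood * impact

    def reduction_per_dollar(self) -> float:
        """Score points removed per dollar: the 'most cost-effective way' question."""
        return (self.risk.score() - self.residual()) / self.cost


def sample_register() -> List[Risk]:
    """Constructed register for the law firm scenario, highest score first."""
    case_files = Asset("Client case files", "Partners", 5, 4, False, 4)
    billing = Asset("Billing system", "Management consultant", 4, 2, False, 5)
    website = Asset("Public website", "IT provider", 1, 1, True, 2)
    risks = [
        Risk(case_files, "Ransomware via phishing attachment", "Office macros enabled; no offline backup", 4),
        Risk(case_files, "Unauthorised access by departing staff", "Shared logins, no MFA", 3),
        Risk(billing, "Ransomware via phishing attachment", "Same mailbox, same macro setting", 4),
        Risk(website, "Defacement", "Unpatched CMS", 3),
    ]
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def sample_treatment_plan() -> List[Treatment]:
    """Candidate controls ranked by risk reduction per dollar (assumed costs)."""
    by_key = {(r.asset.name, r.threat): r for r in sample_register()}
    ransom = by_key[("Client case files", "Ransomware via phishing attachment")]
    access = by_key[("Client case files", "Unauthorised access by departing staff")]
    web = by_key[("Public website", "Defacement")]
    plan = [
        Treatment(ransom, "Block macro attachments at mail gateway", 500.0, 2),
        Treatment(ransom, "Offline backups with tested restore", 3000.0, 4, new_impact=3),
        Treatment(access, "Individual accounts with MFA", 1200.0, 1),
        Treatment(web, "Patch CMS and enable auto-updates", 400.0, 1),
    ]
    return sorted(plan, key=lambda t: t.reduction_per_dollar(), reverse=True)


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.band():8} {r.score():2}  {r.asset.name}: {r.threat} ({r.vulnerability})")
    for t in sample_treatment_plan():
        print(f"{t.reduction_per_dollar():.4f} points/$  {t.control}")
```

Two design points worth noting: a control that only adds recoverability (offline backups) is modelled as lowering impact rather than likelihood, which is why it ranks below the cheap mail-gateway change even though it addresses the same critical risk; and the register is sorted before treatments are chosen, so the scope question from section 4 (which assets are worth the effort) is answered by the data rather than by whoever is loudest in the meeting.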

The National Institute of Standards and Technology (NIST) suggests including cybersecurity risk assessment training for staff and business partners in the onboarding phase. It is essential for corporate managers to communicate their cybersecurity risk assessment strategy to all staff and to ensure they understand what is at risk and why it matters. Useful approaches include:

  • Focus group meetings (assessing the organization's situation, its current information security policy, the kinds of cyber threats facing it, and where its critical assets are located)
  • Participation in industry initiatives and seminars (focused on cyber risk monitoring)
  • Inviting law enforcement (e.g. the FBI) and other cybersecurity specialists to brief staff on the latest threats.

4. References for Cyber Security Risk Assessment

Bingham, S. J. (2019). U.S. Patent No. 10,193,921. Washington, DC: U.S. Patent and Trademark Office.

Daria, G., & Massel, A. (2018). Intelligent System for Risk Identification of Cybersecurity Violations in Energy Facility. In 2018 3rd Russian-Pacific Conference on Computer Technology and Applications (RPC) (pp. 1-5).

de Gusmão, A. P. H., Silva, M. M., Poleto, T., e Silva, L. C., & Costa, A. P. C. S. (2018). Cybersecurity risk analysis model using fault tree analysis and fuzzy decision theory. International Journal of Information Management, 43, 248-260.

Garman, J. A., Johnson, B., & McFarland, J. J. (2018). U.S. Patent Application No. 15/704,676.

Khalid, Y., & Shahbaz, N. (2020). U.S. Patent No. 10,587,647. Washington, DC: U.S. Patent and Trademark Office.

Vincent, M., Thioux, E., Vashisht, S., & Kindlund, D. (2019). U.S. Patent No. 10,341,363. Washington, DC: U.S. Patent and Trademark Office.
