
What companies need to know about cybersecurity risk management frameworks


Written by Michael Feder


Reviewed by Kathryn Uhles, MIS, MSP, Dean, College of Business and IT


The state of cybersecurity: Risks and opportunities

Cybercrime continues to be a growing concern for businesses and individuals. Worldwide, the cost of hacks, data breaches and ransomware is currently estimated at $6 trillion per year, a figure expected to rise to $10.5 trillion by 2025. The numbers alone show that the problem isn’t going away. The practical question for each company is one of risk level: how vulnerable is its infrastructure to a cyberattack?

While attackers have increasingly turned to ransomware (encrypting data and demanding payment before restoring access to it), instances of long-standing problems like phishing, extortion and identity theft have doubled in the past few years.

As a result, companies and individuals must protect themselves from an ever-growing list of cyber threats. Many of those threats are preventable: most attackers rely on stolen login credentials, malware, social engineering or similar methods that companies can counter with security controls and sound cybersecurity practices. Running a cybersecurity risk assessment to identify the threats that actually apply to the organization is a good start, and a risk management framework gives that assessment structure.

Here’s a closer look at how companies can use cybersecurity frameworks to manage security risk and combat hackers.

What is a cybersecurity risk management framework? 

According to the National Institute of Standards and Technology, a “risk management framework (RMF) provides a process that integrates security, privacy and cyber supply-chain risk management activities into the system development life cycle.”

A framework spans the full life cycle of cybersecurity risk. It does not eliminate risk, but it provides a repeatable way to identify, assess, monitor, reduce and respond to it. Because its controls are built into the design of the network and its systems rather than bolted on afterward, identifying, assessing and remediating cyber risks becomes more effective.

In addition to protection and prevention, a framework calls for traffic monitoring and other detection tooling that surfaces suspicious activity. Operators then assess each alert and decide whether it represents a real risk. If it does, they categorize the danger and choose the appropriate response.

Because it lays out each step in the process and forces the organization to consider the threats it actually faces, a cybersecurity framework provides a more holistic approach than a collection of isolated measures.

Who needs a cybersecurity risk management framework? 

Risk management frameworks are typically adopted by mid-size and large companies or organizations. Individuals and small companies can borrow some of the risk management strategies that larger firms rely on, but a full framework usually isn’t necessary unless the company handles sensitive data or has some other heightened risk factor.

The number of digital systems continues to grow, and the list of possible threats grows with it. For large organizations and companies, a risk management framework is becoming ever more important.

What threats do frameworks protect against? 

The goal of a risk management framework is to protect against as many types of threats as possible. In today’s cybersecurity climate, such systems pay special attention to three types of dangers. 

Malware

In 2018, there were more than 812 million malware infections. Malware is malicious software that runs on a system without its owner’s consent; it typically arrives as a file or installer that an unwitting user opens, and then persists on the system.

Malware can do a lot of damage, including:

  • Transmitting data to a hacker
  • Providing access to a hacker
  • Tracking keystrokes or activity of system users
  • Installing ransomware programs that encrypt system data and make it unusable 

There are many types of malware, but the vast majority of these unwanted programs arrive as email attachments, as trojanized downloads (including from app stores) or through malicious sites masquerading as legitimate ones.

In addition to teaching users and employees to avoid such downloads, a company can improve its email filtering and have users work under non-administrator accounts, which limit what a malicious download can reach on the machine and on the network. Network monitoring can also help locate unusual activity, such as a workstation sending far more data out of the network than it normally does.

Ransomware

Ransomware is a kind of malware that encrypts files on a system or device, making it unusable. The attackers hold the key needed to decrypt the data, and they demand payment before handing it over to the company that owns the system, if they hand it over at all.

The potential profits have made these attacks more prevalent. However, companies can fight back. The most effective defense, aside from standard anti-malware measures, is to keep complete backups of system data. Then, if an attacker breaks in and encrypts the data, the company can restore from backup and resume operations rather than pay. For this to work, at least one backup copy must be kept offline or otherwise out of reach of the compromised network, because ransomware operators routinely encrypt or delete any backups they can reach first, and restores must be tested before they are needed.

Data breaches

In a data breach, hackers steal personal data, financial information or trade secrets, which they can sell to third parties. 

Recent targets have included healthcare service providers. While healthcare organizations have been targets of ransomware (the urgency of healthcare services makes them more likely to pay), breaches can be just as destructive. Hackers have stolen medical records, Social Security numbers and other patient data. One of the most well-known hacks of all time was a data breach at a credit reporting bureau that compromised the financial information of millions of people.

These breaches usually leave a trace in network traffic, because the stolen data has to leave the network: an unusual volume of outbound traffic, or transfers to an unfamiliar destination, is a common sign. Encryption of data at rest and in transit, anti-malware software, multifactor authentication, and network segmentation that requires separate credentials to reach areas holding sensitive data all help mitigate the risk of a data breach.
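Monitoring for the unusual outbound traffic just described, as an added example that is not part of the original article: the script below reads constructed NetFlow-style records (timestamp, source, destination, port, bytes), totals what each internal host sends to external addresses, and flags hosts whose daily outbound volume is far above the population median, reporting how much of it went to a single destination. The 10.0.0.0/8 internal range, the thresholds and the sample flows are assumptions for illustration; a real deployment would compare each host against its own historical baseline rather than one day’s median. The same logic illustrates the network monitoring mentioned under Malware and the traffic monitoring a framework calls for.

```python
"""Flag internal hosts whose outbound traffic looks like data exfiltration.

Added example, not code from the original article. Input is constructed,
NetFlow-like text: "timestamp src_ip dst_ip dst_port bytes". The internal
address range, thresholds and sample flows are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organization's internal range

# Constructed sample flows for one day. Three workstations show ordinary
# browsing (documentation-range destinations); 10.0.0.13 also copies a large
# file to an internal server, which is not exfiltration; 10.0.0.12 pushes
# roughly 2 GB to one external host late in the evening.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.0.0.11 203.0.113.10 443 120000
2024-03-01T09:05:00 10.0.0.11 203.0.113.25 443 340000
2024-03-01T09:10:00 10.0.0.13 203.0.113.10 443 95000
2024-03-01T09:12:00 10.0.0.13 10.0.5.20 445 8000000
2024-03-01T09:20:00 10.0.0.14 203.0.113.25 443 210000
2024-03-01T09:30:00 10.0.0.12 203.0.113.10 443 110000
2024-03-01T22:10:00 10.0.0.12 198.51.100.7 443 900000000
2024-03-01T22:40:00 10.0.0.12 198.51.100.7 443 1200000000
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def outbound_by_host(flows):
    """Bytes sent from each internal host to each external destination.

    Internal-to-internal traffic (e.g. a copy to a file server) is ignored,
    since only data that leaves the network counts as exfiltration.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            totals[flow["src"]][flow["dst"]] += flow["bytes"]
    return {host: dict(dsts) for host, dsts in totals.items()}


def find_exfil_candidates(flows, ratio=10.0, min_bytes=100_000_000, baseline_bytes=None):
    """Return hosts whose external outbound volume is at least `ratio` times the
    baseline and at least `min_bytes` (an absolute floor so that a quiet day does
    not produce alerts). If no historical baseline is supplied, the median of
    today's per-host totals is used as a stand-in (an assumption; the median is
    robust to one outlier but not to a widespread compromise).
    """
    per_host = outbound_by_host(flows)
    if not per_host:
        return []
    host_totals = {host: sum(dsts.values()) for host, dsts in per_host.items()}
    if baseline_bytes is None:
        baseline_bytes = median(host_totals.values())
    hits = []
    for host, total in host_totals.items():
        if total < min_bytes or total < ratio * baseline_bytes:
            continue
        top_dst, top_bytes = max(per_host[host].items(), key=lambda kv: kv[1])
        hits.append({"host": host, "bytes": total, "baseline": baseline_bytes,
                     "top_dst": top_dst, "top_share": top_bytes / total})
    hits.sort(key=lambda hit: hit["bytes"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['host']}: {hit['bytes']:,} bytes out "
              f"({hit['bytes'] / hit['baseline']:.0f}x baseline), "
              f"{hit['top_share']:.0%} of it to {hit['top_dst']}")
```

Run as a script, it reports only 10.0.0.12. The ratio and byte floor are the knobs to tune per environment; legitimate bulk senders such as backup agents and cloud sync clients should be listed and excluded before alerting, or they will dominate the output.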

Types of frameworks

There are several types of frameworks. Each relies on slightly different steps and strategies to mitigate risk. Here is a look at three of the most common options for companies and organizations.

NIST CSF

The NIST Cybersecurity Framework favors proactivity. Cybersecurity team members assess the organization against the framework’s core outcomes (roughly 100 subcategories grouped under the functions Identify, Protect, Detect, Respond and Recover, joined by Govern in version 2.0), looking for gaps and vulnerabilities. They also pay attention to the latest cybersecurity intelligence and add protections that account for new threats.

With this information, the team assesses the risk level of each threat, weighing both its likelihood of occurrence and the potential damage it could cause, and then prioritizes protection and mitigation for the most serious threats.

ISO/IEC 27001

ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), specifies the requirements for an information security management system (ISMS), and organizations can be certified against it. Its risk management clauses focus on identifying and assessing risks: the organization defines risk acceptance criteria, keeps them current and repeatedly assesses threats against the latest criteria.

In addition to requiring audits of the risk assessment process to ensure it produces consistent, comparable results, the standard is meant to identify risks of breaches and other cybersecurity threats so that team members can respond in proportion to the level of risk.

FAIR™ framework

FAIR (Factor Analysis of Information Risk), the model promoted by the FAIR Institute, has very specific steps. It favors a quantitative, proactive strategy: risk is expressed in financial terms as the frequency of loss events multiplied by their magnitude, with each factor estimated as a range rather than a single number, so that the analysis produces enough data to make informed management decisions.

There is also a holistic element to FAIR because it assesses cybersecurity risk as a whole, including people, processes and policies. It is described as a cost-effective option because it does not simply focus on adding new technology or investing in new systems; it directs spending toward the scenarios with the largest expected loss.
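As an added example (not the FAIR Institute’s tooling or code from the original article), the following Python script applies the FAIR decomposition, annual loss = loss event frequency × loss magnitude, to three constructed scenarios. Each input is a (minimum, most likely, maximum) estimate sampled from a triangular distribution, and a Monte Carlo run yields a distribution of annualized loss from which management can read the median, 90th and 99th percentiles and rank scenarios. The scenario names and figures are invented for illustration. The same output serves the likelihood-times-impact prioritization described under NIST CSF above, with a money-valued distribution in place of a qualitative score.

```python
"""FAIR-style quantitative risk ranking by Monte Carlo simulation.

Added example, not code from the original article or the FAIR Institute.
Risk is decomposed FAIR-style as annual loss = loss event frequency (LEF)
x loss magnitude (LM). Every input is a (min, most likely, max) estimate
drawn from a triangular distribution; all scenario figures are constructed.
"""
import random
from statistics import mean

# Constructed scenarios: LEF in loss events per year, magnitude in USD per event.
SCENARIOS = {
    "ransomware on file servers": {
        "lef": (0.1, 0.5, 2.0),
        "magnitude": (200_000, 1_500_000, 8_000_000),
    },
    "phishing-led credential theft": {
        "lef": (2.0, 6.0, 15.0),
        "magnitude": (5_000, 40_000, 400_000),
    },
    "misconfigured cloud bucket": {
        "lef": (0.05, 0.2, 1.0),
        "magnitude": (50_000, 300_000, 5_000_000),
    },
}


def sample_triangular(rng, estimate):
    """Draw one value from a (min, most likely, max) estimate."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def simulate_annual_loss(scenario, trials=20_000, seed=7):
    """Return `trials` samples of annualized loss for one scenario.

    LEF is treated as a rate, so annual loss = LEF sample x LM sample (the
    simplest FAIR formulation; drawing a Poisson event count and summing
    per-event losses would be the next refinement). A fixed seed keeps the
    results reproducible between runs.
    """
    rng = random.Random(seed)
    return [
        sample_triangular(rng, scenario["lef"]) * sample_triangular(rng, scenario["magnitude"])
        for _ in range(trials)
    ]


def percentile(values, p):
    """Nearest-rank percentile, p in [0, 1]; adequate for thousands of samples."""
    ordered = sorted(values)
    return ordered[round((len(ordered) - 1) * p)]


def expected_annual_loss(scenario):
    """Closed-form mean used to sanity-check the simulation:
    E[triangular] = (min + mode + max) / 3, and LEF and LM are independent."""
    return mean(scenario["lef"]) * mean(scenario["magnitude"])


def rank_scenarios(scenarios=SCENARIOS, trials=20_000, seed=7):
    """Simulate every scenario and sort by 90th-percentile annual loss (tail risk)."""
    rows = []
    for name, scenario in scenarios.items():
        losses = simulate_annual_loss(scenario, trials, seed)
        rows.append({
            "scenario": name,
            "mean": mean(losses),
            "p50": percentile(losses, 0.50),
            "p90": percentile(losses, 0.90),
            "p99": percentile(losses, 0.99),
        })
    rows.sort(key=lambda row: row["p90"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in rank_scenarios():
        print(f"{row['scenario']:<32} mean ${row['mean']:>12,.0f}  "
              f"p50 ${row['p50']:>12,.0f}  p90 ${row['p90']:>12,.0f}  "
              f"p99 ${row['p99']:>12,.0f}")
```

Ranking by the 90th percentile rather than the mean is deliberate: the tail is what a budget has to absorb, and two scenarios with similar averages can differ greatly in worst-case loss. The triangular distribution is a stand-in for the PERT or lognormal distributions practitioners usually fit to calibrated estimates; the structure of the analysis does not change.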

As you can see, there are various risk management frameworks. Which one a company uses depends on factors such as company size, level of security risk and other specific needs. Those who work with these frameworks directly contribute to the mission-critical processes that keep a company safe.

Choosing a cybersecurity risk management program after a thorough assessment can help curb security issues over the long term, so it’s worth the effort to find the one that fits your organization or business.

Cybersecurity programs at University of Phoenix

Does cybersecurity risk management interest you? Consultants and IT employees who deal with risk management frameworks typically have a technology degree. While a bachelor’s in information technology will typically give you the background necessary for a job in the cybersecurity field, you can also pursue a more specialized education with a degree like a bachelor’s in cybersecurity.

If you work for a large corporation or government agency, you may choose to pursue a master’s degree in cybersecurity.

University of Phoenix offers online course collections, certificates, bachelor’s degrees and master’s degrees to accommodate established and aspiring IT professionals looking to enhance their knowledge in this field. Learn more about undergraduate and graduate online technology degrees from UOPX and start your IT journey today!

  • Associate of Science in Cybersecurity: The International Council of E-Commerce Consultants (EC-Council) and University of Phoenix teamed up to launch the Associate of Science in Cybersecurity degree and elective courses that align with three EC-Council certification exams: Certified Ethical Hacker (CEH), Certified Network Defender (CND) and Certified Secure Computer User (CSCU). Awarded the EC-Council’s 2019 Academic Circle of Excellence Award as a result of this partnership, this program is designed to help you develop the problem-solving skills and techniques needed to defend the cyber domain from cybersecurity risk.
  • Bachelor of Science in Information Technology: Learn skills including business process, cybersecurity, information systems, operations and systems analysis. You’ll also learn how to apply key principles of systems analysis and design to selected business processes among other valuable skill sets.
  • Bachelor of Science in Cybersecurity: This online program teaches skills such as security policies, network security, cybersecurity and more. You’ll also learn how to examine an organization’s infrastructure to ensure compliance with cybersecurity standards and policies and how to prevent cyberattacks.
  • Master of Science in Cybersecurity: This online program explores cybersecurity, security policies and vulnerability. Learn how to design elements of an enterprise using standards and tactics in cybersecurity, consider ethical and privacy protocols in enterprise cybersecurity, and implement cybersecurity frameworks and policies in risk management.
  • Advanced Cybersecurity Certificate: Within this program, you can develop the technical knowledge to step into the fast-growing field of IT security, helping keep computer systems safe from data breaches and cyber attacks. Get real-life experience through hands-on IT labs and simulations while developing a broad knowledge of cybersecurity to help prepare you for your technology career.
  • Cyber and Network Defense Certificate (Undergraduate): Learn how to address a data breach or cyberattack before it happens. This certificate can show you how to take a proactive approach to network security by spotting weaknesses before hackers can exploit them. Content in this certificate program educationally prepares you to take the EC-Council Certified Ethical Hacker (CEH) exam.
  • Certified Ethical Hacker Course Collection: This course collection can help you prepare to sit for the EC-Council Certified Ethical Hacker (CEH) certification exam. Topics include the phases of ethical hacking, recognizing weaknesses and vulnerabilities of a system, social engineering, IoT threats, risk mitigation and more.
  • Certified Incident Handler Course Collection: This course collection can help you prepare to sit for the EC-Council Certified Incident Handler (ECIH) certification exam. This specialist certification focuses on how to effectively handle security breaches. 
  • Certified Network Defender Course Collection: This course collection can help you prepare to sit for the entry-level EC-Council Certified Network Defender (CND) certification exam. Courses focus on protecting a network from security breaches before they happen.
  • Computer Hacking Forensics Investigator Course Collection: This course collection can help you prepare to sit for the EC-Council Computer Hacking Forensics Investigator (CHFI) certification exam. Learn about the latest technologies, tools and methodologies in digital forensics, including the dark web, IoT, malware, the cloud and data forensics.

ABOUT THE AUTHOR

A graduate of Johns Hopkins University and its Writing Seminars program and winner of the Stephen A. Dixon Literary Prize, Michael Feder brings an eye for detail and a passion for research to every article he writes. His academic and professional background includes experience in marketing, content development, script writing and SEO. Today, he works as a multimedia specialist at University of Phoenix where he covers a variety of topics ranging from healthcare to IT.


ABOUT THE REVIEWER

Currently Dean of the College of Business and Information Technology, Kathryn Uhles has served University of Phoenix in a variety of roles since 2006. Prior to joining University of Phoenix, Kathryn taught fifth grade to underprivileged youth in Phoenix.


This article has been vetted by University of Phoenix's editorial advisory committee. 
