Here is an example of how to manage an IT /Cyber risk using the DREAD framework:
Let's say that a company wants to implement a new CRM IT system that will process sensitive customer data on-prem or in the cloud. The company's IT department identifies a risk associated with the new system, which is that the system may be vulnerable to cyber attacks that could compromise customer data.
To manage this risk using the DREAD framework, the following steps could be taken:
- Damage potential: Assess the potential damage that could result from a cyber attack, such as the loss of customer data or damage to the company's reputation.
- Reproducibility: Assess the likelihood of the cyber attack being reproducible, or whether it is a one-time occurrence or can be repeated.
- Exploitability: Assess the easiness with which a cyber attacker could exploit the vulnerability in the system.
- Affected users: Assess the number of users who could be affected by the cyber attack.
- Discoverability: Assess the easiness with which the vulnerability could be discovered by cyber attackers.
- Once these factors have been assessed, the IT / Cyber security department can use the results to prioritize the risk and determine the appropriate risk response. For example, if the assessment shows that the potential damage from a cyber attack is high and the exploitability is also high, then the IT department may choose to implement more rigorous security controls to mitigate the risk.
By following these 6 steps using the DREAD framework, the company can effectively manage the IT / Cyber risk associated with the system, the company can prioritize its risk response, and effectively manage the risk of cyber attacks.
