Risk management and risk treatment
1h 26m

Course Description 

This course takes a deeper look at the governance and risk elements of cybersecurity. It starts with a focus on cyber and legal frameworks, then moves into information assurance. After this, it moves into risk management and treatment, followed by service assurance and standards. Finally, the course ends with software security assurance and threat modelling.


Learning Objectives 

The objectives of this course are to provide you with an understanding of: 

  • Legislation, chain of custody, reporting and assurance within the context of a legal framework, including an overview of the Data Protection Act 2018 (DPA 2018) and the EU General Data Protection Regulation (GDPR) 
  • The drivers for UK Information Assurance, initiatives and programmes, risk assessment vs risk management, risk components 
  • Business context and risk management approach; the risk management lifecycle; who delivers risk management and where in the lifecycle; understanding the context, legal and regulatory. Risk treatment: identifying the ways of treating risks, methods of gaining assurance, understanding the nature of residual risk, collecting evidence that supports decisions, and risk management decisions 
  • Assurance perspective, including CPA, CAPS, FIPS, CE, Common Criteria and the SPF, with a summary of common industry standards (including OWASP, ISO 27001 and PCI DSS) 
  • Principles for software security, (securing the weakest link, defence in depth, failing securely, least privilege, separation of privilege), IA design principles 
  • What is threat modelling, threat modelling processes 
  • Risk mitigation options 


Intended Audience 

This course is ideal for members of cybersecurity management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications. 



There are no specific prerequisites for this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous. 



We welcome all feedback and suggestions - please contact us at if you are unsure about where to start or if you would like help getting started. 


Welcome to this video on Risk Management and Risk Treatment. In it, you’ll learn about some of the issues you need to consider when creating a risk management framework, and when deciding how best to implement any treatment plans created from a risk assessment process. We will focus on risk assessment and management, risk assessment methodologies, the importance of understanding context, legal and regulatory requirements, and HMG governance and risk management strategies.

We have already encountered the CIA triad, and you should understand that the considerations it focuses on are what drive your risk assessment and subsequent risk management processes. The diagram shows a three-phase approach to risk assessment: a business impact assessment, a threat and vulnerability assessment, and risk treatment. Phase one is the business impact assessment, or BIA: the first step is to understand how a given risk scenario could affect the organisation.

Every organisation will have a slightly different risk profile, even compared to its direct competitors, and it is important that the specific risks for the organisation are determined, not just lifted wholesale from another. Phase two, the threat and vulnerability assessment, is the granular approach to determining risk. The BIA has looked at the overall impact on the business; now we look at individual threats and vulnerabilities. The results of this analysis can feed back into the overall BIA.

In phase three, we decide how to manage our risk profile: which risk treatment plans best serve to reduce or manage it, and which controls should be implemented. The table in the diagram shows how setting the likelihood of a vulnerability being exploited against the consequence, or impact, of it happening gives us an idea of the actual risk involved. This is the risk equation (risk = likelihood × impact), and it allows risk managers to decide the order in which identified risks should be treated.

A risk assessment is the process of defining the level of risk that exists in any given activity, using the risk equation. The assessment should identify and quantify the risk. Once this has taken place, the treatment of the risk can be determined and prioritised. Risk assessment is not a one-time practice. It should be done regularly, at an interval defined either by regulatory requirements or by the organisation itself, and it should certainly be repeated if the organisation is planning a major change.
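As an added worked example (not part of the course material), the following Python models the risk equation and the prioritisation of treatment described above as a small risk register: each entry carries a likelihood and an impact on a 1-5 scale, the inherent score is likelihood × impact, a score band decides how urgently the risk is treated, and a residual score shows what remains after the listed controls. The scales, the band thresholds, the Risk and Control classes and the register entries are all assumptions constructed for illustration; they are not the course's diagram.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed 1-5 qualitative scales. Assumption: the course's own diagram is
# not reproduced here, so these labels and the band thresholds below are illustrative.
LIKELIHOOD_LABELS = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_LABELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Control:
    """A treatment applied to a risk. Each control lowers likelihood and/or
    impact by a number of steps on the 1-5 scale (hypothetical modelling choice)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One line of a risk register (hypothetical structure)."""
    ref: str
    scenario: str
    likelihood: int  # 1-5: how likely the threat is to exploit the vulnerability
    impact: int      # 1-5: consequence for the business if it does
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.ref}: likelihood and impact must be 1-5, got {value}")


def risk_score(likelihood: int, impact: int) -> int:
    """The risk equation: risk = likelihood x impact."""
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score (1-25) onto a treatment band. Thresholds are an assumption."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def inherent(risk: Risk) -> int:
    """Score before any treatment is applied."""
    return risk_score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Score after the listed controls. Neither axis can drop below 1: controls
    reduce risk, they do not remove it, which is why some residual risk always remains."""
    likelihood = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    impact = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return risk_score(likelihood, impact)


def prioritise(register: List[Risk]) -> List[Tuple[str, int, str, int, str]]:
    """Order the register for treatment: highest inherent score first, ties broken
    by impact so a severe-but-rare event is handled before a frequent nuisance.
    Returns (ref, inherent score, inherent band, residual score, residual band)."""
    ordered = sorted(register, key=lambda r: (inherent(r), r.impact), reverse=True)
    return [(r.ref, inherent(r), risk_band(inherent(r)), residual(r), risk_band(residual(r)))
            for r in ordered]


# Constructed sample register; the scenarios, scores and controls are illustrative only.
REGISTER = [
    Risk("R1", "Ransomware reaches file servers via phishing", likelihood=4, impact=5,
         controls=[Control("offline, tested backups", impact_reduction=2),
                   Control("mail filtering and staff awareness", likelihood_reduction=1)]),
    Risk("R2", "Cardholder data exposed by a misconfigured web server", likelihood=3, impact=5,
         controls=[Control("tokenisation through the payment provider", impact_reduction=3)]),
    Risk("R3", "Laptop lost in transit", likelihood=5, impact=2,
         controls=[Control("full-disk encryption", impact_reduction=1)]),
    Risk("R4", "Short office power outage", likelihood=2, impact=2),
]

if __name__ == "__main__":
    for ref, inh, inh_band, res, res_band in prioritise(REGISTER):
        print(f"{ref}: inherent {inh:2d} ({inh_band:8s}) -> residual {res:2d} ({res_band})")
```

Running the script lists the register in treatment order (R1, R2, R3, R4). Note that R1 stays in the "high" band even after both of its controls: that residual figure is what the board has to either accept explicitly or treat further, which is the decision the risk treatment phase exists to record.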

The planning and implementation of risk assessments should consider the entire organisation, bringing together the risk assessment processes carried out by individual business areas to create an overall risk profile. Any risk assessment process should always work to a pre-defined scope. It is very easy to let the coverage of a risk assessment grow, but this does not help in producing timely results. Stick to the scope of the original plan, and create new plans if further risk considerations come to light.

There are many different risk assessment methodologies available. The important thing for any organisation is to choose a methodology that fits. In making this choice, the organisation should consider exactly what the scope of the assessment should be, and what the resource requirements of covering these scopes are. The difficulty of implementation, as well as investment in training or making changes to systems are further considerations.

Finally, the overall cost of implementation will always be at the top of any board level list of considerations. All organisations, even those who have direct competitors, will have unique needs which have to be factored into any risk assessment process. Creating a model of the organisation will assist in the initial phase of business impact assessment – the organisation can identify the basic building blocks of its business such as what its primary purpose is; who it sells to; its supply chain; the processes the business requires to run; and how the business is managed.

Organisations have to operate within the law, and within any regulatory frameworks that apply to their area of business. This can add new requirements to any risk assessment process; a good example of this is the Payment Card Industry Data Security Standard, or PCI DSS. PCI DSS is a worldwide standard that was set up to help businesses process card payments securely and reduce card fraud. Although it is not a legally mandated standard, any organisation that stores, processes or transmits cardholder data is required to comply with it by its contracts with the card brands and acquiring banks, so it is effectively mandatory for working with other card data firms. 

There are many legislative standards that apply across the business landscape, no matter what the business entails. One of the recent additions to UK law, which has had an enormous impact across the entire economy, is the General Data Protection Regulation, or GDPR. This regulation originates from the European Union and is designed to standardise the approach to data protection across the whole of the EU. The GDPR became applicable in 2018, and the UK passed an updated Data Protection Act (DPA 2018) alongside it; the two need to be considered together.

Finally, the UK government published the Security Policy Framework in 2013, as a set of high-level policies on security, mainly affecting government departments and their suppliers. All of these requirements must be factored into any risk assessment process. According to the framework's website, “The Security Policy Framework describes the standards, best-practice guidelines and approaches that are required to protect UK government assets such as people, information and infrastructure.

It focuses on the outcomes that are required to achieve a proportionate and risk-managed approach to security that enables government business to function effectively, safely and securely.” The SPF mainly applies to government institutions and the organisations that supply them, but its principles can be applied to almost any other organisation and would provide a sound basis for creating a risk management programme. Much of the content of the SPF can be found in similar risk management frameworks, and is largely common sense.

The SPF provides guidance on a number of important roles which can help with a risk management programme. The Senior Information Risk Owner, or SIRO, sits at board level and is the ultimate arbiter of the organisation's risk and information security approach. A Departmental Security Officer, or DSO, manages everyday protective security. An Information Asset Owner is the person accountable for a given information asset.

Finally, the SPF suggests that risk and information security specialists should be employed to ensure that these subjects are ingrained in the organisation's business practices. That brings us to the end of this video.


About the Author

Paul began his career in digital forensics in 2001, joining the Kent Police Computer Crime Unit. In his time with the unit, he dealt with investigations covering the full range of criminality, from fraud to murder, preparing hundreds of expert witness reports and presenting his evidence at Magistrates, Family and Crown Courts. During his time with Kent, Paul gained an MSc in Forensic Computing and CyberCrime Investigation from University College Dublin.

On leaving Kent Police, Paul worked in the private sector, carrying on his digital forensics work but also expanding into eDiscovery work. He also worked for a company that developed forensic software, carrying out research and development work as well as training other forensic practitioners in web-browser forensics. Prior to joining QA, Paul worked at the Bank of England as a forensic investigator. Whilst with the Bank, Paul was trained in malware analysis, ethical hacking and incident response, and earned qualifications as a Certified Malware Investigator, Certified Security Testing Associate - Ethical Hacker and GIAC Certified Incident Handler. To assist with the team's malware analysis work, Paul learnt how to program in VB.Net and created a number of utilities to assist with the de-obfuscation and decoding of malware code.
