Not every vulnerability needs to be patched or even strengthened. To make an informed decision, risks need to be put into context.
However, on the human side, most businesses do not have a good way of viewing or understanding their risk context.
The key elements of cyber security risks are:
1. Asset value – What’s the potential impact of a breach?
2. Threat level – What’s the capability and likelihood of each threat?
3. Vulnerability level – Inverse of “strength” of a control or safeguard
When any of these increases, the risk rises. All risks need to be ordered and compared, and a risk tolerance level established.
When you have this methodology in place, it’s much easier to decide when it is appropriate to patch a vulnerability.
Photo via Getty Images & Unsplash+
For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges. (Limited time offer. Normally valued at $999 USD)
Use Promo Code: 6WEEKS
This is really important with “people”, because we can easily overwhelm people with too many tasks and things to remember. It’s better to show people the key principles and have them practice them regularly, in order to absorb them into the culture, rather than saying, “…and you need to do this, and avoid this other thing.”
Keep it simple, and focus on the most important, actionable processes, from a risk perspective.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.