1. Risk Management in CyberSecurity
https://www.youtube.com/watch?v=1aX29t2wBYQ
In the video, the presenter describes steps that businesses and
other entities can take to assess, manage and secure their
operations from cyber attacks. In the initial section, the
presentation asserts that Cyber-attacks have today become more
pervasive than ever. Each and every business in the world
today, whether small or large, is at a risk of cyber-attack. Some
of the issues addressed by the video include the breach lessons
learnt in 2014 and the threats that were experienced in 2015.
More importantly, it deals with issues of the drivers behind
CuberSecurity risk management adoption. In addition, the video
talks about the most important impacts that CyberSecurity
threats have on businesses all over the world. Furthermore, it
deals with the frequency of assessing the risks and the benefits
of continuous monitoring of security. Moreover, a tool known
as Aegify automated tool is described in details. The tool is
used in the management of risk, security and compliance.
Today in the world of technology, there have been numerous
inventions such as Machine Learning (ML) and Artificial
Intelligence (AI) (Sun, pg. 4). Consequently, these new
technologies have come with the capacity to enhance the
productivity, user engagement and revenue of a company.
Nevertheless, these new technologies also come with an
increased risk pertaining to Cyber-attacks which has devastated
many businesses. Therefore, it is important for students to gain
the knowledge about these new technologies and the risks
attached to them. More importantly, the video suggest that
students need to gain the knowledge on how to assess, manage

2. and secure important assets from the impending attacks by the
technologies. From the video, students are exposed to the
factors that drive companies to adopt CyberSecurity risk
management strategies. Thus, it exposes them to important
source of information which they can employ in their future
careers as IT professionals to secure businesses from risks.
https://www.youtube.com/watch?v=Z1w0wCIOHHw
The video is a short presentation of the most fundamental
principles that should be considered to ensure formulation of an
effective CyberSecurity risk management program.
Organizations are today faced with the emergence of new
regulations on CyberSecurity risk management. CyberSecurity
risk programs incorporates computer hardware, software,
algorithms, and programming. Nevertheless, the impact of these
programs are only felt upon interaction with humans. For an
organization to claim to have an effective risk management
program, it is required to have everything, from incidence
response plan to program policies as well as breach notification
procedures. The video provides an example of the banking and
insurance companies that have to prove compliance to their
industry regulators. More importantly, however, the video
asserts that each and every business needs to understand the
importance of approaching CyberSecurity risk management
programs in a holistic manner. Furthermore, one ought to know
what to do before the real risk occurs. Finally, it is apparent
that there are certain important components of modern
CyberSecurity programs. Fundamentally, 10 principles of risk
management are provided in the presentation. The principles
include simplicity, abstraction, least privileged, domain
separation, process isolation, resource encapsulation, layering,
modularization, minimization and information hiding.
Therefore, it is pivotal for students to understand that there are
a set of principles that must be followed in-order to achieve an
effective CyberSecurity risk management (Sun, pg. 2). Risk
management principles pertain to how people and organizations
make decision concerning the use of technology. The 10

3. principles of risk management helps students to identify the
important factors to consider when engaging in the process of
risk management. For instance, when handling a less
complicated system comes with the advantage that it becomes
easier to monitor, troubleshoot and fix. In addition, it becomes
less likely to encounter any problems. All these are presented
by the principle of simplicity. On the other hand, the principle
of abstraction requires that the process comes up with a fancy
word that summarizes the events and becomes easier to
understand. Finally, the principle of least privileged states that
there should be a boundary and limits on access to your
information.
https://www.youtube.com/watch?v=9-3UXZhYyMk
The video focuses on CyberSecurity risk assessments. In the
video, data and information is presented concerning a study on
CyberSecurity risk management by different managers. The vied
therefore begins by asking the question “how effective is your
IT governance structure and what is your risk appetite?” The
presentation examines the IT structure of companies and
questions managers concerning IT compliance practices. Among
the factors that are considered are whether there is an effective
risk governance structure, whether there are effective
information risk policies and whether an adequate cyber
insurance is present. More importantly, the video provides data
on these topics for easier interpretation. For instance, that 12%
of the worst breaches in security are as a result of giving less
priority to security by managers. In addition, in the past one
year, 26% of the IT departments have not presented to their
boards reports on CyberSecurity risk management. However,
this is taking place in the age when the IT world is full of
threats.
Students benefit from the information presented in the video by
first understanding that the IT world is full of threats and these
threats require effective means to mitigate. Furthermore, the
most fundamental information from the video is the need to
form an effective risk assessment process. In-order to counter

4. the threats of Cyber-crime, it is imperative that companies come
up with better strategies. Risk assessment refers to the process
of conducting internal security audits which help companies to
keep up with the compliance programs (Lavelanet, pg. 1).
Apparently, the study carried out shows that most risk occur as
a result of negligence. Furthermore, most IT departments fail to
report the risk management processes to their boards and this
further enhances the risks. Assessing and reporting the risk
makes it easier for the company to deal with the risk. Therefore,
assessments and reporting of the risks should be conducted on a
regular basis.
https://www.youtube.com/watch?v=kOPm7rWm-J4
The video is on risk avoidance and it kicks off by stating that
risk avoidance means stopping participating in high risk
activities. In other words, risk avoidance is the direct opposite
of accepting the risk. Furthermore, the video suggests that risk
avoidance is all or nothing kind of undertaking (Bugajenko, pg.
1). The video provides the example of universities and colleges
which have access to open internet thus people take advantage
by downloading very risky materials. However, the
administration acknowledges that the open access to the internet
may be good but there is need to avoid the risk. A decision has
to be always made on a business perspective on whether it is
something worth risking. More importantly, the video suggests
that one of the ways to avoid the risk is to transfer it to
someone else. For instance, if we expect a hurricane to occur,
then we need to insure our assets so that in case it really takes
place, the insurance company bears the risk. Acceptance is
another way to avoid risks and this entails taking a bold
business decision that the company has to take the risk of
engaging in a project.
Students benefit from the information since it presents ways in
which risks can be avoided and in case it cannot be avoided
totally, how it can be transferred or accepted. The information
is pivotal for the students in learning about risk management.
For instance, in an insurance situation, when you get rid of a

5. risky object from your vicinity before it harms you is a risk
avoidance. In this case, the insurance company has avoided the
impending risk that the object imposed on an individual.
Nevertheless, it is the practice of most of companies to sit back
and wait for the harm to be caused thus incurring a lot of costs.
The same applies to IT industry where some organizations
simply decide that taking part in a project is too risky and
cannot be continued anymore.
https://www.youtube.com/watch?v=3SMQ-O1cHWU
The first video presents a reporting framework for
CyberSecurity risk management as presented by AICPA. AICPA
has developed a new framework for reporting risk pertaining to
CyberSecurity to help organizations to communicate and report
on CyberSecurity risk management programs (AICPA, pg. 2).
Thus, the organization aims at providing pivotal engagements
that can assist their clients to strengthen their own programs. In
addition, they also offer examination engagement as well as
opinion on the entity’s description and effectiveness of
controls. The presentation begins by offering an in-depth
description of the meaning of the concept of CyberSecurity risk
management. According to the video, there are certain core
principles of CyberSecurity risk management that organizations
ought to learn in-order to formulate better management and
mitigation strategies. Furthermore, the principles of risk
mitigation and risk assessment should employ the use of both
qualitative and quantitative methodologies in-order to become
effective. Fundamentally, risk management as a whole forms the
foundation of much of IT decisions within a company. As a
consequence, these are important in assisting other students to
learn about issues of CyberSecurity risk management.
Companies often present CyberSecurity reports to boards, audits
and risk management committees on a regular basis. As a
consequence, they are required to formulate and evaluate a risk
reporting framework which is an essential component of this
process. AICPA's CyberSecurity Risk Management Reporting
Framework is therefore designed to enable companies gain

6. confidence as well as guidance on how to approach the Board of
Directors on issues pertaining to CyberSecurity risk
management. Furthermore, the framework is designed to help
the compliance and information security teams to better
approach issues of CyberSecurity. All the stakeholders of a
business are expected to receive actionable and contextualized
intelligence on cyber risk which is then used to enhance proper
escalation and notification procedures to ensure that any
pending issue is effectively resolved. The main advantage of the
reporting framework is that it is based on agreed standards for
both internal and outsourced data related processes.
Furthermore, AICPA's CyberSecurity Risk Management
Reporting Framework is based on data confidentiality, policies,
availability and integrity of the risk management processes of a
business.
Works Cited
AICPA. Risk Reporting Framework. AICPA. 2019.
Bugajenko, Olga. Risk Avoidance vs. Risk Mitigation.
Study.com. 2019. Retrieved from
https://study.com/academy/lesson/risk-avoidance-vs-risk-
mitigation.html
Lavelanet, Natacha. The Importance of Security Audits and
Assessments. New Era Technology. 2017. Retrieved from
https://www.neweratech.com/2017/08/14/the-importance-of-
security-audits-and-assessments/
Sun, Tong. Cybersecurity Risk Management. edX Inc. 2019.
Retrieved from https://www.edx.org/course/cybersecurity-
risk-management