See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/332411201

Cyber Risk Management, Procedures and Considerations to Address the Threats of a Cyber Attack

Conference Paper · April 2019


1 author:

Pedro Taveras
Pontificia Universidad Católica Madre y Maestra

All content following this page was uploaded by Pedro Taveras on 15 April 2019.



Taveras Cyber Attack Risk Management

Cyber Risk Management, Procedures and Considerations to Address the Threats of a Cyber Attack
Pedro Taveras
Pontificia Universidad Católica Madre y Maestra
pedrotaveras@pucmm.edu.do

ABSTRACT
Organizations and their information systems face increasing risks and uncertainties from a wide variety of sources, including
computer-based fraud, espionage, sabotage or cyberattacks. The present paper intends to provide a series of actions, procedures,
and considerations that any organization must contemplate when dealing with a cyber-attack. Certain sources of damage, such
as intrusion attacks or denial of service, are becoming more common, ambitious and sophisticated over time. Absolute
security does not exist. That is why organizations must adopt methods and strategies that allow them to prioritize those risks
that, due to their probability of occurrence and level of impact, represent a greater potential harm to the business. When
preparing to deal with probable cyber-attacks, the key is to understand the logical flow of actions that could be performed
during the attack, incorporate best practices, assess the levels of risk faced by the organization and proactively design a
handbook to react during these scenarios.
Keywords
Cyberattack, incident response, cybersecurity, cyber risk analysis

INTRODUCTION
There are two disturbing facts that every major organization needs to accept. First, that it almost certainly possesses
commercially sensitive information which, if it fell into the wrong hands, could prove deeply damaging to the future of the
enterprise. And secondly, that a sophisticated cyber-attack targeting that data is almost certain to succeed. There are no magic
bullets available; an organization's best option for detecting and deterring data exfiltration by advanced attackers is a
comprehensive defense-in-depth strategy determined by a thorough cyber risk assessment. Hence the need to identify
computer assets, their vulnerabilities and the threats to which they are exposed, as well as their probability of occurrence and the
impact thereof, in order to determine the appropriate controls to accept, decrease, transfer or avoid the occurrence of risk (Cobb,
n.d). Hence the pertinence of a formal method to develop a risk and vulnerability analysis.

METHODOLOGY AND TOOLS


According to Sumner (2009) and Rossi (2015), information security risk analysis has been studied from the audit perspective
for a long period of time. The most common approach is to develop a set of checklists to verify the security elements in place
and then, based on the auditor's judgment, establish the results of the assessment. For the purpose of this study, a matrix-based
approach methodology suggested by Goel & Chen (2005) for information security risk analysis was implemented. The matrix
approach model allowed the development of a quantitative analysis at a broad scope. This methodology correlates the assets,
vulnerabilities, threats, and controls of the organization and determines the importance of different controls corresponding to
the assets of the organization. The organization's assets are defined as things of value that it needs to protect. Assets can be
tangible, such as data and networks, and intangible, such as reputation and trust. The evaluation process was reflected in a risk
matrix that shows the identified risk elements and their relationships. The present work presents a methodological proposal for
a quantitative risk analysis. The research used as a model and observation scenario a medium-sized technology company (<
50 employees) dedicated to software development. The goal of the study is to provide a practical model that can be emulated
by small and medium businesses.

ENVIRONMENT

The sampled IT environment contains several layers of software technologies:

• Operational and development software tools.


• Administrative and financial software and databases for internal management.

Proceedings of the ForenSecure: Cybersecurity and Forensics Conference, Chicago, Illinois April 12th, 2019 1

• Administration of customers' applications running on virtual servers.

The system environment is a client/server environment consisting of a Microsoft SQL database (2008, 2008R2 & 2012) built
with Visual Studio .NET (C#, C++) programming code. The main platform contains source code, executable program files,
production and development data files, and prototype and released application code. The production data files, consisting of source
code, compiled libraries, stored procedures and tables, are stored on a BlackArmor storage area network (SAN) connected to a
Dell PowerEdge server running the Windows 2012 operating system and the MS SQL 2008 R2 database engine. The
application code is distributed among various Dell servers running Windows 2012. Local servers are housed in the main
building located on the East Coast of the US. Executables/production systems reside on a set of virtualized servers running
Windows 2012 and hosted in a remote data center in Florida. Users are physically located in one location in the Caribbean.
Their desktop/laptop computers are physically connected to a wide area network (WAN). Programmers connect to the
development environment using the VPN tunnel. A business unit operates on the East Coast of the US. This unit requires access
to administrative documents, sales presentations and email services. The enterprise network runs over multiple trusted domains
that are managed with Windows Server 2012. Role-Based Access Control is in place.

IDENTIFYING REAL THREATS

Cyber risk analysis protects an organization that adopts IT, as part of its vision and mission, from a wide range of threats to
ensure business continuity, minimize damage and maximize return on investment and opportunities. Every process that supports
information systems and networks is an important asset of the organization (Marcus & John, 2000). The identification of threats
should help management to generate controls to minimize the likelihood and impact of risks associated with vulnerabilities
and existing information security threats. Marcus & John (2000) assert that effective anticipation in the identification of
threats requires:

• Identification and classification of information assets present in the institution.


• Application of a risk assessment methodology designed to define the vulnerabilities and existing security threats and
assessing risks according to the defined scale.
• Suggesting management and control mechanisms that minimize the identified threats and vulnerabilities found in the
study of risk analysis performed.
• Preparing a report of recommendations where the findings are shown in order to allow the definition of an
information security system adjusted to the reality of the organization.

According to Wang & Chao (2013), existing risk assessment schemes use a converse thinking approach to develop theoretical
solutions for minimizing the threats of security breaches at a minimal cost. The same authors assert that risk assessment enables
defenders to identify appropriate countermeasures in accordance with three different defensive strategies associated with the
organization's security policy, as presented in Table 1.
Cost of defense
Countermeasure Max Min
Reduce residual risk ✓
Defend against maximum number of attacks ✓
Cover the maximum number of attack paths ✓
Table 1. Defensive strategies associated with organization security

RELATIONSHIP BETWEEN REAL THREAT AND RISK


Effective risk management must necessarily know the situations that may affect the organization, that is:
• What should be protected,
• What resources are considered critical, and
• Whether the measures implemented to preserve or prevent will minimize any negative impact.

Threats are linked to potential causes with possible negative impact on the information, to the extent that the assets that could
be affected possess weaknesses or failures in the controls that protect them. The latter concept is summarized in the term
vulnerability, which when exploited by the threat exposes the organization to risk (Bard, n.d). This risk will emerge from the
analysis of their probability of occurrence and impact on the assets protected. In other words, no system can be vulnerable if
not threatened, and there is no threat condition for an item, subject or system, if it is not exposed and vulnerable to the potential
action that represents such a threat. That is, there is no independent threat or vulnerability, as they are mutually conditioning
situations defined conceptually independently for methodological purposes and for a better understanding of risk (Marcus &
John, 2000).
In general, the concept of threat refers to a latent danger or external risk factor of a system, expressed mathematically as the
probability of exceeding a level of occurrence with a certain intensity, under certain conditions and for a given exposure
time. This scheme changes constantly with the incorporation of new assets, the appearance of threats and the discovery of
vulnerabilities; it requires constant attention from professionals dedicated to information security and poses a constant challenge to
achieve effective protection of the information (Demidecka, 2015; Forrester Research, 2015; Hughes & Qu, 2012).

COMMON THREATS TO A COMPUTING ENVIRONMENT


A threat is any element that, using or exploiting a vulnerability, threatens the security of information or a computing asset.
Threats arise from the existence of vulnerabilities, regardless of whether or not they compromise the security of a system. In order
to identify threats in a given computing environment, once the risks and resources to be protected are known, and how their damage
or failure may influence the organization, it is necessary to identify each of the threats and vulnerabilities that can cause
damage to resources (Creasey & Glover, 2013). As already mentioned, there is a direct relationship between threat and
vulnerability, to the point that if one does not exist, neither does the other. Existing threats are usually divided according to their
scope:

• Environmental disaster (Physical Security).


• System threats (Logical Security).
• Network threats (Communications).
• People threats (Insiders-Outsiders).
In order to construct our Information Security Protection Matrix, threats were identified by looking at the organization, the
parent company and the industry. This tool acts as a defense-in-depth checklist at each level, and starts by answering the following
questions (NIST, 2012; Societe Generale, n.d; Sood & Enbody, 2014):
• Determine the danger by asking if an attacker can pose a threat.
• Does someone have the motivation to exploit a vulnerability?
• Is there a history of successful exploit?
• Does someone have a history of targeting your industry?

RISK ASSESSMENT
Performing the risk assessment involves judging the level of risk identified during the analysis process against previously
established risk criteria. A practical qualitative methodology was used for risk. The first step of the analysis is to identify or
evaluate the assets to protect.

Impact Definition
When an asset is the victim of a threat, it is not affected in all its dimensions with the same impact. Once it is determined that a
threat will harm an asset, the probable impact in the event of an active threat needs to be estimated. According to Valero
(2002), impact is defined as the changes that might happen in the results of one or more objectives if the risk materializes. For
this work, risk impact is measured on a cardinal scale between 0 and 9. The following levels were used to determine the
magnitude of the impact, as recommended by Caralli (2007).


Magnitude of Impact | Impact Definition
Strong [9] | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest.
Moderate [3] | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede an organization's mission, reputation, or interest.
Weak [1] | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect an organization's mission, reputation, or interest.
Table 2. Impact definition

RISK MEASUREMENT CRITERIA

Risks Associated with the environment


Software development is a highly competitive business where new software, algorithms and commercial apps are being
constantly developed. Thus, competitors constantly try to leapfrog each other. Information security is crucial to protect the
company assets and to prevent disruption of the software development operations. A risk calculation matrix was developed to
convert raw vulnerabilities into risks. The methodology was based on the following points:
• Categorizing vulnerabilities
• Pairing with threat vectors
• Assessing the probability of occurrence and possible impact

Impact Scale
In order to conduct qualitative risk analysis, different areas are defined where potential threats generate some level of impact
with respect to the operations of the company. It also quantifies the impact and likelihood of each, generating a baseline that
will create an action plan to address these risks when they occur.

Operational

Impact Area | Weak | Moderate | Strong
Service Delivery | Limited effect on the outcomes and/or objectives of a business unit. | Moderate impact on service delivery across one or more business units due to prolonged service failure. | Severe compromise of the strategic objectives and goals of the company.
Table 3. Operational impact definition

Reputation and Customer Confidence

Impact Area | Weak | Moderate | Strong
Reputation | Reputation is minimally affected; little or no effort or expense is required to recover. | Reputation is damaged, and some effort and expense are required to recover. | Reputation is irrevocably destroyed or damaged.
Customer Loss | Less than 30% reduction in customers due to loss of confidence. | 30 to 80% reduction in customers due to loss of confidence. | More than 80% reduction in customers due to loss of confidence.
Table 4. Reputation impact definition

Financial

Impact Area | Weak | Moderate | Strong
Operating Costs | Increase of less than 20% in yearly operating costs. | Yearly operating costs increase by 20% to 100%. | Yearly operating costs increase by more than 100%.
Revenue Loss | Less than 21% yearly revenue loss. | 21 to 45% yearly revenue loss. | Greater than 45% yearly revenue loss.
Table 5. Financial impact definition

Fines and Legal Penalties

Impact Area | Weak | Moderate | Strong
Fines | Fines less than US$2,000.00 are levied. | Fines between US$2,000.00 and US$40,000.00 are levied. | Fines greater than US$40,000.00 are levied.
Lawsuits | Non-frivolous lawsuit or lawsuits less than US$5,000.00 are filed against the organization. | Non-frivolous lawsuit or lawsuits between US$5,000.00 and US$50,000.00 are filed against the organization. | Non-frivolous lawsuit or lawsuits greater than US$50,000.00 are filed against the organization.
Table 6. Legal impact definition

Likelihood Assessment (Probability)


To perform an objective assessment, a quantitative evaluation is required to measure the probability and consequences of risks
and to consider their implications for project objectives. As recommended by Estevez (n.d), the main tools used are interviews,
sensitivity analysis, probability distribution, decision trees, and simulations. This section presents a qualitative scale that was
used to assess the likelihood of the risks under consideration.
Rating | Description | Meaning
5 | Almost Certain | Expected to occur within 1 – 6 months.
4 | Highly likely | Expected to occur within 6 – 12 months.
3 | Possible | Expected to occur within 12 – 36 months.
2 | Possible but Unlikely | Expected to occur within 3 – 5 years.
1 | Almost Never | Not expected to occur within 5 years.
Table 7. Probability threshold definition
In addition, sensitive information that plays a vital role in the daily activities of the company was also accounted for. The resulting
items are classified into category groups according to the use and the origin of the information asset.


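Asset | Location | Group | Priority
Employee Data | Undisclosed | Financial Administration and Operations | M (3)
Financial Data | Undisclosed | Financial Administration and Operations | H (9)
Data about Customers | Undisclosed | Financial Administration and Operations | H (9)
Company Databases | Undisclosed | Financial Administration and Operations | H (9)
Backups | Undisclosed | Financial Administration and Operations | H (9)
Customers Databases | Undisclosed | Financial Administration and Operations | H (9)
Software Design Document | Undisclosed | Software Engineering Resources | H (9)
Algorithms Documentation | Undisclosed | Software Engineering Resources | H (9)
Compiled Apps & Libraries | Undisclosed | Software Engineering Resources | M (3)
Source Code | Undisclosed | Software Engineering Resources | H (9)
Password for Network Equipment | Undisclosed | System Administration | M (3)
Password for Server Equipment (Production) | Undisclosed | System Administration | H (9)
Password for Server Equipment (Development) | Undisclosed | System Administration | M (3)
Table 8. Asset group definition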

RISK MATRIX
A risk matrix was developed to construct the quantitative assessment of the risk level associated with possible threats and
vulnerabilities. It was followed by a total risk rating matrix that established the weight of the threats in accordance with the company's
threats and likelihood of occurrence, as shown in Table 4 and Table 5.

Impact \ Likelihood | Almost Never | Possible but Unlikely | Possible | Highly Likely | Almost Certain
Strong | 9 | 18 | 27 | 36 | 45
Moderate | 3 | 6 | 9 | 12 | 15
Weak | 1 | 2 | 3 | 4 | 5
Table 9. Risk scale matrix.

Threat | Likelihood | Impact | Risk Score
Denial of Service Attacks | 5 Certain | 9 Strong | 45
Spoofing Masquerading | 3 Possible | 3 Moderate | 9
Malicious Code | 3 Possible | 5 Strong | 15
Human Errors | 4 Highly | 3 Moderate | 12
Insider Attacks | 3 Possible | 9 Strong | 27
Intrusion | 4 Highly | 5 Strong | 20
Spamming | 3 Possible | 3 Moderate | 9
Physical Damage to Hardware | 2 Unlikely | 9 Strong | 18
Web application vulnerabilities: e.g. SQL injection, cross-site scripting | 2 Unlikely | 9 Strong | 18
Web service vulnerabilities | 3 Possible | 9 Strong | 27
Compromised user computer: e.g. malware infection | 3 Possible | 3 Moderate | 9
Compromised developer/admin computer: e.g. malware infection | 3 Possible | 9 Strong | 27
Vulnerable test servers | 3 Possible | 3 Moderate | 9
Guessing passwords | 4 Likely | 9 Strong | 36
Database server vulnerabilities | 3 Possible | 9 Strong | 27
Full System Failure | 2 Unlikely | 9 Strong | 18
Database Corruption | 2 Unlikely | 9 Strong | 18
Natural Disaster | 3 Possible | 3 Moderate | 9
Total Risk Score | | | 353
Table 10. Total Risk Rating: [0 – 100 Low], [101 – 175 Medium], [+175 High]
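
The scoring behind Table 10, as an added example that is not part of the original paper: each threat's risk score is its likelihood rating multiplied by its impact rating, and the total is mapped to the bands in the table caption. The rows are transcribed from Table 10; the function names and the checks against the Table 2 and Table 7 scales are assumptions of this example.

```python
# Added example: rebuild the Table 10 risk register and validate it.
# Rows are transcribed from Table 10 of the paper; all names are illustrative.

LIKELIHOOD_SCALE = {1, 2, 3, 4, 5}  # ratings defined in Table 7
IMPACT_SCALE = {1, 3, 9}            # Weak, Moderate, Strong from Table 2

# (threat, likelihood, impact, risk score as printed in the table)
TABLE_10 = [
    ("Denial of Service Attacks", 5, 9, 45),
    ("Spoofing Masquerading", 3, 3, 9),
    ("Malicious Code", 3, 5, 15),
    ("Human Errors", 4, 3, 12),
    ("Insider Attacks", 3, 9, 27),
    ("Intrusion", 4, 5, 20),
    ("Spamming", 3, 3, 9),
    ("Physical Damage to Hardware", 2, 9, 18),
    ("Web application vulnerabilities", 2, 9, 18),
    ("Web service vulnerabilities", 3, 9, 27),
    ("Compromised user computer", 3, 3, 9),
    ("Compromised developer/admin computer", 3, 9, 27),
    ("Vulnerable test servers", 3, 3, 9),
    ("Guessing passwords", 4, 9, 36),
    ("Database server vulnerabilities", 3, 9, 27),
    ("Full System Failure", 2, 9, 18),
    ("Database Corruption", 2, 9, 18),
    ("Natural Disaster", 3, 3, 9),
]


def rating_band(total):
    """Map a total risk score to the bands given in the Table 10 caption."""
    if total <= 100:
        return "Low"
    if total <= 175:
        return "Medium"
    return "High"


def assess(register):
    """Score every threat as likelihood x impact and check it against the scales."""
    scored, off_scale, mismatched = [], [], []
    for threat, likelihood, impact, printed in register:
        if likelihood not in LIKELIHOOD_SCALE or impact not in IMPACT_SCALE:
            off_scale.append(threat)      # rating not defined in Table 2 / Table 7
        score = likelihood * impact
        if score != printed:
            mismatched.append(threat)     # printed score is not likelihood x impact
        scored.append((score, threat))
    scored.sort(key=lambda item: -item[0])  # highest risk first, ties keep table order
    total = sum(score for score, _ in scored)
    return {"ranked": scored, "total": total, "band": rating_band(total),
            "off_scale": off_scale, "mismatched": mismatched}


if __name__ == "__main__":
    result = assess(TABLE_10)
    print("Total:", result["total"], "->", result["band"])
    print("Ratings outside the defined scales:", result["off_scale"])
    for score, threat in result["ranked"][:5]:
        print(f"{score:3d}  {threat}")
```

Rows reported in `off_scale` use an impact value that Table 2 does not define, so their position in the ranking depends on how that value is read.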

VULNERABILITY MATRIX
To identify vulnerabilities on the technology platform, tools such as checklists and specialized software that determine
vulnerabilities at the operating system and network level are used. The resulting matrix was computed following the guidelines
from Goel & Chen (2005). This methodology correlates the assets, vulnerabilities, threats, and controls of the organization and
determines the importance of different controls corresponding to the assets of the organization. As defined in the following
formula, let us assume that there are q controls that can help mitigate p threats and $e_{ol}$ is the impact of control Z on the threat T.

$$Z_o = \sum_{l=1}^{p} e_{ol} \cdot T_l$$

Vulnerability Matrix
Rating scale: 9 = Strong, 3 = Moderate, 1 = Weak, 0 = Not Related
Impact/Priority ranking: 5 = Key Driver, 4 = Important, 3 = Important, not Key Driver, 1 = Not Important
Column headings: Information Integrity; Lost Sales / Revenue; Service Availability; Reputation (Trust); Hardware System; Software System; Communication

Vulnerabilities | Priority / Impact | 7 | 6 | 5 | 4 | 3 | 2 | 1 | Total Score | Rank
Firewalls | 5 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 315 | 10
Data Transmission | 5 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 315 | 9
Databases | 5 | 9 | 3 | 9 | 9 | 9 | 9 | 3 | 255 | 8
Application Architecture | 5 | 9 | 9 | 9 | 3 | 3 | 9 | 3 | 225 | 7
Internet Servers | 4 | 9 | 9 | 3 | 9 | 3 | 3 | 9 | 180 | 6
Password Strength | 3 | 9 | 3 | 3 | 3 | 3 | 3 | 3 | 81 | 5
Client Nodes | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 9 | 81 | 4
Internet Based Services (DSL, VPN) | 4 | 2 | 1 | 1 | 7 | 9 | 0 | 0 | 80 | 3
Table 11. Vulnerability matrix

THREAT AND CONTROL MATRIX


The data in the vulnerability matrix was calculated and sorted to establish the relative significance of vulnerabilities. A second
variable named KEY DRIVER was incorporated to determine the weight of the threats. This value is multiplied by the probable
impact. The final sum of the values in each intersection provides the Risk Score for each threat. The table is sorted to show the
highest threats on the top. The relative impact of different controls on the threats was established applying subjective/empirical
assessment.

Threat Matrix
Rating scale: 9 = Strong, 3 = Moderate, 1 = Weak, 0 = Not Related
Priority ranking: 5 = Key Driver, 4 = Important, 3 = Important, not Key Driver, 1 = Not Important
Column headings: Application Architecture; Internet Based Services; Wireless Networks; Data Transmission; Password Strength; Internet Server; Power Outage; Client Nodes; Databases; Firewalls

Threats | Priority | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | Total Score | Rank
Intrusion (Hacking, PSW attacks) | 5 | 9 | 9 | 9 | 3 | 9 | 9 | 9 | 9 | 9 | 9 | 420 | 11
Server Failures | 5 | 9 | 3 | 9 | 3 | 9 | 3 | 3 | 3 | 9 | 9 | 300 | 10
Physical Damage to hardware | 5 | 3 | 3 | 9 | 3 | 9 | 3 | 3 | 3 | 3 | 9 | 240 | 9
Extortion | 3 | 3 | 3 | 9 | 3 | 3 | 3 | 9 | 3 | 3 | 3 | 126 | 4
Insider Attacks (Malicious) | 5 | 3 | 3 | 3 | 9 | 3 | 9 | 3 | 3 | 3 | 3 | 165 | 5
Spoofing & masquerading | 3 | 9 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 1 | 102 | 2
Denial of Service | 5 | 3 | 3 | 3 | 3 | 9 | 3 | 3 | 3 | 9 | 9 | 240 | 8
Human error (Accidents) | 5 | 3 | 3 | 3 | 1 | 9 | 3 | 9 | 3 | 3 | 9 | 230 | 7
Theft of computers (laptops/servers) | 5 | 3 | 3 | 3 | 3 | 9 | 3 | 9 | 1 | 3 | 1 | 190 | 6
Malicious Code (Viruses, Worms, etc.) | 3 | 3 | 3 | 3 | 9 | 3 | 3 | 3 | 3 | 9 | 1 | 120 | 3
Buffer Overflow attacks | 5 | 3 | 3 | 3 | 3 | 1 | 1 | 1 | 1 | 1 | 1 | 90 | 1
Table 12. Threat matrix

Control Matrix
Rating scale: 9 = Strong, 3 = Moderate, 1 = Weak, 0 = Not Related
Priority ranking: 5 = Key Driver, 4 = Important, 3 = Important, not Key Driver, 1 = Not Important
Column headings (threats): Malicious Code (Viruses, Worms, etc.); Hurricanes \ Natural Disaster; Spoofing & masquerading; Human Error (Accidents); Physical Damage to HW; Intrusion \ Hacking; Theft of computers (laptops/servers); Denial of Service; Insider Attacks; Server Failures; Extortion

Controls | Priority | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | Total Score | Rank
Security Policy | 5 | 9 | 3 | 9 | 3 | 9 | 9 | 9 | 3 | 9 | 9 | 3 | 375 | 10
Hardening of Environment (physical) | 4 | 9 | 3 | 9 | 3 | 9 | 1 | 3 | 3 | 9 | 3 | 9 | 256 | 8
Firewalls | 5 | 9 | 3 | 9 | 3 | 3 | 3 | 9 | 3 | 3 | 9 | 1 | 275 | 9
Configuration of Architecture | 5 | 9 | 3 | 3 | 3 | 3 | 9 | 3 | 9 | 3 | 3 | 3 | 255 | 7
Employee Training | 3 | 3 | 3 | 9 | 9 | 3 | 3 | 1 | 9 | 3 | 3 | 9 | 165 | 4
Auditing & Monitoring-IDS | 4 | 3 | 3 | 3 | 9 | 9 | 3 | 3 | 3 | 3 | 3 | 1 | 172 | 5
System Administrative Due diligence | 3 | 3 | 3 | 3 | 3 | 3 | 9 | 3 | 9 | 9 | 3 | 1 | 120 | 2
DMZ | 4 | 3 | 3 | 3 | 9 | 3 | 3 | 9 | 3 | 3 | 3 | 1 | 172 | 6
Single Sign-on | 3 | 3 | 3 | 3 | 9 | 3 | 3 | 1 | 9 | 3 | 1 | 1 | 117 | 1
User disclosure of credentials | 4 | 3 | 3 | 3 | 9 | 3 | 3 | 1 | 3 | 1 | 1 | 1 | 124 | 3
Table 13. Control matrix.
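
An added example, not code from the paper, that recomputes the Total Score column of Tables 11 to 13 and reports rows whose printed total or ratings do not follow the stated scales. The rows are transcribed from the tables; the scoring rule (priority multiplied by the sum of the row's ratings) is inferred from the printed totals and is an assumption, as are the function names.

```python
# Added example: audit the weighted matrices in Tables 11-13.
# Assumed scoring rule, inferred from the printed totals: priority * sum(ratings).

RATING_SCALE = {0, 1, 3, 9}  # Not Related, Weak, Moderate, Strong

# Each row: (name, priority, ratings in column order, total as printed)
TABLE_11 = [
    ("Firewalls", 5, [9, 9, 9, 9, 9, 9, 9], 315),
    ("Data Transmission", 5, [9, 9, 9, 9, 9, 9, 9], 315),
    ("Databases", 5, [9, 3, 9, 9, 9, 9, 3], 255),
    ("Application Architecture", 5, [9, 9, 9, 3, 3, 9, 3], 225),
    ("Internet Servers", 4, [9, 9, 3, 9, 3, 3, 9], 180),
    ("Password Strength", 3, [9, 3, 3, 3, 3, 3, 3], 81),
    ("Client Nodes", 3, [3, 3, 3, 3, 3, 3, 9], 81),
    ("Internet Based Services (DSL, VPN)", 4, [2, 1, 1, 7, 9, 0, 0], 80),
]
TABLE_12 = [
    ("Intrusion (Hacking, PSW attacks)", 5, [9, 9, 9, 3, 9, 9, 9, 9, 9, 9], 420),
    ("Server Failures", 5, [9, 3, 9, 3, 9, 3, 3, 3, 9, 9], 300),
    ("Physical Damage to hardware", 5, [3, 3, 9, 3, 9, 3, 3, 3, 3, 9], 240),
    ("Extortion", 3, [3, 3, 9, 3, 3, 3, 9, 3, 3, 3], 126),
    ("Insider Attacks (Malicious)", 5, [3, 3, 3, 9, 3, 9, 3, 3, 3, 3], 165),
    ("Spoofing & masquerading", 3, [9, 3, 3, 3, 3, 3, 3, 3, 3, 1], 102),
    ("Denial of Service", 5, [3, 3, 3, 3, 9, 3, 3, 3, 9, 9], 240),
    ("Human error (Accidents)", 5, [3, 3, 3, 1, 9, 3, 9, 3, 3, 9], 230),
    ("Theft of computers (laptops/servers)", 5, [3, 3, 3, 3, 9, 3, 9, 1, 3, 1], 190),
    ("Malicious Code (Viruses, Worms, etc.)", 3, [3, 3, 3, 9, 3, 3, 3, 3, 9, 1], 120),
    ("Buffer Overflow attacks", 5, [3, 3, 3, 3, 1, 1, 1, 1, 1, 1], 90),
]
TABLE_13 = [
    ("Security Policy", 5, [9, 3, 9, 3, 9, 9, 9, 3, 9, 9, 3], 375),
    ("Hardening of Environment (physical)", 4, [9, 3, 9, 3, 9, 1, 3, 3, 9, 3, 9], 256),
    ("Firewalls", 5, [9, 3, 9, 3, 3, 3, 9, 3, 3, 9, 1], 275),
    ("Configuration of Architecture", 5, [9, 3, 3, 3, 3, 9, 3, 9, 3, 3, 3], 255),
    ("Employee Training", 3, [3, 3, 9, 9, 3, 3, 1, 9, 3, 3, 9], 165),
    ("Auditing & Monitoring-IDS", 4, [3, 3, 3, 9, 9, 3, 3, 3, 3, 3, 1], 172),
    ("System Administrative Due diligence", 3, [3, 3, 3, 3, 3, 9, 3, 9, 9, 3, 1], 120),
    ("DMZ", 4, [3, 3, 3, 9, 3, 3, 9, 3, 3, 3, 1], 172),
    ("Single Sign-on", 3, [3, 3, 3, 9, 3, 3, 1, 9, 3, 1, 1], 117),
    ("User disclosure of credentials", 4, [3, 3, 3, 9, 3, 3, 1, 3, 1, 1, 1], 124),
]


def score(row):
    """Weighted total for one row under the assumed rule."""
    _, priority, ratings, _ = row
    return priority * sum(ratings)


def audit(rows):
    """Return (name, printed_total, recomputed_total) for rows that disagree."""
    return [(r[0], r[3], score(r)) for r in rows if score(r) != r[3]]


def off_scale(rows):
    """Return (name, offending_values) for rows with ratings outside the scale."""
    return [(r[0], sorted(set(r[2]) - RATING_SCALE))
            for r in rows if set(r[2]) - RATING_SCALE]


def ranked(rows):
    """Row names ordered by recomputed total, highest first (ties keep table order)."""
    return [r[0] for r in sorted(rows, key=score, reverse=True)]


if __name__ == "__main__":
    for label, table in (("Table 11", TABLE_11), ("Table 12", TABLE_12),
                         ("Table 13", TABLE_13)):
        print(label, "total mismatches:", audit(table))
        print(label, "off-scale ratings:", off_scale(table))
        print(label, "ranking:", ranked(table))
```

A row listed by `audit` can change position once its total is recomputed, so the Rank column should be regenerated from the recomputed scores before controls are prioritized.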


CONCLUSION

This paper attempted to present a methodological proposal for a quantitative risk analysis, using as a model and observation
scenario a medium-sized technology company (< 50 employees) dedicated to software development. A matrix-based approach
methodology suggested for information security risk analysis was implemented. This methodology correlates the assets,
vulnerabilities, threats, and controls of the organization and determines the importance of different controls corresponding to
the assets of the organization. When preparing to deal with probable cyber-attacks, the key is to understand the logical flow of
actions that could be performed during the attack, incorporate best practices, assess the levels of risk faced by the organization
and proactively design a handbook to react during these scenarios.

Figure 1. Process diagram for security risk analysis and matrix development

The main purpose of this project is to provide a guide that can be emulated by small companies, providing the foundation to support
the process required to develop a cyber security risk assessment. It also establishes a quantitative method as an objective tool
that supports the estimation of the risk analysis process. As a next step, we would observe the company for a period of 6 months
to collect data related to cyber security incidents. The risk matrices will be recalibrated every 60 days and the various steps of
the risk analysis process will be compared, in order to determine the effectiveness of the model and establish metrics that can
demonstrate if any improvement can be achieved related to cyber security events within the company under observation.

REFERENCES

1. Bard, S. (n.d.). Risk assessment steps five and six: Identify threats and determine vulnerabilities. Retrieved from
http://searchsecurity.techtarget.com/tip/Week-23-Risk-assessment-steps-five-and-six-Identify-threats-and-determine-vulnerabilities
2. Caralli, R. (2007). The OCTAVE Allegro Guidebook, v1.0. Carnegie Mellon University.
3. Creasey, J., & Glover, I. (2013). Cyber security incident response guide. Retrieved from
http://www.crest-approved.org/wp-content/uploads/CSIR-Procurement-Guide.pdf
4. Demidecka, K. (2015). Communicating a Cyber Attack - A Retrospective Look at the TalkTalk Incident. Retrieved
from http://www.contextis.com/resources/blog/communicating-cyber-attack-retrospective-look-talktalk-incident/
5. Estevez, J. (n.d.). Towards the unification of critical success factors for ERP implementations. In: 10th annual BIT
conference. Manchester, UK.
6. Forrester Research. (2015). Protect Your Intellectual Property And Customer Data From Theft And Abuse. Retrieved
from https://www.forrester.com/reports/
7. Goel, S., & Chen, V. (2005). Information security risk analysis: a matrix-based approach. Retrieved from
http://www.albany.edu/~GOEL/publications/goelchen2005.pdf
8. Hughes, K., & Qu, Y. (2012, 11-14 June 2012). A generic cyber attack response resource risk assessment model.
Paper presented at the Intelligence and Security Informatics (ISI), 2012 IEEE International Conference on.
9. Marcus, R., & John, B. (2000). Access Control Systems and Methodology Information Security Management
Handbook, Four Volume Set: Auerbach Publications.
10. NIST. (2012). Computer security incident handling guide. Retrieved from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
11. Rossi, B. (2015). Critical steps for responding to cyber attacks. Retrieved from
http://www.information-age.com/technology/security/123459644/6-critical-steps-responding-cyber-attack
12. Societe Generale. (n.d.). Incident response methodology. Retrieved from
https://cert.societegenerale.com/resources/files/IRM-6-Website-Defacement.pdf
13. Sood, A., & Enbody, R. (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware:
Syngress Publishing.
14. Sumner, M. (2009). Information Security Threats: A Comparative Analysis of Impact, Probability, and
Preparedness. Information Systems Management, 26(1), 2-12. doi: 10.1080/10580530802384639
15. Valero, I. (2002). Risk management as a critical factor for success. Retrieved from
http://www.willydev.net/descargas/WillyDev_GerenciadeRiesgosFactorCriticodeExito.pdf
16. Wang, P., Chao, K. M., & Lo, C. C. (2013, 11-13 Sept. 2013). A Novel Threat and Risk Assessment Mechanism for
Security Controls in Service Management. Paper presented at the e-Business Engineering (ICEBE), 2013 IEEE 10th
International Conference on.
