NIST has released Draft NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM), for public comment. This report provides a more in-depth discussion of the concepts introduced in NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). It specifically highlights that cybersecurity risk management (CSRM) is an integral part of ERM: it both takes its direction from ERM and informs it. The increasing frequency, creativity, and severity of cybersecurity attacks mean that all enterprises should ensure that cybersecurity risk receives appropriate attention within their ERM programs by anchoring the CSRM program within the context of ERM. This document is intended to help individual organizations that are already familiar with NISTIR 8286.
The public comment period for this draft is open through February 1, 2021. See the publication details for a copy of the draft and instructions for submitting comments.
I think it would be useful to add fault analysis and risk scenarios to the paper, as that allows better articulation of risk impact at board level. What are your thoughts before I suggest the update?
I see that various scenarios (risk, what-if, impact) are discussed throughout the paper though you may have something specific in mind that is not discussed that you want to recommend.
I also see that tree analysis is discussed throughout so you may want to look at that to see if those discussions fit with your idea regarding fault analysis.
I think it was just making it more explicit, and using fault trees. In terms of risk scenarios, it was the clear description of actor, threat, event, asset, impact and time in a table. The fault tree analysis can then be used to find the cause of the control failure, is what I was thinking.