Identification should include
- defining risk management as the process of identifying possible vulnerabilities and quantifying potential risk as it pertains to systems
- addressing risk-management strategies, including but not limited to
  - risk mitigation -- reducing the likelihood of the risk
  - risk transfer -- transferring the risk to another company, such as an insurance firm
  - risk avoidance -- avoiding the possibility of the risk (e.g., not using a specific software program would avoid any known risks of that program)
  - risk acceptance -- understanding and accepting the risks associated with use of a system or feature.
Process/Skill Questions:
- What mechanisms are in place to manage cyber risk?
- How is risk assessment incorporating cyber issues?
- How does an organization create a cyber marketing security plan?