Stine, K.
, Quinn, S.
, Ivy, N.
, Barrett, M.
, Witte, G.
, Feldman, L.
and Gardner, R.
(2021),
Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8286A, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=933223
(Accessed April 26, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management
Published
Author(s)
, , , Matthew Barrett, Greg Witte, Larry Feldman, Robert Gardner
Abstract
This document supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. This report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. To support the development of an Enterprise Risk Register, this report describes documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets. Documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile helps to later prioritize and communicate enterprise cybersecurity risk response and monitoring.Citation
NIST Interagency/Internal Report (NISTIR) - 8286A
Report Number
8286A
NIST Pub Series
Pub Type
NIST Pubs
Download Paper
Keywords
cybersecurity risk management, cybersecurity risk measurement, cybersecurity risk register, enterprise risk management (ERM), enterprise risk profile.
Citation
Created November 12, 2021, Updated November 29, 2022