Stepping Through Cybersecurity Risk Management by Jennifer L. Bayuk - A Book Review
Posted on April 7, 2025 • 7 minutes • 1420 words
The Book and Author
Jennifer L. Bayuk is a CISSP, holds a Ph.D., and is an information security expert. She has years of experience working with financial institutions on Wall Street and has written many books in the information security field.
The book “covers the professional practice of cybersecurity from the perspective of enterprise governance and risk management.” She published it on March 26, 2024. It is available to purchase on Amazon.
In the book, she first explains the fundamental concepts, such as threats, events, and controls, and then focuses on risk management. She also covers assessments, issues, metrics, people, risks, and analysis. She provides various visual materials and figures that walk through complete processes, which are helpful for understanding the frameworks.
For instance, she uses a diagram (p.12) to explain that the risk framework centers on people.
I want to highlight specific passages from her book.
The Citations
Too many people also think that changing one’s mind based on new information is a weakness despite that being a fundamental component of the scientific process. (p.11)
If the estimated countermeasure costs are deemed to be more than the expected annual impact of a successful attack (the risk), then a decision‐maker may instead decide to accept the risk. (p.18)
…the probability of a successful attack after the security enhancement has been made is not zero, even if it reduces a known vulnerability. (p.21)
…it is important that decisions based on cybersecurity risk assessment be continuously revisited as systems and associated threats evolve. (p.24)
…we who practice cybersecurity have a very specific expertise: the instinct to recognize patterns of potential misuse of technology. (p.27)
Risk management is the art, not the science, of identifying potentially negatively impacting events and avoiding them. (p.33)
…if the target is not actively combatting the adversary, then the adversary has an advantage. (p.43)
Reliable studies of aggregated cyberattack statistics place insider threat actors as involved in only 18% of total cyberattacks. (p.50)
The only real solution is to minimize the number of staff who have such power and do your best to make sure they are happy at work. (p.51)
In the external attack, the initial access starts with phishing, which phonetically sounds like “fishing” and is so called because it uses a lure to bait its targets. The “ph” is a throwback to the earliest days of hacking when computer abuse mostly consisted of telephone fraud. (p.56)
The Open Web Application Security Project (OWASP) and the SysAdmin, Audit, Network and Security (SANS) are two organizations that maintain lists of the most common mistakes that programmers and administrators (admins) make that leave systems vulnerable to hackers. (p.57)
Banking security operations staff and cybersecurity vendors who market “threat intelligence” also scan the dark web looking out for this type of activity. (p.58)
The cybersecurity analogy is that security vulnerabilities are like the unattended nests and the cuckoo’s egg is the vulnerability nestling inside: unauthorized, undetected, but lying in wait to spring (Stoll). (p.65)
Boyd emphasized that one must be constantly aware of what is going on around you when you are in a small plane. Situational awareness is key to survival. (p.82)
Even if enterprise controls reinforced the training, staff cannot be prevented from falling prey to accidental or malicious malware installs on their home devices. (p.89)
The awareness starts with the recognition that there are three basic types of environments from which an enterprise’s set of risk events is collected: internal, external, and scenario. Internal events are attacks on the enterprise. External events are attacks on organizations that have processes and technology footprints similar to our own. Scenario events are hypothetical exercises in threat and response awareness. (p.92)
Where successful attacks happen to a competitor using the same business processes and same technology operating in the same cyber ecosystem, a cybersecurity risk organization may systematically collect information about external events from news reports and threat intelligence vendor data feeds. (p.92)
When customers are compensated for service interruptions without requesting compensation, this is referred to as “goodwill” in financial circles. It shows that public relations had a hand in minimizing the possibility that this event would generate hostility toward the enterprise on social media. (p.100)
…fail safe is a foundational security principle, sometimes referred to as the principle of fail safe defaults. It is a requirement to deny any and all access that is not explicitly authorized. It means that when a system is delivered, it should be configured to do nothing unless there is a security configuration that authorizes an authenticated user to perform some function. (p.108)
Security Principles (p.114)
- Complete Mediation: All access requests are intercepted by a reference monitor to verify authentication and authorization.
- Comprehensive Accountability: All administrative and business functional and data access is monitored, audited, and automatically analyzed as appropriate to identify and alert on probable misuse of system resources.
- Defense in Depth: All access to resources requires authorization through multiple layers of separately configured controls.
- Economy of Mechanism: Keep the design as simple and small as possible.
- Fail Safe: Deny access unless it is explicitly authorized.
- Least Common Mechanism: Minimize the resources allocated to each user when multiple users share the same system mechanism.
- Least Privilege: Users have exactly the permissions they need to perform their responsibilities, and no more.
- Multifactor Authentication: Authentication sequence work factors are commensurate with risk of compromise.
- Open Design: Never assume that design secrecy will enhance security.
- Psychological Acceptability: Requirements for identification, authentication, and authorization features include ease of use and operation.
- Recovery Point Objective: System requirements must include archive and availability of a known good state from which system operation may safely resume after an outage.
- Recovery Time Objective: System requirements must include the length of time a system outage can be tolerated without breaching risk appetite.
- Segregation of Duties: Ensure that functionality to complete high‐risk tasks is divided and access to all required subtasks cannot be performed by a single user.
- Separation of Privilege: Do not grant special system privileges based on a single technical configuration.
- Verification and Validation: Critical controls are tested for compliance with design requirements as well as functional ability to achieve intended control objectives in a production environment.
- Zero Trust: Enforce per‐request identification and authorization mechanisms that do not rely on an assumption that it is possible to secure a network.
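To make several of the principles above concrete, here is a small reference monitor I wrote for this review (it is not code from the book). It mediates every request, denies anything not explicitly authorized (fail safe), grants only the permissions a role needs (least privilege), refuses to act for a principal whose roles combine conflicting duties (segregation of duties), and records every decision (comprehensive accountability). The roles, actions and conflict set are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: each role maps to the actions it is explicitly
# allowed to perform. Any (role, action) pair not listed is denied.
ALLOW = {
    "teller": {"payment:initiate", "account:read"},
    "supervisor": {"payment:approve", "account:read"},
    "auditor": {"account:read", "audit:read"},
}

# Segregation of duties: no single principal may hold every action
# in any one of these sets (constructed example of a high-risk task).
CONFLICTS = [frozenset({"payment:initiate", "payment:approve"})]


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    authenticated: bool = False


class ReferenceMonitor:
    """Every access request passes through authorize() (complete mediation)."""

    def __init__(self):
        self.audit_log = []  # (principal, action, decision) for later analysis

    def permissions(self, p):
        # Union of the explicit grants for the principal's roles; unknown roles grant nothing.
        return set().union(*(ALLOW.get(r, set()) for r in p.roles))

    def sod_violations(self, p):
        # Conflict sets fully covered by the principal's permissions.
        perms = self.permissions(p)
        return [c for c in CONFLICTS if c <= perms]

    def authorize(self, p, action):
        if not p.authenticated:
            decision = "deny:unauthenticated"
        elif self.sod_violations(p):
            decision = "deny:segregation-of-duties"
        elif action in self.permissions(p):
            decision = "allow"
        else:
            decision = "deny:not-explicitly-authorized"  # fail-safe default
        self.audit_log.append((p.name, action, decision))
        return decision == "allow"
```

A principal given both the teller and supervisor roles is refused for every action, which is the behaviour you want: the misconfiguration is caught at the monitor rather than silently allowing one person to complete a high-risk task alone.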
ITIL refers to this type of security process as “security management” and emphasizes that it cannot work in isolation. Rather, it is critical that security processes be integrated with each of the other IT process management teams to meet both internal and external (i.e., customer and regulatory) security requirements. (p.118)
This is difficult to do in all cases, so procedures are often accompanied by videos that demonstrate how to perform the task. (p.137)
…scope sometimes changes in the course of an assessment. For example, if the technology under review is not completely known at the time the objective is set and the set of underlying technology to be reviewed turns out to be larger than originally thought, the scope expands. This situation is disparagingly referred to as “scope creep.” (p.148)
After a patching process, a rescan for the same vulnerabilities wherein none are found would be considered an indicator that the control meets its objective. (p.185)
A requirement for transparency in a cybersecurity metrics program helps keep one’s focus on metrics that are valid in a way that scientists call “face valid,” which reflects general agreement in the layperson’s opinion that a given measurement technique is suitable for its expected use. (p.188)
However, large budgets for SecOps were becoming the norm, so a conference of specialists in cybersecurity metrics was arranged by industry analysts, drawing dozens of volunteer program committee participants as well as sponsors. They called it Metricon. (p.189)
Now, years after NotPetya it should be clear that the first thing everyone needs to know about cybersecurity risk is that you do not have to be a target to get attacked. (p.222)
Many CISOs publish this guideline: “Every time you send an email, consider the possibility that it may end up in the headlines.” (p.231)
The probability of an attack event may be estimated with relative frequency using threat intelligence data or industry statistics such as the Verizon Data Breach report. (p.244)
Conclusion
The book provides good implementation ideas and practices for integrating cybersecurity risk management with the business. If you’re looking for a reference on that aspect, you should check it out.
Dear Dr. Jennifer L. Bayuk, thank you for your book and all your contributions to the field.