Bias and Risk Management Framework
Types of Bias
Cognitive and Motivational Biases
Motivational biases are distortions in judgment driven by incentives or desires, whether conscious or unconscious.
Cognitive biases are systematic deviations from a norm or from rationality that occur when we make judgments.
Nonverbal Bias
Nonverbal bias occurs when negative attitudes toward specific social groups are expressed through nonverbal behavior.
Affinity Bias
Affinity bias is the tendency to gravitate toward individuals who share our own characteristics.
Similarity Bias
Similarity bias is the tendency to favor individuals who are similar to ourselves over those who appear dissimilar to us.
Contrast Effect Bias
A contrast effect bias occurs when our judgment of something is distorted by comparing it with something else rather than evaluating it on its own.
Attribution Bias
An attribution bias occurs when an individual misjudges the motivations and behavior of others because of his or her own cognitive predispositions.
Confirmation Bias
Confirmation bias is the tendency to seek out, interpret, and recall information in a way that supports what an individual already believes or wishes to be true.
Conformity Bias
Conformity bias is our tendency to follow the actions of others rather than forming our own judgment from our own experience.
Risk Management Framework (RMF)
The Risk Management Framework (RMF) provides a process for integrating security, privacy, and cyber supply chain risk management tasks into the system development life cycle. The process takes into account effectiveness, efficiency, and the constraints imposed by applicable laws, directives, executive orders, policies, standards, and regulations. Because an effective information security and privacy program depends on managing organizational risk, the RMF is designed to accommodate new and legacy systems, any type of technology, and any organization regardless of its size or sector.
The RMF process consists of the following seven steps:
Prepare: Carry out the essential activities that prepare the organization to manage its security and privacy risks.
Categorize: Categorize the system and the information it processes, stores, and transmits based on an analysis of the impact of loss.
Select: Based on the risk assessment, select the set of NIST SP 800-53 controls needed to protect the system.
Implement: Implement the controls and document how they are deployed.
Assess: Determine whether the controls are in place, operating as intended, and producing the desired outcome.
Authorize: A senior official makes a risk-based decision on whether to authorize the system to operate.
Monitor: Continuously monitor the effectiveness of the control implementations and the risks to the system.
Author:
Hasan Hashim
Cyber Security and Digital Forensics