Cyber Risk Analysis: Scenario‑Based Threat Pathways (Privileged Account Abuse & Third‑Party Vendor Breach)

Overview:

This project contains two scenario‑based cyber risk analyses designed to evaluate how realistic security incidents can escalate into material business risk. The scenarios; Privileged Account Abuse and Third‑Party Vendor Breach demonstrate how threats originating either inside or outside the organization can lead to data exposure, operational disruption, regulatory scrutiny, and reputational harm.

Rather than focusing solely on control gaps, each analysis traces a full threat pathway from initial compromise to organizational impact, supporting informed executive decision‑making and risk prioritization.

Technologies & Tools Used:

• Microsoft Word (formal risk analysis report)
• NIST SP 800-53
• Organization-defined 5×5 impact and likelihood risk matrix
• Scenario-based risk assessment methodology
• Quantitative risk scoring (Impact × Likelihood)

Deliverable Features:

• Clear, narrative‑driven cyber risk scenarios (internal and external threat origins)
• Defined threat pathways illustrating how compromise leads to business impact
• Identification of affected assets, data types, and business functions
• Quantitative inherent risk scoring using a 5×5 matrix
• Business‑focused impact and likelihood analysis
• Evaluation of risk treatment options with a recommended course of action
• Executive‑ready summary language suitable for governance and oversight discussions

Notes for Reviewers:

These analyses prioritize clarity, business relevance, and accessibility for executive and non‑technical stakeholders. Plain English is used to describe threat scenarios, impacts, and decisions, while maintaining a NIST‑aligned structure and defensible risk methodology. The goal is to communicate risk in a way that supports governance, not overwhelm readers with technical detail.

Start to Finish Process:

Each analysis began by defining a realistic cyber risk scenario. One involving misuse or compromise of privileged access, and another involving a breach at a third‑party vendor with access to sensitive data.

For both cases:

1. A threat pathway was developed to show how the incident could escalate into organizational impact.
2. Impact and likelihood were assessed using a five‑by‑five risk matrix to calculate inherent risk.
3. Risk treatment options were evaluated based on their ability to reduce likelihood, limit exposure, and align with organizational risk tolerance.
4. A recommended mitigation strategy was provided to support leadership decision‑making.

Key Takeaways & Discoveries:

• Both internal and external dependencies introduce significant cyber risk.
• Scenario‑based analysis provides clearer insight than control‑only or checklist‑driven assessments.
• Quantitative scoring strengthens prioritization and executive understanding.
• Privileged access and third‑party relationships require continuous oversight, not one‑time reviews.
• Mapping realistic threat pathways helps organizations understand why a risk matters, not just that it exists.

Why Scenario-Based Analysis Matters:

Scenario‑based cyber risk analysis bridges the gap between technical security failures and real business impact. By tracing how an incident could realistically unfold. Whether through insider misuse or vendor compromise, this method helps leadership understand the consequences, prioritize resources, and make informed governance decisions. It provides a level of clarity that abstract ratings or questionnaires cannot.

Value to Cyber Risk Management:

These analyses demonstrate how scenario‑based methods can be used to identify, quantify, and communicate cyber risk in a way that supports governance, prioritization, and executive oversight. They highlight cyber risk analysis as a decision‑support function that strengthens both internal security practices and third‑party risk management programs.

Growth & Next Improvements:

This project strengthened my ability to assess cyber risk through a business and governance lens across both internal and external threat vectors. Future enhancements may include:

• Comparative scoring across multiple scenarios or vendors
• Integration with formal risk registers or GRC platforms
• Expanded modeling of privilege escalation pathways
• Vendor tiering and continuous monitoring frameworks

Video Walkthrough:

Understanding.the.Risks.of.Privileged.Account.Abuse.in.Cybersecurity.mp4