LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

In cyber-security risk management, what is the role of a Leitlinie ("policy" / governance) versus Controls, and where does each cost?

Leitlinie = the strategic "eye" watching the whole picture. Controls = the operational "wheel" reducing exposure and weakness. Both cost money — and so does the residual risk itself.

The standard picture has three cost lines, marked with $ icons:

  1. Leitlinie (policy / governance, the eye 👁): Top-down direction — risk appetite, who owns what, which standards apply.
  2. Massnahmen / Controls (the ship's wheel ☸): Concrete measures aligned with frameworks like NIST CSF or ISO 27002. These reduce Exposure and Weakness (the controllable parts of risk).
  3. Asset value: The CIA triad (Confidentiality, Integrity, Availability) defines what's at stake if controls fail.

Three places money flows:

  • Setting up policy and oversight (the eye).
  • Buying and operating controls (the wheel).
  • Paying for the loss when residual risk materialises — the third $.

The point of risk management is to balance the three so you don't overspend on controls protecting a low-value asset, nor underspend and absorb catastrophic loss.

From Quiz: ISF / Risk Management | Updated: May 31, 2026