Which statement correctly describes the relationship between IO risk management and cyber risk management?

• A. They are completely separate disciplines with no overlap.
• B. One is a subset of the other.
• C. They share critical activities such as threat modeling, risk assessment, and resilience planning.
• D. Cyber risk management only concerns hardware vulnerabilities.

Answer: (C)

Both IO risk management and cyber risk management follow the same risk-management lifecycle, including threat modeling, risk assessment, and resilience planning. Because information operations rely on digital networks, data, and cyber capabilities, the risks to IO outcomes are inherently tied to cyber risk considerations. This overlap means they are not separate silos but connected disciplines that share core activities used to identify threats, evaluate their likelihood and impact, and plan for continuity and recovery. It’s not about one being a subset of the other, and cyber risk management covers more than hardware vulnerabilities—extending to software, networks, people, processes, and the broader information environment.