
In Secure Yourself Now I just had you do the highest impact activities possible to minimize your risk... but what is risk?

Risk is a roughly quantifiable function of two things: the likelihood that a vulnerability is exploited, and the impact on the organization if it is.

A common equation for risk is:

 Risk = Probability of Threat x Impact of Vulnerability

or even more simply:

 Risk = Probability x Loss

Let's define the rest of the equation.

A threat is anything that has the potential to disrupt the normal functioning of an organization or in general cause harm to the organization. Determining the probability of a threat is a very difficult proposition.

A vulnerability is a defect in a process, system, infrastructure, or procedure that an external or internal actor can exploit to cause harm to the organization. Identifying vulnerabilities is the straightforward part; estimating the impact of their exploitation is harder even than estimating the probability of a threat. If you can pin down the impact, you have the most important part of the equation locked down. Impact is driven mostly by asset value, what the affected system or data is worth to the organization, so breaking asset value out as its own term keeps the focus on impact instead of on endlessly cataloguing threats and vulnerabilities.

Each decision you make can be based on this equation, and big decisions are really a combination of hundreds of these risk equations. Then, based on what your acceptable level of risk is, you make the call.

It is almost impossible to completely rid a system of risk without affecting its operability. There is a constant battle to find the balance between security and functionality, and it is on the person managing risk to decide where that balance point sits. In a world of perfect security, availability falls by the wayside, and the people who need information can't get it. Being a security professional means weighing the costs and benefits of each risk and each control.
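To make the equation concrete, here is a small risk register that computes Risk = Probability x Loss for each scenario, ranks the scenarios, holds each one against an acceptable level of risk, and weighs the annual cost of a control against the risk it removes. This is an added example, not code from the page or from Hoppers Roppers; the scenarios, probabilities, losses, control costs and the appetite figure are all constructed for illustration.

```python
"""Worked risk register: Risk = Probability x Loss, ranked and held against
an acceptable level of risk, with the cost of each control weighed against
the risk it removes. Added example; all numbers are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """A threat exploiting a vulnerability against some asset.

    probability: estimated chance it happens within one year (0.0 to 1.0).
    loss: impact on the organization if it does, in currency units; this is
          where the asset's value enters the equation.
    """
    name: str
    probability: float
    loss: float


@dataclass(frozen=True)
class Control:
    """A mitigation priced per year. The factors scale the scenario's terms:
    probability_factor 0.1 cuts probability by 90 percent, loss_factor 0.25
    cuts the loss to a quarter, and 1.0 leaves a term unchanged."""
    name: str
    annual_cost: float
    probability_factor: float = 1.0
    loss_factor: float = 1.0


def risk(s: Scenario) -> float:
    """Risk = Probability x Loss: the expected loss per year."""
    return s.probability * s.loss


def apply_control(s: Scenario, c: Control) -> Scenario:
    """The residual scenario once the control is in place."""
    p = max(0.0, min(1.0, s.probability * c.probability_factor))
    return replace(s, probability=p, loss=s.loss * c.loss_factor)


def rank(scenarios):
    """Highest risk first, so the register is worked from the top down."""
    return sorted(scenarios, key=risk, reverse=True)


def decide(s: Scenario, c: Control, appetite: float) -> dict:
    """Accept, mitigate, or send the control back as too expensive.

    appetite is the largest expected annual loss the organization will carry
    for a single scenario without treating it (an assumed policy number).
    """
    before = risk(s)
    after = risk(apply_control(s, c))
    benefit = before - after
    if before <= appetite:
        decision = "accept: already within appetite"
    elif benefit < c.annual_cost:
        decision = "reject control: it costs more than the risk it removes"
    elif after <= appetite:
        decision = "mitigate: residual risk within appetite"
    else:
        decision = "mitigate and escalate: residual risk still exceeds appetite"
    return {"scenario": s.name, "control": c.name, "before": before,
            "after": after, "net_benefit": benefit - c.annual_cost,
            "decision": decision}


def evaluate(register, appetite):
    """Decide every (scenario, control) pair, highest risk first."""
    by_name = {s.name: c for s, c in register}
    return [decide(s, by_name[s.name], appetite)
            for s in rank([s for s, _ in register])]


# Constructed sample register: hypothetical scenarios and controls, not data
# from the page. Loss figures stand in for asset value times damage done.
REGISTER = [
    (Scenario("phishing leads to credential theft", 0.6, 50_000.0),
     Control("phishing-resistant MFA", 5_000.0, probability_factor=0.1)),
    (Scenario("ransomware on the file server", 0.1, 400_000.0),
     Control("offline, tested backups", 15_000.0, loss_factor=0.25)),
    (Scenario("insider exfiltrates customer data", 0.05, 300_000.0),
     Control("DLP suite", 20_000.0, probability_factor=0.5)),
    (Scenario("unencrypted laptop stolen", 0.3, 20_000.0),
     Control("full-disk encryption", 2_000.0, loss_factor=0.1)),
]
APPETITE = 12_000.0  # assumed acceptable expected loss per scenario per year


if __name__ == "__main__":
    for r in evaluate(REGISTER, APPETITE):
        print(f"{r['scenario']}: risk {r['before']:,.0f} -> {r['after']:,.0f} "
              f"with {r['control']} (net {r['net_benefit']:+,.0f}); {r['decision']}")
```

Run as a script it prints the register from highest to lowest risk. The ransomware and phishing scenarios come out as "mitigate" because the control removes more expected loss than it costs and leaves the residual inside the appetite; the insider scenario shows the other side of the balance, a control that costs more than the risk it buys down, so the right move is to accept the risk explicitly or find a cheaper control; the laptop scenario is already inside the appetite and is accepted as-is. Changing APPETITE is the lever that the page calls your acceptable level of risk.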

Briefly, ignoring the hundreds of frameworks and complex policy papers, the risk management process consists of the following general steps:

Because it is a cycle, the feedback stage tells us whether the mitigation we put in place was effective, and the cycle starts again. Risk management is very complicated, but using a framework as a mental model is a good start.

Answer these questions:

  1. What is a threat?
  2. What is a vulnerability?
  3. How do we define asset value?
Hoppers Roppers 2024 Date: 2024-02-25 22:06:00
