Risk Management Process

  1. Assessing and analyzing risk should be a continuous and comprehensive exercise in any organization.

  2. Risk - is a measure of the extent to which an entity is threatened by a potential circumstance or event.

  3. Risk is expressed as a combination of:

    1. the adverse impacts that would arise if the circumstance or event occurs

    2. the likelihood of occurrence

  4. Information security risk

    1. reflects the potential adverse impacts that result from the possibility of unauthorized action against information and/or information systems, namely:

      1. access

      2. use

      3. disclosure

      4. disruption

      5. modification

      6. destruction

    2. represents that risk is associated with:

      1. threats

      2. impact

      3. likelihood

    3. indicates that IT risk is a subset of business risk

  5. An asset is something in need of protection

  6. A vulnerability is a gap or weakness in those protection efforts.

  7. A threat is something or someone that aims to exploit a vulnerability to thwart protection efforts.

  8. Threat - is a person or thing that takes action to exploit (or make use of) a target organization’s system vulnerabilities, as part of achieving or furthering its goal or objectives.

    1. Insiders

      1. (either deliberately, by simple human error, or by gross incompetence).

    2. Outside individuals or informal groups

      1. (either planned or opportunistic, discovering vulnerability).

    3. Formal entities that are nonpolitical

      1. (such as business competitors and cybercriminals).

    4. Formal entities that are political

      1. (such as terrorists, nation-states, and hacktivists).

    5. Intelligence or information gatherers

      1. (could be any of the above).

    6. Technology

      1. (such as free-running bots and artificial intelligence, which could be part of any of the above)
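The notes above express risk as a combination of impact and likelihood and list the asset, vulnerability and threat that make up each risk. The following is an added illustration, not code from the page: a small qualitative risk register that records those elements, scores each entry as likelihood × impact, and ranks the register for prioritization. The rating scales, the score thresholds and the sample entries are constructed for the example and are not drawn from any standard.

```python
"""Added example: a qualitative risk register in which each risk is expressed,
as the notes state, as a combination of likelihood and impact.
Scales, thresholds and sample entries are constructed, not normative."""
from dataclasses import dataclass

# Ordinal rating scales (1 = lowest, 5 = highest); constructed for illustration.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str          # what needs protection
    threat: str         # who or what could exploit the weakness
    vulnerability: str  # the gap in the protection effort
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT


def risk_score(likelihood: str, impact: str) -> int:
    """Risk as a combination of likelihood and impact: here the product of the
    two ordinal ratings, giving a score from 1 to 25."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Bucket a score into a level used for prioritization (thresholds constructed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register):
    """Rank the register highest score first; ties keep their input order."""
    return sorted(register, key=lambda r: risk_score(r.likelihood, r.impact), reverse=True)


# Constructed sample register for a hypothetical organization.
REGISTER = [
    Risk("customer database", "outside individual (opportunistic)",
         "unpatched public web service", "likely", "major"),
    Risk("payroll system", "insider (human error)",
         "no approval step before batch payments", "possible", "moderate"),
    Risk("office printers", "free-running bot",
         "default administrative credentials", "almost certain", "negligible"),
    Risk("data centre power", "storm / utility failure",
         "single mains feed, no generator", "unlikely", "severe"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        s = risk_score(r.likelihood, r.impact)
        print(f"{risk_level(s):6} {s:2}  {r.asset}: {r.threat} via {r.vulnerability}")
```

The product of two ordinal ratings is only one way to combine the two factors; many organizations use a lookup matrix instead, and the example's `risk_level` thresholds are where the organization's tolerance (discussed later on the page) enters the picture.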

Managing vulnerabilities starts with one simple step: Learn what they are.

Impact - is the magnitude of harm that can be expected

A vulnerability is an inherent weakness or flaw in a system or component, which, if triggered or acted upon, could cause a risk event to occur

  1. Risk identification - recurring process of identifying different possible risks, characterizing them, and then estimating their potential for disrupting the organization.

  2. Risk assessment - is the process of identifying, estimating, and prioritizing risks and should:

    1. result in aligning (or associating) each identified risk resulting from the operation of an information system with the goals, objectives, assets or processes that the organization uses, which in turn aligns with or directly supports achieving the organization’s goals and objectives.

  3. Risk treatment - decisions about the best actions to take regarding the identified and prioritized risk

    1. decisions made are dependent on:

      1. the attitude of management toward risk

      2. the availability

      3. risk mitigation cost

When making decisions based on risk priorities, organizations must evaluate the likelihood and impact of the risk as well as their tolerance for different sorts of risk.

Understanding the organization and senior management’s attitude toward risk is usually the starting point for getting management to take action regarding risks.

Calculating the harm likely to result from outages of varying lengths will help to define a company's risk tolerance.

If a company has a low tolerance of the risk of downtime, they are more likely to invest in a generator to power critical systems.

A company with an even lower tolerance for downtime will invest in multiple generators with multiple fuel sources to provide a higher level of assurance that the power will not fail.
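The downtime discussion above describes how tolerance drives the treatment decision: the lower the tolerance, the more the organization invests. As an added example that is not part of the page, the code below estimates the expected annual loss from outages of varying lengths and then selects, from a set of treatment options, the least costly one whose residual loss stays within a stated tolerance. The hourly outage cost, the outage profile, the option names, their annual costs and their residual-loss factors are all constructed values.

```python
"""Added example: expected loss from outages of varying length, and the
treatment option a given risk tolerance selects. All figures are constructed."""
from dataclasses import dataclass

COST_PER_HOUR_DOWN = 20_000.0  # constructed: lost revenue plus recovery cost per hour of outage

# Constructed outage profile with no backup power in place:
# (outage duration in hours, expected occurrences per year)
OUTAGE_PROFILE = [(0.5, 6.0), (4.0, 1.0), (24.0, 0.1)]


def expected_annual_loss(profile, cost_per_hour):
    """Sum over outage lengths of duration * annual frequency * hourly cost."""
    return sum(hours * per_year * cost_per_hour for hours, per_year in profile)


@dataclass(frozen=True)
class Treatment:
    name: str
    annual_cost: float      # yearly cost of the control (constructed)
    residual_factor: float  # fraction of the untreated loss that remains after the control


def residual_loss(option, untreated_loss):
    """Loss still expected once the option is in place."""
    return untreated_loss * option.residual_factor


def choose_treatment(options, untreated_loss, tolerance):
    """Return the cheapest option whose residual loss is within tolerance,
    or None if no listed option brings the loss down far enough."""
    acceptable = [o for o in options if residual_loss(o, untreated_loss) <= tolerance]
    if not acceptable:
        return None
    return min(acceptable, key=lambda o: o.annual_cost)


# Constructed treatment options mirroring the page's generator discussion.
OPTIONS = [
    Treatment("accept (no backup power)", 0.0, 1.0),
    Treatment("single generator", 40_000.0, 0.25),
    Treatment("multiple generators, two fuel sources", 110_000.0, 0.05),
]

if __name__ == "__main__":
    loss = expected_annual_loss(OUTAGE_PROFILE, COST_PER_HOUR_DOWN)
    print(f"expected annual loss with no treatment: {loss:,.0f}")
    for tolerance in (200_000.0, 50_000.0, 10_000.0, 1_000.0):
        chosen = choose_treatment(OPTIONS, loss, tolerance)
        name = chosen.name if chosen else "no listed option is sufficient"
        print(f"tolerance {tolerance:>9,.0f}: {name}")
```

Running the block shows the page's progression directly: a high tolerance accepts the risk, a lower one selects the single generator, and a lower one still requires the redundant generators. When no option meets the tolerance the function returns `None`, which is the signal to look for further controls or to revisit the tolerance itself rather than silently accept the residual risk.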
