Threat, Risk and Vulnerability

Threat: A potential cause of an unwanted Incident, which may result in harm to a System or Organization
Vulnerability: A weakness of an asset or control that could be exploited by one or more threats.
Risk: A combination of the probability of an Event and its Consequence

  • Risk is the ‘effect of uncertainty on objectives’
  • Risk management involves identifying risks; analyzing, evaluating and treating them; and monitoring & measuring them in order to control and minimize their impact
  • ‘Risk Owners’ own the risks in their functional areas, and need to apply risk management principles to address and mitigate those risks

Risk Assessment is the total sum of

  • Asset Assessment & Valuation
  • Threat Assessment & Valuation
  • Vulnerability Assessment

Risk Analysis: A systematic use of information to identify sources and to estimate the Risk
Types of Risk Analysis: Quantitative & Qualitative

Possible options for Risk treatment include:

  • Applying appropriate controls to reduce the Risks;
  • Knowingly and objectively accepting Risks, providing they clearly satisfy the Organization’s Policy and criteria for Risk Acceptance;
  • Avoiding Risks by not allowing actions that would cause the Risks to occur;
  • Transferring the associated Risks to other parties, e.g. Insurers or Suppliers
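To show how the pieces above fit together, here is an added example (not from the original post) of a small risk register in Python: each row carries an asset valuation, a threat and a vulnerability, it is analysed both qualitatively (likelihood x impact on an ordinal scale) and quantitatively (probability of the event times its consequence, annualised), and the result is matched against the organization's acceptance criteria to pick one of the four treatment options. The 1–5 scales, the rating thresholds, the treatment preference order and every figure in the register are assumptions constructed for illustration, not values from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales for the qualitative analysis. These 1-5 labels and the
# rating thresholds below are assumptions for this example, not a standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of a risk register: asset, threat, vulnerability and both valuations."""
    asset: str
    asset_value: float          # asset valuation in currency units (constructed figure)
    threat: str
    vulnerability: str
    likelihood: str             # qualitative likelihood label (key of LIKELIHOOD)
    impact: str                 # qualitative impact label (key of IMPACT)
    events_per_year: float      # quantitative: expected occurrences per year
    exposure_factor: float      # fraction of asset value lost per occurrence (0..1)
    control_cost: Optional[float] = None  # yearly cost of a control that would reduce it
    transferable: bool = False  # can the risk be moved to an insurer or supplier?
    avoidable: bool = False     # can the triggering activity simply be stopped?


def qualitative_score(r: Risk) -> int:
    """Likelihood x impact on the ordinal scales; ranges 1..25."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def qualitative_rating(score: int) -> str:
    """Bucket the score into a rating (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def expected_annual_loss(r: Risk) -> float:
    """Quantitative risk: probability of the event times its consequence, per year."""
    return r.events_per_year * r.asset_value * r.exposure_factor


def recommend_treatment(r: Risk, acceptance_threshold: float) -> str:
    """Pick one of the four treatment options listed in the post.

    The preference order is an assumption: accept if the loss is within the
    organization's acceptance criteria; otherwise reduce when a control costs
    less than the loss it prevents; otherwise transfer or avoid where that is
    possible; otherwise reduce anyway, since nothing else is left.
    """
    eal = expected_annual_loss(r)
    if eal <= acceptance_threshold:
        return "accept"
    if r.control_cost is not None and r.control_cost < eal:
        return "reduce"
    if r.transferable:
        return "transfer"
    if r.avoidable:
        return "avoid"
    return "reduce"


# Constructed sample register (all names and figures invented for illustration).
REGISTER = [
    Risk("customer database", 500_000, "external attacker", "unpatched web application",
         "likely", "severe", events_per_year=0.5, exposure_factor=0.4, control_cost=30_000),
    Risk("office laptops", 40_000, "theft", "no disk encryption",
         "possible", "moderate", events_per_year=2.0, exposure_factor=0.05, transferable=True),
    Risk("legacy FTP server", 5_000, "malware", "anonymous upload enabled",
         "unlikely", "negligible", events_per_year=0.1, exposure_factor=0.2, avoidable=True),
]


def assess(register, acceptance_threshold: float):
    """Return one summary dict per risk: both analyses plus the treatment choice."""
    rows = []
    for r in register:
        score = qualitative_score(r)
        rows.append({
            "asset": r.asset,
            "qualitative": qualitative_rating(score),
            "expected_annual_loss": round(expected_annual_loss(r), 2),
            "treatment": recommend_treatment(r, acceptance_threshold),
        })
    return rows


if __name__ == "__main__":
    # Acceptance threshold is the "criteria for Risk Acceptance" the post mentions;
    # the figure is an assumption.
    for row in assess(REGISTER, acceptance_threshold=1_000):
        print(row)
```

Running it shows why the post lists two analysis types: the qualitative rating is what a risk owner can assign in a workshop without financial data, while the quantitative expected loss is what lets the control cost be compared against the loss it prevents before choosing to reduce, transfer, avoid or accept.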
