
Proceed at your own RISK

Sunday, 26 April, 2009

RISK is a very common word. In the IT world it has become more and more widely used, not only in management circles but also down at the end-user level. Risk is a big deal when it comes to security. More often than not, it is tied to a monetary value or, even worse, to reputation. That’s why, when it comes to managing it, the most important thing everyone should adhere to is senior management awareness and approval.

Let’s dive into the meaning of the word risk in the IT security world. The simplest way of putting it is:

A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. (All-in-One CISSP, Risk Management; Shon Harris). Before expanding on that definition, let’s take a look at what threats and vulnerabilities are.

A threat, as we all know, is any potential danger. Threat agents are the medium that carries out the threat. So a threat agent is someone or something that can identify a weakness and take advantage of it. For instance, if I know a website is running an application that is not written properly, I could exploit it to deface it or to cause a denial of service. In this case, I am a threat agent. My inappropriate actions are a threat to this website.

The site’s buggy code creates an exposure: an instance of being exposed to losses from a threat agent.

A vulnerability is a weakness in the infrastructure, and a weakness always shows up as the absence of, or the inability to provide, a safeguard. So in our previous example, the poorly written website is a weakness. Without a proper safeguard in place to protect it, it is a vulnerability that a threat agent is ready to exploit.

Safeguards were mentioned earlier. A safeguard is the countermeasure that must be in place to prevent or mitigate the potential risk. Mitigating risk comes in many flavors, which we’ll try to cover briefly later.

So, in brief, the order of these concepts is:

Threat > Exposure > Vulnerability > Countermeasure/Safeguard > Risk


Risk Management involves three activities: Risk Identification, Risk Analysis and Assessment, and Risk Mitigation. This is the process in which a designated group (most likely the Risk Management team) identifies the risks (threats and vulnerabilities), analyzes them, and mitigates them to an acceptable level. The goal is to implement countermeasures that reduce the risk to a level the security policy accepts.
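To make the identify / analyze / mitigate loop concrete, here is a small risk register, added as an example and not part of the original post. It scores each risk as likelihood × impact, applies the safeguards on record, and reports which residual risks still exceed the policy’s acceptable level; the 1–5 scale, the threshold of 6 and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed policy threshold: residual risk scores above this still need treatment.
ACCEPTABLE_RISK = 6


@dataclass
class Safeguard:
    """A countermeasure; each one removes scale points from likelihood and/or impact."""
    name: str
    likelihood_reduction: int
    impact_reduction: int = 0


@dataclass
class Risk:
    """One identified risk: a threat acting on a vulnerability (qualitative 1..5 scale)."""
    threat: str
    vulnerability: str
    likelihood: int   # chance a threat agent takes advantage of the vulnerability
    impact: int       # business impact if it does
    safeguards: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk analysis: score before any countermeasure is considered."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk mitigation: score after the listed safeguards, never below 1 on either axis."""
        likelihood = max(1, self.likelihood - sum(s.likelihood_reduction for s in self.safeguards))
        impact = max(1, self.impact - sum(s.impact_reduction for s in self.safeguards))
        return likelihood * impact


def assess(register: list, acceptable: int = ACCEPTABLE_RISK) -> list:
    """Return the risks whose residual score is still above the policy threshold."""
    return [risk for risk in register if risk.residual() > acceptable]


# Constructed register mirroring the post's buggy-website example.
REGISTER = [
    Risk("attacker defaces the site", "poorly written web application", 4, 4,
         safeguards=[Safeguard("web application firewall", likelihood_reduction=2)]),
    Risk("attacker causes denial of service", "no request rate limiting", 3, 3,
         safeguards=[Safeguard("rate limiting", likelihood_reduction=1)]),
    Risk("stolen backup media is read", "unencrypted backups", 2, 5),  # no safeguard yet
]

if __name__ == "__main__":
    for risk in assess(REGISTER):
        print(f"still unacceptable: {risk.threat} (inherent {risk.inherent()}, residual {risk.residual()})")
```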
