<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Today &#187; risk</title>
	<atom:link href="http://www.securetoday.net/tag/risk/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securetoday.net</link>
	<description>Protecting your own for the future</description>
	<lastBuildDate>Thu, 25 Feb 2010 16:25:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Proceed at your own RISK</title>
		<link>http://www.securetoday.net/2009/04/proceed-at-your-own-risk/</link>
		<comments>http://www.securetoday.net/2009/04/proceed-at-your-own-risk/#comments</comments>
		<pubDate>Sun, 26 Apr 2009 16:16:01 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=90</guid>
		<description><![CDATA[RISK is a very common word. In the IT world, it has been used more and more, not only within management but also down to the end users. Risk is a big deal when it comes to security. More often than not, it is tied to a value or, even worse, to reputation. That&#8217;s why when [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-91" title="risk" src="http://www.securetoday.net/wp-content/uploads/2009/07/risk.jpg" alt="risk" width="620" height="152" /><strong>RISK </strong>is a very common word. In the IT world, it has been used more and more, not only within management but also down to the end users. Risk is a big deal when it comes to security. More often than not, it is tied to a value or, even worse, to reputation. That&#8217;s why when it comes to managing it, the most important prerequisite everyone should adhere to is senior management awareness and approval.</p>
<p>Let&#8217;s dive into the meaning of the word risk in the IT security world. The simplest way of putting it is:</p>
<blockquote>
<p style="text-align: center;"><strong>THREAT + <span style="color: #008000;">VULNERABILITY</span> = <span style="color: #ff0000;">RISK</span></strong></p>
</blockquote>
<p><em>A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.</em> (All-in-One CISSP, Risk Management; Shon Harris). Before expanding on that definition, let&#8217;s take a look at what threats and vulnerabilities are.</p>
<p>A threat, as we all know, is any potential danger. Threat agents are the medium that carries out the threat, so a threat agent is someone or something that can identify a weakness and take advantage of it. For instance, if I know a website is running an application that is not written properly, I could exploit it to deface the site or to cause a denial of service. In this case, I am the threat agent. My inappropriate actions are the threat to this website.</p>
<p>The site&#8217;s buggy code constitutes an exposure, which is an instance of being exposed to losses from a threat agent.</p>
<p>A vulnerability is a weakness in the infrastructure, and a weakness is always an absence or lack of the ability to safeguard itself. So in our previous example, the poorly written website is a weakness. Without a proper safeguard in place to protect it, it is a vulnerability that a threat agent is ready to exploit.</p>
<p>Safeguards were mentioned earlier. A safeguard is the countermeasure that must be in place to prevent or mitigate the potential risk. Mitigating risk comes in many flavors, which we&#8217;ll cover in brief later.</p>
<p>So in brief, the order of concepts for all of these is:</p>
<blockquote><p><strong>Threat &gt; Exposure &gt; Vulnerability &gt; Countermeasure/Safeguard &gt; Risk</strong></p></blockquote>
<h2>RISK MANAGEMENT</h2>
<p>Risk management involves risk identification, risk analysis and assessment, and risk mitigation. It is the process by which an identified group (most likely the risk management team) identifies the risks (threats and vulnerabilities), analyzes them, and mitigates them to an acceptable level. The goal is to implement countermeasures that reduce the risk to a level that is acceptable under the security policy.</p>
<p><span id="more-90"></span>Identifying potential risks starts with a good way of identifying vulnerabilities. Various vulnerability assessment tools are available to assist security professionals with this rigorous task. Assets must be properly identified at this stage. On the other hand, another class of asset, the users, lacks understanding of threats in particular and of security in general. So keep in scope that the users, who unfortunately are the weakest link in security, and their lack of knowledge are also a risk. Having users understand the scope of the security policy is a must.</p>
<p>After identifying vulnerabilities and threats, it&#8217;s time to quantify or qualify them. A quantitative or a qualitative risk analysis approach can be selected depending on the nature of the assets. Quantitative analysis is a risk calculation in which monetary values are assigned to assets. Qualitative analysis judges the intrinsic value of an asset.</p>
<p>Risk mitigation comes after analyzing the risk. This is when you decide what to do about the risk based on the value of the asset and the actual loss if it is exposed. As a general rule, it is not recommended to spend more to protect an asset than the asset is worth. So if the cost of mitigating the risk outweighs the value of the asset, it is better to accept the risk than to spend more than the asset is worth. Next, let&#8217;s cover the different options for deciding how to mitigate these risks.</p>
<h2>It&#8217;s too risky, are you sure?</h2>
<p><strong>RISK ACCEPTANCE</strong>. <em>Well, let&#8217;s just accept the risk.</em> This is when you decide to accept the risk, do nothing about it, and choose to live with it. The reason is that the cost to mitigate it is too high and the impact is too low. For example, if the cost of putting an IDS (Intrusion Detection System) in an environment is too high relative to the total potential loss there, it may be safe just to accept the risk.</p>
<p><strong>RISK AVOIDANCE</strong>. <em>I wanna avoid the risk, let&#8217;s go somewhere else.</em> This is when management decides not to continue with the activity that is introducing the risk. For example, if users use a particular email client that poses many risks, management can choose to mandate that its use stop if there is not enough business need for it. They can work around it by using a different email client that carries fewer risks.</p>
<p><strong>RISK REDUCTION</strong>. <em>Okay, let&#8217;s implement what you were suggesting.</em> This is when you decide that a countermeasure will reduce the loss if an event occurs. This is the real risk mitigation. Earlier, users were mentioned as the weakest link because of their lack of knowledge; a countermeasure for this is proper awareness training. This approach reduces the level of risk to a level the business can accept. Implementing firewalls, IDS where it is needed, and antivirus are all good risk reduction approaches.</p>
<p><strong>RISK TRANSFERENCE</strong>. <em>This is too much for me now, let&#8217;s give it to someone else.</em> This is when management chooses to transfer the risk to somebody else. A good example is buying insurance to handle the risk for you: instead of you carrying the risk, the insurance company carries it for you.</p>
<p><strong>RISK IGNORANCE</strong>. <em>Ignore it? Are you sure?</em> This one is tricky: while it sounds easy and is very tempting, it is NOT an acceptable risk mitigation strategy. Don&#8217;t ignore any risk; after all, risk sometimes spells RI$K.</p>
<p>Risk management is important in security. In an enterprise, with many different assets, it can be very challenging, but the concept is relatively straightforward. In our homes, or for everyday computer users, it takes a different form and presents different challenges. The gist of it is that risk equates to value, and value has a cost. You need to do something to protect that value so that it is not compromised or lost.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/04/proceed-at-your-own-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
