Let's just think then in our second module about risk and how risk relates to us as individuals and the choices we make, because we use risk to inform our approach to security in our homes. But also we'll look at how we use this in a more enterprise environment, because the same things apply but we want to be more systematic about how we do it. In our home, if we have a household with maybe four people, five people, they may all do things slightly differently and it may not be a big issue. May be a big issue, may not be a big issue. But in a large organization, we want to make sure that our approach to risk is considered, approved, well thought through, so we need to think: who's going to approve this process? Who's going to make the decisions? But also we want a structured way that it will take place, that's going to be repeatable. We're not going to be doing things in different ways. Some parts of security governance, risk, and compliance are about providing that framework, that structure, to make sure that we have a consistent, systematic way of operating. Security has a wide variety of roles, from encryption and some of the technology roles through to some of the less technical roles around governance, risk, and compliance that are just as important. We will start by looking at some key concepts and definitions around risk. We'll then link those to security, how risk relates to security. We'll talk about risk appetite, the process of risk assessment, and of risk management. Let's start by thinking about what a risk is, because commonly people confuse the risk and the threat. Working with large organizations, I still see this happen, people confuse those two terms. You guys will have an advantage because you won't do that. You will know the difference between these two terms. The threat is the thing that could cause the harm, that could cause the damage. The risk is the outcome. 
Let me just break that down into an example to make it clearer. In the image there you see a lightning strike. The lightning strike is the threat. That's the thing that can actually cause the problem. A hacker might be the threat. The actual risk then is the outcome. We can think about the risk as being the outcome. For the threat of a lightning strike, what is the risk? The risk might be that it damages electrical equipment. That it means our availability is compromised, or maybe that it damages live systems and compromises the integrity, causes data loss or a change to our data. With an attacker, with a hacker, if they deploy ransomware or some malware, maybe again, it removes availability to our information. The threat would be the hacker, the risk would be a loss of confidentiality. Maybe the hacker is breaking into a network and reading sensitive information. Maybe they're using ransomware to encrypt it so that we can't access it, and that would be an attack on availability. The threat would be the hacker in that example; the risk would be the loss of availability, the loss of confidentiality of our information assets. There are two other terms we want to consider when we're talking about risk. The first is the probability of this happening. How likely is this to materialize? A lightning strike, I am going to say that is very unlikely. Therefore, even though the risk, the outcome, would be quite bad, the likelihood is very low. That might shape how we deal with that particular risk. Then we look at the term vulnerability. A vulnerability is a weakness of some sort that will affect the likelihood and maybe the level of impact. A vulnerability might be, for example on a computer-based system, a missing patch. You haven't updated the system, it's missing a patch. If you have the patch, the malicious software, the malware, won't work, or its impact may be limited. 
If you're missing the patch then the malware could cause significant damage, maybe it has an easier time spreading across the network. How vulnerable you are will affect the likelihood, the probability, but also potentially the impact from the threat. We want a way of considering risks to our hardware, to our software, to our information, to our physical assets, to our logical assets, the physical world and the logical world. You can see just that interplay on the screen there. On the left axis we see probability, how likely something is; on the other axis, the impact, the amount of damage it causes. The quadrants on this chart that would cause us most concern are the ones that are most likely to happen and have the highest impact. The blue areas may still be of concern, but less concern. We're starting to prioritize, and you do this in your own home. You protect things according to their value. You protect things according to the risk that they face: how probable a problem is, how much damage it could cause. We might consider the probability and the impact for all of the different risks, but we would react differently. Having assessed the risks, which is what this chart is showing, when we do something about them, where we would seek to work first is up here in the top right. The highest risk, the highest impact, the highest probability of a problem: this is where we would be willing to invest more to prevent a problem. This process of reacting to the risk assessment is called risk management. We are trying to manage the risk and we prioritize. We cannot invest everywhere equally: if we have a million dollar security budget, we're not going to apply that budget evenly across everything. We're going to prioritize it for the things that are most at risk, that have the higher probability of a problem and the higher impact, maybe, on our organization. That could be in terms of reputation or financial loss. 
The risk assessment then: in order to perform an effective assessment of these risks, the very first thing we have to have is knowledge of what we have, of our physical assets. We need an asset register. An asset register for our physical assets covering things like servers, laptops, and so on. But also a separate asset register, usually for our software, maybe our configurations, but certainly for our information. We're not going to protect all information equally; some might be very sensitive, top-secret. Some might be public information that's already shared with the public. There is little point in protecting the confidentiality of a public catalog or a public brochure, whereas our top-secret intellectual property or military information or patient data, those things we would want to protect to a higher extent. Information is a type of asset, and if we are doing risk management, well, we should have an information asset register as well. If we're looking to manage threats, the threats themselves we can seek to manage as part of risk management. For example, environmental risks, things like flooding. If you are in an area where you have heavy rain or a history of floods, or predicted future incidents of floods because of climate change, then maybe we don't locate our datacenter in the basement or on the ground floor. That may sound silly. But I have seen datacenters located in the basement, in areas that flood. We can mitigate some of these risks through effective future planning as well. We want to think about threats; we already introduced the idea of accidental versus intentional threats. Somebody trying to do something versus an accidental problem. Accidents tend to be, in my experience, more common than deliberate, intentional threats. But we need to consider both in our risk assessment. 
Once we've identified vulnerabilities, we want to manage them, and we can manage vulnerabilities in the technical world using a vulnerability scanner: we can scan a network for known vulnerabilities. When we find them, we can mitigate them. A lot of regulated industries, like banking and health care, require you to perform regular vulnerability management scans to look for missing patches and out-of-date software on your networks. As part of the risk assessment process, we're also trying to estimate the impact and the likelihood, how likely this is to occur. To estimate likelihood, we can look at past historical information, but also information we have about the future. We could say that crime in a city is rising or falling. If crime has risen every year for 10 years, maybe that changes how we think about building a new site in that city. If we look at an area that doesn't have floods, but we see a pattern of floods increasing in that territory, well then maybe that affects again how we design the building, where we locate electrical outlets and so on. All of this is about very careful planning. Risk assessments typically occur at a minimum on an annual basis. There are lots of different approaches to performing a risk assessment; again, there's no right or wrong. What's important is that we're consistent and that we are doing it on a regular basis. Again, risk assessment and risk management are usually mandated within most regulated industries: telecoms, health care, finance, government, military, and so on.
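To make the probability/impact chart and the prioritization it drives concrete, here is a small risk register written for this module (added example, not code from the lecture). It assumes a constructed 1 to 5 ordinal scale for both axes, scores each threat-to-asset pairing as probability times impact, places it in a chart quadrant, records a mitigation such as applying a missing patch, and splits a budget in proportion to score rather than evenly; the asset names, scores and budget are all constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

SCALE_MAX = 5  # constructed ordinal scale: 1 = very low ... 5 = very high

@dataclass(frozen=True)
class RiskEntry:
    asset: str        # from the asset register (physical, software or information)
    threat: str       # what can actually cause the harm
    outcome: str      # the risk: loss of confidentiality, integrity or availability
    probability: int  # 1..5 likelihood; vulnerabilities such as missing patches push it up
    impact: int       # 1..5 damage: reputation, financial loss, downtime

    def score(self) -> int:
        """Risk score: the chart's two axes multiplied together."""
        return self.probability * self.impact

def quadrant(entry: RiskEntry) -> str:
    """Place an entry in one of the four quadrants of the probability/impact chart."""
    p = "high probability" if entry.probability > SCALE_MAX / 2 else "low probability"
    i = "high impact" if entry.impact > SCALE_MAX / 2 else "low impact"
    return f"{p} / {i}"

def mitigate(entry: RiskEntry, probability: int | None = None,
             impact: int | None = None) -> RiskEntry:
    """Record a control (e.g. applying the missing patch) that lowers one or both axes."""
    return replace(entry,
                   probability=entry.probability if probability is None else probability,
                   impact=entry.impact if impact is None else impact)

def prioritise(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first: the top-right of the chart is where we work first."""
    return sorted(register, key=lambda e: e.score(), reverse=True)

def allocate_budget(register: list[RiskEntry], budget: float) -> dict[str, float]:
    """Split the budget in proportion to score rather than evenly across everything."""
    total = sum(e.score() for e in register)
    return {f"{e.asset} / {e.threat}": round(budget * e.score() / total, 2)
            for e in register}

# Constructed sample register built from the lecture's own examples.
SAMPLE = [
    RiskEntry("basement datacenter", "lightning strike", "loss of availability", 1, 5),
    RiskEntry("file server", "hacker deploying ransomware", "loss of availability", 4, 5),
    RiskEntry("unpatched workstation", "malware", "loss of integrity", 5, 3),
    RiskEntry("public brochure", "hacker reading it", "loss of confidentiality", 3, 1),
]
```

Running `prioritise(SAMPLE)` puts the ransomware risk to the file server first and the public brochure last, and `mitigate(SAMPLE[2], probability=2, impact=2)` shows how patching moves the workstation out of the high-probability quadrant.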