Welcome to our Risk Management Concepts, Risk Definitions Module.

Risk is the probability that a threat source will exercise a particular vulnerability, combined with the resulting impact of that adverse event on your organization. The likelihood of the threat occurring is considered over a given period of time, and the impact is the magnitude of the effects that would arise if the event actually occurred.

A vulnerability is a flaw or weakness in one of our assets, such as our computer systems. An asset is anything we consider valuable to our organization, everything from our facility to our employees to our computer systems.

A threat is a potential danger: either an accidental trigger or an intentional exploitation by an attacker of one of your assets, which occurs when a threat agent decides to take advantage of a certain vulnerability in that asset.

You should be familiar with these definitions for the CISSP exam. You should know that a vulnerability is a flaw or weakness in one of your assets, that a threat is when a threat agent takes advantage of one of those vulnerabilities, and that risk is a function of the likelihood of that threat source taking advantage of that vulnerability and of the undesirable impact on your organization. You may see questions where you are required to select a vulnerability or a threat agent from four choices.

A vulnerability, also known as a threat exposure, is an opportunity for a threat to occur, causing a loss to your organization. A loss is some type of devaluation of one of your assets, and an event or exploit is the instance of loss that you experience. A threat agent or threat source is anything or anyone that has the potential to cause a threat to your organization. We put controls in place to protect us from vulnerabilities and from threat agents.
Controls are also known as safeguards or countermeasures. They can be technical, administrative, or physical controls designed to manage the risk in our organizations.

Here are just some examples of threats that can negatively impact our organization's computer security. A threat to confidentiality would be a data exposure or the theft of confidential data. Social engineering is very popular: tricking an employee into providing information the attacker should not have. Shoulder surfing is where an individual looks over a person's shoulder to capture their password or other sensitive data, and impersonation attacks are where a person pretends to be an authorized user of your system. We also have man-in-the-middle attacks, where a person places themselves between two communicating parties in order to capture or modify that data.

We can also have integrity attacks, where someone modifies our data without our permission. They might modify a message while it is being transmitted, change our accounting records, modify system logs, or even modify our configuration files.

Finally, attacks on availability attempt to disable a resource or prevent authorized users from accessing it. This can be caused by a man-made or natural disaster, a terrorist attack, a component failure, or a denial-of-service or distributed denial-of-service attack.

We must be familiar with the process of managing the risks to our organization. First we identify the risks, then we analyze them, and then we reduce the risk to a level we consider acceptable. The risk assessment process is where we identify all of our assets, locate any risks associated with those assets, and determine the potential loss our organization could suffer if an event occurred.
During this process, we must come up with detailed estimates of the likelihood and impact of events, and use those estimates to determine whether we should put a countermeasure in place. The first step in the risk assessment process is to plan and prepare for the risk assessment; remember that for the CISSP examination.

During the risk mitigation process, we reduce our risks by selecting appropriate, cost-effective countermeasures. It is very important to remember for the CISSP examination that we only put controls in place that are cost-effective. For example, if we only have $1000 worth of assets in our building, we would not want to spend a million dollars on a security system to protect them, because that would not be cost-effective.

It is also important to know that once we select a control and put it in place, we must continually evaluate it to make sure the process is working correctly and the control is doing what it is supposed to do. We do not put a control in place and then simply never worry about it again; we must monitor and evaluate it continuously.

This concludes our Risk Management Concepts Module. Thank you for watching.
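As an added worked example (not part of the original module), the definitions and the cost-effectiveness rule above can be written down as a small risk register in Python. It goes one step beyond the module by expressing impact as asset value multiplied by an exposure factor and likelihood as an expected number of occurrences per year, so that risk becomes an expected yearly loss that can be compared directly against a control's yearly cost. The asset names, dollar figures and the two reduction fields on the control are constructed for illustration, apart from the $1000 asset versus million-dollar security system contrast taken from the module.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a risk register: an asset, the threat to it, and the
    vulnerability the threat would exercise. All figures are estimates."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float        # what the asset is worth to the organization
    exposure_factor: float    # fraction of that value lost in one event (0..1)
    annual_likelihood: float  # expected occurrences per year

    def single_loss(self) -> float:
        """Impact of one event: the magnitude of the loss if it occurs."""
        return self.asset_value * self.exposure_factor

    def annual_expected_loss(self) -> float:
        """Risk = likelihood x impact, expressed per year."""
        return self.single_loss() * self.annual_likelihood


@dataclass
class Control:
    """A safeguard/countermeasure with its yearly cost and the estimated
    fraction by which it cuts likelihood and/or impact (constructed fields)."""
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0


def residual_annual_loss(risk: Risk, control: Control) -> float:
    """Expected yearly loss that remains once the control is in place."""
    likelihood = risk.annual_likelihood * (1.0 - control.likelihood_reduction)
    impact = risk.single_loss() * (1.0 - control.impact_reduction)
    return likelihood * impact


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year."""
    avoided = risk.annual_expected_loss() - residual_annual_loss(risk, control)
    return avoided - control.annual_cost


def is_cost_effective(risk: Risk, control: Control) -> bool:
    """The module's rule: only adopt a control that costs less than the
    loss it prevents."""
    return net_annual_benefit(risk, control) > 0


def rank_register(register):
    """Order (risk, candidate control) pairs by expected loss, highest first,
    so the largest risks are analysed and treated first."""
    return sorted(register, key=lambda pair: pair[0].annual_expected_loss(),
                  reverse=True)


# Constructed sample register. Values are illustrative, except the
# $1000 asset / $1,000,000 control contrast used in the module.
SMALL_OFFICE = Risk("office contents", "theft", "no alarm", 1_000, 1.0, 1.0)
MILLION_DOLLAR_SYSTEM = Control("enterprise security system", 1_000_000)

CUSTOMER_DB = Risk("customer database", "data theft", "unencrypted backups",
                   500_000, 0.4, 0.2)
ENCRYPT_BACKUPS = Control("backup encryption + key management", 15_000,
                          impact_reduction=0.9)

REGISTER = [(SMALL_OFFICE, MILLION_DOLLAR_SYSTEM), (CUSTOMER_DB, ENCRYPT_BACKUPS)]

if __name__ == "__main__":
    for risk, control in rank_register(REGISTER):
        verdict = ("ADOPT" if is_cost_effective(risk, control)
                   else "REJECT (not cost-effective)")
        print(f"{risk.asset:18} expected loss/yr ${risk.annual_expected_loss():>10,.0f} "
              f"| {control.name}: net ${net_annual_benefit(risk, control):>12,.0f}"
              f" -> {verdict}")
```

The register is deliberately a list rather than a one-off calculation: the module's point that a control must be re-evaluated continuously maps onto re-running this over the register whenever a likelihood or impact estimate changes, and rejecting a control that no longer pays for itself.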