Hi folks, Ed here. Today, we're going to talk about risk. Now, in your personal life, the concept of risk is an informal thing; we assign it a sort of informal meaning. You would say, it's risky to do this thing, or, don't do that, that's very high risk. We do it informally. But in cybersecurity, we're actually going to use the term risk in a more quantitative way. We're going to use it as a defined term that has some real meaning, mostly focused on the probability and consequence associated with attacks.

So let's use a couple of simple examples. I always use examples that go outside of computing, and then we'll bring it back to computing. Imagine that you're driving in a car, and it's you alone in the car. You're driving along, and I say I would like to calculate the risk associated with you maybe getting into some sort of serious crash. You would say, well, there are two dimensions to that. One is, how likely is it that I would get into a crash? And second, if I do get into a crash, what ultimately is the consequence of that? It's those two dimensions, probability and consequence, that feed this. Does that make sense? Again, when we talk about computing, we're going to be focused more on networks and virtualization software and so on, but it doesn't hurt to think about a car and driving in it.

Now let's imagine that I'm in a car and suddenly the road becomes very slippery. The temperature drops, there's precipitation, it freezes, and I'm on an icy road. The first question is, has the probability that I may get into a crash [LAUGH] increased? Well, yes, of course, it's a slippery road. But the consequence is still just me. Some bad thing could happen to me or to whatever's in the car with me. Let's say I have nothing of any value in the car, it's just me. Then the consequence, whether I'm on a safe road or on an icy road, is the same.
So we'd say the risk has increased because it's an icy road, even though it's still just me in the car. That's the first case. Second possibility: let's say you're driving in the car, and nothing changes about the road, the traffic, the weather, nothing. You're not distracted; it's your normal driving. But now imagine that there's a little baby in the back seat in a car seat. Are the consequences of a car crash a little different now? You bet they are, right? [LAUGH] Now it's not just you, you're bringing a little baby along. And if you get in an accident, the first question anybody's going to ask is, is the baby okay? [LAUGH] They don't ask about you. It's because the consequence has increased, do you follow?

So there are really two ways that risk can be affected by some change in a system. Risk is inherently something that's measured based on change, and we'll get to that in a minute. But let's think about this. The first is that the probability of an attack, in cybersecurity terms, can increase, and the second is that the consequence of the attack can increase. For example, take a system that has customer records on it. Let's say it's 1,000 customer records. I put it on a system that sits behind a gateway that's not connected to the Internet. It's just private, and it carries some amount of risk. I don't want my customer records exposed, but it's on a network that's private, so I think we're good. You'd measure that risk as some number.

Now it's tricky, because you'd say, what number? Is there some universal scale that we all use, with unit risk at zero? It's not like that. What happens instead is that you pick some numeric scale. It's sort of like the stock market, where there's a number. You buy a stock at a number. Does it matter how much that stock costs when you buy it? No, but it matters whether it goes up or down, and risk is like that as well. So what we would do is something called baselining.
We do that a lot in system security engineering: you baseline a number. You come up with some reasonable sensitivity in terms of probability and consequence, and you just say, this is my baseline unit of risk at some point in time. Does that make sense? So you baseline something. Now, let's say you decide that this little local area network, with 1,000 customer records on a server, is going to connect to the Internet. You get your first Internet connection, and now people from the Internet can come in and do maintenance on your server, or for whatever reason you would be connecting. Well, guess what? The probability of attack has now gone way up. Has the consequence changed? No, [LAUGH] it's the same stuff. Your customers would be just as angry if you lost the data. That hasn't changed. But the probability that something could happen has gone way up because you connected to the Internet.

Now let's unravel that. Go back to the case where it's still a private network with no Internet connection, and I've got 1,000 customer records. You suddenly realize, well, 1,000 is just a small percentage of our customers, let's put all of them on. Let's put a million customer records on that server. How are you feeling about risk now? It's gone way up, because you have more consequential assets on that server. So there are these two ways that risk can be affected.

Now, every one of you right now is thinking the correct question, and that's, well, what if one goes up and the other goes down? What if I went from 100 customer records to 10 at the same time that I connected to the Internet? Welcome to security risk management. You can see how that's a very subjective judgement that you have to make. The discomfort that anybody doing cybersecurity has, particularly in a practical setting, is how informal a lot of this is.
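The baselining idea above can be made concrete with a small scoring model. This is an added example for this page, not code from the lecture or the course: it assumes ordinal 1 to 5 bands for likelihood and consequence, assumes two alternative likelihood scales (CAUTIOUS and RELAXED) and assumes the record-count thresholds in consequence_level; all of those are this example's choices, not standard values. It reproduces the three scenarios from the lecture (connect to the Internet, grow to a million records, and the mixed case of connecting while shrinking to 10 records) and shows that the first two move in the same direction on any reasonable scale, while the verdict on the mixed case depends entirely on the sensitivity you chose when you baselined.

```python
from dataclasses import dataclass

# Two assumed likelihood scales (1 = lowest, 5 = highest). Neither is "the"
# right one; the point is that you pick a scale, baseline against it, and
# then track the direction of change, not the absolute number.
CAUTIOUS = {"private-network": 1, "internet-connected": 4}
RELAXED = {"private-network": 1, "internet-connected": 2}


def consequence_level(records: int) -> int:
    """Band the number of customer records at stake into 1..5 (assumed thresholds)."""
    for level, upper in ((1, 10), (2, 1_000), (3, 10_000), (4, 100_000)):
        if records <= upper:
            return level
    return 5


@dataclass(frozen=True)
class Scenario:
    name: str
    exposure: str  # key into a likelihood scale
    records: int   # customer records on the server


def risk(s: Scenario, scale: dict) -> int:
    """Risk = probability-of-attack band x consequence band, on the chosen scale."""
    return scale[s.exposure] * consequence_level(s.records)


def direction(baseline: Scenario, candidate: Scenario, scale: dict) -> str:
    """Compare a changed system against the baseline; only the direction is meaningful."""
    b, c = risk(baseline, scale), risk(candidate, scale)
    return "higher" if c > b else "lower" if c < b else "unchanged"


# Constructed scenarios mirroring the lecture's examples.
BASELINE = Scenario("private LAN, 1,000 records", "private-network", 1_000)
CHANGES = [
    Scenario("connect to Internet", "internet-connected", 1_000),
    Scenario("scale to 1,000,000 records", "private-network", 1_000_000),
    Scenario("Internet but only 10 records", "internet-connected", 10),
]


def report(scale: dict) -> dict:
    """Direction of risk change for every scenario relative to the baseline."""
    return {c.name: direction(BASELINE, c, scale) for c in CHANGES}


if __name__ == "__main__":
    for label, scale in (("cautious", CAUTIOUS), ("relaxed", RELAXED)):
        print(f"{label}: baseline risk={risk(BASELINE, scale)} {report(scale)}")
```

On the cautious scale the baseline scores 2, connecting to the Internet scores 8, a million records scores 5, and the mixed case scores 4, so all three read as higher. On the relaxed scale the mixed case scores 2, exactly the baseline, so it reads as unchanged. The model did not decide that; the person who picked the scale did, which is the judgement the lecture is describing.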
As an academic, particularly somebody who's always giving exams and helping students work out answers to questions and problems, you always look for things that are quantitative, where there's a number and they can't really argue with you one way or another. But cybersecurity doesn't work like that in practice. I wish it did, but it just doesn't. In practice it's judgement, qualitative versus quantitative judgement, and a question of, well, this one went down, the consequence went down, the probability went up, do they balance? Has the risk stayed the same? Did this drop more than that increased? Do you follow? It's very difficult to work through that. And that's where experience, and just the willingness to try to make good decisions, good management decisions, about cybersecurity, may be the most important factor here.

So, in terms of your additional learning here, try to think about some scenarios in your own mind, say in your own personal life, where an increase in the probability of something might increase your risk, or where an increase in consequence might increase risk. Think that through. I'm sure in your own life, maybe even in the context of things you do at work or school that may be technically related, there are decisions one might make that increase risk and, correspondingly, decisions that can decrease risk. That'll be a good thought exercise for you as you think about this lecture and as you continue to advance in your understanding of risk management in cybersecurity. So, we'll see you on the next video.