Learn the basic components of risk management, providing an effective framework for the rest of this course. This video serves to build the foundational concepts of risk management in order to frame the discussions throughout the rest of the course.
- Before we can dive deeply into the concepts of risk management, we must start with two basic questions. What is risk? And where does it exist? Risk, at its core, is the probability that a threat will be realized. Risk is a continual balancing act of a vulnerability versus a threat. In future lessons, we're going to discuss how we balance these against each other in order to manage risk as well. As cyber security professionals, our job is to minimize our vulnerabilities. Vulnerabilities are any weakness in the system design or implementation.
We're giving control over vulnerabilities because they come from internal factors, such as software bugs, mis-configured software, improperly protected network devices, lacking physical security and other such issues. Vulnerabilities are within our control, or at least within our organizations control. Whether we choose to address these vulnerabilities though, is the decision in risk management. Conversely, as cyber security professionals, we cannot fully control threats. Instead, we have to attempt to minimize or mitigate them.
This is because a threat is any condition that can cause harm, loss, damage or compromise to our information technology systems. These threats come from external sources, such as natural disasters, cyber attacks, data breaches, disclosure of confidential information, and numerous other issues that may arise during our daily operations. That brings us to our second question, where does risk exist? Risk exists in the inner section area, between threats and vulnerabilities.
And this is a key point, if you have a threat but there is no vulnerability, such as in the dark blue area, then there is no risk. The same holds true if you have a vulnerability, but you don't have a threat against it. There also would be no risk. Let's consider the example of trying to get to work on time in a morning. Your alarm clock goes off and it's just after 6am, so you hop out of bed. You've gotten dressed, you've eaten your breakfast, and now you're about to get from your house to your office. But there are vulnerabilities and threats all around you that could cause a bad outcome.
Such as you arriving late for work. This is the world of risk management. Let's consider a few possible vulnerabilities. One may be that you forgot to put gas in your car the day before and the vulnerability was the lack of preparation. Another might be that you forgot that it was your day to drop the kids off at school before going to work. And that's going to slow you down too. There are a lot of vulnerabilities to your plan of getting to work on time, but you can control these factors because vulnerabilities are internal factors. But, there are several other threats to you arriving on time that are outside your control.
What if there is a traffic jam this morning? That would certainly cause a delay to your commute, and you'd arrive late to work. Therefore, realizing the threat. Another threat could be from a natural disaster such as an earthquake, which could cause the road to your work to be destroyed. I know, it's a little mellow-dramatic, but you're getting the idea. You can't stop an earthquake. It's an external factor, and a threat to you arriving to work on time if it does happen. Now, we have several threats and several vulnerabilities identified in this example, but what can we do about them? Well, if we are worried about being late to work, one thing we could do is wake up earlier.
That way, even if the external threat of a traffic jam, or that earthquake destroying the road to work occurs, we can find an alternate route and still get there. This is what is referred to as risk management. Finding ways to minimize the likelihood of a certain outcome from occurring, and achieving the outcomes we want to achieve. In our case, that's to achieve things such as service continuity for our customers, and maintaining the security of our IT systems.
- Risk mitigation strategies and controls
- Data security classification
- Extreme scenario and worst-case scenario planning
- Risk management of new products, technologies, and user behaviors
- Business models and strategies
- Third-party outsourcing and security
- Integrating diverse industries
- Security, privacy policies, and procedures in risk management
- Metrics collection and analysis
- Analyzing security solutions