From the course: CompTIA Security+ (SY0-601) Cert Prep: 10 Governance, Risk, and Compliance

Risk assessment

- [Instructor] Risks abound in the world of cybersecurity, from hackers and malware to lost devices and missing security patches. There's a lot on the plate of cybersecurity professionals. Now, of course, addressing each one of these risks takes both time and money. Therefore, cybersecurity professionals need to prioritize these risks in order to spend these precious resources where they will have the greatest security effect. That's where risk assessment comes into play. Risk assessment is the process of identifying and triaging the risks facing an organization based upon the likelihood of their occurrence and their expected impact on the organization.

First, we need a common language. In everyday life, people often use the terms threat, risk, and vulnerability interchangeably, but these are actually three very different concepts. A threat is some external force that jeopardizes the security of your information and systems. Threats might be naturally occurring, such as hurricanes and wildfires, or man-made, such as hacking and terrorism. You can't normally control what threats are out there. They exist independent of your organization. Now, there is one related term that you should know for the exam. A threat vector is the method that an attacker uses to get to your target. This might be a hacker toolkit, social engineering, or physical intrusion. Vulnerabilities are weaknesses in your security controls that a threat might exploit to undermine the confidentiality, integrity, or availability of your information or systems. Vulnerabilities might include missing patches, promiscuous firewall rules, or other security misconfigurations. You do have control over the vulnerabilities that exist in your environment, and as security professionals, we spend much of our time hunting down and remediating vulnerabilities. Risks occur when your environment contains both a vulnerability and a corresponding threat that might exploit that vulnerability.

For example, if you haven't updated your antivirus signatures recently, and hackers release a new virus on the internet, you face a risk. You're vulnerable because you're missing a security control, and there is a threat, the new virus. There is no risk if either the threat or the vulnerability factor is missing. For example, if you live in an area far from the coast, it doesn't matter if your building is vulnerable to hurricanes because there isn't any threat of a hurricane in your region. Similarly, if you store your backup tapes in a fireproof box, there isn't any risk from a building fire because your storage container isn't vulnerable to fire.

Once you've identified the risks facing your organization, you probably still have a somewhat overwhelming list. The next stage in the process of risk assessment ranks those risks by two factors: their likelihood and their impact. The likelihood of a risk is the probability that it will actually occur. For example, there is a risk of earthquake in both California and Wisconsin. However, when you look at the data, you find that the probability of an earthquake occurring is far higher in California, where almost 5,000 significant earthquakes occurred over the last 25 years. During that same time, Wisconsin didn't experience a single major earthquake. Therefore, risk managers in California might have to be hypervigilant about the risk of earthquakes, while those in Wisconsin can probably ignore that risk. The impact of a risk is the amount of damage that will occur if the risk materializes. For example, an earthquake might cause devastating damage to a data center, while a rainstorm might not cause any damage at all.

When we perform risk assessments, we have two different categories of technique that we can use to assess the likelihood and impact of a risk: qualitative techniques and quantitative techniques. Qualitative techniques use subjective judgment to assess risks, typically categorizing them as low, medium, or high on both the likelihood and impact scales. Quantitative techniques use objective numeric ratings to assess likelihood and impact. Here's an example of a qualitative risk assessment chart. When considering a specific risk, the assessor first rates the likelihood as low, medium, or high, and then does the same for the impact. The chart then categorizes the overall risk. For example, a high probability, high impact risk would be categorized as a high risk overall, while a medium probability, low impact risk would have an overall rating of low. I'll cover the second risk assessment technique, quantitative risk, in the next video.
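The two steps the instructor walks through, first deciding whether a register entry is a risk at all (both a threat and a vulnerability must be present) and then triaging the survivors on a qualitative likelihood-by-impact chart, can be written down as a small Python script. The code below is an added example and is not part of the course material. Only two cells of the chart are stated in the lesson (high/high rates high, medium/low rates low); the rest of the `RISK_MATRIX` fill, the `RiskCandidate` record structure, and the sample register entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordered qualitative scale used for both likelihood and impact.
LEVELS: Tuple[str, ...] = ("low", "medium", "high")

# Qualitative risk chart indexed as RISK_MATRIX[likelihood][impact].
# Only two cells come from the lesson (high/high -> high, medium/low -> low);
# the remaining cells are an assumed fill that an organization sets by policy.
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass(frozen=True)
class RiskCandidate:
    """One entry of a risk register before triage (hypothetical structure)."""
    name: str
    threat_present: bool          # an external force exists that could act on us
    vulnerability_present: bool   # a weakness in our own controls exists
    likelihood: str               # low / medium / high
    impact: str                   # low / medium / high


def reason_not_a_risk(c: RiskCandidate) -> Optional[str]:
    """Return why the candidate is not a risk, or None when it is one.

    A risk needs both a threat and a vulnerability; if either factor is
    missing there is nothing to manage.
    """
    if not c.threat_present and not c.vulnerability_present:
        return "no threat and no vulnerability"
    if not c.threat_present:
        return "no threat"
    if not c.vulnerability_present:
        return "no vulnerability"
    return None


def rate(likelihood: str, impact: str) -> str:
    """Look up the overall qualitative rating for a likelihood/impact pair."""
    likelihood, impact = likelihood.lower(), impact.lower()
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


def assess(candidates: List[RiskCandidate]) -> List[Tuple[str, str]]:
    """Drop candidates that are not risks, rate the rest, rank highest first."""
    rated = [(c.name, rate(c.likelihood, c.impact))
             for c in candidates if reason_not_a_risk(c) is None]
    # Sort by rating (high first), then by name for a stable, readable order.
    rated.sort(key=lambda item: (-LEVELS.index(item[1]), item[0]))
    return rated


# Constructed sample register drawn from the scenarios in the lesson.
SAMPLE_REGISTER = [
    RiskCandidate("Stale antivirus signatures, new virus released", True, True, "high", "medium"),
    RiskCandidate("Hurricane damage to a building far inland", False, True, "low", "high"),
    RiskCandidate("Building fire, backup tapes in a fireproof box", True, False, "medium", "high"),
    RiskCandidate("Earthquake at a California data center", True, True, "high", "high"),
    RiskCandidate("Rainstorm at a California data center", True, True, "high", "low"),
]

if __name__ == "__main__":
    for c in SAMPLE_REGISTER:
        why = reason_not_a_risk(c)
        if why:
            print(f"skip   {c.name!r}: {why}")
    for name, rating in assess(SAMPLE_REGISTER):
        print(f"{rating:6} {name}")
```

Running the script skips the inland hurricane entry (no threat) and the fireproof-box entry (no vulnerability), then lists the three real risks with the California earthquake and the stale-signature case rated high and the rainstorm rated medium. Keeping the matrix as data rather than hard-coded branches makes it easy to show the chart to management and change it by policy without touching the triage logic.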