
Risk Definitions Transcription

Welcome to our risk management concepts, risk definition module. Risk is the probability that a threat source will exercise a particular vulnerability, and the resulting impact of that adverse event on your organization. The likelihood of the threat to occur is considered over a given period of time. And the impact is the magnitude of the effects that would arise if that event actually occurred.

A vulnerability is a flaw or weakness in one of our assets, such as our computer systems, and an asset is anything that we consider valuable to our organization. Everything from our facility to our employees, to our computer systems, anything that we consider valuable. And a threat is a potential danger.

This could be either an accidental trigger, or an intentional exploitation by an attacker of one of your assets, if a threat agent decides to take advantage of a certain vulnerability in that asset. You should be familiar with these definitions for the CISSP exam. You should know that a vulnerability is a flaw, or weakness in one of your assets.

That a threat is when a threat agent takes advantage of one of those vulnerabilities. And the risk is the function of your likelihood of that threat source to take advantage of that vulnerability, creating an undesirable impact on your organization. You may see questions where you are required to select a vulnerability, or select a threat agent, and then be given four choices and have to select the correct answer.

A vulnerability, also known as a threat exposure, is an opportunity for a threat to occur, causing a loss to your organization. A loss is some type of devaluation in one of your assets, and an event or an exploit is the instance of loss that you experience. A threat agent or a threat source is anything or anyone that has the potential to cause a threat to your organization.

We put controls in place to protect us from vulnerabilities, and to protect us from threat agents. Controls are also known as safeguards or countermeasures, and they can include technical, administrative and physical controls that are designed to manage the risk that we have in our organizations. Here are just some examples of threats that can negatively impact our organization's computer security.

A threat to our confidentiality would be a data exposure or the theft of our confidential data. Social engineering is very popular, where we trick an employee into providing information that the attacker should not have. Shoulder surfing, where an individual looks over a person's shoulder to capture their passwords or other sensitive data, as well as impersonation attacks, where a person pretends to be an authorized user on your system. We also have man-in-the-middle attacks, where a person places themselves between individuals communicating with each other in order to capture that data or modify it. We can also have integrity attacks, where someone modifies our data without our permission. They might be able to modify a message while it is being transmitted, change our accounting records, or modify our system logs, or even modify our configuration files.

And finally, attacks on our availability attempt to disable a resource or prevent authorized users from accessing it. This could be caused by a man-made disaster or a natural disaster. It could be caused by a terrorist attack, a component failure, or even a denial of service attack, or a distributed denial of service attack.

We must be familiar with the process of managing the risks to our organization. First, we have to identify the risks, then analyze them, and then reduce the risk to a level that we consider to be acceptable. The risk assessment process is where we identify all of our assets, locate any risks that might be associated with those assets, and determine the potential loss that our organization could suffer if an event occurred.

During this process, we must come up with detailed estimates of the likelihood and impact of events, and use that to determine whether we should place a countermeasure in place. The first step in the risk assessment process is to plan for, and prepare for the risk assessment. And you should remember that for the CISSP examination.

During the risk mitigation process we reduce our risks by selecting appropriate cost-effective countermeasures to reduce our risk. It is very important to remember, for this CISSP examination, that we only put controls in place that are cost-effective. For example, if we only have $1,000 worth of assets in our building, we would not want to spend $1 million on a security system to protect our $1,000 worth of assets, because that would not be cost-effective.

It is also important to know that once we select a control and put it in place, we must continually evaluate to make sure that the process is working correctly, and that the control is doing what it is supposed to do. We do not place a control, and then just simply never worry about it again.

We must make sure that we are monitoring it, and evaluating it continuously. This concludes our risk management concepts module. Thank you for watching.
