Lesson 5 Flashcards
The chance of a negative event
Risk
A chance that something unexpected will happen
Risk
It is the combination of threats and vulnerabilities
Risk = Threats x Vulnerabilities
This definition leaves open the possibility that risks can produce positive outcomes. This is no doubt based on the philosophy that problems represent opportunities.
Risk, ISO 31000
Something bad that might happen
Threat
From a security perspective, the first threat that comes to mind is?
Security Attack
What is the range of a threat?
It can range from human errors to natural disasters
What are the 6 categories of threats?
- Acts of human error
- Compromises of Intellectual Property
- Deliberate acts of espionage/trespass
- Deliberate acts of information extortion
- Deliberate acts of sabotage/vandalism
- Deliberate acts of theft
Who said that ‘Vulnerability is the birthplace of innovation, creativity and change’?
Brene Brown
What is the common definition of vulnerability?
“weakness” or “inability to cope”
A better definition for vulnerability
“exposure”
Example of a vulnerability?
Connecting a system to the Internet can represent a vulnerability
* It exposes a system to a DDoS (Distributed Denial of Service) attack
* But connecting a system to customers via the Internet isn’t likely to be considered a weakness from a business perspective
IS RISK GOOD OR BAD?
- IT security professionals tend to think of risk as bad. It is the chance a threat will exploit vulnerabilities, or the “chance that something bad will happen”
- Risk management professionals treat risks as potentially positive
The process of identifying, analyzing and responding to risk factors throughout the life of a project and in the best interests of its objectives
Risk Management
Implies control of possible future events
Proper risk management
Is risk management proactive or reactive?
proactive
Project team reacts to risks when they occur
Reactive Risk Management
Plan for additional resources in anticipation of fire fighting
Reactive Risk Management, Mitigation
Resources are found and applied when the risk strikes
Reactive Risk Management, Fix on Failure
Failure does not respond to applied resources and the project is in jeopardy
Reactive Risk Management, Crisis Management
Formal risk analysis is performed
Proactive Risk Management
Organization corrects the root causes of the risk
Proactive Risk Management
What are the 7 steps to risk management?
- Identification
- Analysis
- Probability and Impact
- Risk Treatment
- Residual Risk
- Risk Control
- Monitor and Review
Giving all stakeholders an opportunity to identify risks
Identification
This can increase acceptance of a program or project as everyone is given a chance to document all the things that might go wrong
Identification
The diverse perspectives of stakeholders help to develop a comprehensive list of risks
Identification
It is also possible to use databases of issues that occurred with similar business processes, programs or projects in your industry
Identification
Knowledge sources such as lessons-learned and the risk registers of historical projects can also be used
Identification
Developing context information for each risk, such as the moment of risk
Analysis
Assessing the probability and impact of each risk
Probability and Impact
These can be single estimates such as high, medium and low
Probability and Impact
Alternatively, they can be a probability distribution that models multiple costs and associated probabilities for each risk
Probability and Impact
Planning a treatment for each risk, such as acceptance, mitigation, transfer, sharing or avoidance
Risk Treatment
Risks that are both low impact and low probability typically aren’t treated
Risk Treatment
Assess residual risk including secondary risks that result from risk mitigation, transfer or sharing
Residual Risk
Implement identified controls for risk mitigation, sharing, avoidance and transfer
Risk Control
Continuously identify new risks as things progress, monitor implementation of controls and communicate risk to stakeholders
Monitor and Review
Used when the team wants to ensure that the risk opportunity is realized and any uncertainty is removed
Risk Exploitation
Used to increase the probability or impact of a positive risk occurring. The strategy requires identifying and maximizing the key drivers
Risk enhancement
Involves allocating some or all of the ownership of the risk and opportunity to a 3rd party who has the best chance of meeting the objective.
Sharing a positive risk
Means you intend to take advantage of the opportunity if it becomes available, but are not actively pursuing it
Accepting a positive risk
A strategy where the project team takes action to remove the threat of the risk or protect from the impact
Risk Avoidance
Involves shifting or transferring the risk threat and impact to a 3rd party. This does not eliminate the risk; rather, it transfers the responsibility and ownership.
Risk Transference
The strategy whereby the project team takes action to reduce the probability of the risk occurring. This does not remove the risk or the potential impact, but rather reduces the likelihood of it becoming real
Risk Mitigation
Means the team acknowledges the risk and its potential impact, but decides not to take any preemptive action to prevent it. It is dealt with only if it occurs.
Risk Acceptance
A project management activity that involves identifying, assessing, measuring, documenting, communicating, avoiding, mitigating, transferring, accepting, controlling and managing risk
Project Risk Management
The process of identifying risks is intuitive for experienced project managers
Project Risk Management