Risk (Lecture 4) Flashcards
Define Security
Security is aimed at preventing loss or disclosure of data while maintaining authorised access
Define Risk
The possibility or likelihood that something could happen to damage, destroy or disclose data and other resources without authorisation.
The more likely the occurrence of the threat, the greater the risk
Can be quantified as Risk = Threat x Vulnerability
Why is understanding risk management important?
Essential to establish a sufficient security stance, governance and legal proof of due care and diligence
Who is responsible for risk management in an organisation?
Responsibility of senior management and the organisation's governing board
They usually define the scope, purpose and parameters for a risk analysis
Day-to-day tasks are generally delegated throughout the organisation to teams with specialist knowledge or skills
Senior management must review results and authorise all decisions relating to risk
Due care is a legal requirement (Data Protection, Transaction Processing)
What does the term ‘Risk Appetite’ mean?
Risk appetite refers to how far away from ‘zero risk’ an organisation is willing to be and what amount of risk is acceptable
What is the primary goal of risk management?
To reduce risk to an acceptable level
Acceptable levels vary between organisations and even departments within
What can change acceptable levels of risk?
Value of assets
Budgets
Organisational Objectives and deliverables (Service Level Agreement)
As well as computer based risks, what other risks are there?
Natural disaster (fire, flood)
Terrorism/Activism
Accidental Damage
What is Risk Analysis?
Process by which risk can be measured and quantified to assist in risk management.
Includes examining an environment for risk
Evaluates each threat for Likelihood of Occurrence and potential impact/consequence
What does risk analysis focus on?
Cost Vs Benefit
Likelihood of success
Implementation requirements
Define a Breach
Occurrence of a security mechanism being bypassed or thwarted by a threat actor or attacker
Define Penetration/Intrusion
Refers to a condition in which a threat actor has gained access to an organisation's infrastructure or resources by breaching security mechanisms
What is asset valuation?
A monetary value assigned to an asset indicating its value to the organisation, including tangible costs (maintenance, repair, replacement, staffing)
and intangible costs (public confidence, industry support, organisational impact)
What is a realised threat?
A threat or event that has taken place
What does Exposure mean?
The potential future loss assigned to a threat or vulnerability.
Exposure to a ‘realised threat’ is called Experienced Exposure