Prerequisite – Threat Modelling
A risk is nothing but intersection of assets, threats and vulnerability.
A+T+V = R
NIST SP 800-30 Risk Management Guide for Information Technology Practitioners defines risk as a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
So the main components of Risk Assessment are:
- Impact (i.e. potential loss)
- Likelihood of occurrence (i.e. the probability that an event – threat successful exploit of a vulnerability – will occur)
Threats is anything that can exploit a vulnerability accidentally or intentionally and destroy or damage an asset. Asset can be anything people, property or information. Asset is what we are trying to protect and a threat is what we are trying to protect against. Vulnerability means gap or weakness in our protection efforts.
Threat Source is a method to exploit a vulnerability or a situation either intentionally or unintentionally. For example a Malicious Software to which a virus or worm attaches to spread itself in the system and to others computer via email containing either virus as a attachment or as a link. If this email is shared by sender without knowing the malicious purpose of attachment or link then, this will be unintentional threat source otherwise it will be an intentional threat source.
The complete process of handling Risk can be divided into following stages:
- Context Establishment
- Risk Assessment
- Risk Identification
- Risk Estimation
- Risk Evaluation
- Risk Management/ Mitigation
- Risk Assumption
- Risk Avoidance
- Risk Limitation
- Risk Planning
- Research and Acknowledgement
- Risk Transferance
- Risk Communication
- Risk Monitoring and Review
- IT Evaluation and Assesment
1. Context Establishment –
In this step information about the organization and basic criteria, purpose, scope and boundaries of risk management activities are obtained. In addition to this data, it is important to gather details about the organization in charge of risk management activities.
Organization’s mission, values, structure, strategy, locations and cultural environment are studied to have a deep understanding of it’s scope and boundaries.
The constraints (budgetary, cultural, political, technical) of the organization are to be collected and documented as guide for next steps.
The main role inside organization in charge of risk management activities can be seen as:
- Senior Management
- Chief information officer (CIO)
- System and Information owners
- the business and functional managers
- the Information System Security Officer (ISSO) or Chief information security officer (CISO)
- IT Security Practitioners
- Security Awareness Trainers
If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to email@example.com. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.
- Viruses – From Newbie to pro
- Risk Management for Information Security | Set-2
- Routing Interface Protocol (RIP) V1 & V2
- Computer Network | Open shortest path first (OSPF) – Set 2
- TCP Server-Client implementation in C
- Computer Network | Birthday attack
- TCP and UDP server using select
- Types of Security attacks | Active and Passive attacks
- Computer Network | IPv4 classless Subnet equation
- Computer Network | Types of switches