December 15, 2022
CISSP Study Guide: Risk Assessment & Management
Risk is a preexisting hazard that may cause damage or loss. It does not assume that the hazard is certain to materialize, only that it has the inherent potential to do so. Risk management is applied to ascertain whether risk is present, to measure the potential threat and to decide how to manage it. By taking assertive steps to prevent or manage a known risk, the resulting damage can be contained. Risk identification is the process of determining the threats that exist within an organization. An organization can be affected by many types of risk, and it is the organization's responsibility to know what they are. Disaster preparedness, whether the disasters are of natural origin or caused by accidents, is a key aspect of this awareness.
Disasters of natural origin include storms, fires, tornadoes, earthquakes or any other event that occurs in the environment. The category also covers incidents that damage a business and its internal environment, for example an electrical malfunction that results in a fire, water damage from clogged sewage pipes, or power outages.
Another form of risk is equipment failure caused by a virus picked up from the internet or by hackers who target the system. Situations like these can be catastrophic to a business if internal data is compromised or lost, and the resulting disruption of service impedes, or in severe cases shuts down, the organization's day-to-day processes.
Internal risks are threats that arise within the organization's own personnel, from the detrimental actions or behavior of an employee. Internal data that is considered highly sensitive is a prime target for theft: an employee can steal and then replicate that data for monetary gain, or illegally download software or programs. These incidents create legal liability for the business, such as lawsuits, and loss of profit.
Risk management is the process of establishing which threats pose a risk to an organization, identifying the vulnerabilities that determine the threat level, and deciding how the risk should be addressed. In many cases this entails establishing a risk management team to discover threats and vulnerabilities, define the organization's assets, and develop a response plan to manage risks. Risk management is composed of three key concepts:
- Threat, either natural or man-made, that could cause damage to an organization.
- Vulnerability, an existing weakness arising from flawed policies or loopholes that could be taken advantage of by a malicious entity.
- Controls, the methods used to improve defense against known threats, prevent disaster, and correct system weaknesses in order to reduce vulnerabilities.
Assessing Asset Value
Pinpointing the assets that are essential to an organization and making certain those assets are preserved is another critical component of risk management. Identifying threats without a clear understanding of assets leaves an imbalanced approach to dealing with potential threats.
Identifying an organization's assets aids the development of countermeasures against a threat so that those assets are fully protected. If an organization has limited finances, it is crucial to assess the value of its assets through a quantitative assessment (the company's financials) or a qualitative assessment (the asset's value to the overall strategy).
How to Handle Risk
Risk can be handled in four ways, and these tactics can be combined to address a given risk:
- Implementing defense mechanisms to prevent or reduce the risk, referred to as risk reduction.
- Securing insurance to transfer part or all of the potential cost of a loss to a third party, referred to as risk transference.
- Assuming the potential cost and losses if the risk comes to fruition, referred to as risk acceptance.
- Ignoring a risk, which is termed risk rejection.
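As an added worked example (not part of the study guide), the following Python register ties the quantitative asset assessment above to the four handling strategies. It uses the standard quantitative formulas SLE = asset value x exposure factor and ALE = SLE x ARO, which the guide names only as "quantitative assessment" without spelling out, and a simple decision rule of my own (cheapest strategy whose expected annual cost is below the untreated loss, acceptance only within a stated risk appetite). Every asset value, probability, control cost and premium in the register is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Standard quantitative risk formulas (classic CISSP material; the guide above
# names the quantitative approach without spelling them out, so they are stated
# here as an assumption of this example):
#   SLE = asset value * exposure factor   (single loss expectancy)
#   ALE = SLE * ARO                       (annualized loss expectancy)


@dataclass
class Control:
    name: str
    annual_cost: float
    ale_reduction: float  # fraction of the ALE the control removes, 0.0..1.0


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float
    exposure_factor: float  # fraction of the asset's value lost in one incident
    aro: float              # expected incidents per year
    control: Optional[Control] = None
    insurance_premium: Optional[float] = None  # annual premium that transfers the loss
    treatment: Optional[str] = None            # decision recorded in the register, if any

    def sle(self) -> float:
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        return round(self.sle() * self.aro, 2)


def treatment_options(risk: Risk, risk_appetite: float) -> dict:
    """Expected annual cost of each applicable strategy from the guide.

    Only strategies that cost no more than carrying the untreated ALE are kept:
      reduce   -> control cost plus the residual ALE the control leaves behind
      transfer -> the insurance premium (the loss itself is borne by the insurer)
      accept   -> the full ALE, allowed only if it is within the stated appetite
    This decision rule is an assumption of the example, not the guide's.
    """
    ale = risk.ale()
    options = {}
    if risk.control is not None:
        residual = ale * (1.0 - risk.control.ale_reduction)
        options["reduce"] = round(risk.control.annual_cost + residual, 2)
    if risk.insurance_premium is not None:
        options["transfer"] = risk.insurance_premium
    if ale <= risk_appetite:
        options["accept"] = ale
    return {name: cost for name, cost in options.items() if cost <= ale}


def recommend_treatment(risk: Risk, risk_appetite: float) -> str:
    """Cheapest worthwhile strategy, or 'escalate' when none exists.

    'escalate' means the risk exceeds the appetite and every available control
    or policy costs more than the loss it prevents, so it needs an explicit
    management decision. The code never recommends the fourth strategy, risk
    rejection; find_rejected() below detects it instead.
    """
    options = treatment_options(risk, risk_appetite)
    if not options:
        return "escalate"
    return min(options, key=options.get)


def find_rejected(register: list) -> list:
    """Entries with no recorded treatment are being ignored by default (risk rejection)."""
    return [f"{r.asset} / {r.threat}" for r in register if r.treatment is None]


# Constructed sample register; every figure is illustrative, not from the guide.
RISK_APPETITE = 10_000.0
REGISTER = [
    Risk("customer database", "ransomware", 500_000, 0.6, 0.2,
         control=Control("offline backups + restore drills", 15_000, 0.8),
         insurance_premium=40_000, treatment="reduce"),
    Risk("server room", "flood", 80_000, 0.5, 0.1,
         insurance_premium=2_500, treatment="transfer"),
    Risk("printer fleet", "hardware failure", 20_000, 0.25, 0.5,
         treatment="accept"),
    Risk("source repository", "insider data theft", 1_000_000, 0.3, 0.05,
         control=Control("DLP monitoring", 30_000, 0.5)),  # no decision recorded
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:<20} {r.threat:<20} SLE={r.sle():>10,.2f} "
              f"ALE={r.ale():>10,.2f} -> {recommend_treatment(r, RISK_APPETITE)}")
    print("ignored (no treatment recorded):", find_rejected(REGISTER))
```

The last entry shows the edge case the guide's fourth strategy describes: the control on offer costs more than the loss it prevents, the loss is above appetite, and no decision has been recorded, so the risk is being carried by default. Listing such entries separately from the recommendations is what turns "ignoring a risk" from an accident into something the risk management team can see and decide on.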