this next section, we're gonna talk about risk definitions, and I find that lots of different organizations have terms that they used interchangeably or perhaps differently than I Sacha would use them. So we definitely want to make sure that we're in alignment with ice, aka
this first, lied should be pretty straightforward assets, something we value
vulnerabilities are weaknesses, threats or those things that could pose harm to the assets.
Now the value of a risk is based on its probability. An impact. How likely is it toe happen? And if so, what's the severity?
Then we have the threat agent, which is actually what carries out the threat,
our exploits or when the asset does get compromised.
And then risk is the combination of the probability of the event and its consequences. Probability and impact. A. These air gonna be for our course at first events,
and ultimately there will be some sort of damage to the assets. Remember, risks are unknown entities. Once a risk has materialized, it then becomes an incident.
All right, some more definitions, inherent risk that is just that same amount of risk that is just native to an action.
There's a certain amount of risk with everything. There is an inherent risk with getting out of bed in the morning,
sadly, more so when you get to be 48 years old, little more of a risk.
But ultimately what we're looking at here is inherent risk. Just is. It could also be called total risk.
So what our job is to do is to mitigate that risk until it's acceptable.
But rarely do we talk about totally eliminating risks so we mitigate, mitigate, mitigate to the point where what's left over is an acceptable range, and that what's leftover piece is called residual risk.
So the whole purpose of risk management is bring residual risk down to the point where,
uh or mitigate risk to the point where residual risk what's left over is accepted.
Now, sometimes you fix one problem just calls another,
and that's a secondary risk. That second risk that appears you might patch a system, close up the security vulnerability, but then all of a sudden, the system just continuously reboots, so that's a secondary risk.
Now, some terms a lot of folks get Mr Metz, uh, mixed up
is risk appetite versus tolerance, so governance determines risk appetite. That's for the organization. Are we risk seeking or we risk neutral? Are we risk averse?
So how do we generally feel about risk? Is an organization? What's our risk strategy? Are big picture.
Now when we talk about risk tolerance, there may be a variation. We may be a very risk seeking organization, like Think about like Tesla right on Elon Musk. Very risk seeking, doing a lot of things that could be very risky.
Any time you're trying to land a car on the moon, you're probably willing to take some risks, right?
So they're very risk seeking organization because nothing ventured. Nothing gained.
with matters involving human life, they may be very risk averse. They may, will it. They may have almost no tolerance for risks involving human life, especially because the bad press they've gotten from their self driving vehicles. So that tolerance says we're going to differ from our company philosophy in certain ways.
Risk profile. That's our exposure to risk, so our current risk profile could change if we take on a new organization. If we hire new staff, if we shift our lines of business, that could change our risk profile
Risk profiles change over time anyway. Business change the threats. Business has changed, the threat landscape changes. So our risk profile is where we in our exposure to risk
risk threshold. What is that quantified limit? So what is that number that we will not exceed? You go to Vegas. You might take 100 bucks in with you to gamble.
Well, 100 bucks is your limit. You do not want to exceed that. That's your risk. Thresh
Now risk capacity. How much can we as an organization absorb without threatening our viability? And I think sometimes were surprised to see how much how much an organization can absorb. You know, United has had several big hits to their customer service.
Uh, in reputation.
Target had huge compromise with 100 million credit cards stolen. Yahoo e Bay, Home Depot on a non non non Bank of America. All of these other organizations and yet they keep on ticking, so they have a very large risk capacity.
And then the last one on this slide risk utility
you don't take a risk unless there's something to gain
that something to gain is your risk utility. What's the payoff for undertaking a risk.
and then the answer to risk. This isn't on the slide, but ultimately, the way we respond to risks is we put controls in place and controls are those systems processes, service's devices, mechanisms that lesson risk. Okay,
we could have proactive.
That would be safe guard. We could have a reactive control. That's a countermeasure.
And a lot of times people use those terms interchangeable, and that's okay, but they really are different,
all right, so
additional risk definitions make sure you know your risk definitions, per I sack
a lot of times being able to answer the correct question will be driven by. Do you really get the definitions
and then along the lines of definitions, just to cover the types of risks? So you want to know systemic risk. And if you've ever heard that term too big to fail, that's a systemic risk. It was used about the automobile industry when we had some of the financial issues of the
mid to thousands
2010 and so one. So ultimately, when you look at that, if the automobile industry fails, it's not just the automobile industry that fails right. It's all the organizations that rely on, you know, auto parts companies.
But it's also restaurants in the areas that are open because they serve to folks working at the automobile manufacturers.
It is, you know, the stores in the area that failed because so many people are employed by that industry. If it failed, those folks would have more. No money would be to spend.
Okay, so that's a systemic risk. You here with the banking industry, the automobile industry,
contagious risk. So sometimes within a short time frame, a certain type of risk effects multiple. This, as business partners doesn't have to be partners. But it could be, you know, people in the same industry or organizations in the same industry.
So if you remember the denial of service attack back on back in October of 2016
there was a denial of service attack directed at the dine D. N s servers, and they provided Deion s service for Amazon and Twitter and Google. Well, that's a lot of servers that air using dying for D. N s. So when dine waas Dostie essentially. Then it took out
Amazon and Twitter and Google. Those servers were up and running,
but nobody could get name resolution. So it's the type of risk that affects many different organizations in the same you know, in a short time period
and then obscure risks these air the risks that haven't happened yet. These are the things that we just don't know, and they're sometimes called black Swan Risks because, as we know, there are no Black Swan's. All swans are white
hopes there's a black swan, huh? Turns out swans could be black as well. So it's named for that idea that often we just base
our risk assessments
on what we know when our knowledge could be limited.
So when we have these unknown events, sometimes they're called unknown unknowns. We don't know if it's gonna happen or not.
We don't even know enough to have it on their radar.
So with those, what we want to do is just make sure our assets are visible
right there. Many different things We wouldn't think about his normal risk assessment that could happen.
So we keep our assets visible, we monitor we look for indications that some sort of compromise is happening,
and we need to make sure that we're monitoring the right sort of resource is because we have to have that knowledge that you know, when
something has been compromised or something is operating outside of its threshold of tolerance, we have to be able to recognize it. So with those obscure risks, if you don't know it, you don't know it. But you can at least make sure your assets are highly visible and that we have metrics in place that we can detect
if something is not functioning as it should.