all right, so let's begin with risk identification. And again, the big points I wanna focus here is you on Lee have a risk where there's an asset that has a vulnerability but also a threat that could pose harm to that asset,
right? So we start this risk management process. That's of course, the first place to start in the first place to start with risk identification with your assets.
What am I protecting and one or they work. If there is no threat, you don't have a risk. If there is no vulnerability, you don't have a risk, right? So you have to have all three. If your asset doesn't have any value, you don't never risk, you know, left my grocery list on the table. When I went for lunch,
somebody could have read it. There's a threat.
It wasn't protected. That's the vulnerability.
But that's that didn't have any value to me, so there was no risk associate, right? So we look at threat, vulnerability and an asset of value. I will tell you this sum resource is simply say, a risk is threat times vulnerability so you could see that on the exam threat times vulnerability.
The reality of it is, is it's really asset times, threat times vulnerability. And you may see either of those. Okay, and you know,
my waist right. That doesn't necessarily mean how it will be presented on the test, though. Okay, they wouldn't make you choose between the two.
And if they did asset times threat times. Vulnerability would be correct. But they probably say, which is the correct calculation for risk and a lot of crazy stuff. And then threat comes vulnerability. That's what you want. Cheese.
All right, Anne. In risk identification, you'll see. One of the things that we do is we begin to create and depopulate a document called The Risk Register.
Now, this is just a risk register I've pulled off of somewhere along the line on the Internet. And ultimately,
your risk register will be unique for your company, your project, your organization or department, whatever. But what you can see here is this is a place to consolidate information about
risks. And when I start with risk identification, you're gonna see these 1st 4 columns. What is the asset?
Is there anything already in place to protect it? What existing controls air there and after those existing controls, What's the vulnerability that still left?
What threatens to exploit that vulnerability? Okay, that's risk identification. Those 1st 4 columns were just getting the ideas down. What do we need to think about
then, when we look at this next column where we start talking about likelihood, an impact that's gonna move us into risk analysis, which comes up next?