Hey, everybody. My name is Peter Sip alone, and this is the network Security course. This is going to be module three, lesson three. And in this lesson, we're gonna look at risk management.
The prerequisites for this course are modules 12 and three module one being the introduction module to being the core foundational cybersecurity principles and module three lessons one and two, where we took a look at data leakage prevention and incident response.
In this video, we're going to learn all about the process of risk management.
So what the heck is risk?
Risk could be simply defined as a function of the likelihood off a given threat, sources exercising a potential vulnerability and the resulting impact off that adverse event on the organization.
Simply put, risk management is the process of identifying the risk, assessing their impacts to the organization, determining how likely they are going to happen and who needs to be notified for when this happens and
how to prevent this by implementing controls to reduce the amount of risk and organization faces.
So a couple of rolling key terms I wanted to find really quickly, which will help with the risk management overview. So the first is likelihood. This is the probability that a potential vulnerability may be exercised. There's this is just a simple usually, you know, percent percent chance
that a particular vulnerability might happen.
Threat source is the intent and method targeted at intentional exploitation of vulnerability.
Vulnerability itself is simply a weakness in security procedures, designs, controls or implementations. We took a good look at vulnerabilities way back and module to, and we took a look at the C V East
impact, the magnitude of harm that could be caused, an asset,
anything of value that is owned by an organization. This includes things as hardware systems, people data, things like that
now risk management overview. This is how risk comes about. You start with the threat source thes the bad guys. These guys want to execute a threat on your organization.
They do this by exploiting a vulnerability,
and this exploitation of the vulnerability usually has an adverse impact on your organization. And all of these, combined with likelihood of this happening, constitute risk.
Now, obviously, the first step in the risk management process is the risk assessment we need to figure out where the risk is what the risk is, so we know how to deal with the risk and handle it properly. So we do that by obviously taking an assessment. First step is to prepare for the assessment.
This assesses threats to
information systems, system vulnerabilities, weaknesses in the likelihood that these threats will actually be exploited.
Step two is to actually conduct the assessment. This is where you identify threats, sources and events. Find any vulnerabilities that might be working in your systems. Figure out what is the probability of this actually happening and determine how bad are devastating. The impact could be
if the occurrence actually happens, and from there we can determine the risk.
After we conduct the assessment, we can communicate our results. Usually we have to communicate a results to upper management the directors sea level people. Just so they are aware of what's going on in the organization, and then, obviously we need to maintain our assessment.
This means performing a risk assessment somewhat on a frequent basis
and updating the risk factors when changes are made inside a system or organisation. Now, this is the NIST process for taking a risk assessment.
So risk assessment. A couple of things to note about this Thean pact can be measured in either quantitative or qualitative terms. I know it could be kind of difficult to put a dollar amount to impact, but there are several formulas that you can use to help you on the way.
The first is the single loss expectancy for Melo, which is simply the asset value times the exposure factor. So this is the value of the asset, whether it be human being, Ah, computer data, anything like that. Times the exposure factor. How exposed is it
on a network? How exposed is it to an organization?
How dangerous is it's usually number between one and 100.
Then you also have the annualized loss expectancy, the Ailey, and this is simply the SLE times. The annual rate of occurrence annual rate of currents is a probability of how many times you think this vulnerability or this impact would happen in a given year.
So this right here is a risk assessment matrix. This can help determine whether your risk levels are low, medium or high. As you can see here in the calm on the left,
we have to threat likelihood like what is the probability off this actually happening?
And across the top we have the impact. What air be low impact, medium impact or high impact. Now these two factors combined result in this matrix, and they have low, medium or high factors, depending on the threat, likelihood and the
amount of impact this could have on an organization.
Now for the low, low risk ones, you can determine what or not you want to accept the risk, or maybe mitigating further.
The medium ones really mean that it should be. You should look at your controls. At that point. You should look at what's going on in your organization and kind of figure out. What can we do to reduce this risk in a meaningful timeframe so you don't wanna waste if it's a medium. If you have the risk assessment comes out as a medium,
then you definitely don't want to waste any time you want to. Just
you won't do it in a reasonable time frame. Essentially now, if the risk assessment comes out, it's high. Then. This is something you want to take care of immediately. This should be a priority, and you want to reduce that risk level down to medium or even low, preferably
so. There's different ways of handling. Brisk on the four main ones are risk mitigation where you implement some sort of control or design or change in your organisation to basically eliminate the risk you have risk transference. This is where you
transfer your risk to 1/3 party.
This is usually how kind of insurance insurance works, where, if something happens, they're on the hook for and not you. You have the risk avoidance. This means completely avoiding the risk. Whether it be you have to get rid of a system, get rid of some data.
In other words, you want to shed the risk completely so you don't have to
do anything with it. Or if the risk is love enough, you can accept the risk. You can accept the risk and be like, OK, you know this might happen, but the probability of it happening and the impact aren't very high. So I think we could take a chance and just accept it for what it is.
we discussed the risk management process, how to calculate risk and how to handle risk
single loss expectancy is the expected monetary loss to an organization from a threat to an asset. How is this calculate?
Is it a the exposure factor? Times a roo
Be threat Likelihood. Times the exposure factor.
See exposure factor times the asset value, or d the asset value times the annual rate of currents.
If you said, see exposure factor times the asset value, then you would be correct. Remember, the exposure factor is how exposed an asset is to an organization to the outside world or to the Internet, and this is usually number between 100.
And obviously the asset value
is just the value of that asset, whether it be data hardware, some type of system or even a human being. I hope you guys learned a lot in this lesson, and I'll see you next time.