Time
7 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:00
Hey, guys. Welcome to domain three in the SSCP exam prep series.
00:06
I'm your host, Pete Cipolone.
00:08
This is the first lesson in the third domain.
00:13
So in this lesson, since we have no objectives to review, let's talk about what we will talk about in this lesson.
00:20
In this lesson, we will look at the risk management process, which is the whole process of identifying, managing and reducing risk and the negative impact of that risk to an organization.
00:35
Let's get started.
00:37
In order to talk about the risk management process, we need to go over a few concepts and vocab words associated with it.
00:46
The first is risk itself. What is risk?
00:49
Well, risk is a function of the likelihood of a given threat source exercising a potential vulnerability and the resulting impact of that adverse event on the organization.
01:00
So, in a nutshell, risk is
01:03
what is the possibility that something bad is going to happen,
01:07
and how bad is it going to be?
01:11
Likelihood:
00:11
the probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
01:21
Again, what are the chances that a potential vulnerability might be exploited?
01:29
Threat source: either intent and method targeted at the intentional exploitation of a vulnerability, or a situation or method that may accidentally trigger a vulnerability.
01:41
Where is this coming from?
01:42
How bad will it be?
01:45
That kind of thing.
01:46
Threat:
01:47
the potential for a threat source to exercise a specific vulnerability.
01:52
So what is the possibility the bad guys will exploit a specific part of the system that is not entirely secure?
02:00
Vulnerability: a flaw or weakness in system security procedures, design, implementation or internal controls
02:09
that could be exercised and result in a security breach or a violation of the system security policy.
02:17
Impact:
02:19
the magnitude of harm that could be caused by a threat's exercise of a vulnerability.
02:25
Asset: anything of value that is owned by an organization.
02:30
All right. So now that we have the basic terminology out of the way,
02:34
let's get down to business
02:36
Risk assessment. There are four main steps in a risk assessment.
02:40
They are: prepare for the assessment,
02:44
conduct the assessment,
02:46
communicate the results, and maintain the assessment.
02:51
This photo here shows how the four steps of risk assessment are interlocked together.
02:57
As you can see, you start with Step one,
03:00
perform everything in step two,
03:02
and then you go back and forth between Step two and Step three to talk about your findings,
03:07
and then you go back and forth between Step four and Step two to make sure that your risk assessment stays current.
03:17
Let's take a look at the Four Steps of Risk Assessment in a little more detail.
03:23
Step one. Prepare for the assessment.
03:27
Right? Can't have an assessment
03:29
without knowing exactly what we are assessing. So to get ready for the risk assessment, we need to set up some boundaries. What exactly are we looking for? In this step we want to identify the purpose: why are we even performing this risk assessment?
03:46
Identify the scope.
03:49
How deep is this risk assessment going to go in an organization? What parts of the organization will it apply to?
03:57
identify any assumptions?
03:59
What are we assuming going in? Are we assuming that the risk will only apply to certain parts of the organization, or the entire organization?
04:10
Identify sources of information. Do we have any information on this risk assessment? Is there any inside or outside knowledge that we should know?
04:20
and identify the risk model?
04:25
So this is the assessment and analysis approach to be employed during the assessment.
04:31
How were we going to measure our results?
04:36
Step two:
04:39
conduct the assessment.
04:40
So the first step in step two is to produce a list of risks. So this is everything that we already know could be a problem.
04:50
We want to gather any and all essential information. Anything that we might need
04:57
in terms of
04:59
threat sources, events, valuable assets, things like that. We want to assess the impact through the formulas,
05:06
which we will get to in a second. So we want to take a look at How bad
05:13
could the harm be to an organization
05:15
if
05:16
this risk or vulnerability is exploited,
05:19
and after that, we want to determine the actual risk itself. What do we need to do? What will we be watching out for?
05:30
so
05:30
Impact formulas.
05:32
Impact formulas are different ways of measuring the damage that could be done to an organization. So the first impact formula is known as single loss expectancy,
05:45
also known as SLE. This essentially,
05:46
SLE, is the combination of the asset value
05:51
times the exposure factor. So
05:55
the way this is calculated, you take the value of the asset at any time, and you multiply it
06:02
against the exposure factor. Now the exposure factor is merely a percentage that determines how much of this
06:15
asset could be destroyed. So a 0% exposure factor means that the asset cannot be destroyed at all,
06:23
or a 100% exposure factor means that the asset could be totally destroyed.
06:30
Multiply these two numbers together and you have single loss expectancy.
06:34
Annualized loss expectancy.
06:38
Annualized loss expectancy is simply single loss expectancy times the annualized rate of occurrence.
06:45
We already know how to calculate single loss expectancy. Just multiply that times the annualized rate of occurrence,
06:53
which is a number that represents the expected number of exploitations by a specific threat of a vulnerability to an asset in a given year.
07:03
So what this means is, how many times
07:08
will this happen to this asset? How many times will
07:12
a threat or a vulnerability be exploited against a particular asset in a given year?
07:20
Risk assessment tables. This is a very, very easy way to determine whether you are dealing with low risk,
07:28
moderate risk
07:29
or high risk. So in the columns we have low,
07:34
medium or high;
07:36
these are the likelihoods that
07:40
a threat will actually be exploited. So low, we label that as 0.1 or 10%; moderate is about in the middle, at 50%. And then high:
07:53
high means that there is a very, very good chance that your asset could be exploited.
07:59
Now across the top, we have the impact.
08:01
So we have low impact, which is only a small amount of damage; moderate impact, which is in the middle, a moderate amount of damage; and then high impact, where the amount of damage could be anything from utter destruction to something close to utter destruction.
08:20
So when we combine them together and multiply these numbers out, we get our risk assessment table,
08:26
which helps us determine what kind of risk we're dealing with.
08:31
So high risk is anything with high impact and high likelihood;
08:37
that is anything with a risk score of 50 to 100.
08:41
Moderate is 10 to 50, where there's a good chance of something happening, or, if something does happen, the result will only be a low impact.
08:52
And then we have the green, the low risk score, which is anything from 1 to 10.
09:01
High risk is considered to be a significant risk to the organization. Corrective action should be implemented ASAP.
09:09
Corrective action should be taken immediately to reduce this risk as much as possible. High risk: no good.
09:16
Medium risk is really just in the middle, a moderate risk to any organization.
09:20
Corrective action should be implemented, but it's not immediate. You shouldn't waste time and leave these vulnerabilities lying around, but it is not an immediate pressing matter to get these corrective actions in place.
09:35
Low risk is a risk to the organization, and an evaluation should be performed to determine whether any action should be taken to address this risk.
09:46
Or not.
09:48
And, you know, you might want to choose not to do anything with the risk, if the risk is low enough to where
09:54
the benefits outweigh the risks.
09:58
Then you might not want to take any action at all.
10:01
Step three. After the risk assessment is done, we want to talk about the results. We want to talk about what we learned from this risk assessment, and we definitely want to share information to support any and all risk management activity.
10:16
The objective of this step is to ensure that decision makers across the organization
10:22
have all the necessary risk-related information to make informed risk decisions.
10:31
The fourth step in the risk assessment process is maintaining the assessment. We want to stay current with the risks
10:39
at all times, at any given time. We also want to incorporate risk monitoring,
10:45
which is identifying risk on an ongoing basis and understanding any changes that might occur to this risk. We also want to continue to update the components of the risk assessment, reflecting any monitoring activities carried out by the organization.
11:03
Best of all, one of the most important reasons why we want to maintain this assessment is to determine the effectiveness of risk responses. Are the risk responses good enough?
11:13
We want to identify risk-impacting changes to any organization
11:18
and update the associated risk assessments. And also we want to verify compliance: if we added any corrective controls at any point, we want to know, are they working?
11:31
In today's lecture we discussed risk concepts. We went over some basic terminology about risk and risk security assessments, where we went over the four-step process
11:43
for learning about and assessing risk at any given time.
11:48
Quiz time.
11:50
the probability that a potential vulnerability may be exercised within the construct of the associated threat environment.
11:58
Is it A, threat;
12:01
B,
12:01
likelihood;
12:03
C, threat source;
12:05
D, risk?
12:09
If you said B, likelihood, then you are correct. Remember, likelihood is just a probability that says what is the potential that this will happen.
12:20
Thanks for watching, guys. I really hope you learned a lot in this video and I'll see you next time.

Systems Security Certified Professional (SSCP)

Obtaining your SSCP certification signifies that you possess the ability to tackle the operational demands and responsibilities of security practitioners, including authentication, security testing, intrusion detection/prevention, incident response and recovery, attacks and countermeasures, cryptography, malicious code countermeasures, and more.

Instructed By

Pete Cipolone
Cyber Security Analyst and Programmer
Instructor