All right, so we're finally at risk management. One of the things you've heard me say throughout the lecture is, when we're determining how much security is necessary, our goal is to provide just enough security. And remember, just enough security does not mean we're trying to get by with the very minimum we can get away with.
It means we figure out the value of what we're protecting. We take a good and thorough look at the threats and the vulnerabilities, and then we do a cost-benefit analysis to determine how much we spend. Remember, the whole purpose of security is to support the business.
So if we're adding more security than is beneficial to the business,
we're doing it a disservice. You know, so many times you run up against security screen after security screen after security screen, and if we're protecting high-value data, that's worth it.
But if I'm selling frozen yogurt at the shopping center, we may not necessarily have to go through all those security hoops. So the bottom line is, risk management drives how much security we implement. So the first thing we're gonna talk about in this section is, we're gonna look at some basic
definitions in terms because we have to be able to talk about risk
intelligently. As a matter of fact, risk management is security management, and security management is risk management. All we're doing is looking at threats and vulnerabilities, the value of the asset, the potential for loss, and then determining a good mitigation strategy. So we'll talk about all that with the definitions. Then we'll talk about different
types of risk. Not all risk is created.
We'll talk about governance and compliance, because when we do talk about governance, we need to know, based on the specific industry that we're operating within,
what are the security guidelines and industry standards we have to follow.
Then we'll look at some models of risk management, and then we'll talk about some options in dealing with risk.
So as we move forward, just talking about some risk definitions, the first one we really talk about, and honestly, this isn't on the slide, but the first thing I would define would be asset.
And what is an asset? An asset is something we value, something we want to protect, and we have to make sure that we're aware that not all assets are tangible.
You know, if I have a computer that I bought last year for 400 bucks, if I would ask you what it's worth today, you might tell me
$300 to $250, you know, significantly less.
And that's only if you're valuing the hardware, because I agree the hardware will go down in value. But what about the data that's on that computer? That's where the real value comes from, because the data may have value to me. It may have taken me many hours to create and produce that.
it might have value to my customers.
It might have value to my competitors.
You know, what if I have proprietary training information that's only good to me, that separates my business from other companies? Intellectual property? What about if I have health care information and I'm subject to a $10,000 fine from HIPAA should that information be disclosed?
Well, all of a sudden, that $300 laptop is worth a whole lot more, so it's important that we always start with identifying what we're protecting and what its value is.
From there we look at the threats and the vulnerabilities. So when we talk about the threats, a threat is anything that's gonna harm the asset.
A vulnerability is the weakness within the asset.
So when we talk about the potential or the likelihood that a threat will exploit the vulnerability, that's the risk.
So there's an 80% chance that a virus would attack our client-based systems. If we don't do anything about viruses, that would be the risk, the likelihood that the threat would materialize.
Now, when we talk about the exploit itself, that's the instance of compromise. We talk about controls. Controls are where, ah, we put some sort of risk mitigation strategy in place. And we could be proactive with our controls, whose design is to stop
the attack. We could be reactive,
things that will help us if the attack was successful to a degree. So when we talk about sanitizing our data, doing input validation, that's a proactive control, and we generally refer to those as safeguards. When we talk about reactive, like how exceptions are handled or,
um, you know, even things like intrusion detection systems, audit logs,
those are reactive. But the bottom line is they're both types of controls, and we need both proactive and reactive.
Um, types of risk. There is total risk, and again, total risk isn't on the slide, but I'm gonna add it on there. Total risk is the amount of risk before we implement a safeguard.
So, for instance, if I don't implement input validation with my Web pages,
what is the potential for loss? If I do nothing about it, I know that code injection is a threat, but I decide not to address that threat. What's my potential for loss? And that's my total risk.
So obviously, in that case, my total risk is gonna be too high. So what do I do? I implement some mitigation strategies.
Those mitigation strategies, ideally, will bring the risk down to a level that's tolerable by senior management,
but we rarely talk about truly eliminating a risk. What we look at doing is bringing that level of risk down to a level that's acceptable by management, and that's not zero. Usually management will allow some degree of risk, because it's so expensive to talk about eliminating risk,
so the risk that's left over is referred to as residual risk.
And we always want that residual risk to be within a level that's tolerable by senior management.
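As an added example (not part of the lecture), here is a small model of the terms just defined, pulling together the laptop valuation from earlier (hardware plus data plus the HIPAA exposure) and total versus residual risk with a cost-benefit check against management's tolerance; every dollar figure, likelihood and control effectiveness below is constructed.

```python
# Added example, not from the lecture: asset value beyond hardware, total risk
# with no safeguard, residual risk after a control, and a cost-benefit check.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    hardware_value: float
    data_value: float = 0.0           # hours to recreate, value to customers/competitors
    regulatory_exposure: float = 0.0  # e.g. fine owed if the data is disclosed

    def value(self) -> float:
        # An asset is worth more than its hardware: the data and the fines count too
        return self.hardware_value + self.data_value + self.regulatory_exposure

@dataclass
class Control:
    name: str
    annual_cost: float
    effectiveness: float  # fraction of the threat likelihood the control removes (0..1)

def total_risk(asset: Asset, likelihood: float) -> float:
    """Expected annual loss if we do nothing about the threat."""
    return likelihood * asset.value()

def residual_risk(asset: Asset, likelihood: float, control: Control) -> float:
    """Expected annual loss left over after the control; usually not zero."""
    return likelihood * (1 - control.effectiveness) * asset.value()

def evaluate(asset: Asset, likelihood: float, control: Control, tolerance: float) -> dict:
    """Cost-benefit check: does the control pay for itself, and does the residual
    risk fall inside the level senior management said it will tolerate?"""
    before = total_risk(asset, likelihood)
    after = residual_risk(asset, likelihood, control)
    worth_it = (before - after) > control.annual_cost
    if after > tolerance:
        decision = "insufficient: pick a stronger control or plan a fallback"
    elif before <= tolerance and not worth_it:
        decision = "accept: risk already tolerable, control costs more than it saves"
    else:
        decision = "implement"
    return {"total_risk": before, "residual_risk": after, "worth_it": worth_it, "decision": decision}

# Constructed scenarios: the $300 laptop holding health-care data vs. a low-value shop till
LAPTOP = Asset("clinic laptop", hardware_value=300, data_value=5000, regulatory_exposure=10000)
KIOSK = Asset("yogurt-shop till", hardware_value=300, data_value=200)
ANTIVIRUS = Control("managed anti-malware", annual_cost=400, effectiveness=0.9)

if __name__ == "__main__":
    for asset in (LAPTOP, KIOSK):
        print(asset.name, evaluate(asset, 0.8, ANTIVIRUS, tolerance=2000))
```

The same 80% likelihood and the same control yield "implement" for the laptop and "accept" for the till, which is the "just enough security" point: the asset's value, not the threat alone, decides the spend.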
Okay. Also, when we implement one risk response, frequently we open up another potential for risk. Like, for instance, if we apply, ah, an operating system patch. While that OS patch may fix one security-related issue, it may cause another mechanism not to work.
So that's a secondary risk when we fix one problem just to cause another.
All right, other things that we think about in relation to risk: a fallback plan. What if our first risk mitigation strategy doesn't work, or if it doesn't work well enough? Well, then we need a fallback plan. That's a planned response.
If none of that works, we wind up using a workaround, and a workaround is not planned. A workaround usually involves duct tape and chewing gum, and we're just trying to think on our feet and patch this system together.
So these are some definitions I'd like you to have with risk. This is what we're gonna be using as we move forward.