Time
2 hours 35 minutes
Difficulty
Advanced
CEU/CPE
3

Video Transcription

00:00
all right, so welcome to less than 4.3. We're going to talk about risk analysis and your risk profile when it comes to vulnerability management.
00:10
So in this video, you're gonna learn what risk identification means to a risk assessment and kind of how that all plays into vulnerability management from a risk analysis standpoint and then determining your risk profile and what it means your organization.
00:25
So risk management, I think. Invulnerability management, your vulnerability. Management's another component of risk management,
00:31
so I think it's really important to kind of tie this into vulnerability management discussion.
00:37
It's a risk identification,
00:40
so this is really part of vulnerability management. We need to know what are tangible and intangible sources. So what's what are we actually looking at? Uh, is it realistic? Is it not realistic? Uh, threats vs opportunities. So every a real threat, something that's
00:58
actively targeting us, something that's looking to,
01:00
you know, go after organization or business on. Then more versus, like opportunities. Someone may be sitting at home and just scanning network, seeing if they anything's vulnerable. That's more of like an opportunity like, Oh, you just see if there's anything vulnerable out here
01:14
um,
01:15
we're talking about identifications. Like what limitations do we have on on our knowledge? What are we missing? What gaps air there on how reliable is this information that we're getting?
01:26
You know, maybe I don't have all the information. I have some, but is the information I have reliable? What? Can I actually use it?
01:34
Um, changes in external or internal practices. So again, talking about regulations or maybe updating our security policy, things that might really affect our risk.
01:44
Emerging risks and threats again. Threat. Intel, Bringing that into our vulnerability management practice. That's ah, really big component. Understanding What's out there who is targeting us and why? And what are they known for? You know? Are they known for now? Where are they known for? Um, you know, Trojans or
02:02
ransomware? What? What do we need to understand about our threats
02:07
and then trying to address any biases, assumptions, believes anything that might be involved in risk management. We want to make sure we're not biased. We're not assuming anything that we really have good, reliable knowledge when we're looking at identifying what risk we might have in our organization.
02:25
So risk analysis, it's a risk management technique. You can use lots of different methods when we're talking about risk analysis. You know, I I include the Jenga graphic because it really is like playing a game gent guts, like. All right, I need Can I pull this piece out? Is it going to affect my gonna knock the whole tower down? So it's really
02:44
understanding, um,
02:46
kind of what's going on in your organization to making sure that you're putting the pieces where they're supposed to go so you can do a quantitative or qualitative risk analysis depends on kind of what you're looking for. There's a lot of great, um,
03:01
analysis tools out there that can help you. I included some below, like the Delphi technique that a decision tree. I think those are great and, of course, a probability and consequence matrix. So those are all great tools that you can use to kind of conduct your risk analysis, and then that will then help you in your vulnerability management practices.
03:22
So when we're talking about risk analysis now, we need to look at what's our evaluation and what is their risk profile look like? Um, you know, So I include the graphic here of the paths. Because which path do we go down? What is her profile Look like? Where should we go? Um,
03:38
so we're looking at risk analysis results against our risk criteria. So we've done our analysis. We've gotta results. So what's our actual criteria for risk? What are we actually concerned about? Do we need additional controls? We need more security controls in our environment.
03:54
Um, again, let's take that holistic view of the organization because that's the way we're going to really look at our risk profile,
04:00
Um, and really determining our boundaries for our system.
04:04
This is another really important point because, uh, let's say take that scenario where we have umbrella organisation with lots of organizations underneath. Uh, my as a system owner, my boundaries for my system. I'm not gonna worry about you know what organization be is doing? I need to focus on what I've got here.
04:24
But then if the holistic level
04:26
I do need Teoh, look at every all the risk across all of the organization
04:31
on it's really important for stakeholders to make those risk based decisions. I think without really on having a good understanding of your risk profile, you can't make those you know really important decisions for your business.
04:44
So executive leadership,
04:46
others. There are lots of large organisations with great security teams. Big security teams, Big I T teams that have been hit with out of reach is
04:56
so I think it's really important for Executive leadership. Tau understands that
05:00
it is a problem. Data breaches cyberattacks. They happen all the time to any, any size, any type of business. So it's important, you know, to really understand what your risk profile is.
05:12
Quality risk assessments take time. Allow time to do this because you want to have that accurate, that reliable view of what the risk is to your system
05:23
again. A 200 reports. I'm really gonna be helpful,
05:26
you know, Ask for one of my most critical assets. What are the biggest risks? What's exploitable, all those things. Those will really help you pinpoint on and help to push your teams to address the most important risks.
05:40
Ah, and then understanding probability of attack and threats. You know, I think from an executive standpoint, um, it is really important to understand one who's out there, too, who wants what you have or who is trying to get what you have. But then what's the probability that this is actually gonna happen to me? So where do I want to spend? My resource is
06:00
So in today's video, we talked about what risk identification is what it means to a risk assessment. Ah, and then talking about risk analysis in risk assessment, how that builds a risk evaluation in profile. And then again, how executive leadership can really help in the risk assessment process
06:19
and help to move it forward
06:21
here. My references. Thank you, and I will see on the next lesson.

Up Next

Executive Vulnerability Management

This course covers vulnerability management from an Executive Leadership level, and to help Executive Leadership understand the challenges of implementing a vulnerability management program, including implications if it is not set up properly.

Instructed By

Instructor Profile Image
Nikki Robinson
Cyber Engineer
Instructor