Risk Definitions


Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Now let's look at our next section. This is an introduction to information security and risk management. Let's get some of these terms out of the way and some of the basics, and let's make sure that we go into the material with a common understanding.

The first thing we need to start off with is defining some terms revolving around risk. You're going to hear a lot about assets, vulnerabilities, and threats. An asset is something that we value, something that's worth protecting to us as an organization. It can be tangible or intangible. My hardware, these are tangible assets: all the different types of hardware that I have, my systems, my power supplies, UPS, all those different devices, certainly an asset. But an asset can be intangible as well, like a company's reputation, a company's customer confidence. You certainly can't touch that or feel it, but it's such a critical element of an organization's success that we have to consider it, of course. Also our data, our employees; there are all sorts of different types of assets that we have to protect. If it's worth protecting, then we need to address it with risk management. We'll get there. We have our assets.

Next thing, vulnerabilities. Vulnerabilities are our weaknesses. Where are we weak in how we've designed, maybe, an application? For instance, do I have a web-based application that takes input from users without validating that the input is following the rules of basic database entry? We'll talk about input validation later. Or is it the way that I've implemented it? Have I duct-taped some things together to make them work in a particular environment? I think you all know what I'm talking about when I say that. Sometimes we take a mechanism and implement it in a way that's not necessarily the officially approved best practice, and that opens us up to risk. How the asset is operated, or any internal protection that's lacking, whatever our weaknesses are, our weaknesses are called vulnerabilities.

Then our threats are those elements that pose harm to the asset. It could be a denial of service attack, a loss of power, could be a natural disaster. Threats come in all different directions, and often threats have threat agents that actually carry them out, so maybe a denial of service attack is the threat. Then if you jump down a couple of bullet points, a threat agent would be the attacker that carries out the denial of service attack.

Now, probability is the likelihood that that risk will occur, and the impact is the severity of the damage if the risk occurs. When a threat compromises a vulnerability and harms the asset, we call that an exploit. All these pieces come together. I do want to point out the first three bullet points: asset, vulnerability, and threat. Those elements come together to create a risk. If you don't have an asset, you have no risk. If there's no vulnerability, no risk. If there's no threat, no risk. It's where those three collide, if you will, or align, that's where your risk exists.

Now, a lot of times when we talk about risk, we're looking to get a value for the risk. When we're talking about the risk value, that's the probability and impact of a risk. How likely is it to happen and how severe will it be if it does happen? Not all risks are created equally and, of course, we don't have unlimited funds to mitigate all risks, so we have to prioritize. When we look to prioritize our risks and ideally get a dollar value of our potential for loss, then we do that through examining probability and impact.
Now a few other risk definitions. Inherent risk. There is an inherent risk with everything you do. Getting out of bed in the morning has an inherent risk, especially if you're over 50 like me. I've got to go a little slower some days to mitigate those risks, but everything has inherent risk. Our goal is going to be to mitigate. Well, actually, we're going to evaluate that inherent risk and see if that amount of risk is acceptable or not. If the amount of inherent risk in a process or in an endeavor is too great, then we're going to mitigate that risk. We're going to try to lessen it or find some other risk response. Then after we implement our risk response, what's left over is residual risk. I have inherent risk, I implement a control or mitigating strategy, what's left over is residual risk. If residual risk is still unacceptable, then we add another control and we evaluate. Now, is the residual risk acceptable? We mitigate residual risk to the degree that's acceptable by senior management. It's within our risk tolerance level, and really you can make a good argument that that's the whole purpose of risk management in a nutshell: reduce residual risk to the degree that's acceptable by senior leadership.

Now, a problem that can happen, though, is I implement one risk control. Any time I use the term control, think mitigating strategy. Could be technology, like encryption or firewalls; could be administrative controls, like separation of duties; could be physical controls, like locking a door. But anything that I implement to mitigate a risk, we'll generally characterize that as a control. Now the problem is sometimes you implement one control just to cause a second risk. Fix one problem just to cause another. If you think about patching systems, if you don't test your patches before rolling them out, the patch you apply to fix a vulnerability may wind up causing another risk to materialize. We have to think these risks and our risk responses through to the end.
Now, a couple of other terms: risk appetite, risk tolerance. Risk appetite is senior management's approach to risk. What is their risk philosophy? How do they feel about risk in relation to the business? Often we look at risk appetite as either being risk-seeking, risk-neutral, or risk-averse. Risk-seeking organizations, usually, a lot of times we see these startup companies that go out there and they're just trying a whole bunch of things. They usually have financial backers that have deep pockets, and so we're going to try a lot of things, see what sticks. They tend to be risk-seeking. Now some organizations aren't risk-seeking, but they don't run from risks either. They evaluate risks as they come up; that's risk-neutral. Then organizations with high-value assets are going to be the ones that are risk-averse. We don't want to take on risk because the potential for loss, maybe the impact or probability, is too high. It's up to senior leadership, and when we talk about this, the C-suite executives, often the board of directors, maybe steering committees, these are the folks that we think about for senior leadership, we think about in terms of risk governance. It's really your risk governing entities that determine the risk appetite.

Now, within your risk appetite, we have risk tolerance. Risk appetite is a general term for how we as an organization feel about risk. But we may have tolerances for different types of risks that may be within the appetite or not. We may have a very risk-averse organization, except for a particular new technology they've developed that has a high possibility of return, so they're more willing to take on risk. Risk tolerance also tends to be quantitative in nature. A lot of times with risk tolerance we'll set a risk threshold that says anything under $500,000 we can tolerate, but that top threshold we're not willing to cross over.

Now, our risk profile: what's our current exposure to risk? We go through, we conduct a risk assessment, we implement the risk mitigation strategies as we see fit. Where are we now? What's our profile? Our risk profile can change. We have to keep that in mind because the threat landscape changes, new risks emerge. Just because we have a risk profile today that we can live with doesn't mean that we say, thank goodness that's done, I can go take a nap. You can tell throughout the class I'm over 50. I will often reference the joy of napping. No, but in all seriousness, we know that we're not done. We continue to monitor for risks because our profile can change at any time.

A few other terms. Risk threshold is that quantitative limit that I will not go beyond. It's a dollar value generally. We can't tolerate more. We're not willing to risk more than such and such amount of money for this particular risk. Risk capacity: how much risk can we absorb as an organization without it threatening our viability? We're willing to lose a little money here and there. But at some point in time, a risk can be so great that we look at it and say, hey, if this thing goes wrong, this will sink us. What's that amount of risk overall that we can handle before the very life of the organization is threatened? Now, risk utility. Don't underestimate the importance of risk utility because that's the reason we do it all in the first place. We've all heard that phrase with lottery tickets: you can't win if you don't play. There's got to be some reason that we're willing to undertake risks, and usually the risk utility is a big driver of how much risk we'll take. What's in it for me? What's the desired outcome from taking a risk?
>> Then the controls. What are the controls I've put in place to manage the risks? I definitely would like you to have these risks on these two slides. Make sure you take notes or get a screenshot, pause the screen, jot them down, but our additional risk definitions on both these slides are of particular importance.

Now let me give you an example. Now, I like to gamble a little bit. I'm not one of these people mortgaging the house so that I can put it all on red. But I like to play a little bit of poker from time to time. I'm not saying I'm the best poker player in the world, but I win some, I lose some. Now, I want to make sure I don't gamble too much, so what are the rules I have for myself? I don't go to local casinos. I live here in Silver Spring, Maryland. We've got some casinos right down the road, but I don't go locally because then I don't want to stop by the casino at lunch. I try to keep that in check. That's an administrative control that I have. My policy is I don't gamble in town. Controls help us mitigate the risk.

Now maybe once a year, maybe twice, I'll make a trip out to Atlantic City or Las Vegas. Las Vegas is like the greatest city on the planet for about a day and a half, then everything starts to get old. But I go out to Vegas a little bit, or Atlantic City, and I make a weekend of it or a couple of days. When I do make those trips, like I said, I don't gamble on a regular basis, but when I go to Vegas or Atlantic City, I come to play. I'm not one of those little women putting pennies in a slot machine going, oh, I hope I win $0.50. No man, I come to play. My risk appetite is I'm risk-seeking when I go. The reason for that is the risk utility, at least in my mind, is very high. I could win the big bucks. I'm still convinced I'm going to win the big bucks. We'll talk about bias later and how that helps us make, or it causes us to make, poor decisions. But anyway, stay with me here. My risk appetite is I'm risk-seeking because the risk utility is so high.

Now, when I walk in the door, the first thing you'll see in almost every casino, right as you walk in the door, are slot machines. The slot machines are there because they have the highest return for the casino. The odds on slot machines are terrible. Now that doesn't mean I'm not going to play because, like I said, I'm risk-seeking, but I have a very low tolerance for slot machines. As a matter of fact, my risk threshold is about 25 bucks. I'll go in, I'll drop some quarters and dollars in the slots, but when I'm down 25 bucks, that's my risk threshold. I'm done. I have a lower tolerance than my risk appetite for slot machines, and that threshold I will not cross is about 25 bucks.

Now, my risk capacity. When I say I go to Vegas to play, I don't mean to play like, I'm not dropping a thousand, five thousand bucks. I have a risk capacity, maybe, about, over the course of the weekend, I'm willing to absorb about a $500 loss. Now, anything over that is going to start to affect my capacity. I've got bills to pay. I've got a couple of kids. I've got two dogs. Got to put the kids through college. I have decided that if I lose more than, probably $500 is a little bit low, but if I lose more than a couple of thousand dollars, that threatens my viability because then I may not be able to pay my bills. I'm going to get in trouble at home if I show up and say I lost $2,000 for the weekend; that is my capacity level. I can absorb a couple of grand maybe and be okay. Doesn't mean I'm happy with it, but I'll be okay. Anything more than that affects how I do my business day-to-day.

One other term that's not on here I'll mention is I diversify my risks also. I don't put all my money on red at the roulette wheel. I don't just play Texas Hold'em. I play various things in the casino so that if one thing doesn't work, I still have another outlet.

Now, the controls I put in place, like I said: I don't gamble locally, I leave my wallet in the car. I take out the amount of money, my risk threshold, we said, I don't want to go beyond $25 in slots, so I monitor that amount and I leave if I'm at that level. But also tied into my risk capacity, I'm going to have a set amount that I'm not willing to go beyond. Risk threshold doesn't have to be just for a particular risk. It doesn't have to be for just risk in general; you can use that threshold in certain ways. My threshold is 25 bucks for the slot machines, but also per night, I don't want to spend more than 300 bucks. I still have a capacity for greater than that, but I don't want to go beyond 300 bucks. If I'm losing 300 bucks, it's time to call it a night. That's another way to think of risk threshold.

Another control. You know how they bring you those free drinks when you're gambling? I don't know if any of you go to Vegas or Atlantic City or any casino. But the first time I ever went out to a casino, I'm like, oh, free drinks, aren't they lovely here at the casino to thank me for coming in and giving me free drinks. That, my friends, is a trap. All of a sudden those free drinks start going down smoothly and the more likely I am to say, oh, let's play another hand, let's do another. I get a little bit more risk-aggressive if I have a couple of those free drinks. Another control is my administrative policy: don't be taking those free drinks. Nothing in life is free.
>> We have these various controls that are in place to mitigate our risk, but hopefully, as silly as that is, that helps you understand the difference between the terms as far as risks go. So keep that in mind, think about Kelly out there gambling when you come across these questions on the exam, and I hope that helps you.

Just a few more ideas here. Your different types of risk. If you ever hear the phrase "too big to fail," that's a systemic risk. What that means is you look at one industry and numerous other industries or institutions are dependent upon that one industry's success. If you look back here in the States, we have done bailouts. We've bailed out the airline industry, the automobile industry, which basically means the government comes in and throws some money at the problems and gets these industries back up on their feet. But the idea is, and we have a lot of disputes about that, some people feel like the bailout is justified and some folks feel like it's not, but the very idea behind it is, if we were to let the automobile industry here in the US fail, like for instance, Detroit. We have a lot of automobile manufacturers in Detroit, but they pay for real estate. They support industries like auto parts and manufacturers, they support the car sales industry and everything that spins. The real estate they take up there, restaurants and apartments built to be close to the factories and so on, so the idea is, it would be one thing to say car company A fails, but when you talk about the industry as a whole, that has that ripple effect that would be so large. We always hear that phrase, the banking industry is too big to fail. Well, that says we have a lot of dependency built upon that particular industry.

Contagious risks. When we talk about contagious risks, sometimes one risk event can spread very quickly, can impact a lot of organizations. If you look at COVID, no pun intended, it's a contagious risk. It's not a risk that particularly just impacted one organization; the risks associated with COVID spread throughout, the risks to the economy, the risk to specific industries, so it's a risk that often moves across various fields. Another way to think about it might be, we had a very large denial of service attack that was aimed at Amazon and Twitter and Google back in 2016, and there was significant outage time across some of these Internet giants, and it turned out that none of those Internet giants were offline, but the attackers targeted the DNS servers. Dyn was the company, D-Y-N was the company that hosted name resolution for Amazon and Twitter and Google, so when you take down Dyn, nobody can get name resolution to any of these major companies. Ultimately what that meant was if you knew the IP address to Amazon, you were home free, you could connect in. Very few people know that, though. We go to amazon.com and DNS resolves that to an IP address. When the DNS servers were taken down, the impact was massive because so many organizations used that same company as their DNS servers.

Another term here is an obscure risk. These are the risks that are off our radar. This is a risk that hasn't happened yet or it's so unlikely that we're not even thinking about it. You can look back and again, you'll probably hear me reference COVID a little bit because COVID is what everybody is thinking about and everybody is talking about in terms of risk management, business continuity, disaster recovery. If you'd gone back to 2018 or 2019, nobody was talking about a global pandemic that would bring countries to a screeching halt in a lot of ways as far as the way we normally do business. That was an obscure risk. Even as people started to hear about the threat emerging, because it was a black swan and because so many people had such little experience, nobody here, or very few people here, have experience with anything like what's happened in relation to COVID. That's an obscure risk, and because of the fact that we'd never seen it, we didn't believe it would happen. That's a specific type of bias. Because I haven't seen it, it's not going to happen. As a matter of fact, as things were starting to appear that the virus is more serious than we had thought, my sister-in-law went out and she stocked up; it was like she was ready for the zombie apocalypse, man. She went out to Costco and stocked up on Clorox wipes and tinned goods, and I was chuckling at her, and this was back in March. I was like, "What are you thinking about now?" That was my bias because I had not lived through a global pandemic; it was off my radar for even possibilities. Our biases cause us to make mistakes, and unless we're willing to look at the bias and to challenge that bias, we'll find ourselves unprepared for a risk if it materializes. Because you know once COVID exploded here in the US, you know I was there at my sister-in-law's knocking on the door saying, "Hey, can we have some canned food and some Clorox wipes?" Again, bias leaves us unprepared. Find people that will challenge your bias and be willing to listen, particularly for black swan events.

Now, for these events, visibility and recognition are both important. Visibility means I'm watching. I'm aware of the limited nature of my knowledge, I'm aware of the fact that I might be wrong, I'm aware of the fact things can happen I know nothing about. With risk management, the last phase of the risk management life cycle, which we'll talk about in a bit, is monitoring for risk. Observing the organization. Know what normal performance is so that when abnormal hits, you'll be able to recognize it and say, "Wait, this is beyond what we normally see." Know your baseline performance. Recognition. Monitor the right things. Because if I'm monitoring the right things and I understand what normal performance is, then I can usually detect, even if I don't know exactly what's happening, but I can detect those significant events. So monitor the right things, have a team that can analyze your data, analyze the data on a regular basis. That's the best way to deal with black swans.

By the way, the reason we call these types of risks black swan risks is because there are no black swans. For centuries, we've known swans are white, there are no black swans. What the heck is that? That looks a lot like a swan, but it's black. Just like I said earlier, we have black swans out there. Swans aren't only white; swans are black, just like I said a second ago. The idea really was that we just made the assumption, based on the fact that white swans were all that we'd seen in the past, that swans must be white, and then, lo and behold, something happens to change our perception. We have to be willing. I can sit here and say that must be a chicken. I can sit here and pretend that this challenge to the status quo didn't happen, but again, these are biases I have to be willing to accept and address.