Risk Evaluation

Video Activity

Time
7 hours 52 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
Lesson 4.8 Risk evaluation.
00:10
In this video, we will cover how to evaluate risks.
00:18
Now, if you remember back to the previous lesson where we used the OWASP risk framework as a reference point,
00:25
this is what you will use to guide your risk level determination, or something that looks very similar. If you have an enterprise risk management process in place in your organization,
00:35
this would probably look very familiar, or you would have something very similar to this.
00:41
Please feel free to leverage off your existing enterprise risk management framework
00:46
for a risk evaluation matrix.
00:54
So the overall risk evaluation formula is: risk is made up of the likelihood multiplied by the impact.
01:02
Your organization needs to have risk acceptance criteria
01:07
defined.
01:08
Risk acceptance criteria
01:11
pertain to the risk tolerance of your organization.
01:14
And when we get to the risk treatment process, it determines what treatment method should be adopted for a specific risk.
01:25
Your organization's risk tolerance level and context must be understood.
01:30
Some organizations are more open to taking on more risk, while other organizations are a lot more risk averse,
01:38
so they would need to invest a lot more time, energy and money into treating risks.
01:46
Once we have determined the levels of likelihood and impact,
01:49
we are able to evaluate the risks and come up with risk ratings.
01:53
Risk ratings help to prioritize risks.
01:57
These risk levels need to be compared to your organization's defined risk acceptance criteria,
02:04
and where risks are not outright accepted,
02:07
meaning where a risk does not fall within your acceptable risk
02:12
acceptance levels,
02:14
a risk treatment must be performed.
02:17
Please note that risk acceptance is a method of risk treatment,
02:23
but we'll get into the different types of risk treatments
02:25
in the upcoming lessons.
02:28
The context in which the risk could occur must also be taken into consideration.
02:34
For example, a high level risk
02:37
i.e. a critical risk,
02:39
on a low level or low valued information asset
02:44
might not be as important to immediately address
02:47
as a medium risk
02:50
on a high priority or high valued asset.
02:54
So going back,
02:57
when a risk is not accepted:
03:00
your organization would have levels defined where it can accept all risks at a rating of two or lower, for example,
03:07
or based on specific context or exceptions.
03:12
Sometimes a risk might exceed the level of risk acceptance criteria,
03:16
but later it is discovered that the treatment cost and effort far outweigh the consequences of the risk materializing.
03:25
That risk would then also be accepted.
03:29
When abnormally accepted risks
03:32
are
03:34
done, and management has taken a decision to accept the risk outside of the normal risk acceptance parameters,
03:39
this must be formally documented and noted,
03:43
as the decision's effect and the reasons why the risk was accepted
03:47
must be formally noted and approved by the authorized stakeholders.
03:54
It must be evident that the appropriate decision makers within the organization
04:00
were made aware of the risk, the treatment factors, and why accepting the risk was the best option.
04:08
As mentioned before, where a risk is not accepted, the risk must be treated.
04:13
Risk treatment options will be covered in more detail in the next section.
04:26
To summarize,
04:27
in this lesson we covered the basics of scoring a risk based on the simple formula of likelihood times impact.
04:34
Risks are prioritized based on their score and your organization's acceptance and risk tolerance criteria.