So this chapter, which is gonna deal with risk, we have three main objectives that we want to cover. As you can see, we're gonna talk about the risk associated with business decisions and the ideas. Every decision you make has some degree of risk associated with it, and we all have a tolerance for risk.
Some of us may be very risk averse. We may be very conservative. We may want to play it safe and not put a lot out there to chance.
And so we would consider ourselves to be risk averse. Some organizations are very risk aggressive because a lot of times the higher the risk, the higher the payoff. So if we're willing to tolerate a high degree of risk, we would consider ourselves to be very risk aggressive. But often the bottom line is that we're rarely all one or all the other.
A lot of times it depends on what's at stake. So the bottom line is we always have to address risk, figure out what our tolerances are and make our decisions moving forward, so we'll talk about how risk affects our business decisions.
Now we'll look at risk analysis and figure out what controls to put in place. Really, even before that, we're gonna define some of these risk terms and talk about risk assessment versus risk analysis versus risk mitigation, and how we walk through the steps to define risk and to address risk. And then last,
perform research on technologies and tools for an enterprise environment,
threats to the business and security requirements for contracts. All of this means I have to educate myself. I have to understand what the risks are associated with third-party contracts. I have to know where threats to my organization are gonna come from. I have to know what the security requirements for my particular industry are.
All this can be summed up by saying, I'm gonna do my due diligence and due care.
Now I'm gonna give you definitions, and I don't want you to take these definitions back to law school with you. But a quick, sort of cheapie definition for due diligence is we're gonna do the research. We're gonna research. We're gonna find out what the risks are associated with our business decisions.
We're gonna look and find out what industry standards require us to do.
We're gonna make sure we meet our legal requirements. We're going to make sure that we're acting responsibly and cautiously because our company assets have been entrusted to us. So knowing the threats, knowing the vulnerabilities and understanding them, that's due diligence, the research. But if I don't act upon my knowledge, that's pretty much worthless.
So due diligence should be followed with due care,
and due care is the action. So I've learned what the threats and vulnerabilities are, what the potential for harm is; now I'm going to write policy, and I'm gonna enforce policy that enforces the security decisions, or the security-related decisions, that we've made. So due care and due diligence are often gonna come together. And then as part of this, also, we're gonna talk about, well, how do I do due diligence? Where do I go to learn what the current threats are
and what vulnerabilities exist in my systems? And of course,
there are lots of different sources out there where you can educate yourself on security threats in relation to IT. Some are obviously gonna be more reliable than others, so we'll talk about those.
All right. Now, as we move forward, let's talk about the idea of some definitions here. What is an asset? A threat? A vulnerability? Risk? What are controls? And we just want to make sure that we're all using these words correctly because a lot of times people will use these words, some of them interchangeably,
and that's absolutely not correct. So let's start by going through and defining each of these elements.
The first element to define is, of course, an asset, and an asset is anything that our company values. What's important to us as employees, as business owners? What do we value? Now, assets can be very black and white. I have a laptop. The laptop is worth $500.
However, we have to think about the value of an asset coming from more than just hardware costs. Because if I do have a laptop that's valued at $500 for the hardware, that's probably not where the true value of that laptop comes from. For instance, what's the value of the data on that laptop?
How long did it take me to create that information? Because my time's valuable.
Does that laptop contain information that would be valuable to my competitors? That adds value.
Is there health care information perhaps on that laptop? That might mean I'm susceptible to a fine, maybe a HIPAA violation, where I would be fined $10,000 if that data gets compromised. That certainly adds to the value of the resource. So the big idea here, with value, with assets,
and when we think of their value to the organization,
we have to make sure that we're being very inclusive in our considerations. We can't just say the hardware's worth $500, therefore it's worth $500.
The first step of risk management, which we'll talk about in a few minutes, will always be to evaluate your assets. You always have to start with figuring out what's important to you and how valuable it is. So remember that value is an all-encompassing term that addresses all the things that give worth.
Gotta consider things like loss to my company's reputation. You know, if I'm a security firm and we have a critical server get hacked, that's a big loss to reputation. If I'm a security firm, that's got to go into the value as well. So again, value is a very comprehensive term. It's about more than just
what is the data? How long did it take to create the data?
It can include the value to competitors, intellectual property value. It can include fines if that data is compromised. So be very inclusive when you think about assets and what they're worth.
Now what is gonna harm my assets? I have data. That's fine. What's the potential threat? And that's what a threat is. It's anything that can pose harm to an asset. And threats aren't always malicious. You know, a user accidentally deleting a file,
that's a huge threat, and that can cause a very large amount of damage.
So threat has a very sort of malicious connotation to it, and often that's true. But remember, we've got to think about threats that aren't the result of malicious activity, but are threats nonetheless. You could have a tornado, and that presents a huge threat to your company's resources. Okay.
So threats, anything that can harm an asset,
anything that has the potential to harm the asset
And vulnerability: what weakness would allow the threat to materialize?
So, vulnerabilities. Is there an inherent flaw? Is there a point of being unprotected? Is there, uh, you know, a lack of protection, a lack of security on the asset that would allow that threat to materialize? So a weakness is another name for vulnerability.
Now risk. Sometimes people use risks and threats interchangeably. That's not correct at all. Risk is usually expressed as a percentage: the likelihood that a threat will exploit an asset, or rather, will exploit the vulnerability and compromise an asset.
What's the likelihood?
So, for instance, I have valuable data. That's my asset.
The vulnerability is that I use weak passwords to protect my data.
The threat is that an attacker could compromise that password and gain access to my data.
The risk? Well, if I don't do anything, I'd say there's a 75% chance that I'm gonna lose my data if I don't protect it, if I don't provide some sort of mitigating strategy to shore up this vulnerability. So that's kind of how those words might be used in context. So what am I going to do? What is my mitigation? We refer to mitigating strategies as putting controls in place.
A control is there to protect an asset. Often the control closes up that vulnerability.
Now controls are either proactive or reactive. So when we talk about a proactive control, we're looking to either deter or prevent an attack.
You know, a sign that says Do Not Trespass, that's proactive. That sign's there to make you say, uh-oh, I'm going to get caught. I don't want to trespass. A login banner on a system, when you go to log into a computer and it says unauthorized access of this system is strictly prohibited, that's a proactive control. It's a deterrent.
Now, a deterrent, it's not as strong as a preventive. A deterrent is more of a psychological control.
It's one that maybe makes you think, I don't want to commit this attack. But a preventive is designed to stop you. Now, it won't stop you forever, but it will stop you for a limited time.
Maybe a door lock. That's a preventive control. Uh, requiring a strong password to access a system, that's preventive. If you don't know the password, you're not getting onto the system.
Firewalls in a technical environment, those are preventive.
All right. And then, uh, with those proactive controls, we refer to them as safeguards. Safeguards are proactive.
But again, we know that there is no single measure that will prevent an attacker. So in addition to safeguards, we also have countermeasures, and countermeasures are reactive controls. They respond to an attack having been at least to a degree successful.
So when we do auditing, when we have intrusion detection systems, when we have, um, mechanisms in place like burglar alarms, that after the fact, somebody's already trespassing, somebody's already in the house, somebody already has access to the data, we still need countermeasures. And of course, the solution,
if you want to mitigate the risks associated with your data, with your valuable assets, there is no one mechanism that will protect everything. There is no one mechanism that will stop a determined attacker. So what do we do? We layer. We have layer after layer after layer,
and think about your house. Think about the things you do to protect your house,
You know, for me, I've a fence. Now, the fence is only five or six feet high. A determined intruder, they can climb that fence. I've had to climb it when I've locked myself out. So if I can climb it, I know a determined intruder can climb that fence. I have motion detector lighting that comes on at night if there's motion.
uh, I have a burglar alarm at my house.
I also have a sign that says I have a burglar alarm at my house, and that sign's in the window, and I'll guarantee you the sign in the window does more to prevent crime than the burglar alarm itself. As a matter of fact, I had a student once that worked for a company that sold alarm systems,
and, uh, he said he used to get calls all the time from people that said,
Hey, listen, I can't afford your alarm system, your burglar alarm system. But how much would you sell me one of your signs for? And he came up with what I thought was the perfect answer. He said, Well, I'll sell you one of our signs for $99 a month, and we'll throw in a free burglar alarm system for that. So I thought that was a pretty good answer.
But the bottom line is, of course, they're not going to sell you that sign. The sign in your window does more to keep you safe than the alarm itself.
In the entire time that I've had that burglar alarm, which has been over seven years, it's never once gone off for a real attack. There's always that 3 a.m. you wake up and open the door without thinking about it, and the alarm goes off. But I've never once had the burglar alarm go off in response to an attack.
But if somebody is looking at my house and considering it as a possible target,
when they see that I'm protected by a burglar alarm, it's much easier to just keep moving. And by the way, deterrence is a really elemental principle of security. You know, when we talk about security, we think about deter, delay, detect, you know, those kinds of ideas. If I can deter you,
it is so much cheaper for me to deter you. And think about it with a break-in. You know, I can either deter you by having that big sign that says, Don't break into my house. I've got a burglar alarm. The cops will be here. You could go to jail. Or would you rather have them come in, steal your stuff, sell it to a pawn shop,
and you get it back eight months later, damaged, if you get it back at all?
You know, obviously it's much cheaper and more effective to deter. We want to invest a lot of money upfront with deterrents. That's why you have login banners when you log on to a system that say, We're monitoring this computer by penalty of law. Don't access this network unless you have
the rights and privileges associated with this network. However you're gonna word those,
we would love to prevent too. To be proactive, we would love to deter. It's cheaper to deter than to detect and correct. OK, so deterrent, prevention, those ideas are up front there, proactive. You can't put all your eggs in one basket.
I don't care how much money you've spent on the firewall.
There will always be the possibility of that firewall being compromised and an attack coming through. So what do we do on the inside? We have reactive controls. We have intrusion detection systems. We have audit logs. We have monitoring software. And the idea behind these reactive controls is, okay,
if proactive didn't work,
now we're gonna detect and ideally correct. So when you think about safeguards, their job is to deter and prevent.
Countermeasures, their job is to detect and correct, and the idea of being a layered defense. We always want layering, layering, layering, just like you protect your house. You know, you lock your front door, you lock your screen door, you have your fence, you have your motion detector lighting.
You have a dog, perhaps, on the inside. I have a pug who's pretty much worthless as far as burglar
prevention, but he's a good little alarm. You know, if anybody's anywhere near my house, the pug is barking his head off. So
even in those instances where we don't have real prevention, that detection is a very big benefit.