Now, risk analysis is not an easy activity or task. This is something that takes a great deal of expertise. It's something that takes a considerable amount of time. And like we always said, we always start with the value of the asset. But then we look at the threats, we look at the vulnerabilities, and we try to assess the likelihood.
So when we're identifying risks, we want to gather as much specific information as possible.
Because, like I said, generally what's gonna happen here is we're gonna collect this information, and this will lead us to what we feel is a good mitigating strategy. We've already talked about reducing, accepting, and transferring risks, and the type of mitigation is gonna be driven by the information we gain in risk analysis, and specifically quantitative analysis.
So we're gonna want to gather as much information as possible. So when we're talking about particular types of risks, or really particular types of threats, we want to gather information about how the threat might be performed. Is it something carried out by software? Does it require an internal user? Does it require collusion?
You know, those ideas about how the threat would materialize.
Is it something that's not just theoretical, but could really happen in our environment? Is the value of what we protect here important enough to justify someone carrying out an attack to that degree?
What are some easy things that we can do to diminish the likelihood of that attack?
You know, just physically requiring someone to be on the physical premises eliminates a whole lot of different types of attacks, as in if we don't allow someone to access the network wirelessly, or from VPN, or through remote access. If it's something where an attacker has to be physically present on the network, and if we restrict network access to having a physical presence here,
you'll find that eliminates a lot of different types of attacks. Now again, that may not be possible with the business environment as it is today, but there are lots of little things that we can do to limit the likelihood of some of these attacks being carried out. And so we consider what I can do from a reasonable business standpoint to lessen the potential here.
We talked about the threat matrix that we looked at just a little bit ago. And
how would confidentiality be evaluated? How would integrity, how would availability be affected?
All right, if there's a flaw, perhaps in software that we've developed, how exploitable is it? You know, if you've ever done software development, there's a lot of error in code that's out there.
You know, I think it's something like not unusual to have an error every 5 to 10 lines of programming code.
Not every error is a huge security-related issue. So just because there's a flaw, or even a weakness, doesn't necessarily mean that it's exploitable.
What are the workarounds? What are the patches we can put on this problem?
When we have the information, when we've collected the information about this vulnerability, how do we respond to it? And how much faith do we have in the risk response? Often a single risk response is not gonna be sufficient. It may only resolve a portion of the risk, so maybe we need a layered risk response.
If this compromise happens, does it affect the company as a whole, or a specific department?
In other words, what's the scope of damage?
We've already talked about identifying, figuring out the CIA requirements for the asset.
Likelihood, that's risk: how likely is this event to materialize? And then what do we already have in place? And what can we add to protect this asset further?