2 definining what is a threat, vulnerability versus an impact

0 comments 11.711 views

Previous postings:

People assess risk regarding their information assets, home PC, BlackBerry or going skiing or hiking this weekend by structuring the issue. For comprehensive risk managemen, however, one has to address threats, vulnerabilities and impact on operations (or one’s PC) to arrive at a comprehensive risk assessment (see Table below and Figure). This is discussed here in more detail.

_Facts – Structring risks regarding the confidentiality of data stored on PC or Blackberry device_

category factors example
threat, hazard, peril context, actor - skiing on a glacier versus skiing on intermediate hill- security savvy user logging onto the server by using a public hotspot- archiving procedures not being legally compliant
vulnerability condition and/or weakness - may exist in a system, computer or person- malicious user may exploit weakness to gain remote access to system or execute code without user being aware it is happening
impact confidentiality, reliability, dependability and integrity of systems and data - what is the possible impact this might have upon hardware, software, information, business operations- what are the possible price or costs of outcomes for the enterprise or user

Individuals try to structure the problem by considering the likelihood of the threat, the vulnerability one might be exposed to and the impact it might all have it the case occurs where one breaks a leg, looses a file or hard disk.

Graphically, we can outline the issues as done here:

- 1 how people assess risks

Depending upon that information, a decision will be made resulting in an action, such as patching the vulnerable software by downloading and installing the latest version of the software where the vulnerability has been eliminated.

_Effective information security risk assessment requires risk management_

risk management threat,
vulnerability,
impact
Management and/or the risk officer have to decide if a particular scenario/case warrants action.Decision about either to live with risk or fix the problem is critical to protect information assets and stay compliant.

Please read also: