Managing Risk in Information Systems, 2nd Edition
by Gibson
Publisher: Jones & Bartlett Learning
PART ONE
Risk Management Business Challenges
CHAPTER 1 Risk Management Fundamentals
CHAPTER 2 Managing Risk: Threats, Vulnerabilities, and Exploits
CHAPTER 3 Maintaining Compliance
CHAPTER 4 Developing a Risk Management Plan
CHAPTER 1 Risk Management Fundamentals
RISK MANAGEMENT IS IMPORTANT to the success of every
company—a company that takes no risks doesn’t thrive. On the other hand,
a company that ignores risk can fail when a single threat is exploited.
Nowadays, information technology (IT) systems contribute to the success of
most companies. If you don’t properly manage IT risks, they can also
contribute to your company’s failure.
Effective risk management starts by understanding threats and
vulnerabilities. You build on this knowledge by identifying ways to mitigate
the risks. Risks can be mitigated by reducing vulnerabilities or reducing the
impact of the risk. You can then create different plans to mitigate risks in
different areas of the company. A company typically has several risk
mitigation plans in place.
This text can help you build a solid foundation in risk management as it
relates to information system security. It won’t make you an expert. Many
of the topics presented in a few paragraphs in this text can fill entire
chapters or even entire books. The more you learn, the closer you’ll be to
becoming the expert whom others seek out to solve their problems.
Chapter 1 Topics
This chapter covers the following topics and concepts:
• What risk is and how it relates to threat, vulnerability, and loss
• What the major components of risk to an IT infrastructure are
• What risk management is and why it is important to the organization
• What some risk identification techniques are
• What some risk management techniques are
Chapter 1 Goals
When you complete this chapter, you will be able to:
• Define risk
• Identify the major components of risk
• Describe the relationship among threats, vulnerabilities, and impact
• Define risk management
• Describe risk management’s relationship with profitability and survivability
• Explain the relationship between the cost of loss and the cost of risk management
• Describe how risk is perceived by different roles within an organization
• Identify threats
• List the different categories of threats
• Describe techniques to identify vulnerabilities
• Identify and define risk management techniques
• Describe the purpose of a cost-benefit analysis (CBA)
• Define residual risk
What Is Risk?
Risk is the likelihood that a loss will occur. Losses occur when
a threat exposes a vulnerability. Organizations of all sizes face risks.
Some risks are so severe they cause a business to fail. Other risks are minor
and can be accepted without another thought. Companies use risk
management techniques to identify and differentiate severe risks from
minor risks. When this is done properly, administrators and managers can
intelligently decide what to do about any type of risk. The end result is a
decision to avoid, share or transfer, mitigate, or accept a risk.
NOTE
The Official (ISC)2 Guide to the SSCP CBK provides a more technical definition of
risk. Risk is “a function of the likelihood of a given threat source’s exercising a
potential vulnerability, and the resulting impact of that adverse event on the
organization.” If you’re not familiar with the alphabet soup, the (ISC)2 Systems
Security Certified Practitioner (SSCP) certification includes seven domains that are
derived from a common body of knowledge (CBK).
The common themes of these definitions are threat, vulnerability, and loss.
Even though the common body of knowledge (CBK)—see note—doesn’t
specifically mention loss, it implies it. Here’s a short definition of each of
these terms:
• Threat—A threat is any activity that represents a possible danger.
• Vulnerability—A vulnerability is a weakness that a threat can exploit.
• Loss—A loss is a compromise of business functions or assets.
NOTE
Threats and vulnerabilities are explored in much more depth later in this chapter.
Risks to a business can result in a loss that negatively affects the business. A
business commonly tries to limit its exposure to risks. The overall goal is to