Risk management is fundamental to securing information, systems, and critical business processes. You can’t effectively and consistently manage what you can’t measure, and you can’t measure what you haven’t defined. Basic risk management becomes much more effective with clear and concise definitions. Here are some of the most important ones:
A control is a measure that modifies risk. Controls can be split into strategic, tactical and operational.
Strategic controls are usually high level, such as risk avoidance, transfer, reduction and acceptance.
Tactical controls determine a course of action, such as preventive, corrective or directive.
Operational controls determine the actual treatment: technical or logical, procedural or people-based, and physical or environmental.
Likelihood is the chance of something happening. It should be used instead of possibility: many things are possible, and that alone gives no indication of whether a particular security event is actually likely to take place.
Probability is the measure of the chance of occurrence as a number between zero and one.
Resilience is the adaptive capacity of an organisation in a complex and changing environment.
Qualitative risk assessments are subjective and generally expressed in terms such as ‘high’, ‘medium’ and ‘low’. This method should be avoided as it renders risk assessments unreliable.
Quantitative risk assessments are generally expressed in numerical terms such as financial values or percentages of revenue. These provide a more accurate measurement of risk but are usually more time consuming to undertake.
Residual risk is the risk remaining after risk treatment, once all other risk treatment options have been explored. It is normal to accept or tolerate this, since further treatment might be prohibitively expensive or have no effect.
Risk is the effect of uncertainty on objectives. Risk is the product of consequence or impact and likelihood or probability.
Risk acceptance or risk tolerance is the informed decision to take a particular risk.
Risk analysis is the process to comprehend the nature of risk and to determine the level of risk.
Risk appetite is the amount and type of risk that an organisation is willing to pursue or retain.
Risk avoidance is an informed decision not to be involved in, or to withdraw from an activity in order not to be exposed to a particular risk.
Risk management is a coordinated activity to direct and control an organisation with regard to risk.
Risk modification is the process of treating risk by the use of controls to reduce either the consequence/impact or the likelihood/probability.
Risk register is a record of information about identified risks.
Risk transference is a form of risk treatment involving the agreed distribution of risk with other parties. One of the risk treatment options is to transfer the risk to, or share it with, a third party. This does not, however, change the ownership of the risk, which remains with the organisation itself.
Risk treatment is the process of modifying risk. Treatment may involve risk transference or sharing, or risk avoidance or termination.
A stakeholder is a person or organisation that can be affected by a decision or activity.
A threat is a potential cause of an unwanted incident which may result in harm to a system or organisation. Threats are usually man-made (whether accidental or deliberate) and are distinct from hazards or natural events.
A threat vector is a method or mechanism by which an attack is launched against an information asset.
A threat actor is a person or organisation that wishes to benefit from attacking an information asset; threat actors mount the attacks. Threat sources often pressurise threat actors to attack information assets on their behalf.
A vulnerability is an intrinsic property of something that results in susceptibility to a risk source, which can lead to an event with a consequence. Vulnerabilities or weaknesses leave an asset open to attack from a threat or hazard.
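The definitions of risk, risk modification, residual risk, risk appetite and the risk register fit together in a quantitative assessment. The following is an added illustration, not part of the original article: it treats impact as a financial loss and probability as the annual chance of occurrence (so risk is expected annual loss), applies controls that scale probability or impact, and records the residual risk and treatment decision in a small register. All asset values, probabilities and controls are constructed figures.

```python
"""Quantitative risk register built from the glossary definitions above.
Added example with constructed figures; not the article's own method."""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A measure that modifies risk by scaling probability and/or impact."""
    name: str
    probability_factor: float = 1.0  # 0.5 halves the likelihood
    impact_factor: float = 1.0       # 0.5 halves the consequence
    annual_cost: float = 0.0         # what the control costs to run per year


@dataclass
class Risk:
    """One register entry. Risk = impact x probability (expected annual loss)."""
    name: str
    impact: float        # financial consequence if the event occurs
    probability: float   # annual chance of occurrence, 0..1
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between zero and one")

    def inherent(self) -> float:
        """Risk before any treatment."""
        return self.impact * self.probability

    def residual(self) -> float:
        """Risk remaining after every listed control has been applied."""
        p, i = self.probability, self.impact
        for c in self.controls:
            p *= c.probability_factor
            i *= c.impact_factor
        return i * p

    def control_worthwhile(self, control: Control) -> bool:
        """A control is worth applying only if the risk reduction it buys
        exceeds its annual cost (otherwise further treatment is 'prohibitively
        expensive' and the residual risk is normally accepted)."""
        reduction = self.inherent() * (1 - control.probability_factor * control.impact_factor)
        return reduction > control.annual_cost


def treatment_decision(risk: Risk, appetite: float) -> str:
    """Accept residual risk within appetite; otherwise it needs further
    treatment (more modification, transfer/sharing, or avoidance)."""
    return "accept" if risk.residual() <= appetite else "treat further"


def build_register(risks, appetite: float) -> list:
    return [{"risk": r.name, "inherent": r.inherent(), "residual": r.residual(),
             "decision": treatment_decision(r, appetite)} for r in risks]
```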