2 defining what is a threat, vulnerability versus an impact
People assess risk regarding their information assets, home PC, BlackBerry, or going skiing or hiking this weekend by structuring the issue. For comprehensive risk management, however, one has to address threats, vulnerabilities and impact on operations (or one's PC) to arrive at a comprehensive risk assessment (see the table and figure below). This is discussed here in more detail.
_Facts – Structuring risks regarding the confidentiality of data stored on a PC or BlackBerry device_
| category | factors | example |
|---|---|---|
| threat, hazard, peril | context, actor | skiing on a glacier versus skiing on an intermediate hill; a security-savvy user logging onto the server from a public hotspot; archiving procedures not being legally compliant |
| vulnerability | condition and/or weakness | may exist in a system, computer or person; a malicious user may exploit the weakness to gain remote access to a system or execute code without the user being aware it is happening |
| impact | confidentiality, reliability, dependability and integrity of systems and data | what possible impact this might have upon hardware, software, information and business operations; what the possible price or cost of the outcome is for the enterprise or user |
Individuals try to structure the problem by considering the likelihood of the threat, the vulnerability one might be exposed to, and the impact it would all have if the event occurs, such as breaking a leg or losing a file or a hard disk.
Graphically, we can outline the issues as done here:
Depending upon that information, a decision will be made that results in an action, such as patching the vulnerable software by downloading and installing the latest version in which the vulnerability has been eliminated.
_Effective information security risk assessment requires risk management_
| risk management | threat, vulnerability, impact |
|---|---|
| Management and/or the risk officer have to decide whether a particular scenario/case warrants action. The decision either to live with the risk or to fix the problem is critical to protecting information assets and staying compliant. | |
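As an added worked example (not code from the original post), the structure of the two tables above expressed as a small risk register: each case records its threat, the weakness it relies on and the impact, is rated on the three factors, and gets the management decision to fix or to live with the risk. The 1-to-5 scale, the product formula and the threshold are assumptions made for this example; the series' own rating scale and overall-score calculation are the subject of the later posts. The cases themselves are constructed, modelled on the examples in the first table.

```python
from dataclasses import dataclass, replace

# Constructed ordinal scale (1 = low, 5 = high). It is an assumption for this
# example; the series' own rating scale and overall-score formula are covered
# in the later posts, not here.
SCALE = range(1, 6)


@dataclass(frozen=True)
class RiskCase:
    """One row of a risk register, structured like the first table above:
    what the threat is, which weakness it needs, and what the impact would be."""
    name: str
    threat: str          # context and/or actor
    vulnerability: str   # condition and/or weakness the threat relies on
    impact: str          # what is lost if the case occurs
    likelihood: int      # how likely the threat materialises
    exposure: int        # how exploitable the weakness is right now
    severity: int        # how bad the impact is for the user or enterprise


def risk_score(case: RiskCase) -> int:
    """Product of the three ratings; ranges from 1 to 125 on this scale."""
    for rating in (case.likelihood, case.exposure, case.severity):
        if rating not in SCALE:
            raise ValueError(f"rating {rating} outside {SCALE}")
    return case.likelihood * case.exposure * case.severity


def decide(case: RiskCase, threshold: int = 27) -> str:
    """The management decision from the second table: fix it, or live with it.
    The threshold (27 = 3*3*3, a 'medium' on every factor) is an assumption."""
    return "fix" if risk_score(case) >= threshold else "accept"


def risk_register(cases, threshold: int = 27):
    """Score every case and order them worst first, with the decision attached."""
    rows = [(c.name, risk_score(c), decide(c, threshold)) for c in cases]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def after_mitigation(case: RiskCase, exposure: int) -> RiskCase:
    """Re-rate a case after an action such as patching: threat and impact are
    unchanged, only the exploitable weakness has shrunk."""
    return replace(case, exposure=exposure)


# Constructed cases, modelled on the examples in the table above.
CASES = [
    RiskCase("unpatched PC software",
             "malicious user reachable over the network",
             "known flaw in the installed software version",
             "remote access or code execution without the user noticing",
             likelihood=4, exposure=4, severity=4),
    RiskCase("server login from a public hotspot",
             "security-savvy user on an untrusted Wi-Fi network",
             "credentials or session observable on the hotspot",
             "confidentiality of data stored on the server",
             likelihood=3, exposure=3, severity=4),
    RiskCase("non-compliant archiving",
             "archiving procedure as currently run",
             "retention does not meet the legal requirement",
             "fines and loss of compliance status",
             likelihood=2, exposure=3, severity=3),
    RiskCase("skiing on an intermediate hill",
             "weekend skiing on a groomed slope",
             "ordinary fall",
             "broken leg",
             likelihood=2, exposure=2, severity=3),
]

if __name__ == "__main__":
    for name, score, decision in risk_register(CASES):
        print(f"{score:3d}  {decision:6s}  {name}")
    # The action from the text: patch the software, then re-assess the case.
    patched = after_mitigation(CASES[0], exposure=1)
    print("after patching:", risk_score(patched), decide(patched))
```

Running it lists the four cases worst first (64 fix, 36 fix, 18 accept, 12 accept); after the patch the first case drops to 16 and the decision becomes "accept", which is the loop the text describes: assess, decide, act, and assess again. Any rating outside the scale is rejected rather than silently scored.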
Please read also:
- 3 rating scale in more detail
- 4 – calculating the overall score
- CyTRAP Labs risk barometer – overview