Risk Identification is essential to the proper selection of security controls and safeguards. The risk is a function of the probability of a given threat agent exercising a particular vulnerability and the resulting impact of that adverse event on the organization. It entails the potential for the realization of unwanted, adverse consequences to human life, health, property or the environment.

Some related risk definitions are as follows:

Risk reduction: Taking measures to alter or improve the risk position of an asset throughout the company.

Risk transference: Assigning or transferring the potential cost of a loss to another party (such as an insurance company).

Risk acceptance: Accepting the level of loss that will occur and absorbing that loss.

Asset: An asset is a resource, process, product, computing infrastructure, and so on, that an organization wants to protect. The value of an asset is composed of all the elements related to that asset, including its creation, development, support, replacement, public credibility, considered costs, and ownership values.

Threat: The potential for a threat-source to exploit a specific vulnerability. The presence of any potential event that causes an undesirable impact on the organization is called a threat. A threat can be human-made or natural, intentional or accidental, and have a small or significant effect on a company’s security.

Vulnerability: Any weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat or threat agent. A minor threat can potentially become a more significant threat, or a more frequent threat, because of a vulnerability.

Safeguard: A safeguard is a control or countermeasure employed to reduce the risk associated with a specific threat or group of threats. Controls can be operational, technical or administrative. Multiple layered controls that utilize all three control areas are the best defense against a threat.

Countermeasures: Those controls put in place as a result of an analysis of a system’s security posture. They are the same controls defined above under safeguards, but are implemented as a countermeasure to reduce a specific identified and measured risk.

Threat agent: Any circumstance or event that could harm an information system through unauthorized access, destruction, disclosure, data modification, or denial of service.

Exposure: The exposure sub-element pertains to the openness of a source of information.

To mitigate risk, the organization needs to know the threat, the consequences of the realized threat, the frequency with which the threat occurs, and the likelihood that this threat will occur. To gather the information required to answer these questions, the organization must perform a risk assessment, including asset, threat, and vulnerability identification.
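The assessment described above, worked through as a small risk register, as an added example that is not part of the original text. Each entry ties an asset to a threat and the vulnerability that threat would exercise, risk is scored as likelihood times impact (the function of probability and impact stated at the top of the page), and each scored risk is mapped to one of the treatments the page defines (reduce, transfer, accept). The register contents, the acceptance and transfer thresholds, and the post-safeguard likelihood are all constructed assumptions for illustration, not values from the page.

```python
from dataclasses import dataclass

# Constructed example, not from the original text: a minimal risk register in
# which each entry links an asset, a threat and the vulnerability the threat
# would exercise, and risk is scored as likelihood x impact.


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float   # estimated probability of the threat occurring per year (0..1)
    impact: float       # estimated loss to the organization if it occurs (currency units)

    def score(self) -> float:
        """Risk as a function of probability and impact (expected annual loss)."""
        return self.likelihood * self.impact


# Thresholds are assumptions chosen for illustration, not values from the page.
ACCEPT_BELOW = 5_000.0                  # expected annual loss small enough to absorb
TRANSFER_IMPACT_AT_LEAST = 1_000_000.0  # single-event loss large enough to insure against


def recommend_treatment(entry: RiskEntry) -> str:
    """Map a scored risk to one of the treatments defined in the text."""
    if entry.score() < ACCEPT_BELOW:
        return "accept"          # risk acceptance: absorb the loss
    if entry.impact >= TRANSFER_IMPACT_AT_LEAST:
        return "transfer"        # risk transference: e.g. insurance
    return "reduce"              # risk reduction: apply safeguards


def residual_score(entry: RiskEntry, likelihood_after_safeguard: float) -> float:
    """Recompute the risk once a safeguard lowers the likelihood that the threat succeeds."""
    return likelihood_after_safeguard * entry.impact


def rank_register(register: list) -> list:
    """Return (asset, threat, score, treatment) rows sorted from highest to lowest risk."""
    rows = [(e.asset, e.threat, e.score(), recommend_treatment(e)) for e in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register (assets, threats, vulnerabilities and estimates are made up).
REGISTER = [
    RiskEntry("customer database", "external attacker", "unpatched web application", 0.30, 500_000.0),
    RiskEntry("backup tapes", "loss in transit", "no encryption at rest", 0.10, 200_000.0),
    RiskEntry("office workstation", "malware via e-mail", "no attachment filtering", 0.60, 5_000.0),
    RiskEntry("data center", "flood", "site below flood line", 0.02, 2_000_000.0),
]

if __name__ == "__main__":
    for asset, threat, score, treatment in rank_register(REGISTER):
        print(f"{asset:20} {threat:20} {score:>12,.0f}  {treatment}")
    # Residual risk for the top entry after a safeguard (assumed to cut likelihood to 0.05).
    print("residual risk after patching:", residual_score(REGISTER[0], 0.05))
```

The ranking makes the point of the last paragraph concrete: the data-center flood has the largest single-event impact but, because it is rare, scores below the database exposure, so the register directs safeguards at the database first and treats the flood as a candidate for transference rather than reduction.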