Risk Management Process

Narrator: As we mentioned before, an asset is something that we need to protect. It can be
information, or it can be an actual physical piece of equipment, such as a rack in the server
room or a computer or tablet or even a phone. A vulnerability is a weakness in the system. It
can be due to lack of knowledge, or possibly outdated software. For example, perhaps we don't
have a current operating system, or our awareness training is lacking. A threat is something or
someone that could cause harm once they learn that we have a weakness. For example, if we
have a back door open, either logically, in our website, or even physically in the back office,
someone can exploit that weakness and take advantage of that gap in our defenses to access
information.
The likelihood or the probability of that happening depends on the overall environment. In an
environment that's extremely secure, such as a data center or a bank, the likelihood that
someone can come in and rob the bank is very low. Whether they are seeking access through a
web browser, or physically into the actual bank, their likelihood of success is not high because
security is very strong.
In other situations, where we have fewer levels of security, the likelihood that the environment
can be compromised is much higher. In our daily accounts, we often only have one username
and a password and that is the extent of our defenses. Anyone who obtains that username and
password can gain access; therefore, the likelihood that this environment can be compromised
is very high.
As a first step in the risk management process, organizations need to figure out how much risk
they are willing to take. This is called a risk appetite or risk tolerance. For a very trivial example,
if you are a big fan of football or a particular TV program, you will have a low tolerance for
having a power outage during a big game or your favorite program. You also need to have
power when you are trying to access important documents or sites for your business, so your
risk appetite depends on how important that asset is. If your data is extremely sensitive, you
will naturally be extremely averse to having any risk of a breach. To mitigate the risk, one
option is to hire another company with the expertise to help you maintain the security of your
environment. This will help reduce the risk. You would also consider implementing some
security controls, which we will explore shortly.
If we don't have the competence or the means to protect sensitive information, sometimes we
need to avoid the risk. This means removing ourselves from a situation that can result in
problems and refraining from initiating risky activities until we achieve a certain level of
comfort with our security. We can also share or transfer the risk by obtaining cybersecurity
insurance, so the insurance company assumes the risk. While it is nearly impossible to remove
all risk, once we have done enough to reduce or transfer the risk, and we are comfortable with
the situation, then we can accept the level of risk that remains.