Narrator: As we mentioned before, an asset is something that we need to protect. It can be information, or it can be an actual physical piece of equipment, such as a rack in the server room or a computer or tablet or even a phone. A vulnerability is a weakness in the system. It can be due to lack of knowledge, or possibly outdated software. For example, perhaps we don't have a current operating system, or our awareness training is lacking. A threat is something or someone that could cause harm once they learn that we have a weakness. For example, if we have a back door open, either logically, in our website, or even physically in the back office, someone can exploit that weakness and take advantage of that gap in our defenses to access information. The likelihood or the probability of that happening depends on the overall environment. In an environment that's extremely secure, such as a data center or a bank, the likelihood that someone can come in and rob the bank is very low. Whether they are seeking access through a web browser, or physically into the actual bank, their likelihood of success is not high because security is very strong. In other situations, where we have fewer levels of security, the likelihood that the environment can be compromised is much higher. In our daily accounts, we often only have one username and a password and that is the extent of our defenses. Anyone who obtains that username and password can gain access; therefore, the likelihood that this environment can be compromised is very high. As a first step in the risk management process, organizations need to figure out how much risk they are willing to take. This is called a risk appetite or risk tolerance. For a very trivial example, if you are a big fan of football or a particular TV program, you will have a low tolerance for having a power outage during a big game or your favorite program. You also need to have power when you are trying to access important documents or sites for your business, so your risk appetite depends on how important that asset is. If your data is extremely sensitive, you will naturally be extremely averse to having any risk of a breach. To mitigate the risk, one option is to hire another company with the expertise to help you maintain the security of your environment. This will help reduce the risk. You would also consider implementing some security controls, which we will explore shortly. If we don't have the competence or the means to protect sensitive information, sometimes we need to avoid the risk. This means removing ourselves from a situation that can result in problems and refraining from initiating risky activities until we achieve a certain level of comfort with our security. We can also share or transfer the risk by obtaining cybersecurity insurance, so the insurance company assumes the risk. While it is nearly impossible to remove all risk, once we have done enough to reduce or transfer the risk, and we are comfortable with the situation, then we can accept the level of risk that remains.