Evaluating Likelihood and Impact
Transcript
Once the organization has made a decision to conduct a risk assessment and you've taken the time to prepare for it, we want to get into the actual process of assessment itself. To conduct your risk assessment, you begin by identifying relevant threat sources, both inside and outside of your company, existential and physical. Where can my threats come from? Once you've identified the sources, we look to events that could be produced from those sources, everything from negligence of an employee in conducting duties all the way up to lightning bolts striking the building. What can happen from these sources? Once we identify what could potentially happen, we begin to talk about what vulnerabilities exist within our organization that could be exploited in order for those threats to occur.

Once we know the vulnerability, we talk about how likely it is that an external threat resource could actually exploit the vulnerability, to get in through our gates and to cause the threat that we saw occur. For example, we talk about hackers a lot. What's the likelihood that if our firewall was improperly patched, a hacker could exploit that to get into our systems? Similarly, what's the likelihood that we're going to have a fire within our office? Once we determine likelihood, we drive to impact. Just because the threat has come to pass, it doesn't necessarily mean it's a company-ending event. What's the actual harm if a hacker drives in through our firewall or our building burns down? What really happens once that threat gets realized?

We determine information security risk, and our appetite for that risk and our thresholds for that risk, multidimensionally, taking in a combination of the likelihood of the exploitation and the threat that occurs once that exploitation has happened.
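The following is an added worked example, not part of the original transcript, showing how the chain the speaker walks through (threat source, threat event, vulnerability, likelihood, impact) can be recorded and combined into a ranked risk register that is checked against a risk appetite threshold. The 1 to 5 qualitative scales, the level cut-offs, the appetite threshold of 12, and the three sample entries (built from the firewall, fire and negligent-employee scenarios in the transcript) are all assumptions constructed for illustration.

```python
"""Added example: likelihood x impact risk register with an appetite threshold.

Scales, thresholds and sample entries are assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed qualitative scales mapped to scores (constructed for this example).
LIKELIHOOD = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
IMPACT = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    threat_source: str   # where the threat comes from (insider, hacker, weather, ...)
    threat_event: str    # what that source could do to us
    vulnerability: str   # the weakness that would let the event happen
    likelihood: str      # how likely the exploitation is (key of LIKELIHOOD)
    impact: str          # harm if the event is realized (key of IMPACT)

    def score(self) -> int:
        """Risk score as likelihood x impact on the assumed 1..5 scales (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Bucket the numeric score into a qualitative level (assumed cut-offs)."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "moderate"
        return "low"


def rank_risks(risks, appetite_threshold: int):
    """Return (risk, score, exceeds_appetite) tuples, highest score first.

    appetite_threshold is the score above which the organization has decided
    it will not accept the risk without treatment (an assumed value below).
    """
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r, r.score(), r.score() > appetite_threshold) for r in ranked]


# Constructed sample register using the scenarios mentioned in the transcript.
SAMPLE_RISKS = [
    Risk("external hacker", "intrusion through the perimeter",
         "firewall missing security patches", "high", "high"),
    Risk("fire", "office building fire",
         "no fire suppression in the server room", "low", "very high"),
    Risk("employee", "negligent handling of customer data",
         "no data-loss controls on outbound email", "moderate", "moderate"),
]

if __name__ == "__main__":
    for risk, score, over in rank_risks(SAMPLE_RISKS, appetite_threshold=12):
        flag = "EXCEEDS APPETITE" if over else "within appetite"
        print(f"{score:2d} {risk.level():8s} {flag:16s} "
              f"{risk.threat_source} / {risk.threat_event}")
```

Note that the fire scenario scores lower than the hacker scenario despite its higher impact, because the combination is multidimensional: a very high impact at low likelihood lands within the assumed appetite, while a high impact at high likelihood does not. In practice the scales and cut-offs should be agreed by the organization before scoring, so that different assessors produce comparable results.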