Risk strategies:
■ Acceptance or tolerance
■ Avoidance
■ Assignment or transference
■ Reduction or mitigation
■ Rejecting or ignoring
Acceptance is the outcome when the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.
Risk deterrence is a variation of avoidance.
Assigning risk, or transference of risk, is:
Placing the cost of loss that a risk represents onto another entity or organization.
Risk mitigation examples:
Proactive Threat hunting
Firewalls, endpoint security…
Web app firewall
Group Policies
Access Control
User Awareness
Policies/Procedures
Vulnerability Assessment/Auditing
Total risk is the amount of risk an organization would face if no safeguards were implemented.
A conception of total risk is:
threats + vulnerabilities + asset value = total risk.
Threats are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems. Vulnerabilities are weaknesses in our systems or controls that could be exploited by a threat. Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
Internal risks are those risks that originate from within the organization. They include malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.
Multiparty risks are those that impact more than one organization. For example, a power outage to a city block is a multiparty risk because it affects all of the buildings on that block. Similarly, the compromise of a SaaS provider’s database is a multiparty risk because it compromises the information of many different customers of the SaaS provider.
Legacy systems pose a unique type of risk to organizations. These outdated systems often do not receive security updates, and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.
Intellectual property (IP) theft risks occur when a company possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization’s business advantage.
Software compliance/licensing risks occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that
The inherent risk facing an organization is the original level of risk that exists before implementing any controls. Inherent risk takes its name from the fact that it is the level of risk inherent in the organization’s business. The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk. An organization’s risk appetite is the level of risk that it is willing to accept as a cost of doing business.
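The notes above describe total risk, the threat-plus-vulnerability intersection rule, the four treatment strategies, residual risk and risk appetite in words. The following Python model is an added example, not part of the original notes: it builds a toy risk register that only creates a risk where a threat pairs with a vulnerability it can exploit, scores total (inherent) risk before safeguards, picks a strategy per risk, and reports the residual risk. The scoring (exposure = asset value × assumed likelihood), the per-risk appetite, the reduction factors and all asset, threat and control values are constructed assumptions, not figures from the notes; the "rejecting or ignoring" strategy is deliberately not modelled because it is not a legitimate treatment.

```python
from dataclasses import dataclass
from enum import Enum


class Strategy(Enum):
    ACCEPT = "accept"        # tolerate the risk as a cost of doing business
    AVOID = "avoid"          # stop the activity that creates the risk
    TRANSFER = "transfer"    # place the cost of loss on another entity
    MITIGATE = "mitigate"    # reduce likelihood with a safeguard


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                 # cost of loss if the asset is compromised
    vulnerabilities: frozenset   # weaknesses present on this asset


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: str        # the vulnerability this threat can exploit
    likelihood: float    # assumed annual probability of successful exploitation


@dataclass(frozen=True)
class Control:
    name: str
    strategy: Strategy
    cost: float
    reduction: float = 0.0   # fraction of likelihood removed (mitigation only)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat

    @property
    def exposure(self) -> float:
        # Assumed scoring for this example: exposure = asset value * likelihood
        return self.asset.value * self.threat.likelihood


def identify_risks(assets, threats):
    """A risk exists only at the intersection of a threat and a vulnerability it can exploit."""
    return [Risk(a, t) for a in assets for t in threats if t.exploits in a.vulnerabilities]


def total_risk(risks):
    """Total (inherent) risk: exposure before any safeguard is applied."""
    return sum(r.exposure for r in risks)


def residual_exposure(risk, control):
    """Exposure left for the organization after applying one control."""
    if control.strategy in (Strategy.AVOID, Strategy.TRANSFER):
        return 0.0   # activity stopped, or the loss is borne by another party
    if control.strategy is Strategy.MITIGATE:
        return risk.exposure * (1.0 - control.reduction)
    return risk.exposure   # ACCEPT: nothing changes


ACCEPT = Control("accept as-is", Strategy.ACCEPT, cost=0.0)


def choose_control(risk, candidates, appetite):
    """Cheapest control that brings exposure within appetite; accept the risk when
    every candidate costs more than the loss it would prevent."""
    worthwhile = [
        c for c in candidates
        if c.cost < risk.exposure - residual_exposure(risk, c)   # cheaper than the loss avoided
        and residual_exposure(risk, c) <= appetite
    ]
    return min(worthwhile, key=lambda c: c.cost, default=ACCEPT)


def plan(assets, threats, controls_by_vuln, appetite):
    """Build the register: total risk, chosen strategy per risk, and residual risk."""
    risks = identify_risks(assets, threats)
    decisions, residual = [], 0.0
    for r in risks:
        c = choose_control(r, controls_by_vuln.get(r.threat.exploits, []), appetite)
        decisions.append((r.asset.name, r.threat.name, c.strategy.value, c.name))
        residual += residual_exposure(r, c)
    return {"total_risk": total_risk(risks), "residual_risk": residual, "decisions": decisions}


# Constructed sample register (illustrative values only)
ASSETS = [
    Asset("customer database", 400_000.0, frozenset({"unpatched-legacy-os", "weak-passwords"})),
    Asset("lobby kiosk", 2_000.0, frozenset({"unpatched-legacy-os"})),
]
THREATS = [
    Threat("ransomware crew", exploits="unpatched-legacy-os", likelihood=0.25),
    Threat("credential stuffing", exploits="weak-passwords", likelihood=0.5),
    Threat("river flood", exploits="basement-datacenter", likelihood=0.05),  # no matching vulnerability: no risk
]
CONTROLS = {
    "unpatched-legacy-os": [
        Control("segment and patch", Strategy.MITIGATE, cost=20_000.0, reduction=0.75),
        Control("decommission legacy host", Strategy.AVOID, cost=60_000.0),
        Control("cyber insurance", Strategy.TRANSFER, cost=30_000.0),
    ],
    "weak-passwords": [Control("enforce MFA", Strategy.MITIGATE, cost=5_000.0, reduction=0.875)],
}

if __name__ == "__main__":
    report = plan(ASSETS, THREATS, CONTROLS, appetite=50_000.0)
    print(f"total risk: {report['total_risk']:,.0f}  residual risk: {report['residual_risk']:,.0f}")
    for asset, threat, strategy, control in report["decisions"]:
        print(f"  {asset} / {threat}: {strategy} ({control})")
```

With the sample data the flood threat produces no risk because no asset carries the vulnerability it exploits, the kiosk's ransomware risk is accepted because every countermeasure costs far more than the loss it would prevent, and the database risks are mitigated, leaving a residual risk well below the inherent total.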