Risk analysis means understanding the current state of risk and making an informed decision about which elements require further investigation. Ideally, an organization would want zero risk, but achieving that would require unlimited time and money. Instead, organizations should prioritize strategies that reduce risk to an acceptable level. A pragmatic approach is to decide which risks need to be reduced, and how, based on the business context and the impact those risks would have on the organization. Organizations must therefore analyze threats and vulnerabilities within their own organizational context in order to mitigate risk.
Risk Determination
Risk determination assesses threats and vulnerabilities to estimate the likelihood that known threat sources can exploit identified vulnerabilities, causing one or more adverse events, and the consequences that would follow if the risk is not mitigated.
Based on the simple formula, Risk = Threat x Vulnerability
To reduce risk, we must decrease the threat and/or the vulnerability.
Specifically, these are the elements involved:
- Threat (sources, motivations, capabilities)
- Vulnerability (successful exploitation)
- Control (reduce impact or likelihood)
Understanding threats means understanding their sources, motivations, and capabilities. You should also understand the specific vulnerabilities and the potential for their successful exploitation. Assuming exploitation succeeds, the impact on confidentiality, integrity, and availability (CIA) should be understood. Controls that may limit the impact or reduce the likelihood should also be evaluated. After determining risks, enterprises should define their acceptable level of risk, and security professionals then work to bring risk down to that level. This approach is called risk mitigation.
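As an added illustration that is not part of the original text, the following Python sketches the determination step described above: inherent risk from the page's Threat x Vulnerability formula scaled by CIA impact, controls that reduce likelihood or impact, and a comparison of the residual risk against an acceptable level to decide which risks still need mitigation. The 1-5 rating scales, the multiplicative control factors, and the sample risk register are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    """A control reduces likelihood and/or impact (factors are assumed multipliers, 1.0 = no effect)."""
    name: str
    likelihood_factor: float = 1.0   # e.g. 0.5 halves the likelihood of successful exploitation
    impact_factor: float = 1.0       # e.g. 0.25 limits the CIA consequence to a quarter


@dataclass
class Risk:
    name: str
    threat: int          # 1-5: threat source capability and motivation (assumed scale)
    vulnerability: int   # 1-5: ease of successful exploitation (assumed scale)
    impact: int          # 1-5: worst CIA consequence if exploited (assumed scale)
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> float:
        # Likelihood follows the page's formula (Threat x Vulnerability); impact scales it
        return float(self.threat * self.vulnerability * self.impact)

    def residual(self) -> float:
        # Each control lowers likelihood or impact; the reductions stack multiplicatively
        likelihood = float(self.threat * self.vulnerability)
        impact = float(self.impact)
        for control in self.controls:
            likelihood *= control.likelihood_factor
            impact *= control.impact_factor
        return likelihood * impact


def prioritize(risks: List[Risk], acceptable: float) -> List[Tuple[str, float]]:
    """Return (name, residual risk) for risks still above the acceptable level, highest first."""
    above = [(r.name, r.residual()) for r in risks if r.residual() > acceptable]
    return sorted(above, key=lambda item: item[1], reverse=True)


# Constructed sample register (hypothetical entries, not taken from the page)
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", 5, 4, 4,
         [Control("Web application firewall", likelihood_factor=0.5)]),
    Risk("Phishing against finance staff", 4, 3, 3,
         [Control("Awareness training", likelihood_factor=0.75),
          Control("Multi-factor authentication", likelihood_factor=0.5)]),
    Risk("Stolen laptop", 2, 3, 4,
         [Control("Full-disk encryption", impact_factor=0.25)]),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_REGISTER, acceptable=10.0):
        print(f"needs mitigation: {name} (residual {score})")
```

With an acceptable level of 10, the laptop risk (residual 6.0) is accepted, while the web server (40.0) and phishing (13.5) remain on the mitigation list.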