Welcome to our risk management concepts module on risk assignment and risk acceptance. Risk identification is where we determine the risks that could affect our organization and document the characteristics of those risks. The total risk is the risk that exists before a control is put in place. The residual risk is the risk that remains after we implement safeguards or countermeasures. And the accepted risk is the risk that the company chooses to accept when it does not wish to implement a countermeasure; it is basically choosing to live with the risk of a threat.

We can use formulas to calculate risk when doing a quantitative analysis. For example, if we take the threat times the vulnerability times the asset value, that gives us our total risk. And if we take the total risk times our controls gap, that gives us our residual risk.

On this slide we look at the total risk versus the residual risk. On the left side of the screen we have our initial or inherent risk, before we put any controls in place. You can see that the severity increases from top to bottom, and the likelihood of the threat occurring increases from right to left. So we have a threat that is high severity and high likelihood, a threat that is moderate likelihood and moderate severity, and a threat that is low severity but high likelihood. The exposure areas are information integrity loss, availability loss, disclosure, ethics violations or violations of regulations put in place for our industry, network impact where our systems are taken offline, or even a financial impact where someone steals our money or one of our assets. On the right we have our residual risk after we implement the controls; you can see that we've moved most of our risks into the low likelihood and low severity area. There is, however, one risk pointed out at the bottom that is marked as accepted.
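The two formulas above, applied to a small constructed risk register and then checked against a management risk tolerance to flag which residual risks fall in the accepted band (an added Python example, not part of the lecture; the register rows, scores and tolerance are constructed sample values, and the threat and vulnerability scores are assumed to be probabilities between 0 and 1):

```python
from dataclasses import dataclass


@dataclass
class RiskEntry:
    """One row of a quantitative risk register (constructed sample data)."""
    exposure: str         # exposure area named on the slide, e.g. "disclosure"
    threat: float         # likelihood that the threat acts, 0.0 to 1.0 (assumed scale)
    vulnerability: float  # chance the threat succeeds if it acts, 0.0 to 1.0 (assumed scale)
    asset_value: float    # value of the asset at stake, in dollars
    controls_gap: float   # fraction of risk the control leaves behind (1.0 = no control)


def total_risk(e: RiskEntry) -> float:
    """Inherent risk before any control: threat x vulnerability x asset value."""
    return e.threat * e.vulnerability * e.asset_value


def residual_risk(e: RiskEntry) -> float:
    """Risk that remains after the control: total risk x controls gap."""
    return total_risk(e) * e.controls_gap


def classify(e: RiskEntry, tolerance: float) -> str:
    """'accepted' if the residual risk is within management's tolerance,
    otherwise 'mitigate' (another control, transfer or avoidance is needed)."""
    return "accepted" if residual_risk(e) <= tolerance else "mitigate"


# Constructed sample register. The last entry has no control at all
# (controls_gap=1.0), like the accepted risk pointed out on the slide.
REGISTER = [
    RiskEntry("disclosure", 0.8, 0.5, 200_000, controls_gap=0.1),
    RiskEntry("availability loss", 0.6, 0.4, 150_000, controls_gap=0.5),
    RiskEntry("ethics violation", 0.2, 0.3, 50_000, controls_gap=1.0),
]
TOLERANCE = 10_000.0  # constructed management risk tolerance, in dollars


def assess(register=REGISTER, tolerance=TOLERANCE) -> dict:
    """Map each exposure area to (total risk, residual risk, decision)."""
    return {e.exposure: (total_risk(e), residual_risk(e), classify(e, tolerance))
            for e in register}


if __name__ == "__main__":
    for name, (tot, res, decision) in assess().items():
        print(f"{name:18s} total={tot:>9,.0f} residual={res:>9,.0f} -> {decision}")
```

Note that the uncontrolled entry keeps its full total risk as residual risk; it is only "accepted" because that figure already sits under the tolerance, which is the careful-consideration step the lecture describes rather than ignoring the risk.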
We chose not to place any controls on this particular risk, and simply accept the risk as it stands, without implementing any controls.

In order to manage our risk appropriately, we must take steps to reduce it. One of the most common actions we take is to mitigate the risk to our organization. First, we have to be aware of the risk: once we've completed our risk analysis, our management staff should be well aware of our team's findings. We should then offer a control to mitigate each of the risks. We must know the limits of these controls: although a control can mitigate a risk, it may not be able to completely abolish it, and it is nearly impossible to totally eliminate a risk. We should establish the amount of risk we are willing to accept, based on our management's risk tolerance, since there is always going to be some residual risk even after implementing a control. We should have contingency plans in case a control does not work properly and an incident occurs; there should be an action plan in place that employees can follow to minimize the amount of damage. And we should have cyber incident response plans and disaster recovery plans, so that in the event of an incident we are able to recover quickly, respond to the incident, and take steps to investigate the root cause and identify the individuals who may be responsible.

We have several appropriate responses to risk. First, we can mitigate the risk by reducing or controlling it, such as by implementing cost-effective countermeasures. We can decide to accept a risk, as long as we've given it careful consideration and determined both what we could lose and what the cost of a control would be; we then choose to live with the risk without implementing any countermeasures. We can decide to transfer the risk by purchasing insurance, or by signing a service level agreement (SLA) with a third-party company to provide us with a service.
Or we can avoid a risk by changing the activity that causes the risk. For example, if we have an increased risk of fire because employees are smoking outside our building, we can implement a smoke-free campus policy and totally ban cigarettes from being brought onto the property, to avoid that particular risk.

It is never acceptable to simply ignore a risk. It may be appropriate to decide to accept a risk after you've carefully considered the alternatives, but it is never acceptable to simply ignore it. This is very likely something you will see on the CISSP exam: you may be asked to provide appropriate responses to risk. It is appropriate to mitigate a risk, accept it, transfer it, or avoid it, but it is never acceptable to ignore a risk.

This concludes our risk management concepts module. Thank you for watching.