WEBVTT

00:00:00.990 --> 00:00:04.990
There are assets, threats, and vulnerabilities,

00:00:05.410 --> 00:00:09.420
but a risk assessment is not complete until I've looked at these two

00:00:09.420 --> 00:00:13.670
very difficult areas of risk likelihood and impact.

00:00:14.420 --> 00:00:19.610
If we went back to the diagram we had before of a threat source using a threat

00:00:19.610 --> 00:00:24.160
event to exploit a vulnerability and thereby impact an asset,

00:00:24.600 --> 00:00:29.380
we see that likelihood is used in order to try to determine how

00:00:29.380 --> 00:00:32.650
likely it is that there will be an attack.

00:00:32.780 --> 00:00:38.930
And impact is used to determine what the impact would be if there was an attack.

00:00:40.180 --> 00:00:43.300
Let's take the example of a car accident.

00:00:44.490 --> 00:00:50.000
The car accident is very much a combination of both likelihood and impact.

00:00:50.770 --> 00:00:55.270
There can be a number of different risk factors and predisposing conditions.

00:00:55.630 --> 00:00:58.880
For example, does the car have good tires?

00:00:59.150 --> 00:01:03.370
Bad tires means that we have a predisposing condition which is

00:01:03.370 --> 00:01:05.890
going to be a higher likelihood of an accident.

00:01:06.230 --> 00:01:08.090
Are the roads icy?

00:01:08.710 --> 00:01:09.270
Yeah.

00:01:09.280 --> 00:01:14.770
Or is the driver just a brand-new driver or are they distracted or tired?

00:01:15.470 --> 00:01:19.850
All of these can affect the likelihood of there being an accident,

00:01:20.510 --> 00:01:24.260
but of course, we also have to consider are there other vehicles on the road?

00:01:24.700 --> 00:01:30.470
A person can have a risk in an accident that was by no means their fault,

00:01:30.690 --> 00:01:32.810
somebody else came into their lane.

00:01:33.080 --> 00:01:35.620
And so these are things that are, as we know,

00:01:35.620 --> 00:01:38.370
very often beyond our control as well.

00:01:39.490 --> 00:01:43.810
When we look at the car accident, we see there is a wide variety of impact.

00:01:44.540 --> 00:01:48.260
There can be an impact if a car goes into the ditch,

00:01:48.900 --> 00:01:52.820
but it's probably far more serious if the car hits a tree,

00:01:53.330 --> 00:01:56.560
and even more serious again if the car hits another vehicle.

00:01:57.580 --> 00:01:58.950
Going into the ditch,

00:01:58.960 --> 00:02:02.710
yeah maybe it's just a bit of mud and then needs to be pulled out,

00:02:03.050 --> 00:02:05.540
going into a tree, we've got damage, and so on,

00:02:05.540 --> 00:02:09.070
but when we hit another vehicle, it could be a catastrophic event.

00:02:09.590 --> 00:02:12.930
So the same event, an accident,

00:02:13.010 --> 00:02:16.590
could have a wide variety of different consequences or

00:02:16.590 --> 00:02:19.220
impact depending on the situation.

00:02:20.310 --> 00:02:27.530
So with all of this, hopefully now we can identify what the risks are.

00:02:28.010 --> 00:02:33.040
We come up with a list of incident scenarios, we look at the

00:02:33.040 --> 00:02:37.360
consequence if those were to happen and how that would impact the

00:02:37.360 --> 00:02:40.800
assets and business processes of the organization.

00:02:42.160 --> 00:02:43.630
So the key points review.

00:02:44.520 --> 00:02:49.200
Risk assessment is essential because it's the foundation of the

00:02:49.200 --> 00:02:53.700
decisions we make for a good IT security program.

00:02:53.700 --> 00:02:58.200
As we'll look at, it helps us justify the controls we use,

00:02:58.560 --> 00:03:01.790
it informs management about our level of risk,

00:03:01.960 --> 00:03:06.880
and it demonstrates and gives us a way to measure whether or

00:03:06.880 --> 00:03:09.470
not we are compliant with good practices,

00:03:09.610 --> 00:03:11.170
laws, or standards.

00:03:11.680 --> 00:03:15.500
The results of the risk assessment are the foundation

00:03:15.500 --> 00:03:18.110
of risk treatment or risk response.
