WEBVTT

00:07.430 --> 00:12.470
A threat is a potential source of danger that could exploit a vulnerability, flaw or misconfiguration

00:12.470 --> 00:18.380
within our system and cause adverse consequences within our organizations, assets, operations or

00:18.380 --> 00:19.310
objectives.

00:19.310 --> 00:25.970
Within the slide here, you can see likelihood versus impact, where likelihood is how often or what

00:25.970 --> 00:27.980
is the chance of this occurring.

00:27.980 --> 00:34.880
We could have an impact that is high, i.e. our server crashes, or an impact that is very low, where,

00:34.910 --> 00:39.860
you know, we get a paper cut. When we're looking at likelihood versus impact, we need to take into

00:39.860 --> 00:44.390
account that I could have a very high impact with a very low likelihood.

00:44.390 --> 00:51.110
And while that is still precarious within our system, we may only rate that as a medium flaw or a medium

00:51.110 --> 00:52.730
risk within our system.

00:52.790 --> 00:59.960
Risk versus likelihood or impact versus likelihood is the model that most organizations use to understand

00:59.990 --> 01:06.270
what level of risk I'm willing to undertake based on my system or in my organization. We often do a

01:06.270 --> 01:07.380
risk analysis.

01:07.410 --> 01:11.220
A risk analysis usually encompasses different steps, as you can see here.

01:11.220 --> 01:14.820
But I really want to talk about risk analysis on an everyday basis.

01:14.850 --> 01:19.890
Believe it or not, you as a human being, you do a risk analysis every single day, whether you believe

01:19.890 --> 01:20.520
it or not.

01:20.550 --> 01:25.560
When you get out of bed first thing in the morning, you unconsciously make a risk assessment.

01:25.560 --> 01:28.890
You realize that, hey, I need to pull the blankets out from underneath me.

01:28.920 --> 01:30.570
Very low impact.

01:30.570 --> 01:36.120
If something were to go wrong, very low likelihood that something could go wrong leads to a very low

01:36.120 --> 01:36.750
risk.

01:36.750 --> 01:41.970
When I step out of bed and it's in my own master bedroom, I have a very low likelihood of stepping

01:41.970 --> 01:43.230
on something that I shouldn't.

01:43.260 --> 01:48.000
I also have a very low impact that if I were to step on something, that it could hurt me.

01:48.030 --> 01:50.220
Now let's go back into my kids' bedroom.

01:50.220 --> 01:51.960
They have Legos all over the place.

01:51.960 --> 01:56.940
There are literally Barbie dolls lining the floor waiting to jump out at me and kill my feet.

01:56.970 --> 02:02.070
If I were to accidentally fall asleep in my son or daughter's bed at night because we had company come

02:02.070 --> 02:07.920
over, or something else, then the likelihood of me stepping on something is incredibly high.

02:07.950 --> 02:13.230
The impact is probably medium, although I would consider Legos to be in that critical nature.

02:13.230 --> 02:14.940
Personal abuse aside.

02:14.940 --> 02:21.840
So when we look at the risk matrix for likelihood versus impact, we can see that risk analysis taking

02:21.840 --> 02:22.470
place.

02:22.470 --> 02:25.890
We also do a risk analysis every day when we jump in our car.

02:25.920 --> 02:27.660
Do I plug in my seatbelt?

02:27.690 --> 02:31.650
Do I decide not to wear my seatbelt because I'm only going five miles away?

02:31.680 --> 02:37.350
While there is a legal requirement for me to put my seatbelt on or be ticketed, the fact is that

02:37.350 --> 02:42.600
I still have the option to do it or not to do it, and I can provide that mitigating circumstance against

02:42.600 --> 02:43.650
my risk analysis.

02:43.680 --> 02:45.480
When I decide to drive my car.

02:45.480 --> 02:52.830
If I drive my car to work every morning, I presumptively do a very quick risk analysis before I get

02:52.830 --> 02:53.700
behind the wheel.

02:53.730 --> 02:54.930
Have I been drinking?

02:54.930 --> 02:55.860
No I haven't.

02:55.890 --> 02:57.090
Did I put my seatbelt on?

02:57.090 --> 03:03.180
That's going to mitigate any causes that could be on the road for potential impact against my health.

03:03.180 --> 03:09.390
If I get into a car accident without my seatbelt on, chances of or likelihood of having a major accident

03:09.390 --> 03:13.590
or critical system failure within my internal organs is probably high.

03:13.620 --> 03:19.650
That would raise the impact of me having a hurtful incident. If I put my seatbelt on,

03:19.680 --> 03:24.360
the likelihood of having a hurtful incident on my internal organs goes slightly down.

03:24.360 --> 03:30.060
So I've done a compensating control or mitigating factor against that perceived threat.

03:30.060 --> 03:35.040
And you unconsciously do this every single day. If it's been raining outside,

03:35.070 --> 03:36.450
I make a conscious effort.

03:36.450 --> 03:38.490
Do I want to be driving in this thunderstorm?

03:38.520 --> 03:42.510
Do I want to go out and go get that gallon of milk, or can it wait till tomorrow?

03:42.540 --> 03:46.680
We do risk analysis every single day and believe it or not, so do you.

03:46.710 --> 03:51.300
Whether you realize it or not, within each of our minds we have something called risk tolerance.

03:51.300 --> 03:53.070
And an organization is no different.

03:53.070 --> 03:59.130
If we take my driving the car scenario back into risk tolerance, you have to decide if it's

03:59.130 --> 04:02.820
storming outside and I don't have my seatbelt working properly.

04:02.820 --> 04:08.190
Am I willing to accept that level of risk as I go outside and drive my vehicle?

04:08.220 --> 04:11.460
Chances are yes or no, depending on how slick the roads are.

04:11.490 --> 04:12.990
What if it's a tornado?

04:13.030 --> 04:16.960
Probably not a good idea, but still, there's a risk tolerance level.

04:16.960 --> 04:19.750
There's still people that go out there and chase tornadoes.

04:19.750 --> 04:22.540
Their risk tolerance is probably higher than mine.

04:22.540 --> 04:23.980
What has my past training done?

04:24.010 --> 04:27.520
Has that eliminated the impact or likelihood of something occurring?

04:27.520 --> 04:33.490
What is the tolerance level that I'm willing to accept for my personal well-being as I'm going forward?

04:33.490 --> 04:35.410
Enterprises do the same thing.

04:35.410 --> 04:41.620
They could take a risk and decide, am I willing to accept this risk with your own IT department?

04:41.620 --> 04:46.000
Am I willing to take the risk of having telnet operational within my internal systems?

04:46.000 --> 04:49.240
It's insecure, unencrypted, and open to the public.

04:49.240 --> 04:53.620
If I do telnet, there is a risk that something bad could occur within my systems.

04:53.620 --> 04:59.440
By leaving that port open, my risk tolerance level needs to accommodate that level of risk that I'm

04:59.440 --> 05:00.640
willing to accept.

05:00.640 --> 05:03.070
We also have what's called risk response.

05:03.070 --> 05:06.790
Within risk response, we naturally go through this order.

05:06.790 --> 05:08.590
Am I going to accept the risk?

05:08.620 --> 05:10.870
Let's take my car example once again.

05:10.870 --> 05:16.640
If I decide to go out in the rain wearing a seatbelt to mitigate the risk with the training.

05:16.640 --> 05:22.520
I have to go get a gallon of milk in the middle of a thunderstorm with wet roads, and I decide to go

05:22.520 --> 05:23.330
to the store anyway.

05:23.330 --> 05:24.770
I'm accepting that risk.

05:24.770 --> 05:29.030
I'm accepting the risk that something bad could happen to me. If I decide, you know what?

05:29.030 --> 05:30.020
It's not worth the risk.

05:30.020 --> 05:31.190
I'm going to go back inside.

05:31.190 --> 05:31.610
And you know what?

05:31.610 --> 05:35.210
The kids don't need milk for their cereal, or they can have something else.

05:35.210 --> 05:36.350
I'm avoiding the risk.

05:36.350 --> 05:39.230
I am not taking the car to the store.

05:39.260 --> 05:40.820
That's risk avoidance.

05:40.820 --> 05:46.100
I could also transfer the risk, not so much in our thunderstorm example, but let's say that every

05:46.130 --> 05:50.210
day I get in my vehicle, there is still a risk that an accident could occur.

05:50.210 --> 05:54.620
If that accident occurs and I don't have car insurance, then I get into the accident.

05:54.620 --> 05:56.270
I'm liable for the damages.

05:56.270 --> 05:59.480
I'm liable if something happens to my car and I hit a tree.

05:59.480 --> 06:01.010
I have to pay that fee.

06:01.010 --> 06:02.810
That is a risk that I have

06:02.840 --> 06:07.760
accepted, but if I have insurance, I've transferred that risk to the insurance company.

06:07.790 --> 06:12.920
Yes, there's a deductible, but the insurance company comes in and picks up that cost. That's

06:12.920 --> 06:16.790
known as risk transference, and in an organization, we could do the same thing.

06:16.790 --> 06:23.080
We can take out cybersecurity or incident insurance. We can say, you know what, there is a likelihood

06:23.080 --> 06:25.630
that malware could take place and it could wipe my servers.

06:25.630 --> 06:30.970
I'm going to purchase risk transference or risk insurance against this happening.

06:30.970 --> 06:36.910
I've transferred the risk off of my organization onto the insurance company and paid them to do so.

06:36.940 --> 06:40.450
I can also do risk mitigation, which I believe I've already talked about.

06:40.450 --> 06:40.900
Right.

06:40.900 --> 06:42.190
We tug in our seatbelt.

06:42.190 --> 06:44.140
We're providing a mitigation of risk.

06:44.140 --> 06:46.870
I turn my headlights on because it's storming outside.

06:46.870 --> 06:52.150
I've mitigated a little bit of risk by allowing other drivers to see that, hey, I'm here, my headlights

06:52.150 --> 06:52.630
are on.

06:52.630 --> 06:54.520
Let's not get into a head on collision.

06:54.520 --> 06:56.170
This is risk mitigation.

06:56.170 --> 06:58.570
In our enterprise environment, we could do the same thing.

06:58.570 --> 07:01.690
We could go through and say, you know what, let's turn off that telnet port.

07:01.690 --> 07:02.920
We don't want to deal with that.

07:02.950 --> 07:04.600
We only want to have SSH.

07:04.630 --> 07:08.650
We do network hardening to mitigate as much of the risk as possible.

07:08.650 --> 07:11.920
We're going to put antivirus systems on our client computers.

07:11.920 --> 07:13.420
That's risk mitigation.

07:13.420 --> 07:14.770
Could the malware still get in?

07:14.800 --> 07:15.850
Yes, it could.

07:15.880 --> 07:17.200
We're still accepting that risk.

07:17.200 --> 07:22.210
But we're mitigating it by providing some antivirus software within our client machines.
