1
00:00:00,420 --> 00:00:06,900
In the last couple of lectures, we saw the impact, the threat and the vulnerability, and we

2
00:00:06,900 --> 00:00:10,780
also saw a formula that has risk as its outcome.

3
00:00:11,520 --> 00:00:13,710
So now, what exactly is risk?

4
00:00:13,740 --> 00:00:16,380
What is information security risk?

5
00:00:17,100 --> 00:00:24,720
Information security risk is associated with the potential that threats will exploit the vulnerabilities

6
00:00:24,750 --> 00:00:32,190
of an information asset or a group of information assets and thereby cause harm to an organization.

7
00:00:33,070 --> 00:00:40,660
Now, risk is often expressed in terms of the combination of the consequences of an event and the likelihood

8
00:00:40,870 --> 00:00:41,880
of their occurrence.

9
00:00:42,490 --> 00:00:46,270
So another important formula here that you need to remember is this.

10
00:00:48,190 --> 00:00:55,750
So the formula that I want to actually tell you about is that likelihood, that is this term,

11
00:00:57,060 --> 00:01:05,640
multiplied by the consequence, that is, likelihood multiplied by consequence, gives what we are looking

12
00:01:05,640 --> 00:01:07,500
at right now, which is risk.

13
00:01:08,010 --> 00:01:18,150
So just remember this term: L × C = R, L into C is equal to R. So likelihood, that is, the occurrence of an

14
00:01:18,150 --> 00:01:24,960
event, how often it can occur, how often the event can cause damage, into the consequence of that

15
00:01:24,960 --> 00:01:30,830
event, which means the impact of that event, is equal to the risk an organization will face.

16
00:01:31,800 --> 00:01:36,970
Now, uncertainty about information security objectives is very important.

17
00:01:37,890 --> 00:01:41,520
So here is a friend of yours, the risk severity matrix.

18
00:01:41,880 --> 00:01:45,540
This is the likelihood of the event and this is the consequence.
19
00:01:45,880 --> 00:01:53,010
So if the event is very rare and the consequence is not significant, it is very insignificant, then the

20
00:01:53,010 --> 00:01:54,240
risk is very low.

21
00:01:55,230 --> 00:02:04,290
For example, a low-risk example can be my office being struck by a meteor.

22
00:02:04,710 --> 00:02:14,460
Now, that likelihood is extremely rare and the risk of the consequence is low because after that I

23
00:02:14,460 --> 00:02:15,810
cannot recover the things.

24
00:02:16,290 --> 00:02:17,850
So the risk is also very low.

25
00:02:18,240 --> 00:02:26,550
Now, if an event is likely to happen, I mean, if it happens almost daily, and the impact is

26
00:02:26,550 --> 00:02:32,130
also moderate, then the risk matrix says that the risk is high enough.

27
00:02:33,000 --> 00:02:36,560
For example, a DoS attack on a corporate office is very regular.

28
00:02:37,020 --> 00:02:42,920
There are very high risks of having DoS attacks, but firewalls are placed in order to, you know,

29
00:02:42,930 --> 00:02:43,410
prevent them.

30
00:02:43,500 --> 00:02:50,010
So in the corporate world, you will always have to deal with the risk severity matrix, and auditors

31
00:02:50,010 --> 00:02:56,490
also have to look at this matrix in order to assess and determine the risk for an organization.

32
00:02:58,440 --> 00:03:06,900
Now, the overall process of risk identification, risk analysis and risk evaluation

33
00:03:07,290 --> 00:03:11,080
is nothing but risk assessment.

34
00:03:11,850 --> 00:03:14,070
Now, what is residual risk?

35
00:03:14,070 --> 00:03:21,330
One cannot eliminate the entire risk of an organization; there is some risk that remains after the risk treatment

36
00:03:21,330 --> 00:03:24,060
process, and you have to accept that risk.

37
00:03:24,360 --> 00:03:31,200
And that is the residual risk, which means some risk remains throughout the organization.
38
00:03:33,330 --> 00:03:40,980
So the residual risk is the risk remaining after the risk treatment. Now, risk analysis: the

39
00:03:40,980 --> 00:03:47,710
risk analysis is the process to comprehend the nature of risk and determine the level of risk.

40
00:03:48,660 --> 00:03:50,040
What is risk assessment?

41
00:03:50,610 --> 00:03:58,380
Risk assessment is the overall procedure of risk identification, risk analysis and risk evaluation.

42
00:03:59,940 --> 00:04:02,060
And what is risk acceptance now?

43
00:04:02,160 --> 00:04:02,510
Now,

44
00:04:02,580 --> 00:04:08,620
as I said, the residual risk that remains after the risk treatment process needs to be accepted.

45
00:04:08,970 --> 00:04:16,120
So even though you cannot completely eliminate a threat or risk, some risks need to be accepted.

46
00:04:16,440 --> 00:04:21,450
So the informed decision to take a particular risk, that is acceptance.

47
00:04:22,180 --> 00:04:24,160
What is risk evaluation?

48
00:04:24,210 --> 00:04:25,340
This is important.

49
00:04:25,830 --> 00:04:34,510
So risk evaluation is the process of comparing the results of risk analysis with

50
00:04:34,530 --> 00:04:41,520
the risk criteria to determine whether the risk magnitude is tolerable, whether it

51
00:04:41,520 --> 00:04:43,590
can be mitigated or not.

52
00:04:44,070 --> 00:04:51,150
So this is the complete ISO information security risk management assessment process: first

53
00:04:51,150 --> 00:04:57,330
you have to identify the risk, then you have to evaluate the risk, then you have to treat the risk.

54
00:04:57,380 --> 00:05:03,810
Now there are these four options of the risk treatment process, the risk response, which we will

55
00:05:03,810 --> 00:05:06,860
be seeing in upcoming sections of risk management.

56
00:05:07,350 --> 00:05:11,340
So identify the vulnerabilities, threats, assets.
57
00:05:11,760 --> 00:05:19,170
Then you evaluate those risks, whether they have any impact on the policies or whether they have impact

58
00:05:19,170 --> 00:05:24,660
on the management standard, then treat the risk: you can avoid the risk, you can mitigate the

59
00:05:24,660 --> 00:05:30,840
risk, you can share the risk with different applications and standards, or you can simply accept the

60
00:05:30,840 --> 00:05:31,140
risk.

61
00:05:31,500 --> 00:05:35,520
So this is the complete information security risk assessment process.

62
00:05:35,520 --> 00:05:38,220
And right now you don't need to remember this.

63
00:05:38,230 --> 00:05:45,000
We are going to see each and every thing in the next section, which is on information security risk management.

64
00:05:45,390 --> 00:05:46,290
In that section,

65
00:05:46,290 --> 00:05:50,310
you'll understand this about risk management. For this lecture,

66
00:05:50,640 --> 00:05:56,910
just make sure that we have learned the definition of information security risk and make sure that you

67
00:05:56,910 --> 00:06:04,050
remember this formula which I told you, L × C, that is, likelihood into the consequence,

68
00:06:04,050 --> 00:06:06,720
that is the impact, resulting in the risk.

69
00:06:07,240 --> 00:06:09,300
I will see you in the next lecture.