Because every countermeasure has flaws, a vulnerability level of zero is unattainable, and so risk can never be completely eliminated. Through proper assessment of vulnerabilities and the implementation of suitable mitigations, however, risk can be reduced substantially.
Risks are of two kinds: intrinsic and extrinsic. Intrinsic risks are inherent to the system itself, such as heat damage to electrical components mounted in a car's engine compartment. Extrinsic risks come from outside forces that may cause or trigger an incident, such as vandalism or fire. Security risks are a form of extrinsic risk: an outside actor, acting deliberately or by accident, exposes the system to an attack vector.
Security risks can be physical, such as an intruder entering your facility with malicious intent; electronic, such as an unauthorised user reaching information by breaking into a computer network; or human, such as an employee handing confidential information to someone who leaks it to a third party. The underlying problem in each case is that no system is completely secure, so any decision to deploy or use technology carries some risk.
The main aim of security is to reduce the risk to an acceptable level by implementing adequate security measures.
Inherent risk is the risk present before any controls are applied, the hypothetical state of having no controls. Residual risk is the risk that remains given the existing system of controls. Residual risk is never zero, because controls are never 100 percent effective.
Controls can be divided into two categories: preventive and reactive. Preventive controls stop incidents before they occur, for example job training and education; reactive controls detect and respond to incidents, for example inspections, audits and safety meetings. Neither kind eliminates risk entirely, but together they provide the basis for reducing it. Training employees to perform tasks correctly, for example, reduces risk by making mistakes less likely.
Management's goal is to reduce the organization's overall risk by implementing preventive and reactive controls. At times an organization faces a level of risk that its normal controls cannot handle, and managers must then decide which risks are worth accepting in order to keep or improve business operations. Deliberately accepting well-understood risk is part of building a business; refusing all risk can itself cause the business to fail.
Risk comes in many forms. In cybersecurity, risk is the possibility of assets or data being lost, damaged or destroyed. A threat is a potentially harmful event, such as the exploitation of a vulnerability.
Confidentiality, integrity and availability are the core principles (tenets) of information security; together they are known as the CIA triad. Every component of an information security program, and every security control an organization implements, should serve at least one of these three objectives.
Threat: anything that can gain access to, harm or destroy an asset by exploiting a vulnerability, whether deliberately or accidentally. Vulnerability: a flaw or shortcoming in our security measures. Risk: the possibility of an asset being lost, damaged or destroyed as a result of a threat exploiting a vulnerability. A vulnerability assessment is the process used to identify vulnerabilities.
Risk avoidance is the practice of refraining from any activity that may be hazardous; the activity is left out of consideration entirely because it is judged too dangerous to conduct. It is distinct from risk mitigation, which reduces the vulnerabilities behind a hazard without abandoning the activity: policy and procedure, training and education, and technology adoption all help to mitigate risk. A risk-averse organization leans towards avoidance where mitigation cannot bring a risk down to an acceptable level.
Risks cannot be eliminated, but they can be managed. Managers should assess risks and take appropriate action to manage them, which may include identifying ways to reduce hazards, implementing preventive measures, and taking remedial action after an incident has occurred.
Choosing a response such as avoidance is one of the three core components of risk management, the others being risk identification and risk assessment.
In finance, risk aversion is the preference for less risky assets and investments over riskier ones. In economics, it is the tendency of individuals or organizations to choose the lower-risk alternative when alternatives with a similar expected return are available. Risk aversion is also the name given to the psychological tendency to prefer safer options even when the choice of action is unconstrained. In finance the term describes investors who withdraw their funds from high-risk stocks and move them into low-risk bonds, cash or savings accounts.
A fail-safe (fail-secure) design keeps a system in a secure state even when part of it fails: a failed component or control denies access rather than granting it. The fail-safe solution therefore prevents an attacker from exploiting the system by deliberately crashing it or one of its controls and walking through the gap that a fail-open design would leave.
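The fail-open versus fail-closed distinction above, shown as an added example that is not part of the original article: an authorization gate that consults a policy backend. The backends, the user and resource names and the `PolicyServiceError` exception are all constructed for illustration. The weak version treats any failure of the check as "no objection"; the hardened version allows access only on an explicit positive answer, so crashing or corrupting the check cannot bypass it.

```python
"""Fail-open vs. fail-closed authorization checks (added example).

Everything here is constructed for illustration: the policy backends,
the allow-list, the user/resource names and PolicyServiceError. A real
deployment would call its own policy service in place of the backends.
"""
from dataclasses import dataclass


class PolicyServiceError(Exception):
    """Raised when the (constructed) policy backend is unreachable."""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# --- constructed policy backends -------------------------------------------

ALLOW_LIST = {("alice", "reports"), ("bob", "reports"), ("alice", "admin")}


def healthy_backend(user: str, resource: str) -> bool:
    """Normal backend: answers from a static allow-list."""
    return (user, resource) in ALLOW_LIST


def crashing_backend(user: str, resource: str) -> bool:
    """Simulates the policy service being down or timing out."""
    raise PolicyServiceError("policy service unreachable")


def garbage_backend(user: str, resource: str):
    """Simulates a corrupted response: a non-empty string, not a bool."""
    return "error: unknown principal"


# --- the two designs --------------------------------------------------------

def authorize_fail_open(user, resource, backend=healthy_backend) -> Decision:
    """WEAK (fail-open): an error in the check is treated as 'no objection'.

    Anyone who can make the policy lookup fail, or make it return something
    truthy that is not a real verdict, is let through.
    """
    try:
        if not backend(user, resource):
            return Decision(False, "denied by policy")
    except PolicyServiceError as exc:
        # Swallowing the error and falling through grants access on failure.
        print(f"warning: policy check failed ({exc}); continuing")
    return Decision(True, "allowed")


def authorize_fail_closed(user, resource, backend=healthy_backend) -> Decision:
    """HARDENED (fail-closed): the only path to 'allowed' is an explicit True.

    Any failure of the control, whether an exception or an answer of the
    wrong type, denies access, so breaking the check cannot bypass it.
    """
    try:
        verdict = backend(user, resource)
    except PolicyServiceError as exc:
        return Decision(False, f"denied: policy check failed ({exc})")
    if verdict is True:  # 'is True' rejects truthy garbage such as strings
        return Decision(True, "allowed")
    return Decision(False, "denied by policy")


if __name__ == "__main__":
    for name, fn in (("fail-open", authorize_fail_open),
                     ("fail-closed", authorize_fail_closed)):
        results = [fn("mallory", "admin", backend=b).allowed
                   for b in (healthy_backend, crashing_backend, garbage_backend)]
        print(f"{name:11s} healthy/down/garbage -> {results}")
```

Run it and the fail-open gate admits "mallory" as soon as the backend is down or returns garbage, while the fail-closed gate denies in both cases and still admits "alice" when the backend is healthy. The key design choice is that the hardened function has exactly one `return` that yields `allowed=True`, and it is reachable only from an explicit boolean `True`.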
A threat is the possibility of something bad happening. A risk exists when a threat is paired with a vulnerability: if rain is a threat to your hair and not having an umbrella is a vulnerability, the two together constitute a risk. Threats are what put risks in motion; they can be natural or human-induced. Common threats include violence, accidents, disasters, crime and illness.
Threats can be divided up into three general categories: external, internal, and logical/scientific.
External threats come from outside sources such as violence, accidents, disasters, and crimes against people or property. They can be natural or man-made: natural external threats include earthquakes, tornadoes, floods and firestorms, while man-made external threats include acts of violence, terrorism and war. Internal threats come from within the person or organization, such as mental illness, addiction and anger problems. Logical/scientific threats are predictions made by scientists, for example about global warming or the health risks that come with longer lifespans; they rest on facts and research rather than on subjective feelings such as anger or greed.
Internal and logical/scientific threats may also be called potential threats, because they may become actual threats at some point in the future.