Risk Management & Related Terms

RISK MANAGEMENT: Risk Management is the process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk.

Risk management involves identifying, measuring, and minimizing uncertain events affecting resources.

Asset: Asset can be defined as something of value to the organization; e.g., information, software systems, employees.

Irrespective of the nature of the assets themselves, they all have one or more of the following characteristics:

  • They are recognized to be of value to the organization.
  • They are not easily replaceable without cost, skill, time, resources, or a combination of these.
  • They form a part of the organization’s corporate identity, without which the organization may be threatened.

It is the purpose of information security personnel to identify the threats to information assets, the potential damage associated with those threats, and the safeguards that protect the assets.

Vulnerability is a weakness in the system safeguards that exposes the system to threats. It may be a weakness in an information system, a cryptographic system (security system), or other components.

For example:

  • Leaving your front door unlocked makes your house vulnerable to unwanted visitors.
  • Short passwords (less than 6 characters) make your automated information system vulnerable to password cracking or guessing routines.

Threat is an action, event or condition where there is a compromise in the system to harm the organization. A threat is any circumstance or event with the potential to cause harm to assets in the form of destruction, disclosure, adverse modification of data, or denial of services.

Exposure (impact) is the extent of loss an organization may incur when a risk materializes.


Likelihood: Likelihood of the threat occurring is the estimation of the probability that the threat will succeed in achieving an undesirable event.

Attack: An attack is an attempt to gain unauthorized access to the system.

Basically, it is a set of actions designed to compromise CIA (Confidentiality, Integrity or Availability), or any other desired feature of an information system.

Countermeasure: An action, device, procedure, technique or other measure that reduces the vulnerability is referred to as a countermeasure.

For example, the well-known threat ‘spoofing the user identity’ has two countermeasures:

  • Strong authentication protocols to validate users; and
  • Passwords should not be stored in configuration files; instead, a secure mechanism should be used.

Similarly, for other vulnerabilities, different countermeasures may be used.


Risk Analysis is defined as the process of identifying security risks and determining their magnitude and impact on an organization.

Risk Assessment includes the following:

  • Identification of threats and vulnerabilities in the system;
  • The potential impact or magnitude of harm that a loss of CIA would have on enterprise operations or enterprise assets.



When risks are identified and analyzed, it is not always appropriate to implement controls to counter them.

Some risks may be minor, and it may not be cost effective to implement expensive control processes for them.


Risk management strategy is explained and illustrated below:

Terminate/Eliminate the risk: It means avoiding an activity that involves risk, e.g., not using the Internet or a public network to avoid security risks.

Treat/Mitigate the risk: It means reducing the probability and severity of the loss, e.g., use of antivirus software.

Transfer/Share the risk: It means transferring the risk to another party, e.g., through insurance coverage.

Tolerate/Accept the risk: It means formally acknowledging that the risk exists and monitoring it. In some cases it may not be possible to take immediate action to avoid/mitigate the risk. These risks are called residual risks.

Turn back: Where the probability or impact of the risk is very low, management may decide to ignore the risk.
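The following worked example is added to these notes and is not part of the original text. It puts the terms above (asset, threat, vulnerability, likelihood, impact, countermeasure, residual risk) into a small risk register and selects one of the five strategies for each entry. It assumes, as the notes do not state, that the expected loss of a risk is likelihood multiplied by impact, that a countermeasure is worth applying only when its cost is below the expected loss it removes (the cost-effectiveness point made in the notes), and that the numeric thresholds, asset names and figures are illustrative.

```python
"""Risk register with strategy selection (added example, not from the original notes).

Assumptions, not stated on the page:
  * expected loss = likelihood (probability per year, 0..1) x impact (loss if realized);
  * a countermeasure is cost-effective only if its annual cost is less than the
    expected loss it removes;
  * the thresholds IGNORE_BELOW and TERMINATE_ABOVE are illustrative values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    likelihood_after: float  # residual probability once the control is in place


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float          # estimated probability the threat succeeds in a year
    impact: float              # exposure: loss if the risk materializes
    countermeasure: Optional[Countermeasure] = None
    transferable: bool = False  # True if another party (e.g. an insurer) will carry the loss

    def expected_loss(self) -> float:
        """Risk magnitude before any treatment (assumed model: likelihood x impact)."""
        return self.likelihood * self.impact

    def residual_loss(self) -> float:
        """Expected loss that remains after the countermeasure, if one is available."""
        if self.countermeasure is None:
            return self.expected_loss()
        return self.countermeasure.likelihood_after * self.impact

    def countermeasure_is_cost_effective(self) -> bool:
        """A control is worth applying only if it costs less than the loss it prevents."""
        if self.countermeasure is None:
            return False
        saved = self.expected_loss() - self.residual_loss()
        return self.countermeasure.annual_cost < saved


IGNORE_BELOW = 100.0         # assumed: below this expected loss the risk is ignored
TERMINATE_ABOVE = 100_000.0  # assumed: above this, an untreatable risk ends the activity


def choose_strategy(risk: Risk) -> str:
    """Map a risk to one of the five strategies described in the notes."""
    expected = risk.expected_loss()
    if expected < IGNORE_BELOW:
        return "turn back"            # probability or impact is very low
    if risk.countermeasure_is_cost_effective():
        return "treat"                # reduce probability/severity with a control
    if risk.transferable:
        return "transfer"             # hand the loss to another party
    if expected > TERMINATE_ABOVE:
        return "terminate"            # avoid the risky activity altogether
    return "tolerate"                 # accept and monitor as residual risk


def assess(register: List[Risk]) -> Dict[str, str]:
    """Return {asset: strategy} for every entry in the register."""
    return {risk.asset: choose_strategy(risk) for risk in register}


# Constructed sample register; all figures are illustrative.
REGISTER = [
    Risk("workstations", "malware infection", "no endpoint protection",
         likelihood=0.6, impact=20_000,
         countermeasure=Countermeasure("antivirus", annual_cost=2_000, likelihood_after=0.1)),
    Risk("data centre", "fire", "single site, no hot standby",
         likelihood=0.01, impact=5_000_000, transferable=True),
    Risk("admin sessions", "credential interception", "administration over public Wi-Fi",
         likelihood=0.3, impact=500_000),
    Risk("lobby display", "defacement", "shared kiosk login",
         likelihood=0.2, impact=2_000,
         countermeasure=Countermeasure("dedicated hardened kiosk", annual_cost=5_000,
                                       likelihood_after=0.0)),
    Risk("internal newsletter", "typo published", "no proofreading step",
         likelihood=0.5, impact=50),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.asset:20s} expected={risk.expected_loss():>10,.0f} "
              f"residual={risk.residual_loss():>10,.0f} -> {choose_strategy(risk)}")
```

The lobby display entry shows the cost-effectiveness point from the notes: a control that removes the vulnerability entirely is still rejected because it costs more than the loss it prevents, so that risk is tolerated as residual risk and monitored. The admin-sessions entry is terminated because no affordable control or transfer exists, matching the notes' example of avoiding public networks.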