Cybersecurity Skills: Day 21 of the 100-Day Learning Journey
Core Understanding of risks, threats, and vulnerabilities
Security risk
Security plans are all about how an organization defines risk. However, this definition can vary widely by organization. As you may recall, a risk is anything that can impact the confidentiality, integrity, or availability of an asset. Since organizations have particular assets that they value, they tend to differ in how they interpret and approach risk.
One way to interpret risk is to consider the potential effects that negative events can have on a business. Another way to present this idea is with this calculation:
Likelihood x Impact = Risk
For example, you risk being late when you drive a car to work. This negative event is more likely to happen if you get a flat tire along the way. And the impact could be serious, like losing your job. All these factors influence how you approach commuting to work every day. The same is true for how businesses handle security risks.
In general, we calculate risk in this field to help:
Prevent costly and disruptive events
Identify improvements that can be made to systems and processes
Determine which risks can be tolerated
Prioritize the critical assets that require attention
The business impact of a negative event will always depend on the asset and the situation. As a security professional, your primary focus will be the likelihood side of the equation: addressing the factors that raise the odds of a problem.
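The calculation above applied to a small risk register, as an added example that is not part of the original post: it scores each entry as Likelihood x Impact on assumed 1 to 5 ordinal scales, ranks entries so the most critical assets come first, marks which scores fall under an assumed tolerance threshold, and shows how a control that only reduces likelihood changes the score. The scales, the threshold, the register entries and the function names are all constructed for illustration.

```python
"""Added worked example (not from the original post): a small risk register
scored with Likelihood x Impact, ranked, and checked against a tolerance
threshold. The scales, threshold and entries are constructed assumptions."""
from dataclasses import dataclass

# Assumed ordinal scales; real risk programs define their own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_TOLERANCE = 8  # assumed threshold: scores at or below this are accepted


@dataclass
class RiskEntry:
    asset: str
    scenario: str
    likelihood: str
    impact: str

    def score(self) -> int:
        """Likelihood x Impact = Risk, on the ordinal scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def tolerable(self) -> bool:
        """A risk the organization can accept without further treatment."""
        return self.score() <= RISK_TOLERANCE


def rank(register):
    """Highest risk first, so the most critical assets get attention first."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


def mitigate(entry, new_likelihood):
    """Model a control that reduces likelihood only (the side defenders
    influence most); impact is a property of the asset and stays unchanged."""
    return RiskEntry(entry.asset, entry.scenario, new_likelihood, entry.impact)


# Constructed sample register (illustrative entries, not real data)
REGISTER = [
    RiskEntry("customer database", "misconfigured app exposes records", "likely", "severe"),
    RiskEntry("server room", "tailgating into restricted area", "possible", "major"),
    RiskEntry("office printer", "paper jam delays a report", "almost certain", "negligible"),
    RiskEntry("access cards", "card lost in parking lot", "possible", "moderate"),
]

if __name__ == "__main__":
    for e in rank(REGISTER):
        status = "accept" if e.tolerable() else "treat"
        print(f"{e.score():>2}  {status:6}  {e.asset}: {e.scenario}")
    patched = mitigate(REGISTER[0], "unlikely")
    print(f"after patching the app: {REGISTER[0].score()} -> {patched.score()}")
```

Note that lowering the database scenario from "likely" to "unlikely" takes its score from 20 to 10, which is still above the assumed tolerance of 8; a control that only nudges likelihood may not be enough on its own, which is why the register is re-scored after each control rather than assumed fixed.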
Risk factors
As you’ll discover throughout this course, there are two broad risk factors that you’ll be concerned with in the field:
Threats
Vulnerabilities
The risk of an asset being harmed or damaged depends greatly on whether a threat takes advantage of vulnerabilities.
Let’s apply this to the risk of being late to work. A threat would be a nail puncturing your tire, since tires are vulnerable to running over sharp objects. In terms of security planning, you would want to reduce the likelihood of this risk by driving on a clean road.
Categories of threat
Threats are circumstances or events that can negatively impact assets. There are many different types of threats, but they are commonly categorized into two types: intentional and unintentional.
For example, an intentional threat might be a malicious hacker who gains access to sensitive information by targeting a misconfigured application. An unintentional threat might be an employee who holds the door open for an unknown person and grants them access to a restricted area. Either one can cause an event that must be responded to.
Categories of vulnerability
Vulnerabilities are weaknesses that can be exploited by threats. There’s a wide range of vulnerabilities, but they can be grouped into two categories: technical and human.
For example, a technical vulnerability can be misconfigured software that might give an unauthorized person access to important data. A human vulnerability can be a forgetful employee who loses their access card in a parking lot. Either one can lead to risk.
Conclusion
Understanding security risks, threats, and vulnerabilities is crucial for effective security planning and incident response. Security risk is defined as anything that impacts the confidentiality, integrity, or availability of an asset, and is calculated using the formula: Likelihood x Impact = Risk. Risk management involves preventing costly events, identifying system improvements, determining tolerable risks, and prioritizing critical assets. Risk factors include threats, which can be intentional or unintentional, and vulnerabilities, which can be technical or human. By addressing these factors, security professionals can reduce the likelihood of negative events and enhance overall security.
Written by
Mallika Gautam
designer & cyber security student :)