In this article, I will use layman’s terms and descriptions to help you understand the various fundamental concepts of Risk Management in Information Security.

To illustrate those concepts, I like to use a popular diagram[1] from Common Criteria, shown below:

In the center of this diagram you’ll find the term vulnerabilities. A vulnerability is any weakness in a system that could be exploited. A system always contains vulnerabilities. You cannot build a 100% perfect system with no vulnerabilities, even with unlimited power, money, and time. All systems are built from imperfect components, and integrating imperfect components produces an imperfect system that always possesses certain vulnerabilities.

Threats are elements from various sources that can exploit vulnerabilities and thereby increase risk. Risk is the likelihood that a threat exploits a vulnerability and damages or abuses one of the system’s assets, weighed against the impact of that damage. Assets can be tangible (such as hardware and software) or intangible (such as goodwill and customers’ confidence).

Threats originate from threat agents. The most common threat agent for IT systems is people, who can exploit a system’s vulnerabilities either accidentally or intentionally and so impact the IT system.

In order to manage risk, we deploy countermeasures (controls) to a system to reduce its vulnerabilities. The decision to deploy particular countermeasures, reducing the vulnerabilities and hence the risk, rests solely with the information owner, who bears all consequences arising from the risk.

In a formal risk management exercise, an organization works systematically through its assets to discover every threat that could exploit the vulnerabilities of a system. The difficult part of this step is not deciding whether a given threat poses a risk to the system, but the effort required to enumerate all possible threats. Anything overlooked becomes an unidentified risk, and a risk that has not been identified cannot be countered.

It is of the utmost importance for the owner (the “Owners” in the diagram) of an organization to identify, to the very best of his or her effort and knowledge, all possible threats to its information system, in order to fulfill fiduciary duties to customers and other stakeholders. Without knowing what the risks are, it is impossible to implement suitable countermeasures to contain and mitigate them.


[1] Picture from Common Criteria, p.14

Tags: Vulnerability, Countermeasure, Security Controls, Risk mitigation, Information Security Management, Information Risk Management