Risk 101: What Is Risk? - I.crn


RISK 101: WHAT IS RISK?
Fundamental Information for Successful Digital Risk Management

CONTENTS
Managing Digital Risk Together
What Isn’t Risk? Myths and Misconceptions
The Definition(s) of Risk
Key Concepts in Defining Risk: Likelihood and Impact
Understanding Likelihood and Impact
Risk Management Challenges and Considerations
Conclusion

MANAGING DIGITAL RISK TOGETHER
Success Starts with a Common Understanding

In the era of digital transformation, every organization faces both digital opportunity and digital risk. Managing that risk successfully takes an all-hands effort, with risk management and security teams working truly in tandem. But if you ask most technology, business or security leaders for a definition of risk, you are likely to get any number of different answers. There’s clearly a gap between the server room and the boardroom when it comes to what the word “risk” actually means.

That gap in meaning reflects a concern of many participants in the 2018 RSA Cybersecurity and Business Risk Study, 69 percent of whom agree that business risk and IT security personnel tend to use different tools and language, and that this can make communication between them challenging.

As managing digital risk becomes a more critical challenge for organizations undergoing digital transformation, it is important for all involved to have a common understanding of the meaning of risk. This document is intended to help foster that understanding.

69% of business risk and IT security personnel surveyed agree that business risk and IT security personnel tend to use different tools and language, making communications challenging. Source: Enterprise Strategy Group, The RSA Cybersecurity and Business Risk Study, April 2018

WHAT ISN’T RISK? MYTHS AND MISCONCEPTIONS

Many terms are often and easily misunderstood as risk, which is reasonable considering the relationship of some of those concepts to risk. Following are a few examples of terms that are often confused with risk. This applies both to risk in the general sense and in the specific context of digital risk.

THREAT
Threats are people, processes or programs that pose a potential for damage, loss or risk. The term “threat” is often used interchangeably with “risk,” as are the names of specific threats.
Incorrect: “My firm’s biggest risk is ransomware.”
Alternative: “The threat of ransomware is raising my firm’s cyber incident risk.”

VULNERABILITY
Vulnerability is the quality or state of being exposed to the possibility of being attacked or harmed. Vulnerabilities of all types allow threats to negatively affect organizations in various ways, including flaws found in software development and other business processes.
Incorrect: “The fact we don’t have a redundant system is a major risk.”
Alternative: “Our risk of business disruption will increase without a redundant system.”

ASSET
An asset can be a computer or other device that is subject to threats and vulnerabilities, and ultimately can carry some risk. These terms are often conflated incorrectly, such as in situations where assets may be regarded as fundamentally different.
Incorrect: “Cloud applications are our company’s highest risk.”
Alternative: “A compromise of a cloud application we rely on puts us at risk of data theft.”

It is easy to see how such a complex concept can be reduced to a few of its more prominent factors and elements. However, the complexity of risk is exactly the reason it is critical to have a common understanding of the concept, including what it isn’t.

THE DEFINITION(S) OF RISK

The term “risk” can be traced to the ancient Greeks, who used something similar to mean “cliff,” and who eventually established that word as a synonym for “a danger to be avoided.” Today, many different languages have words that carry this concept of “danger” and “avoidance.”

The origins of the term are especially relevant when defining risk in the context of cybersecurity and risk management. Various industry risk frameworks have developed their own definitions of risk that are as nuanced as the standards themselves:

ISO 31000: “Risk is the effect of uncertainty on objectives.”

U.S. National Institute of Standards and Technology Cybersecurity Framework (NIST CSF): “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”

Factor Analysis of Information Risk (FAIR): “Risk is the probable frequency and probable magnitude of future loss.”

Control Objectives for Information and Related Technologies (COBIT 5): “Risk is generally defined as the combination of the probability of an event and its consequence.”

WHAT IS DIGITAL RISK?
Digital risk refers to risk that stems from digital transformation, digital business processes and the adoption of related technologies.

KEY CONCEPTS IN DEFINING RISK: LIKELIHOOD AND IMPACT

While the preceding examples of how to define risk offer a number of perspectives from different sources, two core concepts remain intact across them all:

LIKELIHOOD: the probability of an outcome
IMPACT: the effects of an outcome

Risk is the likelihood and impact of unknown outcomes.

Essentially, if you aren’t thinking in terms of likelihood (probability) and impact (effects), you likely aren’t thinking in terms of risk.

UNDERSTANDING LIKELIHOOD AND IMPACT

The two core concepts within risk—likelihood and impact—are themselves often misunderstood. A clearer view of these concepts is critical to a true understanding of risk.

Likelihood is the probability of an outcome.

“Possibility” is often misunderstood to be probability in this definition.

PROBABILITY: What’s the (mathematical) chance of something happening
POSSIBILITY: The feasibility of something happening

Probability assumes possibility, and seeks to better predict the outcome. While possibility of unknown developments is important to know when assessing probability, the two are not interchangeable.

Because of its uncertainty, likelihood is often expressed in probability or frequency within a defined period. In its more rigorous forms, likelihood can incorporate elements of certainty (e.g., confidence) and more complex mathematical models (where statistically significant data is available) to account for this uncertainty.

Impact is the practical effect of an outcome.

Impact is a wide-reaching concept, and can be applied in various ways in calculating risk. Given the wide scope of digital technology and risk management dependencies, organizations must consider various factors to accurately assess potential impact. Among other facets, impact can be considered on a spectrum of immediate (e.g., productivity losses due to downtime) and long-term (e.g., litigation) losses.

In business settings, impact is ideally realized as monetary loss, but only some existing models have been able to provide a means for organizations to reasonably measure the financial impact of risk. This is the central theme within the FAIR Institute’s FAIR framework, which explicitly seeks to provide financial impact as part of its philosophy.

RISK MANAGEMENT CHALLENGES AND CONSIDERATIONS

Not all risks or strategies are created alike. Despite advances over the past 50 years in understanding and measuring risk, there remain real challenges and areas for improvement. Following are a few important considerations in risk management:

Value
An understanding of risk requires an appreciation of business criticality, which is the relative importance of a business function, product, service or asset to the organization. Risk must be evaluated in the context of what is most important or critical to achieving the strategic objectives of an organization and treated accordingly. The calculations for the likelihood and impact of a threat or vulnerability to a business process (and to the technology that supports it) depend on its importance to business objectives. For example, customer data stored in the cloud may be the lifeblood of a retail organization, while information about recreational opportunities for employees is of considerably lower importance.

Industry
An organization’s risk-management capabilities may be to some extent dictated by the industry in which it operates. Many industries excel at identifying, assessing and managing specific types or sources of risk, and simultaneously struggle with others. For example, banks, credit unions and others in the financial industry, because of the nature of their business, are likely to be highly attuned to data privacy risk and to have appropriate measures in place to manage the risk. But organizations in other sectors may face greater challenges in recognizing and managing those areas of risk.

Quantification
Measuring the financial exposure related to risk is critical to all businesses and especially for digital businesses. Within organizations looking to better understand their risk, both risk-management and security teams will benefit from practical metrics for quantifying risk. Such metrics make it possible to see risk in terms of calculable impact on areas such as the cost of losses to online fraud or cyber threat, fluctuations in share price and other financial measures of business value. Where a “heat map” visualization may have once been adequate to communicate and consider risk, today’s risk-management strategies are best enabled by a quantification of risk, in terms the business can understand and act upon.

Frameworks
Frameworks for assessing and managing risk, including digital risk, can be extremely useful in establishing a baseline for an organization’s ability to manage risk—and mapping a path to risk-management maturity. Standards organizations like ISO, COBIT, NIST and FAIR offer a range of approaches that inform their own and other organizations’ benchmarks and templates to use for this purpose. These approaches are not mutually exclusive, although many take different paths toward similar goals, and foreground some facets over others in the name of industry- and organization-specific current and desired end states.
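As an added illustration (not from the RSA paper or any RSA product), the Python below expresses two constructed scenarios in the FAIR terms the paper cites (probable frequency and probable magnitude), restates frequency as a probability within a defined period, and contrasts the ordinal heat map score with the quantified annual loss; the scenario figures, the bucket edges and the PERT-style averaging are assumptions.

```python
"""Constructed illustration (not from the RSA paper): the same two scenarios
scored on an ordinal heat map and as quantified annual loss, FAIR-style."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # probable frequency: likelihood within a defined period
    loss_min: float         # probable magnitude per event, lower bound (USD)
    loss_mode: float        # most likely loss per event (USD)
    loss_max: float         # upper bound (USD)

    def expected_loss_per_event(self) -> float:
        # PERT mean of a three-point estimate (assumed calibration technique)
        return (self.loss_min + 4 * self.loss_mode + self.loss_max) / 6

    def annualized_loss_expectancy(self) -> float:
        # Quantified risk: probable frequency times probable magnitude
        return self.events_per_year * self.expected_loss_per_event()

    def probability_in_period(self, years: float = 1.0) -> float:
        # Frequency restated as probability: chance of at least one event in
        # the period, assuming a constant average arrival rate (Poisson model)
        return 1.0 - math.exp(-self.events_per_year * years)


def _bucket(value: float, edges: list) -> int:
    """Map a value to an ordinal 1..len(edges)+1 score using ascending edges."""
    return 1 + sum(value >= edge for edge in edges)


def heat_map_score(scn: Scenario) -> int:
    """Ordinal likelihood (1-5) x ordinal impact (1-5): the 'heat map' view."""
    likelihood = _bucket(scn.events_per_year, [0.1, 0.5, 2.0, 10.0])
    impact = _bucket(scn.loss_mode, [1e4, 1e5, 1e6, 1e7])
    return likelihood * impact


def rank_by_ale(scenarios):
    """Scenario names ordered by quantified annual loss, highest exposure first."""
    key = Scenario.annualized_loss_expectancy
    return [s.name for s in sorted(scenarios, key=key, reverse=True)]


# Constructed sample scenarios; the figures are illustrative, not survey data.
RANSOMWARE = Scenario("ransomware", 0.5, 200_000, 1_000_000, 5_000_000)
CLOUD_APP = Scenario("cloud application compromise", 1.9, 100_000, 1_200_000, 2_000_000)

if __name__ == "__main__":
    for s in (RANSOMWARE, CLOUD_APP):  # same heat map cell, very different ALE
        print(f"{s.name}: heat map {heat_map_score(s)}, P(event in a year) "
              f"{s.probability_in_period():.2f}, ALE ${s.annualized_loss_expectancy():,.0f}")
    print("ranked by ALE:", rank_by_ale([RANSOMWARE, CLOUD_APP]))
```

Both scenarios land in the same heat map cell (score 12), yet the quantified annual loss of the cloud application scenario is nearly three times that of ransomware, which is the distinction the quantification paragraph is making.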

CONCLUSION

Understanding risk means understanding business, and the need for business to think both practically and strategically at the same time. In business, the unknown abounds, and organizations of all sizes and stripes spend countless amounts of time, energy and money to understand, anticipate and mitigate the level of risk that comes with pursuing business objectives.

Understanding risk starts with the simple things: a reasonable definition to provide the bedrock of common understanding, and some points for discussion, thought and further research. A common understanding has the potential to change how organizations approach risk, with security and risk-management silos giving way to a united front for managing the risk that comes with taking on digital transformation.

ABOUT RSA

RSA Business-Driven Security solutions provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights and coordinated actions. With solutions for rapid detection and response, user access control, consumer fraud protection and integrated risk management, RSA customers can thrive and continuously adapt to transformational change. For more information, visit rsa.com.

© 2019 Dell Inc. or its subsidiaries. All Rights Reserved. RSA and the RSA logo are trademarks of Dell Inc. or its subsidiaries in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. Published in the USA, 1/19
