Risk analysis is a tool to implement risk management. Before we go onto see the definition of risk analysis, recall that a vulnerability is “weakness” in the system and the “risk” is the threat agent exploiting the vulnerability.
Some examples of the three concepts working together are when a vulnerability like an unpatched application is exploited by a threat agent like a malicious user to create risk. This risk can only be reduced by applying the patch to the application.
Risk analysis is done by the following steps:
a. understanding the vulnerabilities within the organization
b. assessing the value of the assets in the organization
c. calculating the value of safeguards that have to be implemented
d. Is the value of safeguard greater than the value of asset? If so, look for cheaper safeguards but equally effective safeguards.
While risk can only be reduced/mitigated or transferred, it cannot be entirely avoided. It is always good to remember that there is no such thing as 100% security!