Risk analysis is a tool to implement risk management. Before we go on to see the definition of risk analysis, recall that a vulnerability is a “weakness” in the system and the “risk” is a threat agent exploiting that vulnerability.
An example of the three concepts working together: a vulnerability such as an unpatched application is exploited by a threat agent such as a malicious user, and that is what creates the risk. This risk can only be reduced by applying the patch to the application.
Risk analysis is done by the following steps:
a. understanding the vulnerabilities within the organization
b. assessing the value of the assets in the organization
c. calculating the value of safeguards that have to be implemented
d. Is the value of the safeguard greater than the value of the asset? If so, look for cheaper but equally effective safeguards.
Risk can only be reduced (mitigated) or transferred; it cannot be entirely avoided. It is always good to remember that there is no such thing as 100% security!
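To make steps a to d concrete, here is an added illustration (not from the original post) that walks a constructed inventory of assets, vulnerabilities and candidate safeguards through the comparison in step d, and reports when no safeguard is cost-justified so the residual risk must be transferred or accepted. The asset values, safeguard costs and the assumption that a safeguard either fully addresses a vulnerability or not at all are all simplifications made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # step b: what the asset is worth to the organization

@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str  # step a: the asset this weakness exposes

@dataclass(frozen=True)
class Safeguard:
    name: str
    cost: float  # step c: what it costs to implement the safeguard
    mitigates: frozenset  # vulnerabilities it addresses (assumed: all-or-nothing effectiveness)

def select_safeguards(assets, vulns, safeguards):
    """Step d: for each vulnerability choose the cheapest safeguard that
    addresses it and does not cost more than the exposed asset is worth.
    A vulnerability maps to None when no safeguard passes that test, i.e.
    the residual risk has to be transferred or accepted rather than fixed."""
    value_of = {a.name: a.value for a in assets}
    plan = {}
    for v in vulns:
        candidates = sorted((s for s in safeguards if v.name in s.mitigates),
                            key=lambda s: s.cost)
        affordable = [s for s in candidates if s.cost <= value_of[v.asset]]
        plan[v.name] = affordable[0].name if affordable else None
    return plan

# Constructed sample inventory (illustrative figures, not real data).
SAMPLE_ASSETS = [Asset("payroll database", 50_000), Asset("marketing site", 2_000)]
SAMPLE_VULNS = [
    Vulnerability("unpatched app server", "payroll database"),
    Vulnerability("weak admin password", "marketing site"),
    Vulnerability("no backups", "marketing site"),
]
SAMPLE_SAFEGUARDS = [
    Safeguard("patch management", 8_000, frozenset({"unpatched app server"})),
    Safeguard("managed patching service", 60_000, frozenset({"unpatched app server"})),
    Safeguard("password policy", 500, frozenset({"weak admin password"})),
    Safeguard("enterprise backup suite", 12_000, frozenset({"no backups"})),
]

def example_plan():
    """Run the four steps over the constructed sample and return the plan."""
    return select_safeguards(SAMPLE_ASSETS, SAMPLE_VULNS, SAMPLE_SAFEGUARDS)
```

In the sample, the cheaper patch-management option wins for the payroll database, while the backup suite costs more than the marketing site is worth, so that entry comes back as None and has to be handled by transfer or acceptance.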
Jayanthi Manikandan has an undergraduate degree in Computer Science from India and a Master’s degree in Information systems with a specialization in Information security from Detroit, MI, USA.
She has been passionate about Information security and has several years of experience writing on various technical topics. Additionally, she loves to pen a few personal thoughts here as well! 🙂