Posted by: Troy Tate
Jotting some quick thoughts here after answering a user post. Thought I would place the same information here for all to see. This list is by no means complete and your thoughts are always welcome.
Some ways to measure risk include asking:
- How valuable is the asset?
- How much of a threat exists?
- What is the impact if the system/service is exploited?
- Is the vulnerability rated high/medium/low?
- Can the risk be reduced?
- How easily can it be reduced, considering costs, technology, staffing & skills?
- What is the probability of the vulnerability being exploited?
In other words, you are asking yourself:
- What are you protecting?
- What can happen to it, and how can it happen?
- What does it mean to the business?
- How can the risk be reduced?
- How likely is it to happen given the existing conditions?
Risk assessment goal: identify & prioritize risks.
Risk management goal: manage risks to an acceptable level. This can be done by:
- Mitigate: select controls; implement; monitor
- Transfer: purchase insurance
- Accept: do nothing
- Avoid: discontinue activity
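To show how the questions above turn into a ranked list and one of the four treatment decisions, here is a small risk-register script. It is an added example, not part of the original post; the 1-5 scales, the multiplicative scoring, the "acceptable" threshold and the sample entries are all assumptions made up for illustration.

```python
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}  # vulnerability rating from the post


@dataclass
class Risk:
    name: str
    asset_value: int             # 1-5: how valuable is the asset?
    threat: int                  # 1-5: how much of a threat exists?
    impact: int                  # 1-5: impact to the business if exploited
    vulnerability: str           # "high" / "medium" / "low"
    probability: float           # 0-1: likelihood of exploitation under existing conditions
    mitigation_cost: int         # 1-5: cost in money, technology, staffing and skills
    residual_probability: float  # 0-1: likelihood once the proposed control is in place
    insurable: bool = False      # can the loss be transferred to an insurer?

    def score(self, probability=None):
        """Relative score for ranking only; the multiplicative weighting is an assumption."""
        p = self.probability if probability is None else probability
        return self.asset_value * self.threat * self.impact * RATING[self.vulnerability] * p


def prioritize(risks):
    """Risk assessment goal: identify and prioritize, highest score first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def treatment(risk, acceptable=20.0, max_cost=3):
    """Risk management goal: bring each risk to an acceptable level (constructed thresholds)."""
    if risk.score() <= acceptable:
        return "accept"      # already within appetite: do nothing
    residual_ok = risk.score(risk.residual_probability) <= acceptable
    if residual_ok and risk.mitigation_cost <= max_cost:
        return "mitigate"    # select controls, implement, monitor
    if risk.insurable:
        return "transfer"    # purchase insurance
    return "avoid"           # discontinue the activity


# Constructed sample register (invented values, not from the post)
REGISTER = [
    Risk("unpatched web server", 4, 4, 4, "high", 0.6, 2, 0.1),
    Risk("printer firmware", 1, 2, 1, "medium", 0.3, 1, 0.1),
    Risk("legacy payroll app", 5, 3, 5, "high", 0.5, 5, 0.05, insurable=True),
    Risk("test VM on production VLAN", 3, 4, 3, "high", 0.7, 5, 0.2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():6.1f}  {r.name:28s} -> {treatment(r)}")
```

Running it ranks the web server and payroll app first; the payroll fix is judged too expensive, so insurance is the suggested route, while the test VM cannot be brought within the threshold and is flagged for removal.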
Thanks for your time. Let’s be good network citizens together & practice safe networking!