Risk
Risk is the potential of gaining or losing something of value.
Following the OWASP Risk Rating Methodology [1], risk (R) is estimated as
R = likelihood (L) × impact (I)
where
I is estimated from the technical impact factors and the business impact factors
L is estimated from the threat agent factors and the vulnerability factors
In OWASP's scheme each factor is scored 0 to 9 and the scores within a group are averaged (not multiplied); the averaged likelihood and impact are each mapped to Low, Medium or High and the pair is combined into an overall severity.
R can also be expressed as a function of four factors:
A = the value of the assets
T = the likelihood of the threat
V = the nature of the vulnerability, i.e. the likelihood that it can be exploited (proportional to the potential benefit for the attacker and inversely proportional to the cost of exploitation)
I = the likely impact, the extent of the harm
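The following is an added example, not code from the original notes or from OWASP: a small Python implementation of the OWASP-style rating described above. Factor names follow the OWASP methodology; the two sets of scores (a SQL injection in a public endpoint and a leaked stack trace on an internal network) are constructed for illustration.

```python
"""Risk rating in the style of the OWASP Risk Rating Methodology.

Every factor is scored 0-9, the scores in each group are averaged, the averaged
likelihood and impact are mapped to LOW/MEDIUM/HIGH, and the pair is looked up
in the overall-severity matrix.  Factor names follow the OWASP methodology; the
example scores below are constructed for illustration.
"""

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# Overall severity matrix, indexed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def level(score):
    """Map an averaged 0-9 score to the OWASP likelihood/impact level."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def group_average(scores, factors):
    """Average the scores of one factor group; every factor must be present and 0-9."""
    values = []
    for name in factors:
        if name not in scores:
            raise ValueError(f"missing factor score: {name}")
        v = scores[name]
        if not 0 <= v <= 9:
            raise ValueError(f"score for {name} must be 0-9, got {v}")
        values.append(v)
    return sum(values) / len(values)


def rate_risk(scores):
    """Return likelihood, impact and overall severity for a dict of factor scores.

    Likelihood averages the threat-agent and vulnerability factors together.
    Impact uses the business-impact factors when all are supplied (OWASP prefers
    them), otherwise the technical-impact factors.
    """
    likelihood = group_average(scores, THREAT_AGENT + VULNERABILITY)
    if all(name in scores for name in BUSINESS_IMPACT):
        impact = group_average(scores, BUSINESS_IMPACT)
    else:
        impact = group_average(scores, TECHNICAL_IMPACT)
    l_level, i_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood,
        "likelihood_level": l_level,
        "impact": impact,
        "impact_level": i_level,
        "severity": SEVERITY[(l_level, i_level)],
    }


# Constructed example: SQL injection in an unauthenticated endpoint of a public web app.
EXAMPLE_SQLI = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 5, "privacy_violation": 7,
}

# Constructed example: stack trace leaked in an error page, reachable only internally.
EXAMPLE_STACKTRACE = {
    "skill_level": 3, "motive": 1, "opportunity": 4, "size": 2,
    "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 3,
    "loss_of_confidentiality": 2, "loss_of_integrity": 1,
    "loss_of_availability": 1, "loss_of_accountability": 1,
}

if __name__ == "__main__":
    for name, scores in (("sqli", EXAMPLE_SQLI), ("stacktrace", EXAMPLE_STACKTRACE)):
        print(name, rate_risk(scores))
```

Note that a high likelihood with a low impact only yields MEDIUM, and vice versa: the matrix is what keeps a trivially exploitable but harmless finding from being rated as critical.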
Risk Management
We manage (treat) risk in one of the following ways:
- Risk transference: shift the loss to a third party, e.g. insurance or contractual terms
- Risk avoidance: stop doing the activity that creates the risk
- Risk reduction (also called risk mitigation): apply controls that lower the likelihood or the impact
- Risk acceptance: knowingly retain the risk, usually because treating it would cost more than the expected loss
After the risk has been treated, we assess the residual risk, i.e. what remains after the chosen treatment.
Risk assessment
- qualitative risk assessment: likelihood and impact are ranked on ordinal scales (e.g. Low/Medium/High)
- quantitative risk assessment: expected loss is expressed in money per year
- Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF)
- Annualized Loss Expectancy (ALE) = SLE × Annualized Rate of Occurrence (ARO)
Related availability metrics: MTBF (mean time between failures), MTTF (mean time to failure), MTTR (mean time to repair) and DR (disaster recovery).
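The following is an added example, not part of the original notes: a Python worked example of the quantitative assessment above (SLE = AV × EF, ALE = SLE × ARO), extended with the cost-benefit check that decides between risk reduction and risk acceptance. The asset value, exposure factors, incident rates and control costs are constructed figures; the ARO-from-MTBF helper assumes the MTBF is given in years.

```python
"""Quantitative risk assessment with SLE / ARO / ALE and a control cost-benefit check.

SLE = AV × EF and ALE = SLE × ARO.  A control is worth applying when the ALE it
removes exceeds its own annual cost; otherwise the sensible treatment is to
accept the (residual) risk.  All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0..1
    aro: float              # ARO: expected incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self):
        """Single Loss Expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def aro_from_mtbf_years(mtbf_years):
    """ARO implied by a mean time between incidents expressed in years (assumption)."""
    if mtbf_years <= 0:
        raise ValueError("MTBF must be positive")
    return 1.0 / mtbf_years


def control_value(before, after, annual_control_cost):
    """Yearly net benefit of a control: the ALE it removes minus what it costs to run."""
    return before.ale() - after.ale() - annual_control_cost


def treatment(before, after, annual_control_cost):
    """Choose 'reduce' when the control pays for itself, otherwise 'accept'."""
    return "reduce" if control_value(before, after, annual_control_cost) > 0 else "accept"


# Constructed scenario: a customer database valued at 2,000,000; a breach is assumed
# to destroy 25% of that value, and one is expected roughly every five years.
BREACH = Scenario(asset_value=2_000_000, exposure_factor=0.25, aro=aro_from_mtbf_years(5))

# Same asset after encryption at rest plus monitoring: smaller loss per incident
# and fewer incidents.  What is left is the residual risk.
BREACH_WITH_CONTROL = Scenario(asset_value=2_000_000, exposure_factor=0.05, aro=0.1)

if __name__ == "__main__":
    print("SLE before:", BREACH.sle(), "ALE before:", BREACH.ale())
    print("residual ALE:", BREACH_WITH_CONTROL.ale())
    for cost in (40_000, 120_000):
        print(f"control at {cost}/yr:", treatment(BREACH, BREACH_WITH_CONTROL, cost),
              "net", control_value(BREACH, BREACH_WITH_CONTROL, cost))
```

With these figures the control removes 90,000 of ALE per year: at 40,000 per year it is worth buying (net 50,000), while a 120,000-per-year version would cost more than the loss it prevents, so the correct treatment is to accept the risk.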
[1] OWASP Risk Rating Methodology
[2] Risk rating template example
[3] MITRE Risk impact assessment and prioritization