💙 Risk is the Heart and Center of GRC

Transcript

Hey, let's back up to risk because I skimmed through it in my live conversation with Dr. Auger there.

So in the course, he enumerates what it is and why we do it. So it's about identifying, assessing, and prioritizing risks. It's about understanding threats and vulnerabilities. Why do we do it? Well, it's to be a compass. It's to help make decisions and navigate. We're trying to reliably achieve objectives. Adding to what's in the GRC Jumpstart course, I've got these definitions of risk, threat, and vulnerability.

What do they really mean? A good reference for that is NIST Special Publication 800-30, the Guide for Conducting Risk Assessments, where it says we have different threat sources. So is there a criminal that wants to steal an asset that we have? Is there an earthquake risk that could take out the power? What's our insider threat situation? What could go wrong? What's the threat event?

There are three ways to get a cybersecurity compromise. Our credentials are stolen, and so now we have unauthorized access from legitimate credentials, but they were stolen: an unauthorized actor is using corporate credentials. There's a vulnerability in software that's exploited. Or there's an insider threat. And so if one of those things could go wrong, the impact of it could be ransomware, a leak of customer data, exfiltration, reputational damage, downtime; different issues can happen. But we need someone, some threat source, to exploit the vulnerability for that event to happen, and then we need to know how adverse that impact is, from very low to very high, on a scale that is provided in NIST SP 800-30.

And then, in understanding how the math works, risk is a function of threats and vulnerabilities. So if you have a vulnerability, that there is no lock on your house's front door, it's not a problem if you never have a threat actor try to open that door. But there's a moderate probability that one will, especially if they don't see a lock, and that's your risk. It's that you don't have a lock on your door and that someone might want to steal assets in your house.

So if you can move out into the country with no neighbors, not in a metropolitan area, your threat goes down because there are fewer threat actors and less probability that someone's going to walk by and see that you don't have a lock. So threat goes down, risk goes down. If vulnerability goes up, say you take the door off of your house, but you move out to the country, maybe those things are a wash and risk stays the same.

And then what would be an example of a threat going up and vulnerability going down? Yeah, okay. So we add a deadbolt and a security camera, but we put a target on our back somehow. Maybe there's a priceless piece of art. I don't know. I'm not an art collector, but something really expensive in a window of your house that is very visible to the public. You've got a top-notch security camera, but what's that going to do, really, when you're probably inviting more threat actors to -- that's another example, if the threat goes up and the vulnerability goes down, of how it's a wash and the risk is kind of the same.

So if we add a deadbolt and add more locks to the door, vulnerability is going down. But the threat can go up if there's something in your house that someone wants to get. And so you've got to do that balancing act of understanding your threat landscape and managing risk to a tolerable level within your risk tolerance.
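To make the "dials" in the analogy above concrete, here is an added worked example (my own code, not material from the GRC Jumpstart course or from Dr. Auger) that scores the house scenarios with the qualitative scale the lesson references. The two lookup tables are reproduced from memory of NIST SP 800-30 Rev. 1, Appendix G (Table G-5, overall likelihood) and Appendix I (Table I-2, risk level), so verify the cells against the published document before reusing them. The scenario names and the Very Low to Very High ratings assigned to each are constructed assumptions chosen to mirror the analogy; the point is to see threat going down, vulnerability going up, and the two cancelling, plus impact as a third dial the analogy only hints at.

```python
"""Qualitative risk scoring in the style of NIST SP 800-30 Rev. 1.

Added worked example, not material from the GRC Jumpstart course.
The two lookup tables are reproduced from memory of Appendix G
(Table G-5, overall likelihood) and Appendix I (Table I-2, risk level);
verify the cells against the published document before reusing them.
The scenarios are constructed to mirror the house-and-front-door analogy.
"""
from dataclasses import dataclass

# NIST SP 800-30 qualitative scale, ordered from least to most severe.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table G-5 (as recalled): rows are the likelihood that a threat source
# initiates the event (the "threat" dial in the lesson); columns are the
# likelihood that an initiated event results in adverse impact, which
# SP 800-30 derives from vulnerability severity and predisposing
# conditions (the "vulnerability" dial). Column order follows LEVELS.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Table I-2 (as recalled): rows are overall likelihood, columns are the
# level of impact if the event occurs. Column order follows LEVELS.
RISK_LEVEL = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_initiation: str  # likelihood a threat source attempts the event
    adverse_impact: str     # likelihood an attempt succeeds (vulnerability side)
    impact: str             # severity of the outcome if it succeeds


def _lookup(table: dict, row: str, col: str) -> str:
    """Read one cell; reject anything outside the five-level scale."""
    if row not in LEVELS or col not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}: got {row!r}, {col!r}")
    return table[row][LEVELS.index(col)]


def overall_likelihood(threat_initiation: str, adverse_impact: str) -> str:
    """Combine the threat and vulnerability dials into one likelihood."""
    return _lookup(OVERALL_LIKELIHOOD, threat_initiation, adverse_impact)


def risk_level(s: Scenario) -> str:
    """Risk = f(overall likelihood, impact), per the Table I-2 matrix."""
    likelihood = overall_likelihood(s.threat_initiation, s.adverse_impact)
    return _lookup(RISK_LEVEL, likelihood, s.impact)


def assess(scenarios) -> dict:
    """Return {name: (overall likelihood, risk level)} for each scenario."""
    return {
        s.name: (overall_likelihood(s.threat_initiation, s.adverse_impact), risk_level(s))
        for s in scenarios
    }


# Constructed scenarios following the lesson's analogy. The level choices
# are illustrative assumptions, not values from the course.
SCENARIOS = [
    Scenario("No lock, house in the city", "Moderate", "Moderate", "High"),
    Scenario("No lock, moved to the country", "Low", "Moderate", "High"),
    Scenario("Door removed, moved to the country", "Low", "Very High", "High"),
    Scenario("Deadbolt and camera, but a visible high-value target", "Very High", "Low", "High"),
    Scenario("Same, but the target is priceless", "Very High", "Low", "Very High"),
]

if __name__ == "__main__":
    for name, (likelihood, risk) in assess(SCENARIOS).items():
        print(f"{name:55} likelihood={likelihood:9} risk={risk}")
```

Run as a script and the first scenario lands at Moderate risk, moving to the country with the same missing lock drops it to Low, removing the door in the country brings it back to Moderate (the "wash" in the lesson), and adding a deadbolt and camera while advertising a target also lands on Moderate. The last scenario keeps the same threat and vulnerability ratings but raises impact to Very High, and the risk rises to High, which is why the impact column in SP 800-30 deserves its own assessment rather than being folded into "threat".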
