The business of information security is all about risk management. For the CISSP exam, you need to understand and apply risk management concepts. A risk consists of a threat and a vulnerability of an asset:
- Threat: Any natural or man-made circumstance or event that could have an adverse or undesirable impact, minor or major, on an organizational asset or process.
- Vulnerability: The absence or weakness of a safeguard or control in an asset or process (or an intrinsic weakness) that makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.
- Asset: A resource, process, product, or system that has some value to an organization and must therefore be protected. Assets may be tangible (computers, data, software, records, and so on) or intangible (privacy, access, public image, ethics, and so on), and those assets may likewise have a tangible value (purchase price) or intangible value (competitive advantage).
Remember: Risk = Asset Value × Threat Impact × Threat Probability.
The risk management triple consists of an asset, a threat, and vulnerability.