Threat:
- Definition: Any circumstance or event that can negatively impact assets.
- Example: Social engineering attacks (e.g., phishing)
- Note: Exploits human error to gain private information, access, or valuables.

Risk:
- Definition: Anything that can impact the confidentiality, integrity, or availability of an asset.
- Example: Lack of backup protocols for stored information.
- Note: Likelihood of a threat occurring; rated at different levels (low, medium, high).

Low-risk Asset:
- Information not harmful to an organization's reputation or operations.
- Example: Public information like website content or published research data.

Medium-risk Asset:
- Information not available to the public; may cause some damage.
- Example: Early release of a company's quarterly earnings impacting stock value.

High-risk Asset:
- Information protected by regulations; severe negative impact if compromised.
- Example: Leaked assets with SPII, PII, or intellectual property.

Vulnerability:
- Definition: Weaknesses that can be exploited by a threat.
- Example:
  - Outdated firewall, software, or application
  - Weak passwords
  - Unprotected confidential data
- Note: Both a vulnerability and a threat must be present for there to be a risk.

- Entry-level analysts need to educate and empower people to be more security conscious.
- Measures include identifying phishing emails and implementing access controls.
- Encourage employees to report suspicious activity and actively monitor access to critical assets.
- Understanding threats, risks, and vulnerabilities helps in mitigating risks to business operations.