CS406: Information Security

Risk Management

Risk management is the process of identifying, assessing, and prioritizing organizational risk. Risk management also includes the creation of organizational processes to address loss exposures, monitor risk control and mitigate the impact of potential risk to the organization. Natural disasters, human error, accidents, legal liabilities, and deliberate attacks from an adversary all pose some degree of risk. This lesson will introduce the concepts and processes associated with risk management.

Risk management and risk assessment are major components of Information Security Management (ISM). The ISO 27000 framework defines risk management as a process that includes four activities:

1. risk assessment


2. risk acceptance


3. risk treatment


4. risk communications

Risk management includes all of the related activities that an organization carries out in order to assess, evaluate and respond to organizational risk. Risk assessment is the process of analyzing risk. This can be performed using a quantitative or qualitative approach. One measures the actual financial impact, the other measures impact on the organization's operations and reputation.

Figure 1 – Components of risk management

Risk analysis uses information to identify possible sources of risk and identify threats or events that could have a harmful impact. Risk analysis also includes the implementation of controls that estimates the risk. A risk evaluation compares the estimated risk with a set of risk criteria. This is done in order to determine how significant the risk really is and helps to prioritize the risks. Risk response is the approach taken to mitigate the threat and reduce the risk impact.

The video, Managing IT Risk: Trends in Global Information Security (12:55), discusses the most important challenges for IT professionals to mitigate the threats that organizations now face in a dynamic technology environment.