Читать книгу Non-financial Risk Management in the Financial Industry - Группа авторов - Страница 52

Information security risk comprises the impacts on an organisation and its stakeholders that can occur due to the threats and vulnerabilities associated with the operation and use of information systems and the environments in which those systems operate. In this sense, information security risk is the risk type that is closest to what is usually called cybersecurity risk, even though the term cybersecurity risk might also include some of the elements of the other sub-types of ICT risk.

The APRA defines IT security risk as “the risk of loss due to inadequate or failed internal processes, people and systems or from external events, resulting in a compromise of an IT asset’s confidentiality, integrity or availability,” basically using the definition of operational risk, specifically applied to IT assets.[82]

The distinguishing factor for information security risk is that this risk does not materialise without an exploitation of vulnerabilities, i.e. it only happens in the case of a successful attack.