Читать книгу The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Страница 120

In security, a risk is the potential for negative impact on the organization, its goals or objectives, or its assets (including people, systems, and data) due to a threat exploiting a vulnerability. You should note that there are dozens of definitions for each of these terms (i.e., risk, threat, and vulnerability) across different industries. We'll discuss these terms further, but it's important to understand that risk lies at the intersection of the three components shown in Figure 1.5.

NOTE There are two classifications of risk that you should be familiar with: inherent risk and residual risk. Simply put, inherent risk is the risk present before any controls are applied, while residual risk is the level of risk that remains after controls are in place. The concept of security controls is discussed later in this chapter.

FIGURE 1.5 Relationship between threats, vulnerabilities, assets, and risks