Read the book Security Awareness For Dummies - Ira Winkler - Page 54

The risk formula


Risk is what your organization has to lose. Depending on your industry, risk can be a probability or a value.

To better understand how risk is defined, consider the visual relationship shown in the structure of the following formula, which I call the risk formula.


As shown in the formula, Risk is the value you have to lose times the probability that loss will occur — which makes intuitive sense. For example, if your organization has a value of $100 million and the probability of loss is 75 percent, your risk is $75 million.

Value is essentially what you have to lose. The probability that you will lose that value is a function of your Threats combined with the Vulnerabilities that allow the Threats to exploit you. If you have no threat, you have no risk. If you have no vulnerabilities, you have no risk. The reality is that you always have threats and vulnerabilities, so unless you have no value, which is inconceivable, you have risk.

When you consider the formula, the only thing offsetting your risk is Countermeasures. Your countermeasures mitigate threats. You won’t mitigate value, because you don’t want your security program decreasing the value of your organization.

For a more thorough discussion of risk, see my book You Can Stop Stupid (Wiley, 2021), which covers the subject in detail.
