Risk Management Fundamentals

Written by

Aron Lange

Published

Sep 2, 2024

What is Risk?

Risk describes a potential event that may cause harm to an organization: the possibility of adverse outcomes such as financial loss, reputational damage, or operational disruption. It is quantified by assessing the likelihood of the event occurring and the severity of its consequences (impact). In organizational and business contexts, managing risk effectively is essential for protecting assets, ensuring stability, and achieving strategic objectives.



Threat Sources: The Starting Point

According to the National Institute of Standards and Technology (NIST), Threat Sources are defined as the origin of adverse events that could potentially harm an organization's assets and operations. These sources can be intentional or unintentional and can come from a variety of places such as nature, individuals, or organizations.

NIST categorizes Threat Sources into two main types:

  1. Adversarial: These are intentional actions taken by individuals, groups, or organizations with the motive of causing harm or exploiting vulnerabilities. Adversarial threats include hackers, terrorists, insider threats, and even competitors.

  2. Non-Adversarial: These are unintentional actions or natural events that could potentially harm an organization but lack a targeted intent. Examples include natural disasters like floods or earthquakes, accidental data deletion by an employee, or system failures due to a bug.

By understanding the nature and types of Threat Sources as defined by NIST, organizations can better prepare for, and mitigate, various risks that may affect them.

From Threat Sources to Threat Events

Threat Sources initiate Threat Events, which are specific actions or incidents that can potentially harm your organization. For example, a hacker (Threat Source) might attempt to break into your network (Threat Event).

Vulnerabilities: The Weak Spots

Vulnerabilities, or so-called predisposing conditions, are the weak spots in systems and organisations where Threat Events can cause harm. These could be outdated software, weak passwords, or even a staff member who is not trained in security protocols.

Supporting Assets

Vulnerabilities often expose Supporting Assets, which are the various components of your system that aren't core to your business but are still important. These can include:

  • Hardware: Servers, computers

  • Software: Applications, databases

  • Network: Internet connection, firewalls

  • Personnel: Employees, contractors

  • Sites: Physical locations like offices or data centers

Primary Assets

Primary Assets are what your business absolutely needs to function. These can be your main business processes or crucial pieces of information. Supporting Assets enable these Primary Assets to function. For example, a web server hosting an online store (Supporting Asset) enables the sales process (Primary Asset) and is therefore critical to maintaining an organisation's business operations.
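To make the chain described above concrete, here is an added example (not code from the article or its author) of a small risk register in Python. It links a Threat Source to a Threat Event, the Vulnerability it exploits, the Supporting Asset that carries that vulnerability, and the Primary Assets that Supporting Asset enables, then scores each scenario as likelihood multiplied by impact and rolls the worst score up to each Primary Asset. The five-step scales, the banding thresholds and the sample scenarios are assumptions constructed for illustration, not NIST's tables or real data.

```python
"""Constructed risk-register model following the chain
threat source -> threat event -> vulnerability -> supporting asset -> primary asset.
The 1-5 scales, the banding thresholds and the sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Assumed five-step qualitative scale used for both likelihood and impact."""
    VERY_LOW = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    VERY_HIGH = 5


@dataclass(frozen=True)
class ThreatSource:
    name: str
    adversarial: bool  # True for intentional actors, False for accidents and nature


@dataclass(frozen=True)
class SupportingAsset:
    name: str
    category: str              # hardware, software, network, personnel or sites
    supports: tuple[str, ...]  # primary assets (processes or information) it enables


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: a source initiates an event that exploits a
    vulnerability in a supporting asset."""
    source: ThreatSource
    event: str
    vulnerability: str
    asset: SupportingAsset
    likelihood: Level
    impact: Level

    def score(self) -> int:
        # Risk is quantified as likelihood x impact on the assumed 1-5 scales.
        return int(self.likelihood) * int(self.impact)


def band(score: int) -> str:
    """Assumed banding of the 1..25 product into three risk levels."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def risk_by_primary_asset(scenarios: list[Scenario]) -> dict[str, int]:
    """Roll the worst scenario score up to every primary asset it threatens, so a
    weak supporting asset shows up against the business process it enables."""
    worst: dict[str, int] = {}
    for s in scenarios:
        for primary in s.asset.supports:
            worst[primary] = max(worst.get(primary, 0), s.score())
    return worst


def by_source_type(scenarios: list[Scenario]) -> dict[str, int]:
    """Count scenarios per threat-source type (adversarial vs non-adversarial)."""
    counts = {"adversarial": 0, "non-adversarial": 0}
    for s in scenarios:
        counts["adversarial" if s.source.adversarial else "non-adversarial"] += 1
    return counts


# --- constructed sample register (assumed values, not real data) ---
WEB_SERVER = SupportingAsset("web server", "hardware", ("online sales process",))
ORDER_DB = SupportingAsset("order database", "software",
                           ("online sales process", "order fulfilment"))
DATA_CENTER = SupportingAsset("data center", "sites",
                              ("online sales process", "order fulfilment"))

REGISTER = [
    Scenario(ThreatSource("external hacker", True), "network intrusion attempt",
             "outdated software on the web server", WEB_SERVER,
             Level.HIGH, Level.VERY_HIGH),
    Scenario(ThreatSource("employee", False), "accidental data deletion",
             "staff not trained in backup procedures", ORDER_DB,
             Level.MODERATE, Level.HIGH),
    Scenario(ThreatSource("flood", False), "site flooding",
             "data center below the local flood line", DATA_CENTER,
             Level.VERY_LOW, Level.VERY_HIGH),
]

if __name__ == "__main__":
    for s in sorted(REGISTER, key=Scenario.score, reverse=True):
        print(f"{s.score():>2} {band(s.score()):<8} {s.source.name}: {s.event} "
              f"via '{s.vulnerability}' on {s.asset.name}")
    print(risk_by_primary_asset(REGISTER))
    print(by_source_type(REGISTER))
```

The roll-up is the point of the example: the outdated web server only appears once in the register, but because it supports the online sales process, that Primary Asset inherits the highest score, which is how a weakness in a Supporting Asset becomes a business-level risk.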