Chapter 2.  Day 2 – Security and Risk Management - Risk Management, Business Continuity, and Security Education

This chapter gives an overview of risk management, business continuity, and security education using a high-level illustration. Understanding and applying risk management concepts, threat modeling, and establishing business continuity requirements are some of the main topics covered in this chapter. A brief overview of integrating security risk considerations into information systems' acquisition, strategy, and practice is also covered. Establishing and managing information security education, training, and awareness programs, together with recommended best practices, are addressed towards the end of the chapter.

Overview of risk management, business continuity, and security education

Asset protection forms the baseline for security. Unintended disclosure, unauthorized modification, or destruction of an asset can affect security.

Observe the following illustration:

Fig 1: Overview of risk management, business continuity, and security education

  • Risk to assets arises from threat sources.
  • The asset requires protection from attacks.
  • Protection is based on the value of the assets. The value can be based on monetary value, anticipated loss due to customer dissatisfaction, damage to corporate image, or all of the above.
  • Risk management identifies, assesses, controls, and mitigates risks.
  • Risk management also consists of mechanisms for monitoring, reviewing, communicating, and improving.
  • Risks that compromise the availability of assets and resources are treated through Business Continuity Plans (BCP).
  • Security education is an integral part of risk management.

These concepts are covered in detail in the rest of this chapter.
