A threat is any circumstance or event with the potential to cause a loss. A threat can also be thought of as any activity that represents a possible danger. Threats are always present and cannot be eliminated, but they can be controlled. Assets represent anything of value worth protecting.

Threats have independent probabilities of occurring that often are unaffected by an organization’s action. As an example, an attacker may be an expert in attacking web servers hosted on Apache. There is very little a company can do to stop this attacker from trying to attack. However, the company can reduce or eliminate vulnerabilities to reduce the attacker’s chances of success.

Threats can be thought of as attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset. The protection of confidentiality, integrity, and availability is a common security objective for information systems.

FIGURE 1-1 shows these three security objectives as a protective triangle. If any side of the triangle is breached or fails, security fails. In other words, risks to confidentiality, integrity, or availability represent potential loss to an organization. Because of this, a significant amount of risk management is focused on protecting these resources.

• Confidentiality—Preventing unauthorized disclosure of information. Data should be available only to authorized users. Loss of confidentiality occurs when data is accessed by someone who should not have access to it. Data is protected using access controls and encryption technologies.
• Integrity—Ensuring data or an IT system is not modified or destroyed. If data is modified or destroyed, it loses its value to the company. Hashing is often used to ensure integrity.
• Availability—Ensuring data and services are available when needed. IT systems are commonly protected using fault tolerance and redundancy techniques. Backups are used to ensure the data is retained even if an entire building is destroyed.

A vulnerability is a weakness. It could be a procedural, technical, or administrative weakness. It could be a weakness in physical, technical, or operational security. Just as all threats don’t result in a loss, all vulnerabilities don’t result in a loss. A loss to an asset occurs only when an attacker is able to exploit the vulnerability.

Vulnerabilities may exist because they’ve never been corrected. They can also exist if security is weakened either intentionally or unintentionally.

Considering a locked door used to protect a server room, a technician could intentionally unlock it to make it easier to access. If the door doesn’t shut tight on its own, it could accidentally be left open. Either way, the server room and its contents become vulnerable.

A business asset is anything that has measurable value to a company. If an asset has the potential to lose value, it is at risk. Value is defined as the worth of an asset to a business.

Assets can have both tangible and intangible values. The tangible value is the actual cost of the asset and can be expressed in monetary terms, such as $5,000. The tangible assets of a business include its inventory, furniture, and machinery. Examples of tangible IT assets are:

• Computer systems—Servers, desktop PCs, and mobile computers
• Network components—Routers, switches, firewalls, and any other components necessary to keep the network running
• Software applications—Any application that can be installed on a computer system
• Data—Includes the large-scale databases that are integral to many businesses; also includes the data used and manipulated by each employee or customer

The intangible value is value that cannot be measured by cost, such as client confidence or company reputation. Generally acceptable accounting principles (GAAP) refer to client confidence as goodwill.

For example, a company sells products via a website, and it earns $5,000 an hour in revenue. The web server hosting the website fails and is down for two hours. The cost to repair it totals $1,000. What is the tangible loss?

• Lost revenue—$5,000 times two hours equals $10,000
• Repair costs—$1,000
• Total tangible value—$11,000

The intangible value isn’t as easy to calculate but is still important. For example, a customer with an urgent need tried to make a purchase when the website was down. If the same product is available somewhere else, he or she may choose to purchase the product elsewhere. That experience may damage the organization’s reputation in the eye of that customer, and, if the customer’s experience with the other business is positive, the customer may go directly to the second company the next time he or she wants to purchase this product. The loss of this future business cannot be measured, which makes it intangible.

Intangible value includes:

• Future lost revenue—Any additional purchases customers make with another company are a loss to the company whose website was down.
• Cost of gaining the customer—Large sums of money are invested in attracting customers. A repeat customer is much easier to sell to than acquiring a new customer. If a company loses a customer, the company’s investment is lost.
• Customer influence—Customers have friends, families, and business partners. They commonly share their experience with others, especially if the experience is exceptionally positive or negative.
• Reputation—Customers share their negative experience with others, so one customer’s bad experience could potentially influence other current or potential customers to avoid future business transactions.

One of the early steps in risk management is associated with identifying the assets of a company and the assets’ associated costs. This data is used to prioritize risks for different assets. Once a risk has been prioritized, identifying risk management processes to protect the asset becomes easier.

The impact is the amount of the loss, which can be expressed in monetary terms, such as $5,000. The value of hardware and software is often easy to determine. If a laptop is stolen, the purchase or replacement value can be used to determine the value of the stolen laptop. However, some losses aren’t easy to determine. If that same laptop held data, the value of the data is hard to estimate.

Descriptive terms, instead of monetary terms, can be used to explain the impact of a loss. For example, losses can be described in relative terms, such as high, medium, or low, which helps an organization quantify the loss by describing the potential harm. The harm might be to operations, such as the inability to perform critical business functions; assets, such as hardware or facilities; individuals, such as loss of personal information, injury, or loss of life; other organizations, resulting in financial losses or damaged relationships; or the nation, affecting government operations or national security.

Published by the National Institute of Standards and Technology, the Guide for Conducting Risk Assessments (NIST SP 800-30) includes the following scale for assessing the impact of threats to the business’s assets:

• Very high—Indicates multiple severe or catastrophic adverse effects. Severe or catastrophic indicates a loss of critical business functions. This loss might result in major financial losses or serious injuries to personnel.
• High—Indicates a severe or catastrophic adverse effect. Note that high indicates one adverse effect. Very high indicates multiple adverse effects.
• Moderate—Indicates a serious adverse effect. Serious indicates critical business functions are significantly degraded. The organization might still be able to operate but not as effectively as normal. The resulting damage can be significant.
• Low—Indicates a limited adverse effect. Limited indicates critical business functions are degraded. The resulting damage is minor.
• Very low—Indicates a negligible adverse effect. Negligible indicates the impact on critical business functions is small and unnoticeable.