Chapter 4

Risk Management


Security is unattainable. What security programs are actually trying to achieve is risk management: in other words, controlling the potential loss cost-effectively. Risk is a combination of value, threat, vulnerability, and countermeasures. Traditionally, a security program strives to implement countermeasures that primarily mitigate the vulnerabilities that, if exploited, would create a loss of value.

This chapter categorizes the factors that contribute to, and mitigate, risk. The goal is not to get rid of all risk, as that is not practical, but to optimize the risk, given the potential loss and available resources.


Keywords: Countermeasures; Malicious; Malignant; Risk; Threat; Vulnerability; Value
