Risk Management Concepts
Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. The CISSP candidate must fully understand the risk management triple: Quantitative (compared with qualitative) risk assessment methodologies, risk calculations, and safeguard selection criteria and objectives.
The business of information security is all about risk management. A risk consists of a threat and a vulnerability of an asset:
Threat: Any natural or man-made circumstance or event that could have an adverse or undesirable impact, minor or major, on an organizational asset.
Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.
Asset: A resource, process, product, or system that has some value to an organization and must therefore be protected. Assets may be tangible (computers, data, software, records, and so on) or intangible (privacy, access, public image, ethics, and so on), and those assets may likewise have a tangible value (purchase price) or intangible ...