O'Reilly logo

CISSP For Dummies, 4th Edition by Peter Gregory, Lawrence Miller

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Risk Management Concepts

Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. The CISSP candidate must fully understand the risk management triple: Quantitative (compared with qualitative) risk assessment methodologies, risk calculations, and safeguard selection criteria and objectives.

The business of information security is all about risk management. A risk consists of a threat and a vulnerability of an asset:

check.png Threat: Any natural or man-made circumstance or event that could have an adverse or undesirable impact, minor or major, on an organizational asset.

check.png Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.

check.png Asset: A resource, process, product, or system that has some value to an organization and must therefore be protected. Assets may be tangible (computers, data, software, records, and so on) or intangible (privacy, access, public image, ethics, and so on), and those assets may likewise have a tangible value (purchase price) or intangible ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required