Security exists to manage risk to acceptable levels — not to eliminate it (impossible) or to chase perfection (wasteful). Everything you've learned serves this goal.
| Term | Definition |
|---|---|
| Asset | Something of value (data, system, reputation) |
| Threat | A potential cause of harm |
| Vulnerability | A weakness a threat can exploit |
| Risk | Likelihood × impact of a threat exploiting a vulnerability |
| Control | A safeguard that reduces risk |
| Exposure | Extent of potential loss |
Risk = Likelihood × Impact
A vulnerability with no threat, or a threat with no vulnerability, is low risk. Risk needs all the pieces.
1. Identify assets & their value
2. Identify threats & vulnerabilities
3. Assess risk (likelihood × impact)
4. Treat risk
5. Monitor & review (continuous)
| Option | Meaning | Example |
|---|---|---|
| Mitigate | Reduce likelihood/impact | Add MFA, patch, encrypt |
| Transfer | Shift to another party | Cyber insurance, outsourcing |
| Avoid | Don't do the risky activity | Discontinue a risky feature |
| Accept | Acknowledge and live with it | Low-impact risk, documented sign-off |
You cannot reduce risk to zero. The goal is to bring it within the organization's risk appetite at reasonable cost.
If the ALE (annualized loss expectancy) of a risk is $200k/yr and a control costing $50k/yr cuts it to $20k/yr, the control saves ~$130k/yr — an easy justification.
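The cost-benefit arithmetic above, carried through as a small risk-register calculator. This is an added example, not part of the chapter; the risk, controls, dollar figures and the risk-appetite threshold are constructed to match the numbers in the text (ALE = SLE × ARO, the dollar form of likelihood × impact).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk-register entry (constructed sample data, not a real organization's)."""
    name: str
    sle: float  # single loss expectancy: cost of one incident, in dollars
    aro: float  # annualized rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO (likelihood x impact, in dollars/yr)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_ale: float  # ALE that remains once the control is in place


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual saving the control buys: ALE reduction minus the control's own cost."""
    return (risk.ale - control.residual_ale) - control.annual_cost


def recommend(risk: Risk, controls: list[Control], appetite: float) -> tuple[str, str]:
    """Choose a treatment. 'accept' if the risk already sits inside the risk appetite;
    otherwise 'mitigate' with the highest-net-benefit control that reaches appetite;
    otherwise 'escalate' (transfer or avoid is a business decision, not a calculation)."""
    if risk.ale <= appetite:
        return ("accept", "within appetite; document sign-off")
    viable = [c for c in controls if c.residual_ale <= appetite and net_benefit(risk, c) > 0]
    if not viable:
        return ("escalate", "no cost-effective control reaches appetite; consider transfer or avoid")
    best = max(viable, key=lambda c: net_benefit(risk, c))
    return ("mitigate", best.name)


# Constructed figures matching the chapter: ALE $200k/yr, a $50k/yr control cutting it to $20k/yr.
CRED_THEFT = Risk("credential theft", sle=100_000, aro=2.0)  # 2 incidents/yr x $100k = $200k ALE
MFA = Control("enforce MFA", annual_cost=50_000, residual_ale=20_000)
REBUILD = Control("full zero-trust rebuild", annual_cost=250_000, residual_ale=5_000)

if __name__ == "__main__":
    print(net_benefit(CRED_THEFT, MFA))                              # 130000.0
    print(recommend(CRED_THEFT, [MFA, REBUILD], appetite=25_000))    # ('mitigate', 'enforce MFA')
```

Lowering the appetite to $10k shows the other branch: MFA no longer reaches it and the rebuild costs more than it saves, so the calculator escalates rather than recommending an uneconomic control.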
| By function | By type |
|---|---|
| Preventive (firewall) | Technical (encryption) |
| Detective (IDS, SIEM) | Administrative (policies, training) |
| Corrective (backups, IR) | Physical (locks, cameras) |
| Deterrent / Compensating | |
A balanced program uses all functions and types — defense in depth applied to risk.
Your risk includes your vendors'. Assess third parties (questionnaires, SOC 2 reports, right-to-audit clauses) — a breach at a supplier (Chapter 9) can become your breach.