Vocabulary flashcards covering key terms and concepts from the lecture notes on risk analysis and cybersecurity risk assessment.
Risk analysis
The process of identifying and evaluating risks (threats and vulnerabilities), together with their impact and likelihood, in order to make informed management decisions.
Risk
The potential for loss or harm from the combination of a threat exploiting a vulnerability, often shown as a risk level.
Threat
A potential source of harm to an asset (e.g., hackers, natural disasters, human error).
Vulnerability
A weakness that can be exploited by a threat to cause harm to an asset.
Asset
Anything valuable to an organization (physical, digital, people, reputation).
Impact
The consequence if a risk materializes (financial loss, downtime, legal issues, reputation damage).
Likelihood
The probability that a risk event will occur (e.g., Rare, Unlikely, Possible, Likely, Almost Certain).
Risk Matrix
A tool that combines likelihood and impact to determine a risk level and prioritize actions.
Risk management
Proactive control and evaluation of risks, including planning and implementing controls.
Risk communication
Exchange of information about risks among stakeholders to inform decisions.
Risk assessment
The hazard-identification component of risk work, focused on identifying safety hazards and the harm they could cause.
Business Impact Analysis (BIA)
Study of the effects of disruptions to critical processes to guide recovery planning.
Failure Mode and Effects Analysis (FMEA)
A method to identify possible failures in processes and reduce their impact.
Needs assessment
Structured process to identify gaps and what a business needs to improve.
Root cause analysis
Identify underlying causes of a problem to prevent recurrence.
5 Whys
A root-cause technique that asks why five times to reach the root cause.
8D
Eight Disciplines problem-solving method used in quality management.
DMAIC
Define, Measure, Analyze, Improve, Control; Six Sigma framework for process improvement.
Qualitative risk analysis
Assessment of likelihood and impact using subjective scales (low/medium/high).
Quantitative risk analysis
Uses numerical models to assign monetary values to risks and compute expected costs.
Security controls
Measures that reduce risk; they may be technical or non-technical, and either preventive or detective.
Preventive controls
Controls designed to prevent incidents from occurring.
Detective controls
Controls that detect incidents as they occur or after they happen.
Monitor and review
Ongoing tracking of risks, updating risk registers, and reassessing risks.
Identify assets
Catalog information assets (data, hardware, software, people) and classify their value/sensitivity.
Identify threats
List threats (human, natural, technical) that could harm assets.
Identify vulnerabilities
Identify weaknesses that threats can exploit.
Assess impact
Determine the financial, legal, operational, and reputational consequences of a risk.
Assess likelihood
Estimate how likely a risk event is to occur.
Risk level
Overall severity of a risk, usually High, Medium, or Low, from likelihood and impact.
Treat the risk
Decide on actions to manage risk: accept, avoid, transfer, or mitigate.
Cybersecurity risk assessment
Risk assessment focused on IT systems and data, guided by threat intelligence.
Threat intelligence
Information about threats and threat actors used to inform risk decisions.