Enterprise Risk Management (ERM)
The evaluation and reaction to risk for the entire organization, not just the risk facing information assets.
Cybersecurity Risk Management
The application of safeguards or controls to reduce the risks to an organization’s information assets to an acceptable level.
Risk Management
The process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated.
Risk Treatment
The reduction of risk, including cybersecurity risk, to an acceptable level. See also risk control.
Risk Control
The reduction of risk, including cybersecurity risk, to an acceptable level. See also risk treatment.
RM Framework
The overall structure of the strategic planning and design for the entirety of the organization’s RM efforts.
RM Process
The identification, analysis, evaluation, and treatment of risk to information assets, as specified in the RM framework.
Risk Management Policy
The managerial directive designed to regulate organizational efforts related to the identification, assessment, and treatment of risk to information assets.
Residual Risk
The risk to information assets that remains even after current controls have been applied.
Risk Appetite
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect cybersecurity and unlimited accessibility.
Risk Tolerance
The assessment of the amount of risk an organization is willing to accept for a particular information asset or set of assets, typically synthesized into the organization’s overall risk appetite. See also risk threshold.
Risk Threshold
The assessment of the amount of risk an organization is willing to accept for a particular information asset or set of assets. See also risk tolerance.
Risk Appetite Statement
A formal document developed by the organization that specifies its overall willingness to accept risk to its information assets, based on a synthesis of individual risk tolerances.
Zero Tolerance Risk Exposure
The extreme end of the risk appetite scale (an appetite of zero), at which the organization is unwilling to allow any successful attack on, or any loss to, an information asset.
Risk Management Plan
A document that contains specifications for the implementation and conduct of RM efforts.
Risk Identification
The recognition, enumeration, and documentation of risks to an organization’s information assets.
Information Media
System elements such as hardware, operating systems, applications, and utilities that collect, store, process, and transmit information. See also system components.
System Components
System elements such as hardware, operating systems, applications, and utilities that collect, store, process, and transmit information. See also information media.
Data Classification Scheme
The assignment of levels of confidentiality to information assets as part of an access control methodology; the scheme is designed to restrict the number of people who can access each asset.
Threat Assessment
An evaluation of the threats to information assets, including a determination of their likelihood of occurrence and potential impact of an attack.
Cyber Hygiene
The individual decisions made and practices used when interacting with computing technology.
Risk Analysis
A determination of the extent to which an organization’s information assets are exposed to risk.
Likelihood
The probability of the successful exploitation of a specific asset’s vulnerability by a threat.
Impact
The potential outcome of the successful exploitation of a specific asset’s vulnerability by a threat. See also consequence.
Consequence
The potential outcome of the successful exploitation of a specific asset’s vulnerability by a threat. See also impact.
Risk Aggregation
The merging or combining of groups of assets, threats, and their associated risks into more general categories to simplify risk assessment.
Uncertainty
The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes.
Risk Determination
The calculation of risk associated with a Threats–Vulnerabilities–Assets (TVA) triplet using a formula based on the methodology employed.
Risk Rating Factor
The quantification of risk present in a Threats–Vulnerabilities–Assets (TVA) triplet, as derived in risk determination.
Risk Rating Worksheet
An extension of the TVA spreadsheet that only includes assets and relevant vulnerabilities along with the risk determination.
Risk Evaluation
The process of comparing an information asset’s risk rating to the numerical representation of the organization’s risk appetite or risk threshold to determine if risk treatment is required.
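Worked example for the Risk Determination, Risk Rating Factor, Risk Rating Worksheet and Risk Evaluation terms above. This is an added illustration, not part of the original study set or of any textbook's worksheet; the set only says the formula "depends on the methodology employed", so the formula used here (likelihood × impact, reduced by the share of risk current controls remove, then widened by an uncertainty allowance) is an assumption, as are the TVA rows, scores and the threshold of 15.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TVATriplet:
    """One Threats-Vulnerabilities-Assets (TVA) row. Field scales are assumptions."""
    asset: str
    impact: float                 # asset value / consequence of a successful attack, 0-100
    threat: str
    vulnerability: str
    likelihood: float             # probability of successful exploitation, 0.0-1.0
    control_effectiveness: float  # fraction of the risk that current controls already remove
    uncertainty: float            # allowance for imperfect knowledge, e.g. 0.10 = 10 %


def risk_rating_factor(t: TVATriplet) -> float:
    """Risk determination for one triplet (assumed formula, see lead-in).

    inherent risk  = likelihood x impact
    residual risk  = inherent risk x (1 - control_effectiveness)
    rating factor  = residual risk x (1 + uncertainty)
    """
    for name in ("likelihood", "control_effectiveness"):
        value = getattr(t, name)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    inherent = t.likelihood * t.impact
    residual = inherent * (1.0 - t.control_effectiveness)
    return round(residual * (1.0 + t.uncertainty), 2)


def risk_rating_worksheet(rows: List[TVATriplet]) -> List[Dict[str, object]]:
    """Risk rating worksheet: asset, vulnerability and rating per row, highest risk first."""
    sheet = [
        {"asset": r.asset, "threat": r.threat,
         "vulnerability": r.vulnerability, "rating": risk_rating_factor(r)}
        for r in rows
    ]
    return sorted(sheet, key=lambda row: row["rating"], reverse=True)


def risk_evaluation(rows: List[TVATriplet], threshold: float) -> List[Dict[str, object]]:
    """Risk evaluation: flag every row whose rating exceeds the numeric risk threshold."""
    return [dict(row, treat=row["rating"] > threshold) for row in risk_rating_worksheet(rows)]


# Constructed sample rows; the scores are illustrative, not measured data.
SAMPLE_ROWS = [
    TVATriplet("Customer database", 90, "External attacker",
               "Unpatched SQL injection in web app", 0.50, 0.60, 0.10),
    TVATriplet("Public web server", 60, "Botnet operator",
               "No upstream DDoS mitigation", 0.30, 0.30, 0.20),
    TVATriplet("Sales laptop", 40, "Opportunistic thief",
               "Device left unattended in vehicle", 0.20, 0.90, 0.10),
]

# Assumed numeric expression of the organization's risk threshold.
RISK_THRESHOLD = 15.0


if __name__ == "__main__":
    for row in risk_evaluation(SAMPLE_ROWS, RISK_THRESHOLD):
        flag = "TREAT" if row["treat"] else "accept"
        print(f'{row["rating"]:6.2f}  {flag:7}  {row["asset"]}: {row["vulnerability"]}')
```

With these inputs the customer database (19.80) and the web server (15.12) exceed the threshold and require risk treatment, while the laptop's residual risk (0.88) is within appetite; the rating of each row is the residual risk that remains after current controls, so the worksheet also documents the residual risk term defined earlier in the set.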
Process Communications
The necessary information flow within and among the governance group, RM framework team, and RM process team during the implementation of RM.
Process Monitoring and Review
The data collection and feedback associated with performance measures used during the conduct of a process.