
Saturday, 04 April 2015

The prioritization of IT risk

1. How important is the asset (i.e. how much does the car cost)?

2. How vulnerable is the asset to a negative event (i.e. if I rear-end the car in front of me, how well will the car survive the crash)?

3. How likely is it that someone would try to exploit the vulnerabilities (i.e. how good are my driving skills in fog)?

4. What controls do we have in place to protect the asset from these vulnerabilities (i.e. do I have fog lights)?

5. If the controls do not provide sufficient protection, what additional controls can we employ to reduce the risk to an acceptable level (i.e. if I still can't see well enough with the fog lights on, what else can I do to avoid an accident)?

Historically, information security officers, disaster recovery coordinators and others who needed to make operational risk decisions in the workplace answered these types of questions by referring to prior experience and subjective reasoning. If you worked long enough in information security, you would get a good "feel" for the risks and exposures, and your experience would guide your decisions. But try telling the CEO that you want funding for an expensive project that will improve controls when the justification for the request is your "gut feeling" and prior experience. No wonder many senior executives view information security as overblown and inscrutable. Until information security develops tools to objectively identify and measure risk, we will have little credibility with management when explaining the risk options.
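A small quantitative version of the five questions above, added here as an example (it is not from the original post): each asset's residual annual risk is value × vulnerability × likelihood, discounted by the controls already in place; assets are ranked by that figure, and extra controls are picked by risk reduction per unit of cost until an acceptable threshold is reached. All asset names, figures and control names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Control:
    name: str
    effectiveness: float      # fraction of loss events this control stops, 0..1
    annual_cost: float = 0.0  # yearly cost of running it

@dataclass
class Asset:
    name: str
    value: float          # Q1: loss if the asset is fully compromised
    vulnerability: float  # Q2: probability of loss given an attempt, 0..1
    likelihood: float     # Q3: expected attempts per year
    controls: List[Control] = field(default_factory=list)  # Q4: controls in place

    def residual_risk(self, extra: Tuple[Control, ...] = ()) -> float:
        # Annualised expected loss after every control has had its effect.
        survives = 1.0
        for c in list(self.controls) + list(extra):
            survives *= 1.0 - c.effectiveness
        return self.value * self.vulnerability * self.likelihood * survives

def prioritize(assets: List[Asset]) -> List[Tuple[str, float]]:
    # Rank assets by residual annual risk, highest first: what to work on first.
    ranked = sorted(assets, key=lambda a: a.residual_risk(), reverse=True)
    return [(a.name, round(a.residual_risk(), 2)) for a in ranked]

def recommend(asset: Asset, candidates: List[Control], acceptable: float) -> List[str]:
    # Q5: greedily add the control with the best risk reduction per unit cost
    # until residual risk is at or below the acceptable level (or nothing is left).
    chosen: List[Control] = []
    remaining = list(candidates)
    while asset.residual_risk(tuple(chosen)) > acceptable and remaining:
        current = asset.residual_risk(tuple(chosen))
        best = max(remaining, key=lambda c: (current - asset.residual_risk(tuple(chosen) + (c,)))
                   / max(c.annual_cost, 1e-9))
        chosen.append(best)
        remaining.remove(best)
    return [c.name for c in chosen]

# Constructed sample data (not real figures)
DATABASE = Asset("customer database", 500_000, 0.4, 2.0, [Control("firewall", 0.5)])
WEBSITE = Asset("marketing website", 40_000, 0.8, 5.0)
CANDIDATES = [Control("encryption at rest", 0.9, 20_000),
              Control("mfa", 0.7, 5_000),
              Control("dlp", 0.3, 30_000)]

if __name__ == "__main__":
    print(prioritize([DATABASE, WEBSITE]))
    print(recommend(DATABASE, CANDIDATES, acceptable=20_000))
```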

Source: http://get.syr.edu
