Vulnerability Assessment

Week 2 - Vulnerability Assessment

Discuss the methods used by security managers to assess various risks and vulnerabilities.

The risk assessment process used by security managers includes the following steps:

1. Identification of risk factors

2. Risk assortment

3. Identification of risk controls

4. Identification of risk impact

5. Creating a risk report

When determining the risks and vulnerabilities of any given organization, a risk profile is created. It includes consideration of the following essential factors:

• Risk triggers/indicators. These could be the political stances of the local government, weather, or even the traffic conditions, based on the business structure.

• Intensity of risk. This signal identifies whether mitigating said risk requires moderate or drastic measures on the company’s behalf. Moderate risk means moderate measures, while immense risk means drastic measures.

• Setting up a mitigation plan. This is the most important element of risk analysis. If the mitigation plan is straightforward, the risk’s intensity is almost always considered to be low or moderate. If, however, the plan is complex, it means that the risk is intense.

• Reporting and tuning. This is the presentation and reporting of risk to the higher-ups. Once risk has been presented, the board may request changes in it, which would require some fine-tuning on the risk assessor’s part.

There are four main ways of managing risk and vulnerabilities:

1. Avoiding the risk. This includes navigating company actions in such a way that the company can completely avoid the risk with no discernible impact on its bottom line. Avoiding risk is rare, but if achieved, it can help companies learn from the risk while facing no reprimand at all.

2. Reducing the risk. This includes reducing the overall impact of the risk by positioning the company in such a way that the company does get impacted, just not as much as it would have if the company did nothing. The goal here is to minimize the impact on the company’s bottom line as much as possible. This is the most common type of risk mitigation tactic employed, and although not as effective, it is much easier to accomplish.

3. Spreading the risk. The goal here is to spread the risk over time, resources, or even the market in such a manner that it impacts the company slowly and in a much more manageable way. This may include facing the repercussions of the risk over a period of time, utilizing a small number of resources each time to mitigate its impact. This is one of the most realistic measures for handling risk, but it requires extensive resources and planning.

4. Transferring the risk. This means “going down and taking the rest with you” or dodging the risk at someone else’s risk. Transferring risk runs the danger of having to take unethical steps to make sure all repercussions of said risk are faced by someone else on your behalf.