(1) A measure of the likelihood and the consequence of events or acts that could cause a system compromise, including the unauthorized disclosure, destruction, removal, modification, or interruption of system assets. (2) The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. (3) It is the chance or likelihood of an undesirable outcome. In general, the greater the likelihood of a threat occurring, the greater the risk. A risk determination requires a sign-off letter from functional users. (4) A risk is a combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting adverse impact. (5) It is the probability that a particular security threat will exploit a system’s vulnerability. Reducing either the vulnerability or the threat reduces the risk. Risk = Threat + Vulnerability.
In RAdAC, access privileges are granted based on a combination of a user’s identity, mission need, and the level of security risk that exists between the system being accessed and a user. RAdAC uses security metrics, such as the strength of the authentication method, the level of assurance of the session connection between the system and a user, and the physical location of a user, to make its risk determination.
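The risk definition above (likelihood of a threat combined with the impact of its consequence) and the RAdAC metrics just listed (authentication strength, session assurance, physical location, mission need) can be turned into a small, inspectable decision procedure. The following Python is an added illustration, not code from the glossary or from any RAdAC implementation; the metric scales, the point weights, the impact levels and the per-resource risk thresholds are all constructed here for the example.

```python
"""Toy risk-adaptive access control (RAdAC) decision, added as an illustration.

Constructed assumptions (none come from the glossary): the enum values, the
0..2 point weights per metric, the 1..5 impact scale and each resource's
accepted risk threshold.
"""
from dataclasses import dataclass
from enum import Enum


class AuthStrength(Enum):
    """Strength of the authentication method (higher is stronger)."""
    PASSWORD = 1
    TWO_FACTOR = 2
    PKI_HARDWARE_TOKEN = 3


class SessionAssurance(Enum):
    """Level of assurance of the session connection (higher is stronger)."""
    PLAINTEXT = 1
    TLS = 2
    MUTUAL_TLS = 3


class Location(Enum):
    """Physical location of the user (higher is riskier)."""
    SECURE_FACILITY = 1
    CORPORATE_NETWORK = 2
    REMOTE = 3


@dataclass(frozen=True)
class AccessContext:
    auth: AuthStrength
    session: SessionAssurance
    location: Location
    mission_need: bool  # does the user currently need this resource?


@dataclass(frozen=True)
class Resource:
    name: str
    impact: int      # consequence of compromise, 1 (low) .. 5 (very high); constructed scale
    max_risk: float  # highest risk score the resource owner accepts; constructed


def likelihood(ctx: AccessContext) -> float:
    """Estimate the likelihood of compromise from the session's security metrics.

    Each metric contributes 0..2 points (weaker auth, weaker session, riskier
    location each add points); the total is normalised to the range 0..1.
    """
    points = (3 - ctx.auth.value) + (3 - ctx.session.value) + (ctx.location.value - 1)
    return points / 6.0


def risk_score(ctx: AccessContext, resource: Resource) -> float:
    """Risk as the glossary frames it: likelihood of compromise times impact."""
    return likelihood(ctx) * resource.impact


def decide(ctx: AccessContext, resource: Resource) -> tuple:
    """Return (allowed, reason). Mission need is a hard gate; risk is compared
    against the threshold the resource owner accepted."""
    if not ctx.mission_need:
        return False, "deny: no mission need"
    score = risk_score(ctx, resource)
    if score > resource.max_risk:
        return False, f"deny: risk {score:.2f} exceeds accepted {resource.max_risk}"
    return True, f"allow: risk {score:.2f} within accepted {resource.max_risk}"


# Constructed sample inputs: one high-impact and one low-impact resource,
# and three users connecting under different conditions.
CROWN_JEWELS = Resource("hr-database", impact=5, max_risk=1.5)
CAFETERIA_MENU = Resource("cafeteria-menu", impact=2, max_risk=1.5)

ONSITE_PKI = AccessContext(AuthStrength.PKI_HARDWARE_TOKEN, SessionAssurance.MUTUAL_TLS,
                           Location.SECURE_FACILITY, mission_need=True)
REMOTE_PASSWORD = AccessContext(AuthStrength.PASSWORD, SessionAssurance.TLS,
                                Location.REMOTE, mission_need=True)
OFFICE_2FA = AccessContext(AuthStrength.TWO_FACTOR, SessionAssurance.TLS,
                           Location.CORPORATE_NETWORK, mission_need=True)
NO_NEED = AccessContext(AuthStrength.PKI_HARDWARE_TOKEN, SessionAssurance.MUTUAL_TLS,
                        Location.SECURE_FACILITY, mission_need=False)

if __name__ == "__main__":
    for who, ctx in [("onsite PKI", ONSITE_PKI), ("remote password", REMOTE_PASSWORD),
                     ("office 2FA", OFFICE_2FA), ("no mission need", NO_NEED)]:
        for res in (CROWN_JEWELS, CAFETERIA_MENU):
            allowed, reason = decide(ctx, res)
            print(f"{who:16} -> {res.name:15} {reason}")
```

The point the example makes is the one in the definition: the same user with the same credentials is allowed to a low-impact resource and refused a high-impact one, because the decision is driven by risk (likelihood times impact) rather than by identity alone, and mission need acts as a gate before any risk arithmetic is done.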
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards (controls) that mitigate this impact. It is a part of risk management and synonymous with risk assessment.
The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. It is part of risk management and synonymous with risk analysis; it incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.
The difference between the minimum clearance/authorization of system users and the maximum sensitivity (e.g., classification and categories) of data processed by a system.
The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, or other organizations resulting from the operation of an information system. It includes (1) establishing the context for risk-related activities, (2) assessing risk, (3) responding to risk once determined, and (4) monitoring risk over time. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. This is a management and preventive control.
Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls and countermeasures recommended from the risk assessment process.
Maintaining ongoing awareness of an organization’s risk environment, risk management program, and associated activities to support risk decisions.
Risk profiling is conducted on each data center or computer system to identify threats and to develop controls and policies in order to manage risks.
The practice of reducing one or more of the factors of risk (e.g., value at risk, vulnerability to attack, threat of attack, and protection from risk).
Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations and assets, individuals, or other organizations.
The level of risk an entity is willing to assume in order to achieve a potential desired result.
A public-key algorithm used to establish keys, generate and verify digital signatures, encrypt messages, and provide key management for the data encryption standard (DES) and other secret key algorithms.
Requires a user to possess a token in addition to a password or PIN (i.e., two-factor authentication). This type of authentication is applied when accessing internal computer systems and e-mail. Robust authentication can also create one-time passwords.