9/26/19

Source: NIST 800-30r1 page 12

Risk: the probability (likelihood) that a given threat source will exercise a particular vulnerability and the resulting impact that could occur

Threat: an event or situation that, if it occurred, would prevent the organization from operating in its normal manner

Vulnerability: a weakness

Likelihood: the chance something might occur

Impact: the cost of a threat (quantitative/qualitative)

Countermeasure: mechanism applied to minimize risk

Residual Risk: remaining risk(s) after all countermeasures/controls have been applied

ERM (Enterprise Risk Management): the comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization

Qualitative: uses descriptions and words to measure the likelihood and impact of a risk. For example, impact ratings can be severe/high, moderate/medium, or low; and likelihood ratings can be likely, unlikely, or rare. Qualitative analysis is generally scenario-based

Quantitative: based completely on numerical values. The goal of quantitative analysis is to calculate the probable loss for every risk

Semi-Quantitative: attempts to find a middle ground between the previous two approaches to create a hybrid method

=========

Policy: Direction of Senior Management (Strategic)

Standard: Formalized

Procedure: Step by Step (Tactical)

Guideline: Best Practice Recommendations