Risk Ecosystem: The Interaction of Risks, Threats, Vulnerabilities, Controls & Procedures

Risk, threat and vulnerability management practices are meant to achieve a minimum level of protection. In practice, that means reducing total risk through the protection that implemented controls provide. Each component of the risk ecosystem has a distinct meaning that must be understood in order to reasonably protect people, processes, technology and data.

Understanding how these components fit together leads to more meaningful and practical risk management, so we made the diagram below to explain those interactions.

[Diagram: Risk Ecosystem - Risks, Threats, Vulnerabilities, Controls & Procedures]

Contextual Definitions

Threat

noun A person or thing likely to cause damage or danger.

verb To indicate impending damage or danger.

Risk

noun A situation where someone or something valued is exposed to danger, harm or loss.

verb To expose someone or something valued to danger, harm or loss.

Vulnerability

A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Control

The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.

Compensating Control

The security controls employed in lieu of the recommended control(s) that provide equivalent or comparable protection for an information system or organization.

Procedure

A set of instructions used to describe a process or procedure that performs an explicit operation or explicit reaction to a given event. The design and implementation of a procedure must be reasonable and appropriate to address the control.

Reasonable

Appropriate or fair level of care. This forms the basis of the legal concepts of "due diligence" and "due care" that pertain to negligence.

Mitigate

To make less severe or painful or to cause to become less harsh or hostile.


About ComplianceForge

ComplianceForge is a leading provider of editable cybersecurity and privacy documentation templates. Our solutions are professionally-written and editable, so that you can tailor the documentation for your specific needs. We offer solutions for NIST Cybersecurity Framework, ISO 27001/2, NIST SP 800-171, Cybersecurity Maturity Model Certification (CMMC), NIST SP 800-53, NIST SP 800-161 and the Secure Controls Framework, in addition to many other program-level documents that you may need to be both compliant and secure.
