Risk assessment is a complex, yet necessary, process. Generally
speaking, risk assessment follows this formula: risk = asset value *
threat * vulnerability. As a security manager, in order to perform an
adequate risk assessment, you will need to determine the business focus,
which will in turn give you the value of the IT assets, what the
possible threats are for those assets, and how vulnerable the assets
might be to attack.

Given the previous scenario of a medium-sized retail company with
2000 users, you might determine that assets, such as customer
information or business strategy documents, have a high value to the
business. What would be the most likely threats to those assets? What
would be the most likely vulnerabilities that might expose those assets
to attack? Determine a minimum of three likely threats and three likely
vulnerabilities, and then provide an overview of the probable risk.