In this lesson, I'm going to discuss risk. By the end of this lesson, you're going to understand and be able to discuss what risk is, be able to discuss the five areas of risk, and give an example for each of those five areas.

Let's talk about the definition of risk. There are many different definitions of risk, so I picked one out: Webster's dictionary, under 3A, defines risk as the chance of loss or the perils to the subject matter of an insurance contract; also, the degree of probability of such loss. In other words, in security, it's the probability of loss in one of the three areas of security, one of the three pillars of the CIA triad: a loss of confidentiality, a loss of integrity, or a loss of availability. If we're able to identify a risk, there is something that could collapse one of those pillars.

Risk is everywhere, no matter what you're doing. Even watching this video: if you're on a time schedule and only have one week to complete it, there's a risk that your Internet connection goes down, a risk that you won't be able to understand the video, or that you won't be able to download some of the slides. There's risk in traveling; there's risk anywhere and everywhere. However, we can break risk down into five different areas. If we look at information systems and the services that we offer, we can basically boil risk down to these five categories: the what, where, when, how, and why of risk.

Let's first talk about the what of risk. What we access might compromise security, and this could actually affect all three pillars of the CIA triad. Think about the way that you access the Internet, or, if you're in an organization, think about the information that your employees are accessing.
What they are accessing could have an effect on the overall stability of their systems or the organization's systems. Software installation is another area of risk that could be a problem. If we have too much software on our computers, they run slower; or, if we don't have the right software, we are not able to be productive, okay? Non-business use of computing devices is also a what of risk. BYOD, bring your own device, speaks to this point. Non-business use of computing devices means things like your hand-held phones. If the company doesn't pay for that device and an employee puts it on the network, what is that device going to do to your network?

A great example of this is torrenting software. Torrenting software is not necessarily illegal; however, what you download with it could be. So think about how your employees are accessing, or what they are accessing, using torrenting software. For example, I use torrenting software all the time to download Linux distributions, because it is the fastest way to download those. However, I'm definitely not going to download music or movies that way, because it is illegal according to US law. When I was an information security officer, we constantly saw DMCA violations, which stands for Digital Millennium Copyright Act; these were people basically violating the law by downloading torrented movies.

Let's talk about the where of risk now. Where we connect to could pose a problem for the integrity of our systems, even the confidentiality of our systems. Think about how mobile users are accessing your company's information, or think about how you're watching this video right now. Are you 100% certain that your connection is secure? If you're not on your company's VPN, how do you know who owns that network, and is it a trustworthy network? We call these trusted versus untrusted networks.
A trusted network is one where we know who maintains it and we really trust the security that they put in place. Untrusted networks are places where we don't know who owns them and we don't trust them, because we don't know the owner. Think about coffee shops or airport WiFi. Those are two places where we have no idea who operates the network. What if the coffee shop doesn't have WiFi, and all of a sudden you connect to a wireless network in that coffee shop? How do you know that it is the coffee shop's WiFi connection? It could be somebody trying to steal your information or eavesdropping on your conversations.

Let's talk about when. The when of risk really comes into play when there are large events. Think about the news. Every time you read some big news article, what happens if you get emotionally involved in that news, in the story? Let's think about big events: there could be tornadoes, there could be earthquakes, there could be tsunamis, there could be some kind of disaster out there. Even though it's a great time for you to jump in and help, there are a lot of scams going on at the same time. So you need to understand that scammers are very active when this stuff happens. If you're not paying attention, or your employees aren't paying attention, they may inadvertently cause risk to the organization by clicking on something they shouldn't to read a news article, or paying for something they shouldn't be paying for. A good example of this is donating to the Red Cross. There are many sites out there that mimic what the Red Cross does during natural disasters, and that money could be used by some malicious actor.

Now the how of risk. The how of risk comes in the form of not adhering to security best practices. If we don't follow security best practices, or whatever the information security office tells us to do, or the principles surrounding the CIA triad, we may have additional risk.
The more knowledge we have, the less risk is involved in doing something that could compromise security. For example, if you're in executive management watching these videos, think about how your corporate security is applied. Just knowing that you should go to your security office before you do something is a good idea; you have more knowledge than somebody who isn't watching these videos, for example. We talked about, or are going to talk about, ports and protocols. An example here is using FTP instead of SFTP. File Transfer Protocol, or FTP, is an insecure file transfer method, whereas SFTP, or secure file transfer protocol, is the secure way to do it. So having knowledge of how things work and how things interoperate puts you in a much better position from a risk perspective.

Lastly, the why of risk. Logical reasoning and knowledge of why we use the best practices lessens our risk in general. We don't just do what somebody else tells us to do. This goes back to anything that we've ever learned before. If we follow the crowd, for example, and they do something that's harmful, instead of investigating whether it's harmful to us? Well, probably it is. Risk increases when reasoning and common sense are not applied: clicking on that link that you know you shouldn't, opening an email that you know you shouldn't, or surfing the web in a coffee shop. When logical reasoning is not applied, we have risk. For example, using unsanctioned file sharing services for storing data, because it's easier. I use the example of OneDrive, which we have sanctioned at the university for storing data. The reason we do this is because we have an enterprise agreement that has certain stipulations about the security of that service and the security of our files, and we know that we can obtain that data in case anything ever happens to it. Now think about somebody who's using Dropbox, for example.
Dropbox, to me, has been an issue because we don't have that security; we don't know that that security is in place. If a user forgets their password, how are they going to recover it if they can't remember anything associated with that account? Is the data lost? What about regulated data, such as government data for grants? Would you go with OneDrive, which is sanctioned for use in the US and is on US servers only, or would you go with some other service which may store data overseas and thereby violate the grant terms? We need to think about all these things when we talk about risk, because they could lessen the security of one of the three pillars.

Some things in risk cannot change. Operating systems, for example: we cannot change the way operating systems run. We can enhance their security, but we cannot actually mess with the code. Commercial products: we may be able to customize commercial products here and there, but we're not able to rewrite the source code. What about users who refuse to follow best practices, like using Dropbox instead of OneDrive? Now, I'm not saying Dropbox is bad, but is it sanctioned for the organization? You need to assess the risk of whatever you are using and apply common sense. It is up to you and your organization to identify the risk in each of these areas and think about the five questions that we have: what you're doing, where you're doing it, when, how, and why.
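As an added example that is not part of the lesson, here is a small Python script that applies the what (torrent traffic), where (untrusted network), how (FTP instead of SFTP) and why (unsanctioned file sharing) checks discussed above to a few constructed log lines. The log format, the trusted 10.0.0.0/8 range and the unsanctioned-service list are assumptions for illustration, and the when area is a human factor that no single log rule captures, so it is left out.

```python
# Added example (not from the lesson): sort constructed network-log events into
# the lesson's what/where/how/why areas. Log format, trusted subnet and service lists are assumed.
import ipaddress
from dataclasses import dataclass

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # assumed: corporate LAN / VPN pool
UNSANCTIONED_SHARING = {"www.dropbox.com", "dropbox.com"}  # assumed: no enterprise agreement
TORRENT_PORTS = range(6881, 6890)                          # common BitTorrent listener range

@dataclass(frozen=True)
class Finding:
    area: str    # one of: what, where, how, why
    detail: str

def assess(line: str) -> list[Finding]:
    """Evaluate one constructed log line: '<src_ip> <dst_host> <dst_port> <proto>'."""
    src, host, port_str, proto = line.split()
    port = int(port_str)
    findings = []
    # where: traffic that does not originate from a network we trust (no VPN)
    if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
        findings.append(Finding("where", f"{src} is on an untrusted network"))
    # how: insecure protocol chosen when a secure alternative (SFTP) exists
    if proto == "ftp" or port == 21:
        findings.append(Finding("how", f"plaintext FTP to {host}; SFTP is the secure choice"))
    # why: convenience over policy, an unsanctioned file-sharing service
    if host in UNSANCTIONED_SHARING:
        findings.append(Finding("why", f"unsanctioned file sharing via {host}"))
    # what: non-business content, torrent-style peer traffic
    if port in TORRENT_PORTS:
        findings.append(Finding("what", f"torrent-style traffic to {host}:{port}"))
    return findings

def summarize(lines: list[str]) -> dict[str, int]:
    """Count findings per risk area across a batch of log lines."""
    counts = {"what": 0, "where": 0, "how": 0, "why": 0}
    for line in lines:
        for f in assess(line):
            counts[f.area] += 1
    return counts

# Constructed sample log: one benign line and three that each trigger a rule.
SAMPLE_LOG = [
    "10.1.2.3 onedrive.live.com 443 https",   # sanctioned service from the LAN
    "10.1.2.4 files.example.org 21 ftp",      # FTP where SFTP should be used
    "203.0.113.7 www.dropbox.com 443 https",  # off-network AND unsanctioned
    "10.1.2.9 peer.example.net 6881 tcp",     # torrent peer port
]
```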