Page 1034 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
the definition has changed.
To avoid confusion within this book, we typically use the term attacker for malicious intruders. An attack is any attempt to exploit the vulnerability of a system and compromise confidentiality, integrity, and/or availability.
Risk Elements
Chapter 2, “Personnel Security and Risk Management Concepts,” covers risk and risk management in more depth, but it’s worth reiterating some terms in the context of access control attacks. A risk is the possibility or likelihood that a threat will exploit a vulnerability, resulting in a loss such as harm to an asset. A threat is a potential occurrence that can result in an undesirable outcome. This includes potential attacks by criminals or other attackers. It also includes natural occurrences such as floods or earthquakes, and accidental acts by employees. A vulnerability is any type of weakness. The weakness can be due to a flaw or limitation in hardware or software, or to the absence of a security control, such as missing antivirus software on a computer.
Risk management attempts to reduce or eliminate vulnerabilities, or to reduce the impact of potential threats, by implementing controls or countermeasures. It is not possible, or desirable, to eliminate all risk. Instead, an organization focuses on reducing the risks that can cause the most harm to the organization. The key tasks that security professionals complete early in a risk management process are as follows:
Identifying assets
Identifying threats
Identifying vulnerabilities
Identifying Assets
Asset valuation refers to identifying the actual value of assets with the goal of prioritizing them. Risk management focuses on assets with the