The likelihood that a threat will occur regardless of vulnerabilities

The potential for loss or damage when a threat exploits a vulnerability

The vulnerability of an asset to any external threat

The total number of threats identified in an organization

Software applications

Employee personal opinions

Hardware devices

Organizational data

A threat actor targeting an organization

A weakness that can be exploited by a threat

A security control implemented to reduce risk

An event causing damage to an asset

To categorize assets by value

To determine the order in which risks should be mitigated

To decide which threats to ignore

To classify vulnerabilities by severity

Firewall

Intrusion Detection System (IDS)

Regular data backups

Strong password policies

Acceptance involves transferring risk to a third party, avoidance does not

Acceptance means no action is taken to mitigate risk, avoidance means eliminating the risk source

Acceptance requires implementing corrective controls, avoidance requires preventive controls

Acceptance is used only for low risks, avoidance only for high risks

Data Protection Policy

Acceptable Use Policy

Password Policy

Incident Response Policy