At its heart, information security is all about managing risk. What is risk? Risk is the probability of a loss: the chance of something adverse happening to our interests. Risk management is understanding how bad the loss from an adverse event can be, and how we can get the risk down to a level we can absorb. A loss is an event that can negatively affect our information assets, such as unauthorized or unwanted access, destruction, modification, theft, or denial of access.

Risk management involves a preparation and planning phase followed by a risk identification phase, a risk assessment phase, a risk appetite determination phase, and then a risk control phase. Risk identification is where we seek to determine whether risk exists from known vulnerabilities, as well as from threats we can identify that may attempt to exploit those vulnerabilities or find new ways to cause us loss. Risk assessment is the determination of the extent to which our assets are at risk. In determining our risk appetite, we determine and document how much risk we can tolerate. Risk control is where we plan additional appropriate controls to reduce excessive risk to that defined acceptable level. Risk management also means that we continue to monitor our risk environment until we need to begin the process again.

Risk identification is the first phase of the process. The first step in risk identification involves identifying, classifying, and prioritizing our assets. Information assets are found across the organization, not just in databases or on servers. Information exists in filing cabinets, on personal computers, and in numerous other locations. Once identified, assets must be evaluated and placed in classes or categories to determine who can have access to them. Many approaches to classifying data exist. One common approach assigns each asset to one of three classes: public, official use only, or confidential.
After classification, assets must be assessed for the value they have to the organization. Using this information, we will be able to determine each asset's needed level of protection. When assessing the value of an information asset, there are a number of questions we can use. Placing an exact dollar value on most assets is very difficult. However, we can assign relative values to help us prioritize them. One method uses a weighted factor table to assess and compare the worth of our assets. This is done by first listing the criteria we care about and then assessing each asset against those criteria. This allows the creation of a weighted score, which helps us compare the value of dissimilar assets within our organization.

The second step in risk identification is to identify and prioritize the threats to our information assets. We can identify threats by looking for studies and surveys published in trade and academic journals, like the one shown here. This study, published in Communications of the ACM, identified 12 categories of threats to information security. Other such lists have been published as well. Just as we assessed our assets, we must assess the threats facing them. The questions shown here could be used as criteria in a weighted table to prioritize threats.
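The weighted factor table described above for assets, and reused for threats, as an added worked example (not part of the lecture): the criteria, weights and scores are constructed sample values, and the 0.0 to 1.0 scoring scale and the rule that weights sum to 1.0 are assumptions about how such a table is filled in.

```python
# Added example (not from the lecture): weighted factor analysis. Criteria,
# weights and scores are constructed samples; the 0.0-1.0 scale is an assumption.
from typing import Dict, List, Tuple

# Constructed asset criteria: relative importance of each question (sums to 1.0).
ASSET_CRITERIA = {"revenue": 0.3, "profitability": 0.4, "public_image": 0.3}
ASSETS = {  # constructed sample assets, each scored 0.0 (none) to 1.0 (maximum)
    "customer_order_db": {"revenue": 0.8, "profitability": 0.9, "public_image": 0.5},
    "edi_document_set": {"revenue": 0.8, "profitability": 0.9, "public_image": 0.9},
    "public_web_server": {"revenue": 0.5, "profitability": 0.3, "public_image": 0.9},
    "hr_records": {"revenue": 0.2, "profitability": 0.4, "public_image": 0.8},
}
# The same table prioritizes threats; only the (constructed) criteria change.
THREAT_CRITERIA = {"likelihood": 0.5, "severity": 0.3, "recovery_cost": 0.2}
THREATS = {
    "ransomware": {"likelihood": 0.7, "severity": 0.9, "recovery_cost": 0.8},
    "hardware_failure": {"likelihood": 0.6, "severity": 0.5, "recovery_cost": 0.3},
    "human_error": {"likelihood": 0.9, "severity": 0.4, "recovery_cost": 0.2},
}


def check_weights(weights: Dict[str, float]) -> None:
    """Weights must be non-negative and sum to 1.0, or scores are not comparable."""
    if not weights or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-empty and non-negative")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {sum(weights.values()):.3f}, expected 1.0")


def weighted_score(weights: Dict[str, float], scores: Dict[str, float]) -> float:
    """Sum of weight * score over every criterion. A missing or out-of-range
    score is a data-entry error and is reported, not silently treated as 0."""
    total = 0.0
    for criterion, weight in weights.items():
        if criterion not in scores:
            raise KeyError(f"no score for criterion {criterion!r}")
        if not 0.0 <= scores[criterion] <= 1.0:
            raise ValueError(f"score for {criterion!r} is outside 0.0-1.0")
        total += weight * scores[criterion]
    return round(total, 3)


def rank(weights: Dict[str, float],
         items: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Return (name, weighted score) pairs, highest priority first, ties by name."""
    check_weights(weights)
    scored = [(name, weighted_score(weights, s)) for name, s in items.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))
```

Calling `rank(ASSET_CRITERIA, ASSETS)` puts the EDI document set first at 0.87 and the HR records last at 0.46; `rank(THREAT_CRITERIA, THREATS)` ranks ransomware ahead of human error and hardware failure.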