CSCI E-43 How to Assess and Communicate Risk in Information Security
In simple terms, risk is the likelihood that something bad will happen, combined with the business impact if it does. We often talk about the bad things that could happen—threats, vulnerabilities, and exploits—and about the technologies used to defend against them, but none of these is itself a risk. Business decision makers need their information-security subject-matter experts to advise them not on the technical details, but on how likely it is that something bad will occur, what the business impact would be if it did, and how an investment in a given set of security controls quantifiably reduces that risk. This course covers how to assess security risks, properly defined; how to use those risk assessments to make recommendations about what to do; and how to communicate those risks effectively to business decision makers.