The whole goal of IT security is protecting our stuff from bad things. So we do that through what we call risk management. Now, to paraphrase Wikipedia a little bit, risk management is the identification, assessment and prioritization of risk. I hate it when definitions include, in the definition, the term you're trying to define. So what we're going to do in this episode is really talk about what risk is. Now, when we talk about risk, we're talking about the potential to harm organizations, people, IT equipment, whatever it might be, and that's very much true.
But as a security person, we use a lot of terminology that you need to be incredibly comfortable with when we're talking about both risk and risk management. So let's get some of these terms down. The first one I'd like to start with is assets. Assets are any part of our infrastructure that we are worried about getting harmed. Now if you're a computer nerd like me, you'd go, yup, that makes sense.
Sure, our computers and our routers, those would be assets. And you're absolutely correct. However, as a security person, you need to think a little bit deeper. For example, people can be assets. What if you've got this one person who's the only one who knows how to do this one job, and nobody else knows how to do it? What if that person were to disappear tomorrow? That could cause harm.
Equally, we could run into things like, for example, our physical plant. What if you have a server room door that is unlocked and anybody can go into it? In that case, we'd want to do something to protect that door so that people can't just go walking in and out of our server room. In fact, assets can even include intangibles like the reputation of our company. So assets cover a lot of things. Now, the next one I want to cover is vulnerabilities.
A vulnerability is a weakness in an asset that leaves it open to bad things happening to it. A couple of great examples of a vulnerability would be, oh, how about if you have a SOHO router, but you never change the default username and password, so anybody can get to it. Or what if you have a server room, and this server room is unlocked and anybody can get in it. Those are two examples of vulnerabilities. And they're something we have to watch out for. The next thing I want to talk about are threats.
Now a threat is the bad action itself. A threat is a negative event that exploits a vulnerability. So some great examples, keeping with what we were talking about before: if somebody actually goes in and accesses your SOHO router because they know what the default username and password is, that would be one great example. Somebody actually walking into the server room because there is no lock, and they go in and steal a server, that is a threat. Or that one super critical person suddenly quits, like at five o'clock on a Friday, and we don't have anybody for Monday morning. These are examples of threats. Now you've got to be careful here when you're talking about threats, because you have a threat, which is an action.
But then the entity or the person who is actually doing the threat is what we call a threat agent. So a threat agent is often a human being that's doing something. But for example, a threat agent could also be a hurricane that then blows down your offices or something like that. So always be sure to be able to separate the idea of a threat from a threat agent. Now, since we have a pretty basic idea of all of these main pieces, I want to move into the next two, which are important, and the first one is called likelihood. Likelihood defines the level of certainty that something bad is going to happen.
Now, when we talk about likelihood in the security world, we tend to think about it on an annualized basis. So if we're going to talk about some particular threat, then we're going to say, in the course of a year, what is the likelihood of that happening? So we often use it as a percentage. Now, there are two different ways to measure likelihood when we're talking about risk. First is quantitative. Now, let's say I've got a Cisco router, and this Cisco router has a power supply in it.
Now there is a risk that that power supply might die in the course of a year. But luckily for us, Cisco has decades of historical data that we can refer to and look at in terms of a percentage chance of it happening in any given year: what is the chance that I'm going to lose a power supply? So that's very, very handy. However, there is another way to look at likelihood. And that is what we call qualitative. Now, qualitative is a little bit funny because it's going to measure things that are hard to put a number against, like, for example, customer loyalty.
So if something naughty happened to us, how do we measure customer loyalty in that one given year? Since we don't have a tight number like that, we tend to use things like low, medium, high, or we'll use our own little numbering system, saying one is not much of a chance, and then 10 is there's a big, big concern for it. So remember, we've got quantitative and qualitative. All right, the last one I want to talk about, and this is actually a very interesting one, is impact. Impact is the actual harm caused by a threat.
So in order to have impact, you actually have a threat that has actually hit you in some way. Now, when we talk about impact, we can look at it in a lot of different ways. First of all, we can look at it quantitatively. So for example, let's say, oh, I don't know, some bad guy came in and knocked my router down. And now I don't have a router. So nobody in the office can get on the internet.
And it's a problem. So we can measure that. For example, we could measure it by cost: how much is it going to cost to get somebody in here to get this router back up and running? So that's one way. Another way to do it would be labor: how much labor am I losing? How many man-hours am I losing as a result of this being down? Another one would be time.
How long is it going to take for somebody to get this router back up so we can get back to work? And as you can imagine, these quantitative values are very much intertwined. The other way to look at impact, though, is qualitatively: if our router goes down, what's that going to do to our customer loyalty? How's our reputation on the street going to look if my company suddenly disappears for a day and a half while I'm trying to get my routers working? So these all come together to create what we call impact. So how do we put all these terms together to define risk?
Well, the two important terms that I want to start with here are threats and vulnerabilities. If an asset doesn't have a vulnerability, or if there is no threat, you don't have any risk at all. So there's absolutely nothing that could possibly go wrong. So in the security world, we like to use a little formula that looks something like this. They'll say threats times vulnerabilities equals risk.
Now, I don't like that multiplication sign there because it implies that this is some kind of math. It's not. It's just kind of a quasi-equation. So what you'll see a lot of people do is they'll simply say threats applied to, with this little arrow sign, vulnerabilities equals a risk. Now, now that we know that we have a risk, that is where likelihood and impact come into play. Now remember, if you don't have a risk, you have no likelihood and you have no impact.
Think about that for a minute. So we use likelihood and impact: if I've got a lot of risks, how do I determine what I want to deal with first? I'm going to be dealing with risks that have high likelihoods and high impacts way before I'm going to be dealing with risks that have low likelihoods and low impacts. I'm going to spend a lot more time and resources figuring out how to stop people from hacking my routers than a giant marshmallow man coming in and invading my infrastructure. So it's really important to use these terms to help us understand how we're going to deal with that risk. Now, if you take any type of infrastructure, if you think about it even for a minute, it's going to have zillions of risks.
I mean, you've just been introduced to this term. And if you think about this for a little bit, look around your house, look around your office, you could probably come up with, like, 100 or 200 risks just off the top of your head. So imagine a security professional coming into an infrastructure. Wouldn't it be nice if you had a list of every possible threat and vulnerability that's happening in your infrastructure? Yeah, well, tough. It doesn't exist, but I can get you pretty close.
The National Institute of Standards and Technology has a really big document called SP 800-30. This document, thousands of pages long, is chock full of all kinds of threats and vulnerabilities that the typical security person might be exposed to, and everybody in the security world uses these docs as a starting place to be able to provide good risk management for their infrastructures. Now, the one thing I need to warn you about in this episode is that we've covered a lot of terms. And I doubt you're going to run into any questions where someone's going to ask you which one of these is a threat. It's not going to work that way.
But you're going to see a lot of questions where they're going to use the terms asset, vulnerability, threat, likelihood, impact. And if you don't understand these basic terms, you're never going to get to the big question on any particular issue on the exam.
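As an added example, not part of the lecture, here is a small risk register in Python that applies the terms above: an entry only counts as a risk when a threat is applied to a vulnerability, quantitative risks are ranked by annualized likelihood times cost impact, and qualitative risks by a low/medium/high matrix. All assets and values are constructed for illustration, not vendor data.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Qualitative scale from the lecture: low / medium / high, mapped to 1..3.
QUAL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    asset: str
    vulnerability: Optional[str]      # None: the asset has no weakness
    threat: Optional[str]             # None: no negative event exploits it
    likelihood: Union[float, str]     # annual probability (0..1) or a QUAL label
    impact: Union[float, str]         # annual cost (e.g. dollars) or a QUAL label

def is_risk(r: Risk) -> bool:
    """Threat applied to vulnerability: without both there is no risk."""
    return r.threat is not None and r.vulnerability is not None

def quantitative_score(r: Risk) -> float:
    """Expected annual loss: annualized likelihood times cost impact."""
    return float(r.likelihood) * float(r.impact)

def qualitative_score(r: Risk) -> int:
    """Risk-matrix cell: likelihood band times impact band (1..9)."""
    return QUAL[r.likelihood] * QUAL[r.impact]

def prioritize(register):
    """Rank highest first; quantitative and qualitative lists stay separate."""
    quant, qual = [], []
    for r in register:
        if not is_risk(r):
            continue                  # no risk, so no likelihood or impact to weigh
        labelled = isinstance(r.likelihood, str), isinstance(r.impact, str)
        if all(labelled):
            qual.append((qualitative_score(r), r.asset))
        elif not any(labelled):
            quant.append((quantitative_score(r), r.asset))
        else:
            raise ValueError(f"{r.asset}: mixed quantitative and qualitative values")
    return sorted(quant, reverse=True), sorted(qual, reverse=True)

# Constructed sample register (hypothetical probabilities and costs).
REGISTER = [
    Risk("Cisco router PSU", "single power supply", "PSU fails", 0.05, 4000.0),
    Risk("SOHO router", "default credentials", "attacker logs in", 0.30, 12000.0),
    Risk("server room", "door unlocked", "server stolen", 0.10, 20000.0),
    Risk("server room (locked)", None, "server stolen", 0.10, 20000.0),  # no vulnerability
    Risk("company reputation", "customer-facing outage", "day-long outage", "medium", "high"),
    Risk("key admin", "sole holder of job knowledge", "quits on Friday", "low", "high"),
]

if __name__ == "__main__":
    for ranked in prioritize(REGISTER):
        for score, asset in ranked:
            print(f"{score:>8}  {asset}")
```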