Must cost less than possible Impact Risk Analysis Likelihood Impact Risk = X High High High Reputation Financial Life Productivity Likelihood Reduced after Controls implemented Impact Reduced after Risk Transfer Medium Risk Reduced after Risk Transfer and/or Controls implemented Medium Low Reputation Financial Life Productivity Low That Can be Reducing causing Threats Human, Natural Technical, Physical Environmental, Operational Information Transferred Mitigated Accepted by Executive and compromise to with classified for External - Insurance - Contracted Out Must cost less than possible Impact Value & Importance Will exploit Confidentiality Low Medium High and/or To attack Integrity Low Medium High Attack Surface Targets People Places Processes Systems and/or Controls Vulnerabilities Low Medium High Availability - Administrative - Technical - Physical Must cost less than possible Impact Attack Surface Vulnerabilities Reduced after Controls implemented Reducing Reducing ©Hugh Burley – Thompson Rivers University - 2008