Welcome to section two of the CSSLP domain one entitled Risk Management. So our next area of discussion will concern the process, decision logic, and factors of risk analysis. In this section, we will explore the issues and considerations that must be taken into consideration when evaluating the risks associated with a project, a system, or a business.

With regard to the recognition of risk as a business problem rather than a technological one but with its context in the information system area and specifically to the design, build, and operation of the applications used in that business context, it becomes increasingly clear that starting out to produce systems that are secure by design, to be secure in operation is the best approach by far.

Done well, the risk analysis activity can reveal areas of exposure, the potential consequences of decisions concerning risk treatment options, and can provide the rationalization of an effective composite risk treatment strategy. And employing this from the very earliest phases of conception and requirements development will produce higher quality and more secure tools for the business to use. So this module concerns the application of risk management practices to reduce or eliminate the occurrence of these outcomes through the practice of risk management and the actions that can result from it.

The general focus of risk management then is to identify the potential threat-asset-vulnerability combination, that, if compromised, damages the organization's ability to deliver its product or service. The object then of risk management in the software development process is to identify places and ways where software can cause unexpected results, be modified to cripple the user's ability to perform or to invade the software to prevent its correct operation. These outcomes can be the result of different factors, such as process failures, testing failures, intentional sabotage, among others.

Here, you see the risk management problem space. It is a four-dimensional space in which to apply risk-mitigating practices and countermeasures. We have asset value, and in the calculation in a risk management problem, we have to compute it based on the tangible and intangible factors. Things about it directly, such as accounting factors, and things that are more intangible, such as value contributions and other perceptions. Intangible though they may be, they still contribute real value and real importance to it in the minds of the business and the managers of it.

Next, we have threats and their impacts. In this, we compute the type of threat that it is and its impact, of course, and the order of magnitude, anywhere from small to insignificant, to something bordering on major to catastrophic. We have to consider vulnerabilities, which are basically divided into two types of vulnerabilities. Ones that are direct that produce a weakness in the particular context that we're examining in this problem.

Then, we have predisposing conditions, which may themselves not be risks as such but may give rise to vulnerabilities that can then be exploited or, in the case of a natural hazard, something that simply happens due to a natural event, such as an earthquake or a tornado. And of course, we have to consider time.

Time, as we know, changes the character and the value of nearly any asset, or business, or other thing of value that we're going to consider in a problem of this type. And if we are projecting this over a period of time, say a year to three years in a time horizon, we have to consider time as it affects these things because, as it does, it may change our consideration of the asset and our strategic approach to mitigation treatment.