Risk Assessment and Management

Risk is a potential problem that has to be fixed now which can be avoided or mitigated.
Risk is as combination of the probability of an event and its consequence.

Risk has two attributes that must be evaluated:

• Cause – any event, action, or inaction 
• Effect – impact on achieving business objectives 

Risk has three forms which must be considered:

• Inherent Risk – The risk within an account or a process without considering the effectiveness of internal controls 
• Control Risk – The risk that internal controls will not be effective or timely 
• Detection Risk – The risk that auditing procedures are not effective 

Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat. (Wikipedia)
Alat bantu manajemen yang dalam konteks information security management digunakan untuk:

• mengidentifikasi risiko (risk) dan ancaman (threat) 
• mengklasifikasi aset: informasi, teknologi 
• menentukan tingkat kerentanan (vulnerability) sistem 

sehingga pengendalian terhadap sistem dapat diterapkan secara efektif.