There is no denying that risks are part of everyday life. Putting on your pants in the morning is risky, especially if you are half asleep and your brain isn't functioning yet. Ever ask your wife what's for dinner, or where she wants to eat and what she's craving? That is a huge risk that can have good or bad consequences. All laughs aside, risks are serious issues, and we face small risks and large risks every day. Risks are inherent and may be mitigated if one truly understands the risk and knows how to take appropriate action.

Last week, my wing commander held his quarterly commander's call and we covered the 101 Days of Summer fun. In the brief, we were reminded of simple things. For example, going deep sea fishing: one must identify the hazard (the ocean, fishing hooks), assess the hazard (weather conditions, high tide), make decisions (the best time to go out) and develop controls, implement controls, and supervise/evaluate. Last July, an Airman deployed down range, and we had a talk with Jesus about how the Air Force can improve its choices.
Long story short, an Airman died because he jumped down a manhole in hopes of recovering the manhole cover. He had done it a dozen other times, but this one occurrence took his life. During the investigation, some people in the vicinity claimed they had smelled an abnormal odor. It turned out to be gas. Never take an unnecessary risk with little to no cost/life benefit.

I took a huge risk with a stock: HSGX. The stock is trading at $0.1938 a share and I purchased 500 shares. This comes out to around $96; I could lose it all, or it could go up to $10.00 a share. Lose or win big!

Focusing on risk assessment, we all know what this concept is and how it entails identifying risks and threats, their occurrence, and the qualitative or quantitative assessments. However, we may fail to remember that it's an ongoing process that needs to be audited.
Identification is the key: how can a problem be improved or mitigated if it is not identified and prioritized? In terms of information security systems, this directly applies to cybersecurity and is an ongoing process to improve the protection of information, IS, and the management of IS, with CIANAA (Confidentiality, Integrity, Availability, Non-repudiation, Authentication, Authorization) being the highest priority. I am pretty sure I have read at least 12 of the NIST 800-series guidelines. The core framework within NIST 800-52 v2 is vital. Not all risks can be managed or analyzed, so assets must be prioritized based on the mission; the environmental threats and the implementation of the various controls and countermeasures are based on a cost/benefit ratio. Look into the NIST 800-37 Risk Management Process/Framework on the SDLC. It is highly technical and geared toward IS, but it definitely can be applied to this discussion and to critical infrastructure.
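As an added illustration (not part of the original post) of the qualitative and quantitative assessments, mission-based prioritization and cost/benefit ratio discussed above, here is a small Python risk register. The rating scales, assets and dollar figures are constructed, and the annual loss expectancy (ALE) method is a standard quantitative technique rather than one the post itself names.

```python
from dataclasses import dataclass, replace
# Ordinal scales for the qualitative assessment (constructed 1..5 ratings).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str         # qualitative rating, key into LIKELIHOOD
    impact: str             # qualitative rating, key into IMPACT
    asset_value: float      # replacement value in dollars
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)

    def qualitative_score(self) -> int:
        """Likelihood x impact on a 5x5 matrix; 25 is the worst case."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def annual_loss_expectancy(self) -> float:
        """ALE = single loss expectancy (value x exposure factor) x annual rate."""
        return self.asset_value * self.exposure_factor * self.annual_rate

def prioritize(register: list) -> list:
    """Highest qualitative score first; quantitative ALE breaks ties."""
    return sorted(register, reverse=True,
                  key=lambda r: (r.qualitative_score(), r.annual_loss_expectancy()))

def control_net_benefit(risk: Risk, annual_control_cost: float, **residual) -> float:
    """Cost/benefit check: positive means the ALE the control removes exceeds its
    yearly cost. `residual` gives exposure_factor/annual_rate after the control."""
    after = replace(risk, **residual)
    return risk.annual_loss_expectancy() - after.annual_loss_expectancy() - annual_control_cost

# Constructed sample register for a small unit; every value is illustrative.
SAMPLE_REGISTER = [
    Risk("Mission database", "ransomware", "possible", "severe", 500_000, 0.6, 0.5),
    Risk("Public website", "defacement", "likely", "minor", 40_000, 0.25, 2.0),
    Risk("Badge reader logs", "disk failure", "likely", "moderate", 10_000, 1.0, 1.0),
    Risk("Laptop fleet", "theft", "almost certain", "moderate", 200_000, 0.05, 3.0),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"score {r.qualitative_score():>2}  ALE ${r.annual_loss_expectancy():>9,.0f}  {r.asset}: {r.threat}")
    # Offline backups drop the ransomware exposure factor from 0.6 to 0.1 for $40k/yr: worth it.
    print("backups:", control_net_benefit(SAMPLE_REGISTER[0], 40_000, exposure_factor=0.1))
    # A $30k/yr filter that halves defacement frequency costs more than the loss it avoids.
    print("web filter:", control_net_benefit(SAMPLE_REGISTER[1], 30_000, annual_rate=0.5))
```

Note that the two assets with the same qualitative score end up far apart on ALE, which is why the post's point about auditing the assessment as an ongoing process matters: the numbers behind the ranking change as the environment does.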