Risk analysis and mitigation is an important component of computer security in which you analyze risks to determine if there are any threats or vulnerabilities that could affect the integrity or security of networks or data.
Risks might include unpatched vulnerabilities, human behaviors, or emerging threats.
Once a threat is identified, the next step is to develop mitigations to thwart or minimize the impact of the threat. Corrective actions include modifying or hardening security elements, changing security procedures, or limiting system access.
Testing and verification provides the opportunity to assess system security and affirm that system security is performing acceptably. An example is penetration (pen) testing, which is used to validate the system’s security, identify weaknesses that could put the system at risk, and recommend mitigations to address the vulnerabilities.
Pen testing can:
- provide an assessment of the defenses in use
- assess the response capabilities of the personnel in the organization charged with protecting and defending the network
- evaluate the organization’s crisis response and any associated plans
- provide justification for the allocation of additional resources (people and/or technologies) for network security
- result in recommendations to address any vulnerabilities identified
Another example is regression testing, which examines how software performs after it has been changed, to verify that it still performs as it was intended to before the change. Regression tests are commonly performed after patches or configuration changes are implemented.
Acceptance testing is performed prior to operational use to determine whether software performs consistently with its requirements.