Before answering this question, let us first look at a few term definitions from the information security field.
Risk: the potential that a given threat will exploit a weakness of an asset or group of assets and thereby cause loss of or damage to those assets. (The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of/or damage to the assets.) It is usually measured by combining the likelihood that the threat occurs with the impact it would cause. (It usually is measured by a combination of impact and probability of occurrence.) [Reference: ISO/IEC TR 13335-1 and BS 7799-2:2002]
Risk Treatment: the process of selecting and implementing controls to modify risk. (Process selection and implementation of controls to modify risk.) [Reference: BS 7799-2:2002]
Control measure (Safeguard): a practice, procedure or mechanism that reduces risk. (A practice, procedure or mechanism that reduces risk.) [Reference: BS 7799-2:2002]