Understanding Risk Report

In a constantly changing threat landscape, risk will always be present. Many organizations employ a variety of devices and technologies to identify potential threats, but fall short in identifying the potential risks. Risk is the potential that a threat will exploit a vulnerability to cause harm to an organization. Risk management involves determining those risks with the greatest impact and greatest probability of occurring, and handling those first. If an organization does not properly manage risk, they may incur substantial losses because they focus their mitigation efforts in the wrong areas. This can lead to significant costs, regulatory fines, and loss of reputation. By implementing an effective risk management program, organizations can obtain a complete and accurate picture of risks within a network, effectively manage and protect critical assets, realize reduced costs, and maintain or even improve their overall reputation. 

The Understanding Risk report can assist an organization in understanding and managing their risk by identifying vulnerabilities on the network, and presenting details to assist the organization in understanding the risks the vulnerabilities might present. This information will then enable the organization to focus mitigation efforts in the correct areas.

The severity of a particular risk may vary based on the environment. One aspect of risk management is deciding which risks the organization should downgrade to a lower severity, or upgrade to a higher severity. In some cases, the organization may even decide to accept a particular risk. Tenable's Tenable.sc Continuous View (CV) provides a way for an organization to mark a vulnerability as an 'accepted risk', or to 'recast' a vulnerability to a different severity. This report also assists the organization in understanding and managing the risks that have been identified as accepted and recasted.

For related Tenable.sc dashboards, see the Understanding Risk dashboard, the Understanding Accepted Risk dashboard, and the Understanding Recast Risk dashboard.

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the Tenable.sc Feed under the category Threat Detection & Vulnerability Assessments. The report requirements are:

• Tenable.sc 4.8.2
• Nessus 8.5.1
• NNM 5.9.1
• LCE 6.0.0

Tenable.sc Continuous View (CV) provides the organization with the most comprehensive and integrated view into risk analysis available. With native ability to detect more vulnerabilities than the competition, Tenable.sc CV has the ability to analyze risk across many systems and assist the organization in properly mitigating and managing risk.

The following chapters are included in the report:

Executive Summary - This chapter includes presents a series of charts that provide a summary view of Overall, Accepted, and Recasted Risks. 

Overall Risk - The Overall Risk Chapter presents a series of components that present detailed information about the vulnerabilities found to exist within a network. This information can assist the organization in understanding and reviewing the risk associated with corresponding vulnerabilities. The information provided within this chapter will assist organizations by improving risk detection, prevention, and response practices.

Accepted Risk - The Accepted Risk Chapter presents a series of components that present detailed information about the vulnerabilities found to exist within a network that have been marked as accepted risks. Risk acceptance is applied when the identified risk is within an organization’s risk tolerance. In addition, risk acceptance may be necessary when the cost of mitigation is greater than the expected loss of its relative exploited vulnerability. The information provided within this chapter can assist an analyst in re-analyzing accepted vulnerabilities, and evaluate whether mitigation efforts need to be modified.

Recast Risk - This chapter presents a series of components that present detailed information about the vulnerabilities found to exist within a network that have been recast to a different severity. The severity of a particular risk may vary based on the environment. An important aspect of risk management is deciding which risks the organization should downgrade to a lower severity, or upgrade to a higher severity. The information provided within this chapter can assist an analyst in re-evaluating existing recasted vulnerabilities, and determine whether the vulnerabilities can be eliminated or accepted.