ABSTRACT

The use of public web-mail systems for transmitting any confidential information is risky. Once a senior manager understands the risks, and how their own behaviour can affect the organization, they are only too keen to help with information security. In addition, many people do not revise their risk assessments in light of each incident. This lack of review hinders information technology (IT) security professionals' ability to identify weaknesses in their current countermeasures and improve them. In the case of risk assessments for new information system projects, the final 'solution' is often far removed from the original design, and therefore the risks are often also very different. Splitting risks into threats and vulnerabilities allows IT security professionals to distinguish between the elements under their control, the vulnerabilities, and the factors outside their control, the threats. The goal of the assessment is to accurately measure each risk in financial terms.