Modern networks and computerized data systems are highly complex. Individuals responsible for auditing these systems must ask, “What do I audit?” Although it might be nice to audit everything, doing so is not possible. Companies have limited funds and a finite amount of resources to be used in auditing security controls. One way to determine what to audit is to use risk analysis. Risk cannot be discussed in a void. When discussing risk, vulnerability and threat must also be reviewed:
. Risk is the potential for harm.
. Vulnerability is weakness in a system or process.
. Threat can be seen as frequency.