The probability of a risk is not the only metric in determining what risks to mitigate.

The probability of a risk is not the only metric in determining what risks to mitigate. The cost and time associated with the risk, and the overall impact to the organization are some of the factors that must be considered as well.

Think about the following four types of vulnerabilities:

• Behavioral and attitudinal vulnerabilities
• Misinterpretations
• Coding problems
• Physical vulnerabilities

Consider the IS of a large hospital and provide a specific example of each of the four types of vulnerabilities. Estimate the likelihood and cost of each risk (as low, medium, or high) and explain your reasoning. If an organization were to try to focus on the vulnerability that would be the least expensive to address while providing the most reward, which would it be? Why?