CHAPTER Formulating a Risk 5 INFORMATION IN THIS CHAPTER · Breaking Down a Risk · Who or What Is the Threat? INTRODUCTION Believe it or not, accurately describing the risk can be one of the hardest parts of any risk assessment. How many times have you had a so-called risk presented such as "the file transfer between the client and application doesn't use encryp- tion" or "that vendor doesn't have an independent audit function?" Are these really risks? Is it really as easy as stating the lack of a control and calling it a