Identifying Risks, Threats, and Weaknesses in a System

Risk identification means identifying threats, identifying the vulnerabilities in a system that those threats could exploit to harm an asset, and estimating the likelihood that this actually happens. Threats can be categorized as external or internal, natural or man-made, and intentional or accidental. A realized threat causes a loss of confidentiality, integrity, or availability for the business and its technology systems. Vulnerabilities are weaknesses in the system; they can be identified through sources such as audits, system logs, and trouble reports.

When assessing the impact and likelihood of a risk, each threat is matched against the vulnerabilities that actually exist: a threat with no corresponding weakness, or a weakness no threat can reach, produces no risk. In the simplest model, risk equals threat x vulnerability. Once assets have been identified, total risk equals threat x vulnerability x asset value, so the same weakness scores higher on a more valuable asset.

Typical weaknesses in an IT infrastructure include susceptibility to social engineering, unpatched computers, lack of antivirus software, weak passwords, improper permissions, public-facing servers, infected remote users spreading malware into the network, and a host of others.

The key elements of risk management are identifying the assets and their values, identifying the risk response, selecting control methods, and implementing and testing those controls. Risks can be avoided, shared, mitigated, or accepted, and the choice depends on the likelihood that the risk will occur, the impact if it does, and the cost of implementing the proper control.
