Introduction to Risk

In Secure Yourself Now, I just had you do the highest-impact activities possible to minimize your risk... but what is risk?

Risk is a somewhat quantifiable function of the likelihood that a vulnerability will be exploited and the impact that exploitation would have on the organization.

A common equation for risk is:

Risk = Probability of Threat x Impact of Vulnerability

Let's define the rest of the equation.

A threat is anything that has the potential to disrupt the normal functioning of an organization or in general cause harm to the organization. Determining the probability of a threat is a very difficult proposition.

A vulnerability is a defect in a process, system, infrastructure, or procedure that can be exploited to cause harm to the organization by an external or internal actor. Identifying vulnerabilities is straightforward, but identifying the potential impact is even more difficult than trying to determine the probability of a threat. If you can identify the impact, you have the most important part of the equation locked down.

Another, and in my opinion more useful, risk equation is:

Risk = (Probability of Threat x Vulnerability) x Asset Value

If you're a math person, sure: by the commutative property of multiplication, the two equations are equal. However, splitting out asset value helps us focus on the importance of identifying impact, rather than getting fixated on potential threats and vulnerabilities.

Each decision you make can be based on this equation, and big decisions are actually a combination of hundreds of these risk equations. Then, based on what your acceptable level of risk is, you make your decisions.

It is almost impossible to completely rid a system of risk without affecting its operability. There is a constant battle to find the balance between security and functionality, and it is on the person managing risk to determine the balance point. In a world of perfect security, availability falls by the wayside, and people who need information can't get it. Being a security professional means weighing the costs and benefits of risk.

Briefly, ignoring the hundreds of frameworks and complex policy papers, the risk management process consists of the following steps:

  • Risk Identification
  • Risk Analysis
  • Risk Mitigation
  • Risk Monitoring
  • Feedback

As it is a cycle, after the feedback stage we can determine whether the mitigation that was put in place was effective, and the cycle continues.
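To see the second equation and the cycle above work together, here is a small risk register in Python. It is an added example, not part of the lesson; the four register entries, their scores and the acceptable-risk level of 10 are constructed values, not real data. The printer entry has the highest threat probability and vulnerability but the lowest asset value, which is exactly why it lands at the bottom of the priority list.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    name: str
    threat_probability: float  # 0.0-1.0: likelihood the threat materialises
    vulnerability: float       # 0.0-1.0: how exploitable the defect is
    asset_value: float         # what is at stake, here in thousands of dollars

    def impact(self) -> float:
        # "Impact of Vulnerability" from the first equation: exploitability scaled by what is at stake
        return self.vulnerability * self.asset_value

    def risk_v1(self) -> float:
        # Risk = Probability of Threat x Impact of Vulnerability
        return self.threat_probability * self.impact()

    def risk_v2(self) -> float:
        # Risk = (Probability of Threat x Vulnerability) x Asset Value
        return (self.threat_probability * self.vulnerability) * self.asset_value


# Constructed sample register (hypothetical values, not from the lesson).
REGISTER = [
    RiskItem("Unpatched public web server", 0.6, 0.8, 50),
    RiskItem("Laptop theft, disk encrypted", 0.3, 0.1, 200),
    RiskItem("Customer DB credential reuse", 0.2, 0.7, 500),
    RiskItem("Printer with default password", 0.9, 0.9, 2),
]


def total_risk(register) -> float:
    """A big decision is the sum of many small risk equations."""
    return sum(item.risk_v2() for item in register)


def prioritise(register, acceptable_risk: float):
    """Risk Analysis: items above the acceptable level, highest risk first."""
    above = [item for item in register if item.risk_v2() > acceptable_risk]
    return sorted(above, key=lambda item: item.risk_v2(), reverse=True)


def mitigate(item: RiskItem, new_vulnerability: float) -> RiskItem:
    """Risk Mitigation: a control (patching, MFA, ...) lowers exploitability.
    Returns the residual item so Risk Monitoring can re-run the equation."""
    return replace(item, vulnerability=new_vulnerability)


if __name__ == "__main__":
    for item in REGISTER:
        print(f"{item.name:32} risk={item.risk_v2():6.2f}")
    print("total:", round(total_risk(REGISTER), 2))
    print("above threshold:", [i.name for i in prioritise(REGISTER, 10)])
    print("residual after mitigation:", mitigate(REGISTER[2], 0.05).risk_v2())
```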

Answer these questions in the submission box below.

  1. What is a threat?
  2. What is a vulnerability?
  3. How do we define asset value?
  4. What is the value-added of the second risk equation?
  5. Ignoring the equations, how do you define risk?