The term risk has many different uses and meanings in society. On Wall Street or in the financial markets, investors talk about calculating or taking risks to make a profit. In everyday speech, we use the adjective risky to describe behaviors such as not wearing a seat belt or eating junk food. At work, we talk about managing risk to reduce on-the-job injuries or to avoid cost overruns or schedule delays. We can increase risk, decrease risk, manage risk, or avoid it. But, what exactly is risk?
The answer is: it depends. How we define and use the term risk is dependent on context and perspective. In this section and throughout this course module, we will examine the concept of risk as it is used within the fields of cybersecurity and information security in business, government, and other types of organizations. Organizations are our context. Cybersecurity and information security are our perspective.
Risk is the uncertain outcome of an event that has not yet occurred. Or, said another way, a risk is the possibility that an event may occur that carries with it the potential for an organization to either benefit or suffer a loss or harm.
For example, the loss of a thumb drive is a possible future event that could be a source of risk to an organization. The thumb drive could be lost forever, or it could be found and returned. Each of these outcomes is uncertain since it is not possible to determine in advance whether or not a lost thumb drive will be found and returned to its owner.
A consequence is a potential outcome of a specific risk. Loss of confidentiality due to theft of data is an example of a consequence.
Every risk has a likelihood or probability of occurrence.
Each risk also has a payoff value. This payoff may be positive or negative and is associated with the consequence. Some consequences are good or beneficial, while other consequences are bad or harmful. Payoff values are usually expressed in monetary terms and can require complex calculations involving multiple consequences for a single risk.
The term impact is used to refer to the change in the value of an asset that results from the occurrence of a specific risk. Impact can be positive or negative and is usually expressed in monetary terms. Impact can also be expressed in relative terms (low, medium, high).
A simple risk-impact metric can be calculated using the likelihood of the event and the payoff if the event occurs, such that risk = likelihood × payoff.
Internal risks arise from inside of the company, and can be classified under the categories technology, physical, and people. Examples of each are below:
|Technology||The company's software cannot function in a cloud environment due to a programming error.|
|Physical||The company suffers a fire at its headquarters and loses all physical prototypes of its voting devices.|
|People||A dishonest employee steals the company's plan for migration and publishes it. This erodes public trust and results in contract cancellation.|
External risks arise from outside of the company and include natural factors, such as natural disasters, and political factors, such as new political leadership.
Vendor-related risks are substantial for the cloud computing model, and can include vendor insolvency, service outages, and a vendor arbitrarily choosing to discontinue cloud services without notice.
In a cloud computing model, your internal information technology organization is not responsible for all aspects of your company's platform. If your cloud computing vendor suffers an outage, then your customers suffer as well, and you may not have any recourse. This situation could lead to a significant impact on revenue, and be detrimental to customer perception of your organization.
Opportunities and Threats
Opportunities are situations or events where the anticipated payoff of a risk is positive or beneficial. For example, a textbook buyer has the opportunity to save money by purchasing lower-cost, time-limited access for an electronic version of the textbook for a course.
Threats, in contrast, are situations or events that could result in negative payoffs or undesirable outcomes. Undesirable outcomes may be financial losses or, for information and information systems, the outcome may be a loss of confidentiality, integrity, availability, nonrepudiation, and so on.
A vulnerability is a weakness in an asset that can be exploited by a threat to cause harm or loss. For risks arising out of threats, the risk metric is expanded to incorporate a measure of the vulnerability of the asset to each specific threat. The risk metric becomes
risk (threat, asset) = probability × vulnerability × impact
risk (threat, asset) means the risk metric associated with a specific threat to a specific asset,
probability is the likelihood of occurrence,
vulnerability is a measure of the asset's susceptibility to the threat, and
impact is a measure of loss or damage to the asset (based upon the asset's value).
National Institute of Standards and Technology. (2011, March). Managing information security risk: Organization, mission, and information system view (NIST Special Publication 800-39). Gaithersburg, MD: Author. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
Organization for Economic Cooperation and Development. (2005). Corporate governance. Retrieved from http://stats.oecd.org/glossary/detail.asp?ID=6778