What is Risk?
IT risk has many facets and is often not well understood; in some cases even its definition can be elusive. In the cybersecurity and information technology fields, the National Institute of Standards and Technology (NIST) is one of the authoritative sources to turn to for an answer.
According to NIST Special Publication (SP) 800-30, Guide for Conducting Risk Assessments, risk is defined as:
"a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence."
Risk is a Measurement
Risk is first and foremost a measurement; it is a qualitative or quantitative value that you assign to a potential future negative event. That measurement takes into account how likely the negative event is to occur, and the impact to your organization if the event does occur.
Qualitative vs. Quantitative Risk Measurements
Risk is typically measured in one of two ways: qualitatively or quantitatively. A qualitative measurement applies a quality to the risk such as low, moderate, or high. NIST SP 800-30 uses a scale from Very Low to Very High for qualitative measurements.
A quantitative measurement applies a quantity to the risk, such as 10, 100, or $3,000,000. NIST SP 800-30 uses a scale from 0 to 100 for quantitative measurements.
You can conduct a risk assessment using either measurement scale, but be sure to define precisely what your scale means so that you apply it consistently across multiple threat sources.
Why Measure Risk?
Properly measuring risk allows you to compare one potential future negative event (threat) against another to determine which one is more severe and therefore worth addressing first. In an ideal world you would be able to address every threat your organization faces, but in reality your resources are limited. Therefore you need a method to prioritize the threats and apply your limited resources to those that are most likely to occur and have the greatest impact, and thus carry the highest risk.
The Components of Risk
A risk measurement is actually derived from multiple components. At the highest level, risk is computed based on the likelihood of a threat event occurring, and the impact of the event if it does occur.
The likelihood of occurrence can be further broken down if the threat event is adversarial in nature, meaning that the threat event is intentionally caused by a human (a threat actor) rather than being a random occurrence. In that case the likelihood of the event occurring is based on the Capability and Intent of the threat actor.
Capability relates to the sophistication of the threat actor's expertise, tactics, and technology. Intent relates to the threat actor's willingness to carry out the threat event and their desired purpose.
The impact of the threat event can be further broken down into Severity and Vulnerability.
Severity describes the scale of the event. If the event is a hurricane, severity relates to whether it is a category 1 or a category 5 storm. If the event is a ransomware attack, it relates to the scale of infection and the difficulty of recovery.
Vulnerability describes a weakness that the threat event can exploit. For example, if your data center is located in a flood zone, it might be vulnerable to a high water event. If your data center is located outside a flood zone, it is not vulnerable to a high water event, and therefore the impact of such an event is minimal.
IT vulnerabilities are typically catalogued as Common Vulnerabilities and Exposures (CVE) entries, and they are often given quantitative ratings using the Common Vulnerability Scoring System (CVSS), which ranges from 0 to 10.
NIST also provides a calculator that you can use to score a vulnerability based on the CVSS standard.
Overall, the severity of a threat event and your vulnerability to the event combine to determine the impact to your organization if the event occurs.
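The following Python module, an added example rather than anything from this article or from NIST, puts the components above into one scoring model: qualitative labels or 0 to 100 values as input, likelihood derived from capability and intent for adversarial events, impact derived from severity and vulnerability, and a ranked list of threat events as output. The five-level scale and 0 to 100 range follow the shape of SP 800-30, but the representative value for each label, the band edges, and the geometric-mean combination rule are assumptions chosen for illustration; the threat events are constructed sample data.

```python
"""Risk-scoring model for the likelihood/impact components discussed above.

Added example. The five qualitative levels and the 0-100 scale follow the shape
of NIST SP 800-30, but the representative values, the band edges and every
combination rule below (capability+intent -> likelihood, severity+vulnerability
-> impact, likelihood+impact -> risk) are assumptions made for illustration,
not NIST's own tables. The threat events at the bottom are made-up sample data.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Level = Union[str, int, float]   # a qualitative label or a value on the 0-100 scale

# Assumed representative 0-100 value for each qualitative label.
LEVELS = {"very low": 2, "low": 12, "moderate": 50, "high": 88, "very high": 98}

# Assumed band edges (lower bound, label) for turning a score back into a label.
BANDS = [(96, "very high"), (80, "high"), (21, "moderate"), (5, "low"), (0, "very low")]


def to_quantitative(level: Level) -> float:
    """Accept a qualitative label or a number and return a value on the 0-100 scale."""
    if isinstance(level, str):
        key = level.strip().lower()
        if key not in LEVELS:
            raise ValueError(f"unknown qualitative level: {level!r}")
        return float(LEVELS[key])
    value = float(level)
    if not 0.0 <= value <= 100.0:
        raise ValueError(f"quantitative values must lie in 0..100, got {value}")
    return value


def to_qualitative(score: float) -> str:
    """Map a 0-100 score onto the Very Low .. Very High scale."""
    for lower_bound, label in BANDS:
        if score >= lower_bound:
            return label
    raise ValueError(f"score out of range: {score}")


def combine(a: Level, b: Level) -> float:
    """Assumed combination rule: the geometric mean, so a 'very low' factor on
    either side pulls the result down (a very severe event that you are not
    vulnerable to still has little impact)."""
    return math.sqrt(to_quantitative(a) * to_quantitative(b))


@dataclass
class ThreatEvent:
    name: str
    severity: Level
    vulnerability: Level
    likelihood: Optional[Level] = None   # given directly for non-adversarial events
    capability: Optional[Level] = None   # adversarial events: threat actor capability
    intent: Optional[Level] = None       # adversarial events: threat actor intent


def likelihood_of(event: ThreatEvent) -> float:
    """Adversarial events derive likelihood from capability and intent;
    non-adversarial events carry an estimated likelihood directly."""
    if event.capability is not None and event.intent is not None:
        return combine(event.capability, event.intent)
    if event.likelihood is None:
        raise ValueError(f"{event.name}: give either likelihood, or capability and intent")
    return to_quantitative(event.likelihood)


def impact_of(event: ThreatEvent) -> float:
    """Impact from the scale of the event and how exposed you are to it."""
    return combine(event.severity, event.vulnerability)


def risk_of(event: ThreatEvent) -> int:
    """Risk as a single 0-100 measurement of likelihood and impact together."""
    return round(combine(likelihood_of(event), impact_of(event)))


def prioritize(events: List[ThreatEvent]) -> List[Tuple[str, int, str]]:
    """Rank threat events from highest to lowest risk as (name, score, label)."""
    scored = []
    for event in events:
        score = risk_of(event)
        scored.append((event.name, score, to_qualitative(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample threat events.
SAMPLE_EVENTS = [
    ThreatEvent("Ransomware delivered by phishing", severity="high",
                vulnerability="moderate", capability="high", intent="high"),
    ThreatEvent("Flood at the data center", severity="very high",
                vulnerability="very low", likelihood="low"),   # site is outside the flood zone
    ThreatEvent("Opportunistic wiper from a capable actor", severity="very high",
                vulnerability="high", capability="very high", intent="very low"),
    ThreatEvent("Insider data theft", severity="moderate", vulnerability="high",
                capability=50, intent=50),                     # numeric inputs also accepted
]

if __name__ == "__main__":
    for name, score, label in prioritize(SAMPLE_EVENTS):
        print(f"{score:3d}  {label:<9}  {name}")
```

The point of writing the rules down in code is the one made in the section on measuring risk: whatever scale and combination rule you pick, every threat source is scored the same way, so the ranking that comes out can be defended when you explain why one threat gets resources before another.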