Risk is one of those standard terms within cybersecurity that, when asked to define, many struggle to explain what risk is and how it applies to cybersecurity. To start, we need to understand risk as it applies to security. Risk, like mathematics, is an artificial construct that humans use to understand and describe their environment.
In a fundamental sense, risk can be defined as the likelihood of an adverse or unwanted event occurring and the Impact should that event be realized. A simple calculation to express risk is that risk is the function (f) of the likelihood as expressed as a probability (P) and the Impact should the event occur. Often expressed in monetary terms. (I). The calculation appears as R=f(PI). (Quantifying CyberRisk- Solving the riddle | AT&T Cybersecurity (att.com)
Consider a house that is worth $100,000. Suppose that an insurance agency calculates a 1% likelihood of the house burning to the ground each year, resulting in a total loss of the house. The Annualized Loss Expectancy (ALE) can be calculated as R=f(PI) or R = f(.01 • $100,000) or $1,000 per year. The insurance company would then calculate the premium based on the ALE and add a margin.
In much the same way, risk can be used within the safety and all security domains to identify the most significant risks to address in a prioritized fashion. Using another simple example, consider two examples. According to NASA, people are struck by meteorites approximately every nine years on Earth. There are at least seven recorded fatalities from people being struck by meteorites. (Death From Above: Seven Unlucky Tales of People Killed by Meteorites | Discover Magazine)
While being struck by a meteorite is certainly not a fun thing to consider, compare that to the number of car accidents that result in fatality in a given year. According to the National Safety Council, there are approximately 35,000 deaths annually caused by automobile accidents and over 2 million accidents annually. ( NSC Statement on NHTSA Motor Vehicle Fatality Estimates for 2019 - National Safety Council).
Suppose you leave your house and are only allowed to consider a single control to manage risk. You can buy a Titanium helmet to reduce the risk of a meteorite strike or buckle your seatbelt when you get into your car. Which of the controls is most likely going to mitigate the most significant amount of risk? The risk of being struck by a meteorite is infinitesimally small, whereas the likelihood of being in a car accident is much greater. In this scenario, wearing the seatbelt and forgoing meteorite protection would be wise.
In much the same way, risk analysis can help companies prioritize and mitigate their cyber risk effectively and efficiently. All companies face infinite risks, from meteorites (as demonstrated), hackers, and malicious insiders to natural events such as floods. All organizations have finite budgets and resources to address infinite risks. The question becomes: “how does a company most effectively allocate those resources to address the greatest risks?”
By applying a risk-based approach, organizations can quickly identify and prioritize their risks based on a number of factors. While not a complete listing, aspects such as the type of data being protected (intellectual property, PII, NPI, etc.), the industry in which the organization works (national defense, retail, manufacturing, etc.), and the types of technologies employed all play a factor in identifying the risk profile and strategies to reduce the identified risks to an acceptable level.
Many companies have chosen to use cyber insurance as their primary source of risk mitigation. This is a flawed approach. There are four different means of risk mitigation. Each should be considered for a comprehensive risk management strategy. They include 1) Risk Reduction/Control (by implementing controls as discussed), 2) Risk Transference (such as with cyber insurance) 3) Risk Acceptance (accepting the de minimus risk that is not worth addressing) 4) Risk Avoidance (avoid the risk by not engaging in the business or actions that expose one to risk).
While each of the strategies above has value, choosing one without considering the others does not allow for a comprehensive risk management strategy. By applying a risk-based approach to security, companies can most efficiently and effectively address risks and threats cost-effectively.