In cyber security, risk is the potential for a threat to exploit a vulnerability and cause harm. It is usually expressed as a combination of likelihood (how probable an adverse event is) and impact (how bad the consequences would be if it occurred). Risk is the language used to prioritise security investment, because finite resources cannot eliminate every weakness in a complex environment.
Threat, vulnerability, asset
A useful working model: a threat is a potential attacker or adverse event; a vulnerability is a weakness the threat could exploit; an asset is the thing of value at risk. Risk exists only where all three are present. A vulnerability with no threat that can reach it (because the system is isolated) is not a meaningful risk. A threat with no vulnerability (because the relevant control is sound) is not a meaningful risk either.
Measuring risk
Qualitative scales (Low, Medium, High, Critical) are common because they are easy to communicate and to aggregate. Quantitative methods (Annual Loss Expectancy, Monte Carlo simulation, the FAIR model) attempt to express risk in financial terms, which is more useful when comparing security spend against other investment. The right approach depends on the maturity of the organisation and the audience.
Risk treatment
Once measured, every identified risk receives a treatment decision. Mitigate: implement controls to reduce likelihood or impact. Transfer: shift the consequence to a third party (most commonly cyber insurance, but also contractual arrangements with suppliers). Accept: document the risk and live with it, usually with executive sign-off. Avoid: change the activity so the risk no longer applies (decommissioning the service, removing the data, moving the function out of scope).
Risk and penetration testing
A penetration test surfaces vulnerabilities and demonstrates exploit paths, but a finding is only as serious as its real risk. A CVSS 9.8 critical on a system that holds no sensitive data and is not reachable from any untrusted network is a lower business priority than a CVSS 6 medium on the public-facing application that processes customer payments. Mature reporting frames findings in terms of asset value and business impact, not just technical severity.
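The ranking argument above, and the likelihood-times-impact view from the measuring section, as an added worked example (not code from the original article). The exposure multipliers, asset values and the two findings are constructed assumptions; the CVSS v3 qualitative bands are the standard ones.

```python
# Added example: rank penetration-test findings by business risk
# (likelihood x impact) rather than by raw CVSS severity.
from dataclasses import dataclass

# Constructed assumption: likelihood multiplier for how reachable a system is.
EXPOSURE = {"internet": 1.0, "internal": 0.3, "isolated": 0.05}


@dataclass(frozen=True)
class Finding:
    title: str
    cvss: float         # CVSS base score, 0.0 to 10.0
    exposure: str       # one of the EXPOSURE keys
    asset_value: float  # estimated loss (GBP) if the asset is fully compromised


def cvss_rating(score: float) -> str:
    """Map a CVSS v3 base score to its standard qualitative rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def likelihood(f: Finding) -> float:
    """Technical exploitability (CVSS/10) scaled by how reachable the asset is."""
    return (f.cvss / 10.0) * EXPOSURE[f.exposure]


def expected_loss(f: Finding) -> float:
    """Simplified annual loss expectancy: likelihood x impact (asset value)."""
    return likelihood(f) * f.asset_value


def rank_findings(findings):
    """Highest business risk first; sorting by CVSS alone gives the reverse order."""
    return sorted(findings, key=expected_loss, reverse=True)


# Constructed sample findings mirroring the two cases described in the text.
FINDINGS = [
    Finding("RCE on isolated build server, no sensitive data", 9.8, "isolated", 20_000),
    Finding("Auth bypass on public payments application", 6.0, "internet", 2_000_000),
]

if __name__ == "__main__":
    for f in rank_findings(FINDINGS):
        print(f"{cvss_rating(f.cvss):8} CVSS {f.cvss:4}  GBP {expected_loss(f):>12,.0f}  {f.title}")
```

The medium-severity payments finding comes out roughly three orders of magnitude above the critical one, which is the point the report should lead with.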
Frameworks
ISO 27005, NIST SP 800-30, and the FAIR model are the most widely used risk frameworks. UK organisations also align with the NCSC Cyber Assessment Framework and the relevant sector regulators (FCA, ICO, PRA).
Related terms
See also: vulnerability, vulnerability assessment, and penetration testing.