Introduction to risk management

You can define risk in general terms as 'the possibility of loss or damage'.

In a cyber security context, risk is defined as 'the possibility of loss or damage related to the technical infrastructure, the use of technology or the reputation of an organisation.'

For example, if a business has a hardware failure, this could cause loss of data and damage to the business through loss of service delivery or brand damage.

You can use the following equation to classify the risk:

Risk = Likelihood (probability) x Impact (consequence)

The assessment of risk for any particular threat is considered to be a function of the impact and the likelihood that the threat occurs.

Risks should not be considered in isolation from everything else going on around them. Sometimes you'll see side effects of one risk that cause other risks to increase.

Figure 1: The risk equation (Risk = Likelihood x Impact)

So, we can see from the equation that the character of a risk varies according to the relative weight of its likelihood and impact elements.

For example, a risk may have a high likelihood but a low impact, so even though its probability is high, the damage or loss that might result is small. On the other hand, a risk with a low likelihood but a high impact occurs more rarely but would cause much greater loss or damage. Now, let us look at the elements of risk which relate to Internet security management.

Consider the following scenario. A system has a vulnerability where it does not enforce a password policy. Users can select any password length and complexity, and because of this, the passwords typically selected are weak and easily cracked. Alice has selected a weak password. Hacker Bob knows about the vulnerability and decides to break into Alice's account. Since Alice works in the HR department, Bob can now look at the HR records of other employees in the company, while the audit trail attributes the activity to Alice's account.

Assessing the risk, you would classify both the likelihood and impact as high. As a result, the risk is high. Furthermore, since Alice works in the HR team, they also have responsibility for creating new computer accounts. By breaking into Alice’s account, Hacker Bob can now create any number of bogus accounts on the system, which in itself is a high risk to the organisation.

As you can see from this example, a single vulnerability can result in multiple risks.
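As an added example (not part of the course material), the scenario above written up as a small risk register in Python. The five-point scales and the rating thresholds are assumptions; the point it shows is that the second risk, rated in isolation, is only medium, but once the risk that enables it rates high its likelihood rises and it becomes high too, which is the side effect the text warns about.

```python
from dataclasses import dataclass
from typing import Optional

# Five-point ordinal scales for likelihood and impact (assumed convention).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    description: str
    likelihood: str                        # likelihood when rated in isolation
    impact: str
    enabled_by: Optional[str] = None       # description of a risk whose realisation raises this one
    likelihood_if_enabled: Optional[str] = None


def score(likelihood: str, impact: str) -> int:
    """Risk = Likelihood x Impact on the ordinal scales above (1..25)."""
    return LEVELS[likelihood] * LEVELS[impact]


def rating(value: int) -> str:
    # Thresholds assumed for a 5x5 matrix; tune them to the organisation's appetite.
    if value >= 15:
        return "HIGH"
    if value >= 8:
        return "MEDIUM"
    return "LOW"


def assess(risks: list) -> list:
    """Rate every risk arising from one vulnerability, highest score first.

    A risk enabled by another risk that itself rates HIGH is scored with its
    elevated likelihood, so side effects are not lost by rating in isolation.
    """
    isolated = {r.description: score(r.likelihood, r.impact) for r in risks}
    rows = []
    for r in risks:
        likelihood = r.likelihood
        if r.enabled_by and r.likelihood_if_enabled and rating(isolated[r.enabled_by]) == "HIGH":
            likelihood = r.likelihood_if_enabled
        value = score(likelihood, r.impact)
        rows.append((r.description, value, rating(value)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register for the page's scenario: one vulnerability, two risks.
READ_HR_RECORDS = "Attacker logs in as Alice and reads other employees' HR records"
WEAK_PASSWORD_POLICY = [
    Risk(READ_HR_RECORDS, likelihood="high", impact="high"),
    Risk("Attacker uses Alice's HR privileges to create bogus accounts",
         likelihood="low", impact="very high",
         enabled_by=READ_HR_RECORDS, likelihood_if_enabled="high"),
]

if __name__ == "__main__":
    for description, value, label in assess(WEAK_PASSWORD_POLICY):
        print(f"{label:6} {value:2}  {description}")
```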

What’s next?

Now you will look at the key terms of cyber risk.

In this course, you'll be looking at numerous aspects of the risk matrix, including the risks and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM) and security risk, and you'll see how you can use open-source intelligence (OSINT) and dark web threat intelligence to help you establish, improve and refine your risk treatment. All of this ensures that your organisation is protected from, and alert to, the constantly evolving range of information security threats.

However, before you go on to threat management, let's first review risk and see how it relates to cyber security.
