What is a “Risk”?

Cybersecurity risk as visualized by ChatGPT

What is a risk? To put it simply – a risk is the potential for a problem. It seems too simple, doesn’t it? Luckily, this is one of those terms in cybersecurity that can be taken at face value. A risk is just the chance that something bad can happen.

If we are going for the technical definition of risk: “Cybersecurity risk refers to the potential for exposure or loss resulting from a cyber attack or data breach on an organization’s information systems.”

When you are just starting to learn cybersecurity – the simple definition is all you really need at first. As you move on in your career, how you think about risk will change.

The simple stuff:

A risk can come from a number of different things:

  • A weak password
  • Clicking on a link from an unknown sender
  • Writing your passwords on a post-it note on your desk
  • Not updating your computer

Each of these gives an attacker a means to gain an advantage or a foothold in a system. Strictly speaking, the items above are weaknesses (or risky habits) and the risk is the chance that someone takes advantage of them, but at this stage it is fine to treat the two as the same thing.

Understanding risk means being aware of these items, their potential for misuse, and how to mitigate – or lessen – the likelihood of that risk being realized.

For example – using the password “password” would be considered a risk as it is easy to guess. However, using a complex password like “$vhi*RUGH98650q” is still a risk if you use the same password everywhere. In this case the password is harder to guess, but once it is discovered (for example, when one site you used it on is breached) it can be tried anywhere else you have an account.

Similarly – updates (or the failure to install them) can be viewed as a risk. Security updates are provided by software developers to patch known issues in their software. Once a working attack against a piece of software becomes public it is easy to replicate, and attackers will often try it against as many systems as they can in the hope of finding an unpatched computer.

A risk is simply the potential for a problem to arise due to an oversight, misconfiguration, or defect in the tools and software you use every day.


The more advanced stuff:

When you are first starting out in cybersecurity – the simple explanation is enough to understand the concept. However, as I mentioned above – as you move further in your career you will change how you think about risk. Sadly, in cybersecurity virtually everything we do exposes us to risk. This means that we need a better understanding of what a risk means to us.

One general concept is that Risk = Threat x Vulnerability. In other words, a risk is only present if there is a weakness and a threat that might act on it. (Many frameworks add Impact as a third factor, which is what the quantified approach further down uses.) Working through this is typically called risk analysis, and it helps cybersecurity professionals prioritize risks.

For example: a new ransomware strain targets computers running Windows 10. If all of your computers are running Windows 11 – that particular ransomware poses no risk to your organization (the threat exists, but the vulnerability does not). However, if you have 100 computers and 10 of them are running Windows 10 – you have a LOW amount of risk overall, but a HIGH amount of risk for those 10 machines.

There is also a concept of quantified risk. This is when we take a vulnerability, assess the chance of action against it (the threat), and calculate the cost to the business if that threat is realized. Quantifying the risk helps us decide whether we should take extra measures to prevent it or just accept that it might happen. The act of attempting to resolve a risk is called mitigation. Taking no action is risk acceptance, and it means that either the likelihood of loss, or the cost of recovering from the loss, is low enough that it does not warrant action.

Here is an example of quantified risk and how it helps us:

  • Ransomware example: Continuing the example from above – we have 10 machines out of 100 that are exposed to a new ransomware strain. These computers hold patient data, which is federally protected.
    • If these machines are lost to ransomware – the business will potentially lose sensitive data, which will result in a fine of $500,000. We know that this ransomware attack is 100% effective if targeted.
      • This means the minimum cost of this risk is $500,000, and it has a HIGH chance of occurring.
      • The cost of replacing these 10 machines is $8,000, and doing so removes the risk entirely. This makes mitigating the risk a high priority: minimal effort and minimal cost completely resolves a high level of risk.
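The arithmetic in the example above, written out as a small risk register, is an added example and not part of the original article. The ransomware entry uses the article’s figures; the other two entries, their likelihood values, and the `mitigation_effectiveness` field (for controls that only reduce a loss rather than remove it) are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float                 # chance the threat is realized in the period, 0.0 to 1.0
    impact: float                     # cost to the business if it is realized, in dollars
    mitigation_cost: float            # what it costs to act on the risk
    mitigation_effectiveness: float = 1.0  # fraction of the loss the action removes (assumed field)

    def expected_loss(self) -> float:
        """Likelihood x impact: the loss we should plan for if we do nothing."""
        return self.likelihood * self.impact

    def residual_loss(self) -> float:
        """Expected loss that remains after the mitigation is applied."""
        return self.expected_loss() * (1.0 - self.mitigation_effectiveness)

    def decision(self) -> str:
        """Mitigate when the loss avoided is worth more than the action costs, else accept."""
        avoided = self.expected_loss() - self.residual_loss()
        return "mitigate" if avoided > self.mitigation_cost else "accept"


def prioritize(risks):
    """Rank risks by expected loss, highest first, with the recommended action for each."""
    ranked = sorted(risks, key=lambda r: r.expected_loss(), reverse=True)
    return [(r.name, r.expected_loss(), r.decision()) for r in ranked]


# Constructed risk register. The ransomware entry uses the article's numbers
# (100% effective attack, $500,000 fine, $8,000 to replace the machines); the
# other two entries are made up to show when accepting a risk is the right call.
REGISTER = [
    Risk("Ransomware on 10 unpatched Windows 10 PCs", likelihood=1.0, impact=500_000, mitigation_cost=8_000),
    Risk("Lobby kiosk defacement", likelihood=0.05, impact=2_000, mitigation_cost=5_000),
    Risk("Shared-password reuse", likelihood=0.3, impact=50_000, mitigation_cost=4_000, mitigation_effectiveness=0.9),
]

if __name__ == "__main__":
    for name, loss, action in prioritize(REGISTER):
        print(f"{name:45} expected loss ${loss:>12,.0f}  -> {action}")
```

The kiosk entry is the point of the exercise: a control that costs more than the loss it prevents is not worth buying, and writing the decision down as a rule keeps that judgment consistent across a register instead of being argued case by case.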

Using similar logic – we are able to calculate risk scores in other areas. For example, the US government sponsors the National Vulnerability Database (NVD). This is a collection of known, publicly disclosed software vulnerabilities, each with a calculated severity (a CVSS score). This severity lets us understand a number of things, such as how easily a vulnerability can be exploited and how much impact it can have on a system if the exploit succeeds. While this severity is not a “risk” score itself – it helps us assess risk more quickly and decide how it should be handled.

For example: if a new vulnerability is announced for Google Chrome with a critical severity score of 10 – this means very bad things can happen. If that vulnerability is present on 80 out of your 100 systems – it makes sense to update those systems as soon as possible. This is because the cost to the business of recovering those computers is HIGH, while the cost of running an update is typically only a day or so of delay on other projects while you test the patch.

What is a risk? It’s simply the potential for a problem. How we handle that risk will depend on how likely it is that a loss from it becomes a reality. In cybersecurity it is important to remember that we are not here to be blockers of the business, but to help the business find a way to mitigate that risk.
