Codecademy Logo

Cybersecurity Risk Management and Analysis

Cyber Risk

Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems.

These risks pose potential adverse impacts to organizational operations and assets. They can cause financial, legal, and reputational harm.


In Cybersecurity, a threat can be defined as any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.

Cyber threats can come in many different forms. Some of the more common threats include:

  • Ransomware
  • Phishing attacks
  • Malware
  • Denial of service (DoS) attacks


A cybersecurity vulnerability is any weakness within an organization’s information systems that can be exploited. Vulnerabilities are extremely important to monitor because any gap can lead to a breach!

Vulnerabilities differ from threats in that vulnerabilities are usually there from the very beginning. Very rarely are vulnerabilities created as a result of actions taken by cyber criminals.

Types of Risk

Cybersecurity risk types can include:

  • Viruses
  • Malicious hackers
  • Disgruntled employees
  • User errors
  • Physical damage
  • Personnel privilege abuse
  • Loss of data
  • IP theft
  • Changes or compromises to data classification or security policies
  • Intentional attacks

Cybersecurity Controls

Controls exist to mitigate or reduce risk. There are different types of controls:

  • Physical
  • Technical
  • Administrative

They include any type of policy, procedure, action or device designed to help accomplish that goal. Firewalls, surveillance systems, and antivirus software are common examples of controls.

Risk management

Cyber risk management is an ongoing process of identifying, analyzing, and remediating your organization’s cybersecurity threats.

Some of the key components include:

  • Development of policies and procedures
  • Identification of emerging risks
  • Testing of the overall security posture
  • Documentation of vendor risk management.

Business Risk Types

Risks to an IT infrastructure are NOT always IT-based.

Human-made and natural disasters can have far reaching consequences for an organization’s IT assets. Systems, servers, and applications can be disrupted if the event is severe enough. Therefore, it’s important to factor these types of risks into any risk assessment.

These types of risk can include:

  • Natural disasters
  • Physical security breaches
  • Physical theft
  • Equipment failure
  • Government
  • Political or military intrusions or restrictions

Cybersecurity Risk Assessment Methodologies

Two important risk assessment methodologies in Cybersecurity are:

  • Qualitative Analysis
  • Quantitative Analysis
An image showing two pieces of paper. The one titled "Quantitative" shows graphs while the one titled "Qualitative" has a checklist where someone must rate different risk as a Low, Medium, or High risk.

Qualitative Risk Assessment

In Cybersecurity, qualitative risk assessment is more scenario-based. Rather than assigning numbers and dollar figures, risks are ranked on a scale to evaluate their overall effect.

An example of qualitative risk assessment might be conducting a maturity assessment mapped to the NIST framework.

Quantitative Risk Assessment

In Cybersecurity, quantitative risk assessment generates concrete probabilities of risk. Essentially, it assigns a quantity to a risk.

Typically, the end report has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.

Annual Loss Expectancy (ALO)

The Annual Loss Expectancy (ALE) is the possible yearly cost of all instances of a specific threat against an asset.

It is calculated using the following formula:

ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

Single Loss Expectancy (SLE)

Single Loss Expectancy (SLE) refers to the expected monetary loss each time an asset is at risk. It’s commonly used during risk assessments and aims to put a monetary value on each threat.

It can be calculated as:

SLE = Asset Value (AV) * Exposure Factor (EF)

Annualized Rate of Occurrence (ARO)

The Annualized Rate of Occurrence (ARO) is the expected frequency with which a specific threat or risk will occur. ARO calculation is also known as probability determination.

Calculating the ARO can be tricky! It can be derived from historical records, statistical analysis, or guesswork.

Asset Value (AV)

The Asset Value (AV) is the total value of the specific asset. If your asset is a server, and the server is worth $10,000, your AV is $10,000.

Many assets are tangible items such as computers and software. Others are intangible like databases, plans, and sensitive information.

Exposure Factor (EF)

The Exposure Factor (EF) is represented as a percentage of loss if a specific asset were harmed. It is also sometimes referred to as loss potential.

The EF is usually small for assets that are replaceable, such as hardware. It can be very large for irreplaceable assets, such as product designs.

Quantitative Risk Assessment Terms

In Cybersecurity, some important terms related to quantitative risk analysis include:

  • Single Loss Expectancy (SLE)
  • Annualized Loss Expectancy (ALE)
  • Annualized Rate of Occurrence (ARO)
  • Asset Value (AV)
  • Exposure Factor (EF)

Laws and Frameworks

Some important Cybersecurity laws are:

  • GDPR
  • CCPA

Some important Cybersecurity frameworks are:

  • NIST
  • ISO

Risk Management Strategies

In Cybersecurity, some risk management strategies are:

  • Acceptance
  • Avoidance
  • Risk Transfer
  • Mitigation

Acceptance Risk Management Strategy

The Acceptance risk management strategy covers when an individual or organization is willing to accept the level of risk associated with a given activity or business objective.

Avoidance Risk Management Strategy

The Avoidance risk management strategy covers eliminating risks and hazards that can negatively affect an organization and its assets.

Transfer Risk Management Strategy

The Risk Transfer risk management strategy covers shifting of pure risk from one party to another.

Mitigation Risk Management Strategy

The Mitigation risk management strategy covers how controls and other preventive measures can reduce the level of risk facing an organization.

Third-Party Risk

Third-party risk is the potential threat presented to organizations’ employee and customer data, financial information, and operations by external vendors.

Third-Party Cyber Risk Types

In Cybersecurity, some third-party security risks are:

  • Intellectual property (IP) theft (theft of copyrighted material, trade secrets, and trademark violations)
  • Credential theft
  • Spear phishing
  • Data exfiltration
  • Network intrusion (any unauthorized activity on a network)
  • Fileless malware

Other Third-Party Risk Types

Security incidents can cause risks beyond general security and IT.

Other risks to using third-party businesses can include:

  • Operational risk
  • Legal, regulatory, and compliance risk
  • Reputational risk
  • Financial risk
  • Strategic risk

Assessing Third-Party Risk

Third-party risk can be assessed by:

  • Identifying vendors: create an inventory or central repository of all third-party vendors.
  • Determine risk levels: classify vendors based on the inherent risk they pose to the organization.
  • Develop a security scorecard: assign a risk rating (low, medium, high) to vendors based on their level of threat to the organization.
  • Train employees: make training mandatory so that employees learn to be aware of common third-party risks.

Learn More on Codecademy