Published Mar 20, 2023. Updated May 15, 2024.

Risk is the possibility that a threat will exploit a vulnerability to cause harm to an asset. Risks posed to people, processes, or technology could result in financial loss, operational disruption, or physical damage.

Types of Risk

Risk can take several forms. External cyber risks include cyber attacks, phishing, ransomware, and DDoS attacks. Internal risks can come from malicious insider threats; however, they can also result from employee negligence. Unpatched software, poor training, and misconfigured databases are all examples of how employees can mistakenly expose information.

Different Frameworks for Assessing Risk

A cybersecurity framework provides a common set of standards for organizations to assess and understand their overall security postures. Here are a few of the most common cybersecurity frameworks:

  • NIST (National Institute of Standards and Technology): This framework was established under President Obama in an effort to better define and understand cyber risk. NIST is probably the most recognizable and widely used framework for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations.
  • ISO (International Organization for Standardization) 27001 and ISO 27002: The ISO frameworks are considered the international standard for validating a cybersecurity program. The basic goal of these frameworks is to protect the confidentiality, integrity, and availability of information.
  • GDPR (The General Data Protection Regulation): GDPR is the gold standard for privacy law. It impacts all organizations that are established in the European Union as well as any US business that collects and stores private data of European Union citizens.

Calculating Risk

Risk = Threat * Vulnerability

This formula estimates risk by multiplying a vulnerability by the threat that could exploit it. Before an organization can begin mitigating risk, it must understand both its vulnerabilities and the threats against them.

Other variables not captured in this calculation, such as the likelihood of a threat occurring and its potential impact, also factor into determining risk.
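As an added example that is not part of the original page, the small risk-register calculator below applies the formula Risk = Threat * Vulnerability to a set of assets, then applies an extended score that also weighs likelihood and impact, as the preceding paragraph notes they should be. The 1-5 rating scales, the 0-1 likelihood value, the priority-band cut-offs, and the sample register entries are all constructed assumptions chosen for illustration; they are not a prescribed scoring scheme.

```python
"""Risk-register calculator (added example, not from the original page).

Applies the page's formula, Risk = Threat * Vulnerability, and an extended
form that also folds in likelihood and impact. The rating scales, priority
bands and sample entries below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class RiskEntry:
    asset: str
    threat: int         # assumed 1-5 scale: capability/motivation of the threat
    vulnerability: int  # assumed 1-5 scale: how exposed the asset is
    likelihood: float   # assumed 0.0-1.0: probability the threat materialises
    impact: int         # assumed 1-5 scale: harm to the asset if it does

    def __post_init__(self):
        # Reject out-of-range ratings so a typo cannot silently skew the ranking.
        for name in ("threat", "vulnerability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be 0-1, got {self.likelihood}")


BASIC_MAX = 25       # 5 * 5 on the assumed scales
EXTENDED_MAX = 125   # 5 * 5 * 1.0 * 5 on the assumed scales


def basic_risk(entry: RiskEntry) -> int:
    """The page's formula: Risk = Threat * Vulnerability (1-25 here)."""
    return entry.threat * entry.vulnerability


def extended_risk(entry: RiskEntry) -> float:
    """Basic score further weighted by likelihood and impact (0-125 here)."""
    return basic_risk(entry) * entry.likelihood * entry.impact


def priority_band(score: float, max_score: float) -> str:
    """Map a score to a band relative to the scale maximum (assumed cut-offs)."""
    ratio = score / max_score
    if ratio >= 0.4:
        return "HIGH"
    if ratio >= 0.15:
        return "MEDIUM"
    return "LOW"


def rank_register(entries, scorer=extended_risk):
    """Return (asset, score) pairs sorted from highest risk to lowest."""
    scored = [(entry.asset, scorer(entry)) for entry in entries]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register: illustrative values, not real assets or measurements.
SAMPLE_REGISTER = [
    RiskEntry("customer database", threat=5, vulnerability=4, likelihood=0.6, impact=5),
    RiskEntry("public website", threat=4, vulnerability=4, likelihood=0.9, impact=2),
    RiskEntry("internal wiki", threat=2, vulnerability=3, likelihood=0.3, impact=2),
    RiskEntry("unpatched file server", threat=3, vulnerability=5, likelihood=0.5, impact=4),
]

if __name__ == "__main__":
    # Compare the two rankings: likelihood and impact move the file server
    # above the website even though the website scores higher on the basic formula.
    print("basic    :", rank_register(SAMPLE_REGISTER, scorer=basic_risk))
    print("extended :", rank_register(SAMPLE_REGISTER))
    for asset, score in rank_register(SAMPLE_REGISTER):
        print(f"{asset:24s} {score:6.1f} {priority_band(score, EXTENDED_MAX)}")
```

Running the script shows why the page's closing caveat matters: on the basic formula the public website (16) outranks the unpatched file server (15), but once likelihood and impact are weighed in the file server (30.0) moves ahead of the website (28.8), so the two views of the same register would lead to different remediation priorities.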
