Risk
Risk is the possibility that a threat will exploit a vulnerability to cause harm to an asset. Risks posed to people, processes, or technology could result in financial loss, operational disruption, or physical damage.
Types of Risk
Risk can take several forms. External cyber risks include cyber attacks, phishing, ransomware, and DDoS attacks. Internal risks can come from malicious insider threats, but they can also result from employee negligence. Unpatched software, poor training, and misconfigured databases are all examples of how employees can mistakenly expose information.
Different Frameworks for Assessing Risk
A cybersecurity framework provides a common set of standards for organizations to assess and understand their overall security postures. Here are a few of the most common cybersecurity frameworks:
- NIST (National Institute of Standards and Technology): This was established by President Obama in an effort to better define and understand cyber risk. NIST is probably the most recognizable and widely used framework for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations.
- ISO (International Organization for Standardization) 27001 and ISO 27002: The ISO frameworks are considered the international standard for validating a cybersecurity program. The basic goal of these frameworks is to protect the confidentiality, integrity, and availability of information.
- GDPR (The General Data Protection Regulation): GDPR is the gold standard for privacy law. It impacts all organizations that are established in the European Union as well as any US business that collects and stores private data of European Union citizens.
Calculating Risk
Risk = Threat * Vulnerability
This calculation states that the rating of a single vulnerability, multiplied by the rating of the threat that could exploit it, gives an estimate of the risk involved. For an organization to begin the process of risk mitigation, both its vulnerabilities and the threats to them need to be understood.
Other variables not captured in this calculation, such as the likelihood of a threat actually occurring and its potential impact, also factor into determining risk.
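The worked example below, added here and not part of the original page, applies the formula above to a small risk register and then extends it with the two extra factors the page mentions, likelihood and impact, so that risks can be ranked for mitigation. The 1-5 rating scale, the band thresholds, and the sample assets, threats, and ratings are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Ratings are on a 1-5 ordinal scale (1 = very low, 5 = very high). This scale is an
# assumption for the example; the page does not fix one.
SCALE_MAX = 5


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    threat_rating: int         # how capable and active the threat is
    vulnerability_rating: int  # how exposed the asset is (unpatched, misconfigured, ...)
    likelihood: int            # how probable it is that the threat actually materialises
    impact: int                # how much harm results if it does


def _check_rating(value: int, name: str) -> None:
    # Reject out-of-scale inputs instead of silently producing a misleading score.
    if not isinstance(value, int) or not 1 <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer between 1 and {SCALE_MAX}, got {value!r}")


def basic_risk(entry: RiskEntry) -> int:
    """Risk = Threat * Vulnerability, the page's formula (range 1..25 on a 1-5 scale)."""
    _check_rating(entry.threat_rating, "threat_rating")
    _check_rating(entry.vulnerability_rating, "vulnerability_rating")
    return entry.threat_rating * entry.vulnerability_rating


def extended_risk(entry: RiskEntry) -> int:
    """Basic risk scaled by likelihood and impact, the two extra factors the page mentions."""
    _check_rating(entry.likelihood, "likelihood")
    _check_rating(entry.impact, "impact")
    return basic_risk(entry) * entry.likelihood * entry.impact


def risk_band(score: int, max_score: int) -> str:
    """Map a numeric score to a qualitative band by its share of the maximum possible score."""
    ratio = score / max_score
    if ratio >= 0.6:
        return "high"
    if ratio >= 0.3:
        return "medium"
    return "low"


def assess(register: list) -> list:
    """Score every entry and return them ordered for mitigation, highest extended risk first."""
    rows = []
    for entry in register:
        basic = basic_risk(entry)
        rows.append({
            "asset": entry.asset,
            "threat": entry.threat,
            "basic": basic,
            "basic_band": risk_band(basic, SCALE_MAX ** 2),
            "extended": extended_risk(entry),
        })
    return sorted(rows, key=lambda r: r["extended"], reverse=True)


# Constructed sample register; the assets, threats and ratings are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "ransomware delivered by phishing", 5, 4, 4, 5),
    RiskEntry("public website", "DDoS attack", 4, 2, 3, 3),
    RiskEntry("HR file share", "negligent insider misconfiguration", 2, 4, 3, 4),
    RiskEntry("internal wiki", "credential theft", 3, 1, 2, 2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']:<18} {row['threat']:<36} basic={row['basic']:>2} "
              f"({row['basic_band']})  extended={row['extended']:>3}")
```

Two things the run makes visible that the formula alone does not: the public website and the HR file share tie on the basic Threat * Vulnerability score (8, medium), and only the likelihood and impact ratings separate them in the final ordering; and because the scores are products of ordinal ratings, they are only meaningful for ranking risks against each other, not as absolute measures of loss.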