Definitions

Computer security

A risk is

the expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.[1]
a combination of the likelihood that a particular vulnerability in an organization's systems will be either intentionally or unintentionally exploited by a particular threat agent and the magnitude of the potential harm to the organization's operations, assets, or personnel that could result from the loss of confidentiality, integrity, or availability.[2]
a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.[3]
[t]he level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.[4]
[the] effect of uncertainty on objectives. Note: risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.[5]

National security

A risk is

[t]he potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. Risk-based decision making is defined as the determination of a course of action predicated primarily on the assessment of risk and the expected impact of that course of action on that risk.[6]

Overview

Risk in the 21st century results from a complex mix of man-made and naturally occurring threats and hazards, including terrorist attacks, accidents, natural disasters, and other emergencies. Within this context, critical infrastructure and key resources (CIKR) may be directly exposed to such an event or indirectly exposed through the dependencies and interdependencies among CIKR.

Risk, in the context of critical infrastructure and terrorism, can be defined as the potential consequence associated with a particular kind of attack or event against a particular target, discounted by the likelihood that such an attack or event will occur (threat) and the likelihood that the target will sustain a certain degree of damage (vulnerability).

Threat includes not only the identification of specific adversaries, but also their intentions and capabilities (both current and future). Consequences include lives and property lost, short-term financial costs, longer-term economic costs, environmental costs, etc.

Given this definition, risk is not threat, nor vulnerability to a threat, nor the estimated consequences associated with a specific attack, but some integration of the three.[7]

"Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood . . . of occurrence."[8]

"Types of risk include program risk; compliance/regulatory risk; financial risk; legal risk; mission/business risk; political risk; security risk; privacy risk; project risk; reputational risk; safety risk; strategic planning risk; and supply chain risk."[9]

References

  1. Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, at 74.
  2. Federal Plan for Cyber Security and Information Assurance Research and Development, at 5.
  3. FIPS 200, adapted.
  4. NIST Special Publication 800-82, at B-7.
  5. ISO/IEC 27000:2014.
  6. Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise, Glossary, at D-5.
  7. Critical Infrastructures: Background, Policy, and Implementation.
  8. ISO/IEC 31000:2009, §2.
  9. NIST Special Publication 800-37, Rev. 2, at 1 n.6.
