What is Risk?
Risk is a critical cybersecurity concept. A risk is a vulnerability or weakness exposed to a threat, together with the consequences if that threat should be realized. Thinking about the factors that make it more or less likely helps an organization decide whether it needs to do something about it.
Let's say you have an aging power grid. That power grid is vulnerable; it has weaknesses. Now we need to think about threats. Let's think about the strong winds of a hurricane. Then we need to think about the potential consequences. What happens if the strong winds of a hurricane rip into a weak power infrastructure? Most likely the power will go out. Something else that needs to be considered is the likelihood. If I live in Florida, where hurricanes are a somewhat regular occurrence, the risk is a lot higher. If I live in upstate NY, far from the ocean, a hurricane might happen, but it is not all that likely. If I'm in Florida, I would probably update the power grid. If I'm in NY, I might put off the updates for a bit and gamble that a hurricane won't hit in that time.
What does this mean for cybersecurity? Organizations need to think about risks. They need to understand their data and information systems and what type of attacker might cause them harm. The type of data and the type of attacker make a big difference. Are you dealing with a lone person out for money? Or are you dealing with a nation-state attacker from another country? Are your data or information systems highly valuable to your organization? If something happened to them, would you be out of business? Or would it be just an inconvenience? Do you know where your weak spots are? Is it a system that has no outside access? Or is it a system exposed to the internet?
To relate it back to our power grid example: where are your systems weak, like the aging power grid? What threats are you facing, like the hurricane? Will you be out of business, the way the aging power grid would be out of power if it were hit by hurricane-force winds? Is the system exposed to the internet and likely to be attacked, like Florida is likely to get hit by a hurricane? Or is it locked away in a back room on a machine never connected to the internet, like central NY is far away from the ocean?
It's important to understand your risks and be proactive about managing them before your company is the next big cybersecurity breach headline.