The term “information security risk” alludes to the damage that a breach of, or attack on, an information technology (IT) system could cause. IT security risk can be defined in:
- Monetary terms, which measures the effects of a cybersecurity breach on organizational assets, or
- Non-monetary terms, which comprise reputational, strategic, legal, political, or other types of risk.
Although “risk” is often conflated with “threat,” the two are subtly different. “Risk” is a more conceptual term—something that may or may not happen, whereas a “threat” is concrete—an actual danger.
For instance, when we cross a busy street, we risk being hit by a car. We can manage the risk by looking both ways to ensure the way is clear before we cross. A threat occurs when a car heads our way as we cross and is in danger of striking us. Threats are more difficult to control.
The first step in IT security management is conducting a risk assessment or risk analysis of your information system. Risk assessments typically entail:
- Identifying the issues that contribute to risk, including vulnerabilities and security threats such as ransomware.
- Analyzing the significance of these issues and their possible impacts.
- Deciding how to deal with each risk, including incident response.
Information security risk management considers the likelihood that a data breach will occur and how to handle the risk of cyberattacks. The risk management process generally allows for four types of response to risk:
- Accept: Perhaps because the risk is low or the cost of managing the risk is higher than the impact of a security incident would be.
- Share: Often, by outsourcing IT functions.
- Transfer: By buying cybersecurity insurance, for example.
- Avoid: By eliminating the source or cause of the risk, for instance, by moving sensitive data away from a risky environment.
Mitigate: Usually with security controls, perhaps those outlined in a cybersecurity framework such as the National Institute for Standards and Technology’s (NIST) 800-53 publication or an enterprise risk management (ERM) or other risk mitigation software.