The term “information security risk” refers to the damage that a breach of, or attack on, an information technology (IT) system could cause. IT security risk can be defined in:

  • Monetary terms, which measure the effects of a cybersecurity breach on organizational assets, or
  • Non-monetary terms, which comprise reputational, strategic, legal, political, or other types of risk.

Although “risk” is often conflated with “threat,” the two are subtly different. “Risk” is a more conceptual term—something that may or may not happen, whereas a “threat” is concrete—an actual danger.

For instance, when we cross a busy street, we risk being hit by a car. We can manage the risk by looking both ways to ensure the way is clear before we cross. A threat occurs when a car heads our way as we cross and is about to strike us. Threats are more difficult to control.

The first step in IT security management is conducting a risk assessment or risk analysis of your information system. Risk assessments typically entail:

  • Identifying the issues that contribute to risk, including vulnerabilities and security threats such as ransomware.
  • Analyzing the significance of these issues and their possible impacts.
  • Deciding how to deal with each risk, including incident response.

Information security risk management considers the likelihood that a data breach will occur and how to handle the risk of cyberattacks. The risk management process generally allows for four types of response to risk:

  • Accept: Perhaps because the risk is low or the cost of managing the risk is higher than the impact of a security incident would be.
  • Share: Often, by outsourcing IT functions.
  • Transfer: By buying cybersecurity insurance, for example.
  • Avoid: By eliminating the source or cause of the risk, for instance, by moving sensitive data away from a risky environment.
  • Mitigate: Usually with security controls, perhaps those outlined in a cybersecurity framework such as the National Institute of Standards and Technology’s (NIST) SP 800-53 publication, or with enterprise risk management (ERM) or other risk mitigation software.
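The three assessment steps above (identify, analyze, decide) and the response types just listed, worked through as an added Python example that is not part of the original article. The 1-5 likelihood and impact scales, the rating thresholds, the decision rule and the sample risk register are all constructed assumptions for illustration; an organization would substitute its own definitions. “Share” is left out of the automatic recommendation because outsourcing is an organizational choice, not something a score can derive.

```python
from dataclasses import dataclass
from typing import Dict, List

# Qualitative 1-5 scales. Labels and numbers are constructed for this
# example (assumption); every organisation defines its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of a risk register (step 1: identify)."""
    name: str
    asset: str
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT (non-monetary severity)
    annual_loss: float = 0.0   # estimated monetary loss per year; 0.0 = not estimated
    control_cost: float = 0.0  # annual cost of the candidate mitigation; 0.0 = not costed


def score(risk: Risk) -> int:
    """Step 2 (analyze): likelihood x impact on the 1-5 scales, range 1-25."""
    if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
        raise ValueError(f"unknown scale label in risk {risk.name!r}")
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(s: int) -> str:
    """Bucket a 1-25 score. Thresholds are an assumption for the example."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def recommend(risk: Risk) -> str:
    """Step 3 (decide): pick one of accept / transfer / avoid / mitigate.

    The rule below is illustrative, not a standard.
    """
    r = rating(score(risk))
    if r == "low":
        # Cheap to live with: record it and revisit at the next review.
        return "accept"
    if r == "high" and risk.likelihood == "almost certain":
        # Nearly guaranteed to materialise: remove the source rather than
        # try to control it.
        return "avoid"
    costed = risk.annual_loss > 0 and risk.control_cost > 0
    if costed and risk.control_cost > risk.annual_loss:
        # The control costs more than the loss it prevents, which the text
        # gives as a reason to accept; for a high risk, shift the financial
        # exposure instead (e.g. insurance).
        return "accept" if r == "medium" else "transfer"
    return "mitigate"


def assess(register: List[Risk]) -> List[Dict[str, object]]:
    """Run the register through score/rating/recommend, highest score first."""
    rows = []
    for risk in register:
        s = score(risk)
        rows.append({"name": risk.name, "asset": risk.asset, "score": s,
                     "rating": rating(s), "response": recommend(risk)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", "shared drives", "likely", "major",
         annual_loss=200_000, control_cost=30_000),
    Risk("Lost laptop with unencrypted data", "staff laptops", "possible", "moderate",
         annual_loss=20_000, control_cost=5_000),
    Risk("Outdated printer firmware", "office printers", "unlikely", "minor"),
    Risk("Legacy app with no vendor patches", "billing system", "almost certain", "severe",
         annual_loss=150_000, control_cost=500_000),
    Risk("Cloud provider regional outage", "customer portal", "likely", "major",
         annual_loss=50_000, control_cost=120_000),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['rating']:<6} {row['response']:<8} {row['name']}")
```

Running the block prints the register sorted by score, so the decision in step 3 is made on the highest-rated items first. The cost comparison only applies when both the loss and the control have been estimated; uncosted risks above the “low” band default to mitigation, which is the conservative choice.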