What is Cybersecurity Risk?
Continuing from the example of losing the photos stored in a computer from my last post, we know that we are concerned about losing these precious photos. There is a chance that these photos would be lost. This "chance" is cybersecurity risk.
To be precise, it is the chance that something will cause an impact to a thing. In cybersecurity, this is usually meant in a negative sense: a chance that something will cause a negative consequence to the system or data.
Let me dissect the term cybersecurity risk a little deeper. For there to be a cybersecurity risk, you must have the following conditions:
- There must be an Event that could occur due to a cause or several causes. This event must also pertain to something that you are concerned about.
i.e. losing photo files.
- There must be a Likelihood that the event could occur. If there is no way that it could occur, then it is not a concern, right?
i.e. MTBF (mean time between failures).
- There must be a Cause for the event to occur. It is important not to mix up the cause and the event. Photo files are lost because of hardware malfunction, not the other way round. There could be multiple causes for an event to occur.
i.e. hardware malfunction.
- There must be a Consequence (or Outcome) when the event occurs. This highlights why one should be concerned about the risk. Usually, we should quantify it with some value. If we are too vague on the consequence, the reader may not feel the gravity of the risk.
i.e. 1000 photos are lost.
There is no risk if any of these conditions does not exist.
To push the idea deeper, other than hardware failure, there are other scenarios where the photos could be lost: someone or something accidentally or purposefully renders the files inaccessible, whether by deleting, corrupting or kidnapping (no kidding!) the files. Therefore, it is usual that many different events end up with the same or a similar consequence.
Let's go on to the different types of risk definitions.
What is Inherent (Current) Risk?
This is the security risk level given the current situation or scenario. Depending on where you read, it may mean either 'in the absence of controls' or 'current situation with existing controls in place'. In reality, it is more practical to see the risk with existing controls rather than in the more academic (purist) way.
For example, say you password-protect the photo files to prevent others from accessing them without your permission. One risk that one can think of is the use of a weak password that could allow someone to guess it in a very short time.
What is Secondary Risk?
This is a security risk that appears as a result of treating a security risk.
For example, say you use a password manager to help you set a strong password for the photo files. One risk that the author can think of is a weakness in the password manager allowing someone to steal the password stored in it. This risk exists because you treated a security risk, in this case the risk of a weak password, with a password manager.
What is Residual Risk?
Residual risk is the risk remaining after treating the risk. (ISO/IEC 27001:2018 Information Security Management)
For example, after using a password manager to set a strong password for the photo files and then safeguarding the password, one can think that there could be a risk of forgetting the password to the password manager. Haha...
Till then. I will find time to write more.