What Does Risk Mean?

Risk is present everywhere. People constantly make decisions that may affect them as individuals and, more broadly, their social networks and environment. The definition of risk is contested and can be expressed in various ways. One definition: risk is the possibility that events or human actions lead to consequences that affect something a person values. We speak of valued or protected things, or assets; in this context the “thing” or “asset” is not limited to something physical, nor even to data, and can be, for example, reputation. This definition allows the consequences of a realized risk to be positive as well. In business, however, risk is usually understood as the combination of adverse events and their consequences. Risk management then means systematically identifying adverse events with significant consequences and preparing for them.

Alternative definitions of the concept of risk

  • the possibility that events or human actions lead to consequences that in some way affect something that a person values
  • the combination of adverse events and their consequences

In the context of cybersecurity, people and technology are closely interconnected. When one fails to support the other, the result may be a social, economic, and technical catastrophe. When risk materializes, it affects something that is valued, and therefore the definition of value must be considered. In addition, we must consider the metrics used to measure and manage risks. Risk assessment requires three things:

  1. the impacts on the protected asset
  2. the likelihood of occurrence, and
  3. the formula that combines the two.

These form the basis of most risk assessment methods. The purpose of these methods is to give a structured way of estimating how probable undesirable consequences for protected assets are and how severe they would be, while acknowledging that events with very low probability can still occur and may have significant impacts.

Risk assessment

Risks are assessed by estimating how severely they would affect the protected asset and how likely they are to occur. The combination of these two values is the magnitude of the risk. If both are expressed numerically, the usual way to combine them is multiplication. Note that a product cannot distinguish a rare but catastrophic event from a frequent but minor one (impact 5 with likelihood 1 and impact 1 with likelihood 5 both score 5), so the low-probability, high-impact cases mentioned above need to be examined separately rather than read off the ranking alone.

A key challenge is making the assumptions about the system explicit and striking a balance between subjective judgement and objective evidence. An everyday example is given further down this page.
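The following Python script is an added illustration written for this edit; it is not part of the course material. It scores a handful of constructed risks on scales of 1 to 5 for impact and likelihood, combines them by multiplication as described above, ranks them, and lists separately the low-likelihood, high-impact items that the product alone would rank alongside routine nuisances. The risk names, scores, thresholds and the `Risk`, `rank` and `tail_risks` names are all assumptions of the example; the entries are loosely modelled on the computer-lab scenario later on this page.

```python
"""Added example (not from the course text): a small qualitative risk register.

Each risk is scored 1-5 for impact on the protected asset and 1-5 for
likelihood; the magnitude is their product. Names, scores and thresholds
below are constructed for illustration.
"""

from dataclasses import dataclass

# shared 1-5 scale used for both impact and likelihood
SCALE = {1: "very low", 2: "low", 3: "moderate", 4: "high", 5: "very high"}


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str       # the protected thing, which need not be physical
    impact: int      # 1-5, consequence to the protected asset
    likelihood: int  # 1-5, estimated probability of occurrence

    def __post_init__(self):
        # refuse scores outside the agreed scale so rankings stay comparable
        for value in (self.impact, self.likelihood):
            if value not in SCALE:
                raise ValueError(f"score {value} is outside the 1-5 scale")

    @property
    def magnitude(self) -> int:
        # the formula that combines the two: plain multiplication
        return self.impact * self.likelihood


def rank(risks):
    # highest magnitude first; ties broken by impact so that a severe
    # consequence outranks an equally scored but milder one
    return sorted(risks, key=lambda r: (r.magnitude, r.impact), reverse=True)


def tail_risks(risks, min_impact=4, max_likelihood=2):
    # low-probability, high-impact events: the product scores them like
    # frequent nuisances, so list them separately for explicit treatment
    return [r for r in risks if r.impact >= min_impact and r.likelihood <= max_likelihood]


# constructed sample register (assumed values, not measured data)
REGISTER = [
    Risk("laptop stolen from lab", "laptop and unsaved work", impact=4, likelihood=1),
    Risk("answers copied from screen", "academic integrity", impact=2, likelihood=2),
    Risk("laptop stolen in public cafe", "laptop and unsaved work", impact=4, likelihood=3),
    Risk("coffee spilled on keyboard", "laptop", impact=3, likelihood=2),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.magnitude:2d}  {r.name}  "
              f"(impact {SCALE[r.impact]}, likelihood {SCALE[r.likelihood]})")
    print("tail risks needing explicit treatment:",
          [r.name for r in tail_risks(REGISTER)])
```

Running the script ranks the café theft (12) first and the lab theft and answer-copying jointly at 4; only the tie-break on impact separates the two, which is exactly the blind spot of a bare product, and the lab theft is therefore also surfaced by `tail_risks` for a separate decision.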

Risk management

Risk management means the systematic determination of adverse events with significant consequences and preparedness for them.

Risk assessment can be viewed as a separate phase preceding risk management, in which case risk management is limited to developing, weighing, and selecting options for handling risks. Usually, and in this material, risk management is taken to include risk assessment, since the two activities are also carried out side by side. Moreover, the treatment of a given risk can change over time: a risk that at one point is merely tolerated, accepted, or rejected (i.e., nothing is done about it) may at another point be handled actively, for example by selecting a mitigation measure once funding for it has been obtained.

Terminology is further complicated by the common use of the term risk analysis, which covers identifying risks, assessing them, and reviewing the options for treating them. In that usage, risk management consists of risk analysis plus the selection of measures.

Risk governance is the overarching concept that covers all of the above. It can be defined as the ongoing processes and principles that promote awareness, a sense of responsibility, and accountability for the risks associated with a specific situation. Risk governance attends to joint decision-making and also takes legal, social, organizational, and economic conditions into account.

Everyday Risk Management

Teemu Teekkari is in a university computer lab working on course assignments with his laptop. Suddenly he is struck by a huge craving for coffee, and now Teemu must decide what to do with his laptop while he goes to get some. He estimates the greatest risk to be that his laptop might be stolen. However, Teemu remembers that access to the computer labs requires an access card, so outsiders should not be in the room, and he also has great trust in his fellow students. Thus, he considers the probability of this risk low. Teemu therefore decides not to use any additional risk management measures beyond accepting the risk and leaving his laptop where it is for those few minutes.

Teemu also notices another risk: someone might be tempted to cheat by copying his answers. Although he considers the probability of this risk low as well, the measure that mitigates it costs him almost nothing. So, to prevent copying, he locks his screen while he goes to get coffee.

Teemu could afford to act this way in the computer lab, but in a public café the situation might well be different if he had to leave his expensive laptop unattended while, for example, going to the restroom. What would you do?

Answer the questions.

  1. Which of the two is this an example of: “Hipster Inc. decides to invest in a network traffic monitoring system.”?
  2. Which of the two is this an example of: “Hipster Inc. plans to reduce the risk of social engineering either by training staff or by reminding them of the possibility of attack with posters and emails. The company considers the first option more effective but more expensive. The second option is thought to have possible drawbacks due to increased email volume.”?
  3. Which of the two is this an example of: “Hipster Inc. estimates that its new blockchain application’s implementation technique faces a moderate threat of espionage.”?
  4. What is a risk management system?