There are many potential definitions of risk—some general and others more technical. Additionally, it is important to distinguish between a risk and a threat. Although many people use the words threat and risk synonymously, they have two very different meanings. As with any key concept, there is some variation in definition from one organization to another. For the purposes of this guide, we will define terms as follows:
Risk: The combination of the probability of an event and its consequence. Risk is mitigated through the use of controls or safeguards.
Threat: Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.
Asset: Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Although much of cybersecurity is focused on the design, implementation and management of controls to mitigate risk, it is critical for security practitioners to understand that risk can never be completely eliminated. Beyond the general definition of risk provided above, there are other, more specific types of risk that apply to cybersecurity.
Residual risk: Even after safeguards are in place, there will always be residual risk, defined as the remaining risk after management has implemented a risk response.
Inherent risk: The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls).