A quick look at key concepts and standards in cybersecurity risk management

By Nick Sanna

In today’s digital economy, organizations are increasingly exposed to cyber risks that can disrupt operations, compromise sensitive data, and cause financial and reputational harm. But what exactly is cyber risk? To answer this, let’s start by understanding risk in general and how different frameworks define it before diving into the specifics of cyber risk and how it is measured.

What Is Risk?

Risk is the potential for loss, harm, or adverse consequences resulting from an uncertain event. It is typically represented as a combination of the likelihood of an event occurring and the impact it would have. In essence, risk is about uncertainty and its probable effects on objectives.

What Is Not Risk?

Not everything that seems uncertain or dangerous is a risk. For instance, uncertainty without potential consequences is not a risk. Similarly, vulnerabilities or threats alone do not constitute risk; they must be paired with a likelihood of exploitation and an impact to create a risk scenario. For example, a vulnerability in a system that has no exposure to threats (e.g., an air-gapped system) does not pose a risk.

What Is Risk According to Standards Like FAIR, ISO 31000, and NIST RMF?

Different standards define risk in nuanced ways:

  • FAIR (Factor Analysis of Information Risk): Defines risk as the probable frequency and magnitude of future loss events. It focuses on quantitative analysis.
  • ISO 31000: Defines risk as the effect of uncertainty on objectives, emphasizing a structured risk management approach that includes identifying, assessing, and treating risk.
  • NIST RMF (Risk Management Framework): Aligns with broader cybersecurity risk management by defining risk as a function of threats, vulnerabilities, likelihood, and impact.

These standards are complementary: organizations can enrich the risk management processes described by ISO 31000 or NIST RMF with accurate risk descriptions and measurements from a risk analysis standard such as FAIR.

What Is Cyber Risk?

Cyber risk refers to the potential for loss or harm resulting from cyber threats exploiting vulnerabilities in an organization’s digital assets. This can include data breaches, ransomware attacks, insider threats, and operational disruptions. Cyber risk encompasses:

  • Financial loss from cyber incidents
  • Data loss or theft
  • Reputational damage
  • Regulatory and legal consequences
  • Operational disruptions due to cyberattacks

Cyber Risk vs. Technology Risk vs. Information Risk

  • Cyber Risk: Specifically pertains to risks arising from cyber threats targeting digital assets and networks.
  • Technology Risk: A broader category that includes risks associated with IT systems, software failures, hardware malfunctions, and obsolescence. Sometimes, cyber risk and technology risk are used interchangeably. 
  • Information Risk: Encompasses risks related to the confidentiality, integrity, and availability of information, whether in digital or non-digital form.

How Do You Measure Cyber Risk?

Measuring cyber risk involves assessing both the likelihood and impact of cyber events. This can be done using:

  1. Risk Matrices: Assigning qualitative values (e.g., low, medium, high) to likelihood and impact. 
  2. Quantitative Methods: Using financial loss metrics, historical and real-time threat and controls data, and statistical models to estimate potential losses. 

Qualitative vs. Quantitative Assessment of Cyber Risk

  • Qualitative Risk Assessment: Uses descriptive analysis to assess cyber risks, often through risk matrices and expert judgment. Qualitative risk matrices can be subjective, inconsistent, and prone to misinterpretation, leading to imprecise risk prioritization and ineffective decision-making.
  • Quantitative Risk Assessment: Uses numerical values, financial modeling, and probabilistic analysis to calculate expected losses. Quantitative analyses, especially when supported by actual threat and control data (rather than expert judgment alone), better support risk-informed decision making. The FAIR Framework for Cyber Risk Management is a leading framework for this approach, providing a structured and automated way to quantify cyber risk.

While risk matrices are an ineffective tool to analyze risk, they can be effective in simplifying the representation of risk to business stakeholders and can support decision-making, as long as they are based on sound quantitative risk analysis. 
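The following Python program is an added illustration of the quantitative method described above; it is not code from the author, from SAFE, or from the FAIR standard itself. It models risk the way FAIR defines it (probable frequency of loss events combined with their magnitude), runs a Monte Carlo simulation over calibrated minimum/most-likely/maximum ranges, and only then derives a likelihood/impact matrix cell from the quantified results, which is the order of operations the paragraph above recommends. The scenario names, ranges, band thresholds, and the choice of a triangular distribution are all constructed assumptions for the example, not measured data.

```python
"""Monte Carlo estimate of cyber loss exposure in the FAIR style.

Added illustration, not code from the author or from SAFE. Risk is modelled
the way FAIR defines it: probable frequency of loss events combined with
their magnitude. Every range below is a constructed, hypothetical estimate.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Calibrated (minimum, most likely, maximum) estimate for an uncertain input."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a simple stand-in for the PERT-style
        # distributions FAIR tooling typically uses (an assumption of this example).
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Range  # threat events (attempts) per year
    vulnerability: Range           # probability an attempt becomes a loss event
    loss_magnitude: Range          # loss per event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count with mean `lam` (Knuth's multiplication method)."""
    threshold, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 1):
    """Simulate `years` independent years; return (events per year, loss per year)."""
    rng = random.Random(seed)
    event_counts, annual_losses = [], []
    for _ in range(years):
        # Loss event frequency = threat event frequency x vulnerability.
        # A threat with no vulnerability (or vice versa) yields no loss events.
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        loss = sum(scenario.loss_magnitude.sample(rng) for _ in range(events))
        event_counts.append(events)
        annual_losses.append(loss)
    return event_counts, annual_losses


def summarize(event_counts, annual_losses) -> dict:
    """Reduce the simulation to the figures a decision-maker asks for."""
    ordered = sorted(annual_losses)
    n = len(ordered)
    total_events = sum(event_counts)
    return {
        "loss_event_frequency": total_events / n,
        "mean_loss_per_event": sum(annual_losses) / total_events if total_events else 0.0,
        "expected_annual_loss": sum(annual_losses) / n,
        "p90_annual_loss": ordered[int(0.90 * n)],
        "p99_annual_loss": ordered[int(0.99 * n)],
    }


# Matrix bands applied to the quantified results, not to gut feeling.
# Thresholds are constructed for this example: (upper bound, label); above the last -> "High".
LIKELIHOOD_BANDS = [(1.0, "Low"), (10.0, "Medium")]           # loss events per year
IMPACT_BANDS = [(100_000.0, "Low"), (1_000_000.0, "Medium")]  # loss per event


def band(value: float, bands, top: str = "High") -> str:
    for upper, label in bands:
        if value < upper:
            return label
    return top


def matrix_cell(summary: dict) -> tuple:
    """Map quantified frequency and magnitude onto a (likelihood, impact) cell."""
    return (band(summary["loss_event_frequency"], LIKELIHOOD_BANDS),
            band(summary["mean_loss_per_event"], IMPACT_BANDS))


# Two constructed scenarios (hypothetical estimates, not measured data).
PHISHING = Scenario("Phishing-led credential theft",
                    Range(20, 50, 100), Range(0.02, 0.05, 0.10), Range(5_000, 20_000, 100_000))
RANSOMWARE = Scenario("Ransomware on a file server",
                      Range(1, 3, 6), Range(0.10, 0.30, 0.60), Range(100_000, 500_000, 3_000_000))

if __name__ == "__main__":
    for scenario in (PHISHING, RANSOMWARE):
        summary = summarize(*simulate(scenario))
        print(f"{scenario.name}: EAL={summary['expected_annual_loss']:,.0f} "
              f"P90={summary['p90_annual_loss']:,.0f} cell={matrix_cell(summary)}")
```

Running it shows why the text treats matrices as a presentation layer rather than an analysis tool: both constructed scenarios land in the same "Medium" likelihood band, yet their expected annual losses differ by roughly an order of magnitude, and the P90 figure (the loss exceeded in one year out of ten) is what a budget discussion can actually use. Replacing the triangular draws with real threat and control data, as the text recommends, changes the inputs but not the structure of the calculation.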

Conclusion

Cyber risk is an evolving and critical challenge for organizations. By understanding its nature, differentiating it from other types of risk, and applying proven assessment methods, businesses can make informed decisions to manage and mitigate cyber threats effectively. Using industry standards and frameworks helps create a structured, consistent approach to cyber risk management, ensuring better resilience in an increasingly digital world.

Contact us to learn how SAFE can help you build an effective cyber risk management program