Defining Risk
We all use the term, but have we stopped for a moment to try and understand what it really means?
What is “risk”? We all use the term, but have we stopped for a moment to try and understand what it really means?
That sounds “risky”.
Too much “risk” involved with that.
What is the “risk” of doing something? Or not doing something?
Have we stopped to think about what we are asking for specifically?
For those outside the security field, these may seem like normal questions, but for those in security, we like to be more specific.
In our world, we like data, and specifics.
In today’s essay, I would like to walk you through some of the more specific terminology we use in the security field and how you can better communicate and understand “risk”.
We’re going back to the basics here, but it’s an important reminder for many.
Braking Down Risk
(typo intended!)
Let’s take driving as an example.
Driving a car over the speed limit is “risky”.
I’m going to guess here, but half of you will agree and the other half will not. If you’re in compliance, you may be in agreement.
But what does this statement actually mean? Is it true on its own? Is it vague? Is it universally understood?
It’s ambiguous, not clear, and can vary based on a LOT of variables.
For example:
Is the driver new or experienced?
How much over the speed limit?
Is the car in good shape and condition?
Is this a highway or a local road?
What are the road conditions? Wet, dry, congested?
Which state are you in? (NJ and CA drivers may have a different opinion than say Georgia lol)
As you can see, there are a lot of variables in play here, all of which completely change the degree of “risk” being introduced.
Not to mention, there are other factors that are at risk here. While we may be focused on the driver, what about bystanders, or the vehicle itself?
Cybersecurity Terms
Let’s go over some more specific terms in the industry.
Vulnerability: The state in which a system can be taken advantage of to do something unintended.
Exploit: The actual act of taking advantage of a vulnerability.
Threat or Threat Actor: The vehicle through which a vulnerability can be exploited. This can be an attacker or a misconfiguration.
Exposure / Attack Surface: The available space for a vulnerability to be exploited.
Likelihood: The probability that a vulnerability can be exploited, based on precedence, environment, and/or attack surface.
Impact or Blast Radius: The total affected area should a vulnerability be exploited.
(Guess what, I wrote all that by hand without any AI or even webster!)
As you can see, these terms are more specific. Combined together they paint a clear picture of “risk”.
Revisiting Risk
So in our above example, let’s expand the original phrase so it’s clearer and defined.
Driving a car over 30 miles over the speed limit for more than two minutes on a highway exposes the driver and those around them to the possibility of a fatal accident and a total loss of the vehicle.
As you can see, we were very specific. Let’s go over the details.
Vulnerability: Driving the vehicle 30 miles over the speed limit for an extended period of time (2 mins)
Exploit: An error or accident. Not defined here, but it can be anything from a tire blowout, to being cut off, to bad handling of the vehicle.
Attack Surface: At 90mph for 2 mins, the attack surface is 3 miles.
Likelihood: We don’t know the experience of the driver, or conditions of the vehicle/road. They could be a cop, or a teenager. They could be sober or not. There could be traffic or an empty desert road.
Impact or Blast Radius: The driver, the vehicle, surrounding drivers, vehicles, property, and passersby
As you can see, there is a lot behind calling something risky or not.
As cybersecurity leaders, we often have to back up our claims with data and numbers. We may underestimate or overestimate the risk of a given scenario, both of which are “risky” to a professional’s reputation (pun intended!).
The KEY here is having all the right information available to us. Blind spots can come from many different sources.
We may be new to the environment and not have the full picture.
Or we may have been in the environment so long that we are blind to the realities of a vulnerable situation and under- or overestimate our position, neither of which is great.
Or we may not have the technical insights into any of the five factors outlined above, also leading to an incomplete picture.
So the next time you say something is “risky”, step back for a moment and ask yourself what you are actually trying to convey.
Appendix
I would be remiss if I didn’t point out some useful resources in this space:
How to Measure Anything In Cybersecurity Risk
CVSS (Common Vulnerability Scoring System)
Note: This entire article was organically sourced and hand written end to end