How to Think About Risk

Risk is at the heart of security. All security decisions are a tradeoff between business risk and investment in making things more secure.

But what do we mean when we say “risk”? Project managers measure risk like this:


So for a given event, the risk it poses is made up of how likely it is to happen and the impact on us if it does. Likelihood is typically expressed as a percentage, and impact as an approximate cost, and the two are used to help calculate a project’s contingency budget.

How do these concepts translate to security?

Let’s break this down.

Likelihood cannot be accurately predicted. For a start, you don’t know everything about the actors involved. If your organisation consumes Cyber Threat Intelligence as part of your security operations, you may know the groups most likely to conduct attacks against you, and you may have knowledge about how they operate (known as Tactics, Techniques and Procedures, or TTPs). However, this knowledge won’t include everything, and it won’t be a 100% predictor of where the next attack will come from or how it will be conducted. And for some reading this, your organisation may not even have access to threat intelligence (or the resources to make use of it) in the first place!

Actors also change their behaviour over time, looking for new ways to make money, new ways to extort organisations, and new methods of attack. Cloud adoption is growing rapidly, and many novel attacks are directed at that environment.

So for likelihood, we can only speculate. There are threat actors and entire attacks which we don’t yet know about. Ransomware, for example, has only become a favourite for hackers in the last decade, and before that was never encountered by the average IT department.

On the other hand, the impact side of the risk equation is something we know much more about. If your core customer database is compromised, we can estimate the likely fallout and cost. If your main source of revenue is cut off (for example, an ecommerce business’s website), the costs of that are plain as well. If you don’t directly know what the impact of a particular security risk is, there likely is someone in your business who does, and possibly in some detail.

When we think about risk then, we know more about impact than likelihood. The standard risk/impact/likelihood calculation puts equal weight on both factors, so a high-impact, low-likelihood threat would appear to be of only moderate risk.

In security, it’s more sensible to add more weight to what you know, the impact, and less to the ever-changing likelihood. With this in mind, I advise my clients to ‘lean’ on impact when assessing security risks, with an 80%/20% weighting. (The specific numbers may vary depending on the client’s circumstances and any additional intelligence, but the general rule always tends to apply in my experience.)

By taking this approach you’ll be taking more account of the data which you know, and less of that which you don’t, and gaining some protection against changes in cyberspace. This provides a stronger foundation on which to make your assessment of risk.
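To make the argument concrete, here is an added example (not from the original post) that scores a small, constructed register of threats two ways: the equal-weight project-management calculation (likelihood multiplied by impact) and an impact-leaning 80%/20% blend. The blend formula is my assumed reading of the rule: impact is normalised against the worst case in the register so both factors sit on a 0 to 1 scale, then combined with 80% of the weight on impact. The threat names and figures are illustrative, not real data.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # estimated probability over the assessment period (0.0 to 1.0)
    impact: float      # estimated cost to the business if it happens (currency units)


def expected_loss(t: Threat) -> float:
    """Project-management style risk: likelihood and impact carry equal weight (their product)."""
    return t.likelihood * t.impact


def impact_leaning_score(t: Threat, max_impact: float, impact_weight: float = 0.8) -> float:
    """Assumed form of the 80/20 rule: normalise impact against the worst case in the
    register so both factors are on a 0..1 scale, then blend with 80% weight on impact."""
    if max_impact <= 0:
        raise ValueError("max_impact must be positive")
    if not 0.0 <= impact_weight <= 1.0:
        raise ValueError("impact_weight must be between 0 and 1")
    return impact_weight * (t.impact / max_impact) + (1.0 - impact_weight) * t.likelihood


def rank(threats: List[Threat], scorer: Callable[[Threat], float]) -> List[str]:
    """Threat names ordered from highest to lowest score."""
    return [t.name for t in sorted(threats, key=scorer, reverse=True)]


def compare_rankings(threats: List[Threat], impact_weight: float = 0.8) -> Tuple[List[str], List[str]]:
    """Return (equal-weight ranking, impact-leaning ranking) for the same register."""
    max_impact = max(t.impact for t in threats)
    equal = rank(threats, expected_loss)
    leaning = rank(threats, lambda t: impact_leaning_score(t, max_impact, impact_weight))
    return equal, leaning


# Constructed sample register; the figures are illustrative, not real data.
SAMPLE_THREATS = [
    Threat("Phishing mailbox compromise", likelihood=0.60, impact=50_000),
    Threat("Ransomware on customer database", likelihood=0.05, impact=2_000_000),
    Threat("Ecommerce site outage", likelihood=0.30, impact=400_000),
    Threat("Laptop theft", likelihood=0.40, impact=20_000),
]

if __name__ == "__main__":
    equal, leaning = compare_rankings(SAMPLE_THREATS)
    print("Equal weight (likelihood x impact):", equal)
    print("Impact-leaning (80/20):", leaning)
```

With these figures the low-likelihood, high-impact ransomware scenario ranks second under the equal-weight calculation but first once impact carries 80% of the weight, which is the reordering the rule is meant to produce.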
