NIST defines risk, R, as “a measure of the extent to which an entity is threatened by a potential circumstance or event, and [is] typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”11 Basically, ‘bad things can and do happen.’ However, while risk—at least from a security perspective—is often viewed negatively, one should always remember that risk may be positive as well. Investing in the stock market is a perfect example of this: no risk, no reward.

Likelihood, L, is generally expressed as a probability, and impact, I, is provided in various forms, although monetary values are preferred. Risk is often expressed as a simple multiplicative function, whether the computation is performed quantitatively or qualitatively.

R = L x I

An alternate approach foregoes the use of probability in favor of frequency or rate of occurrence, which can be estimated based on how often an event is observed in a specified time period. Called annualized loss expectancy, ALE, it is expressed as a function of the annual rate of occurrence, ARO, and the single loss expectancy, SLE, i.e., the expected loss to an asset from a single occurrence of the event.12

The model also recognizes that an adverse event may not, and probably would not, result in the total loss of an asset. For example, a brick building may suffer less damage from a fire than one made entirely of wood, and one building may suffer less damage due to having fire control and response mechanisms than another building identical to the first in every other way. Consequently, asset value, AV, is modified by an exposure factor, EF, to reflect the probable loss as opposed to the possible loss.

ALE = ARO x SLE = ARO x (AV x EF)

ALE is expressed as dollars per year, ARO is simply the number of times one might expect to see the event occur per year, AV is expressed in dollars, and EF is unitless, as it is generally provided as a percentage.

This brings us to some important but sometimes misunderstood concepts around risk appetite, tolerance, and capacity.

Although included in the following figure, risk appetite is actually a qualitative description of an organization’s willingness to accept a certain amount of risk to achieve its objectives. But, although qualitative, risk appetite is used to help an organization define risk tolerance, which is a quantitative measure of the level of risk-taking it would consider acceptable in the pursuit of a specific objective or to manage a certain category of risk.

Figure 1. Risk Concepts

As one might expect, tolerable risk exists between the lower and upper bounds of an organization’s risk tolerance around its risk target. (Recall that not all risk is negative. One may wish to control less risk if the dollars would be better spent elsewhere.)

Residual risk is risk that is not controlled. If all controls specified by an organization’s risk analysis are implemented, residual risk should only exist above the organization’s risk target. If it is also below the upper bound of risk tolerance, the residual risk would, by definition, be tolerable (i.e., acceptable) to the organization. Residual risk becomes intolerable (i.e., unacceptable) if it exceeds the upper bound. And finally, the organization’s risk appetite and tolerances should always be below its risk capacity, i.e., the maximum amount of risk it can absorb without disrupting the achievement of its business strategies and objectives.

NIST defines risk management as “the total process of identifying, controlling, and eliminating or minimizing uncertain events that may adversely affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and testing, security evaluation of safeguards, and overall security review.”13 Risk management is essentially all the things we do to manage risk to a tolerable level.

Using this definition, we can now model a generic 4-step risk management process as shown in the following figure.14

Figure 2. General 4-Step Risk Management Process

The cost benefit analysis mentioned in the NIST definition of risk management occurs in the second step when specifying an appropriate set of controls to manage risk within the tolerances set by the organization. Testing of controls also occurs upon implementation and periodically thereafter as part of a continuous cycle of management.
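The ALE computation, the placement of residual risk against the risk target, tolerance bound and capacity, and the cost-benefit comparison of a control from the second step above, worked through in code. This is an added example, not part of the article; the asset figures, the tolerance values and the control's effect and cost are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample figures (not from the article): one asset and one candidate control.
ASSET_VALUE = 400_000.0      # AV in dollars
EXPOSURE_FACTOR = 0.25       # EF, unitless fraction of AV lost per occurrence
ANNUAL_RATE = 2.0            # ARO, occurrences per year

def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: the probable (not the possible) loss from one occurrence."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef

def annualized_loss_expectancy(aro: float, av: float, ef: float) -> float:
    """ALE = ARO x SLE, in dollars per year."""
    return aro * single_loss_expectancy(av, ef)

@dataclass
class RiskTolerance:
    target: float       # risk target, dollars per year
    upper_bound: float  # upper bound of risk tolerance, dollars per year
    capacity: float     # maximum risk the organization can absorb, dollars per year

def classify_residual(ale: float, tol: RiskTolerance) -> str:
    """Place residual risk relative to the target, the tolerance bound and capacity."""
    if tol.upper_bound > tol.capacity:
        raise ValueError("risk tolerance must lie below risk capacity")
    if ale <= tol.target:
        return "below target"
    if ale <= tol.upper_bound:
        return "tolerable"
    if ale <= tol.capacity:
        return "intolerable"
    return "exceeds capacity"

def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost-benefit of a control: reduction in ALE minus the control's annual cost."""
    return (ale_before - ale_after) - annual_cost

if __name__ == "__main__":
    before = annualized_loss_expectancy(ANNUAL_RATE, ASSET_VALUE, EXPOSURE_FACTOR)
    # Hypothetical control halves ARO and lowers EF (e.g. fire suppression), costing $40k/yr.
    after = annualized_loss_expectancy(ANNUAL_RATE / 2, ASSET_VALUE, 0.10)
    tol = RiskTolerance(target=25_000, upper_bound=60_000, capacity=500_000)
    print(f"ALE before: ${before:,.0f}/yr -> {classify_residual(before, tol)}")
    print(f"ALE after:  ${after:,.0f}/yr -> {classify_residual(after, tol)}")
    print(f"Net benefit of control: ${control_net_benefit(before, after, 40_000):,.0f}/yr")
```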

11 NIST (2022b). Information Technology Laboratory: Computer Security Resource Center: Glossary.

12 Hansche, S., Berti, J., and Hare, C. (2004). Official (ISC)2 Guide to the CISSP Exam. Boca Raton, FL: Auerbach.

13 NIST (2022b).

14 Cline, B. (2017, Sep). Leveraging a Control-Based Framework to Simplify the Risk Analysis Process, ISSA Journal, 15(9), pp. 39-42.