Risk management

PPGR - Unit 2 - Risk management


Risk is:

  • The likelihood of the occurrence of a vulnerability
  × Multiplied by
  • The impact of the resulting event (or, the value of the loss)

Likelihood

  • Expressed as a fraction of 1.0 or a percentage (%)
  • May be known (e.g. from actuarial tables)
  • May need judgement (document the process)
  • Often reduced to High, Medium or Low

Impact

  • Normally focuses on potential loss
    • It's the most straightforward figure to gather
  • Can be combined up the hierarchy
    • e.g. losing HR for a week may be a high-value loss to HR itself, but the organisation as a whole will be able to carry on for a while… (so long as payroll is OK)

Components of Risk


Risk Management

Choose a Risk Posture

Analyse Business Impact

Risk Rating

Controlling Risk

Avoidance

Aim: Prevent exploitation of vulnerability

Through:
  • Application of policy
  • Training and education
  • Countering threats
  • Technical security controls
    • In combination

Transference

Aim: Shift the risk to other organisations

Through:

  • Insurance
  • Outsourcing
  • Sharing (part transference)
    • Can create new (hopefully lesser) risks

Mitigation

Aim: Reduce the damage caused by exploitation of vulnerability

Through:

  • Incident response process
  • Disaster recovery
  • Business continuity

Acceptance

Aim: Bear the cost

Through:

  • Doing nothing
  • Can make sense if controlling the risk is more expensive
  • Related to risk appetite…

Risk Controls


More accurately, risk is:

  • The likelihood of the occurrence of a vulnerability
  × Multiplied by the impact of the information asset
  − Minus the percentage of the risk mitigated by current controls
  + Plus the uncertainty of current knowledge of the vulnerability
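The two definitions of risk on these slides (the simple likelihood × impact product, and the refined version that subtracts the share already mitigated and adds an uncertainty allowance), together with the High/Medium/Low reduction, the roll-up of impact "up the hierarchy", and the Acceptance rule that doing nothing can make sense when controlling the risk costs more, can be carried through on a small risk register. The following Python is an added illustration, not part of the unit's material. It assumes (as stated in the comments) that the "percentage mitigated" and the "uncertainty" are both applied as percentages of the base likelihood × impact figure, that the High/Medium/Low thresholds are the example's own, and that the register entries are constructed sample values.

```python
"""Worked risk-rating example for the two definitions of risk on the slides.

  simple:   risk = likelihood x impact
  refined:  risk = (likelihood x impact)
                   - mitigated%   x (likelihood x impact)
                   + uncertainty% x (likelihood x impact)

Added illustration with constructed data; not the unit's own material.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str          # business unit that owns the asset (used for the roll-up)
    likelihood: float   # probability the vulnerability is exploited, 0.0..1.0
    impact: float       # value of the loss if it is exploited, in currency units
    mitigated: float    # share of the risk current controls already remove, 0.0..1.0
    uncertainty: float  # allowance for gaps in our knowledge of the vulnerability, 0.0..1.0


def simple_risk(asset: Asset) -> float:
    """First definition: likelihood multiplied by impact."""
    return asset.likelihood * asset.impact


def refined_risk(asset: Asset) -> float:
    """Second definition: likelihood x impact, minus the share mitigated by
    current controls, plus an uncertainty allowance.

    Assumption: both percentages apply to the base likelihood x impact figure,
    so a risk with base 50 that is 50% controlled and 10% uncertain comes out
    as 50 - 25 + 5 = 30.
    """
    base = simple_risk(asset)
    return base - asset.mitigated * base + asset.uncertainty * base


def rate(likelihood: float, high: float = 0.5, medium: float = 0.1) -> str:
    """Reduce a likelihood fraction to High / Medium / Low.  The thresholds are
    assumed for this example; a real register documents its own."""
    if likelihood >= high:
        return "High"
    if likelihood >= medium:
        return "Medium"
    return "Low"


def roll_up(assets):
    """Combine refined risk up the hierarchy: per owner, then whole organisation."""
    per_owner = {}
    for a in assets:
        per_owner[a.owner] = per_owner.get(a.owner, 0.0) + refined_risk(a)
    return per_owner, sum(per_owner.values())


def treatment(asset: Asset, control_cost: float, fraction_removed: float) -> str:
    """Acceptance versus a new control: accepting (doing nothing) makes sense
    when the control would cost more than the risk it removes."""
    reduction = refined_risk(asset) * fraction_removed
    return "accept" if control_cost > reduction else "control"


# Constructed sample register; the figures are illustrative, not real data.
REGISTER = [
    Asset("Payroll server", "HR", 0.20, 200_000, 0.50, 0.10),
    Asset("HR file share", "HR", 0.60, 5_000, 0.25, 0.20),
    Asset("Public web site", "Marketing", 0.80, 20_000, 0.70, 0.05),
]

if __name__ == "__main__":
    for a in REGISTER:
        print(f"{a.name:16} likelihood={rate(a.likelihood):6} "
              f"simple={simple_risk(a):>9,.0f} refined={refined_risk(a):>9,.0f}")
    per_owner, total = roll_up(REGISTER)
    for owner, value in per_owner.items():
        print(f"{owner:10} {value:>9,.0f}")
    print(f"{'Total':10} {total:>9,.0f}")
    # A hypothetical control for the payroll server costing 8,000 a year that
    # would remove 40% of the remaining risk.
    print("Payroll server:", treatment(REGISTER[0], 8_000, 0.40))
```

Running it shows the refined figure for the payroll server dropping from 40,000 to 24,000 once current controls and uncertainty are taken into account, HR carrying far more of the organisation's total than Marketing once the two units are rolled up, and the 8,000 control being worth buying because it removes 9,600 of risk; raise its cost above that and the same function returns "accept".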