Risk

18th December 2019 | Cybrary Risk

Intersection of Threats, Assets, and Vulnerabilities is your Risk


Risk is the potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, as determined by the likelihood that a particular threat will exploit a particular vulnerability, with the associated consequences.

Risk is the combination of threats and vulnerabilities to an asset. In business, risk is calculated using three quantities:

  • ARO – Annual Rate of Occurrence (chance that the incident will happen)
  • SLE – Single Loss Expectancy (dollar amount expected to be lost if the incident occurs)
  • ALE – Annual Loss Expectancy (how much should be budgeted for the incident)

The Annual Loss Expectancy is calculated by using this formula: ARO x SLE = ALE

  • Example: there is a 50% chance that a ransomware attack occurs, and the attack would cost the company $1,000,000 if it did.
  • ARO x SLE = ALE -> (0.5) x ($1,000,000) = $500,000 -> $500,000 is the Annual Loss Expectancy

Source: DHS Risk Lexicon, NIPP and adapted from: CNSSI 4009, FIPS 200, NIST SP 800-53 Rev 4, SAFE-BioPharma Certificate Policy 2.5

Related Terms: Threat, Vulnerability
