IT risk


Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
Assessing the probability or likelihood of various types of event/incident with their predicted impacts or consequences, should they occur, is a common way to assess and measure IT risks. Alternative methods of measuring IT risk typically involve assessing other contributory factors such as the threats, vulnerabilities, exposures, and asset values.

Definitions

ISO

IT risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.

Committee on National Security Systems

The Committee on National Security Systems of United States of America defined risk in different documents:
National Information Assurance Training and Education Center defines risk in the IT field as:
  1. The loss potential that exists as the result of threat-vulnerability pairs. Reducing either the threat or the vulnerability reduces the risk.
  2. The uncertainty of loss expressed in terms of probability of such loss.
  3. The probability that a hostile entity will successfully exploit a particular telecommunications or COMSEC system for intelligence purposes; its factors are threat and vulnerability.
  4. A combination of the likelihood that a threat shall occur, the likelihood that a threat occurrence shall result in an adverse impact, and the severity of the resulting adverse impact.
  5. the probability that a particular threat will exploit a particular vulnerability of the system.

    NIST

Many NIST publications define risk in IT context in different publications: FISMApedia term provide a list. Between them:
NIST SP 800-30 defines:
;IT-related risk:

Risk management insight

IT risk is the probable frequency and probable magnitude of future loss.

ISACA

published the Risk IT Framework in order to provide an end-to-end, comprehensive view of all risks related to the use of IT. There, IT risk is defined as:
According to Risk IT, IT risk has a broader meaning: it encompasses not just only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit\value enabling risk associated to missing opportunities to use technology to enable or enhance business or the IT project management for aspects like overspending or late delivery with adverse business impact

Measuring IT risk

Measuring IT risk can occur at many levels. At a business level, the risks are managed categorically. Front line IT departments and NOC's tend to measure more discreet, individual risks. Managing the nexus between them is a key role for modern CISO's.
When measuring risk of any kind, selecting the correct equation for a given threat, asset, and available data is an important step. Doing so is subject unto itself, but there are common components of risk equations that are helpful to understand.
There are four fundamental forces involved in risk management, which also apply to cybersecurity. They are assets, impact, threats, and likelihood. You have internal knowledge of and a fair amount of control over assets, which are tangible and intangible things that have value. You also have some control over impact, which refers to loss of, or damage to, an asset. However, threats that represent adversaries and their methods of attack are external to your control. Likelihood is the wild card in the bunch. Likelihoods determine if and when a threat will materialize, succeed, and do damage. While never fully under your control, likelihoods can be shaped and influenced to manage the risk.
Mathematically, the forces can be represented in a formula such as: where p is the likelihood that a Threat will materialize/succeed against an Asset, and d is the likelihood of various levels of damage that may occur.
The field of IT risk management has spawned a number of terms and techniques which are unique to the industry. Some industry terms have yet to be reconciled. For example, the term vulnerability is often used interchangeably with likelihood of occurrence, which can be problematic. Often encountered IT risk management terms and techniques include:
;Information security event
;Information security incident:
;Impact
;Consequence
The risk R is the product of the likelihood L of a security incident occurring times the impact I that will be incurred to the organization due to the incident, that is:
The likelihood of a security incident occurrence is a function of the likelihood that a threat appears and the likelihood that the threat can successfully exploit the relevant system vulnerabilities.
The consequence of the occurrence of a security incident are a function of likely impact that the incident will have on the organization as a result of the harm the organization assets will sustain. Harm is related to the value of the assets to the organization; the same asset can have different values to different organizations.
So R can be function of four factors:
If numerical values, the risk can be expressed in monetary terms and compared to the cost of countermeasures and the residual risk after applying the security control. It is not always practical to express this values, so in the first step of risk evaluation, risk are graded dimensionless in three or five steps scales.
OWASP proposes a practical risk measurement guideline based on:
The NIST Cybersecurity Framework encourages organizations to manage IT risk as part the Identify function:
Risk Assessment : The organization understands the cybersecurity risk to organizational operations, organizational assets, and individuals.
Risk Management Strategy : The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
In the following a brief description of applicable rules organized by source.

OECD

issued the following:
The European Union issued the following, divided by topic:
United States issued the following, divided by topic:
The list is chiefly based on:

ISO