Vocabulary – Risk

Introduction

Dictionary defines: risk – possibility of loss

FAIR defines: risk – the probable frequency and probable magnitude of future loss.

More complete than the dictionary.

COBIT and ISACA define: risk – the combination of the probability of an event and its consequence

The term “event” is ambiguous, introducing complexity.

O-TTPS defines: Risk – An event or condition that has a potentially negative impact and the possibility that such an event will occur and adversely affect an entity’s assets and artifacts, activities, and operations.

Complete but verbose.

OWASP defines: risk – Risk is the possibility of a negative or undesirable occurrence. There are two independent parts of risk: Impact and Likelihood.

Relies on context for specialized terms.

CIS defines: risk – an estimation of the likelihood that a threat will create an undesirable impact.

Relies on context for specialized terms.

CNSS defines: risk – possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability

Relies on context for specialized terms.

NIST CSF and 800-53 define: risk – a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Not simple. Relies on context for specialized terms.

PCI DSS defines: risk assessment – Process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

Not simple. Provides a description rather than a definition.

ESA defines: IT-related risk – the net mission/business impact (probability of occurrence combined with impact) from a particular threat source exploiting, or triggering, a particular information technology vulnerability.

Not simple. Relies on context for specialized terms.

ISO 27000 defines: risk – effect of uncertainty on objectives

Unclear by choice of defining terms.
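To make the difference between the FAIR wording (probable frequency and probable magnitude of future loss) and the simpler "likelihood × impact" wording concrete, here is an added example, not part of the original post: a small simulation with constructed parameters (2 loss events per year on average, each costing 10,000 to 50,000) that treats frequency and magnitude as distributions and reports both the single expected-loss figure and the probability of exceeding a given annual loss.

```python
import math
import random

# Constructed scenario parameters (not from the page): on average two loss
# events per year, each costing between 10,000 and 50,000 currency units.
# Frequency and magnitude are both uncertain, so each is a distribution.
EVENTS_PER_YEAR = 2.0                  # mean of a Poisson frequency distribution
LOSS_LOW, LOSS_HIGH = 10_000, 50_000   # uniform magnitude range per event


def sample_poisson(lam: float, rng: random.Random) -> int:
    """Draw one Poisson(lam) sample (Knuth's method; adequate for small lam)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(years: int, seed: int = 7) -> list:
    """Total loss per simulated year: sample how many events, then each event's cost."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n_events = sample_poisson(EVENTS_PER_YEAR, rng)
        totals.append(sum(rng.uniform(LOSS_LOW, LOSS_HIGH) for _ in range(n_events)))
    return totals


def expected_annual_loss(losses: list) -> float:
    """Mean of the simulated years: the one number 'likelihood x impact' gives."""
    return sum(losses) / len(losses)


def exceedance_probability(losses: list, threshold: float) -> float:
    """Share of simulated years whose loss exceeds `threshold` (loss exceedance)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def point_estimate() -> float:
    """The shortcut: mean frequency times mean magnitude, with no spread information."""
    return EVENTS_PER_YEAR * (LOSS_LOW + LOSS_HIGH) / 2


if __name__ == "__main__":
    losses = simulate_annual_losses(20_000)
    print(f"point estimate (likelihood x impact): {point_estimate():,.0f}")
    print(f"simulated expected annual loss:       {expected_annual_loss(losses):,.0f}")
    for t in (0, 60_000, 120_000):
        print(f"P(annual loss > {t:>7,}) = {exceedance_probability(losses, t):.2f}")
```

The mean of the simulation matches the point estimate, but only the frequency-and-magnitude view tells you how often a year will be far worse than that mean, which is what the FAIR definition is getting at.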
