CyberSecurityTips #10: What is the difference between threats and risks?


A risk assessment looks at your current systems, information and processes to identify the areas where a failure or a breach of one of them can cause some kind of damage or impact to your confidentiality, integrity and availability. An impact to any of these can escalate further into monetary loss, regulatory fines and/or reputational damage.

One important note is the need to differentiate between levels of risk. Many people mix various hierarchical levels of risk (not severity) together and end up with an inconsistent list of risks for the organisation. It is quite common to see industry peers comparing risk lists and finding that one organisation has 12 risks while another has hundreds, simply because one lists the root scenario and the other lists every consequence that follows from it.

There can be as many levels of risk as you care to define; below is a simple example from everyday life, where each level is a consequence of the one before it:

– L1: Window gets broken at the house and theft of money and documents occurs

– L2: Thief sells the documents on the black market and our identity is stolen, including financial information

– L3: Financial information is used to take loans in our name

Each of these levels calls for different protections, and it is often easier to break down the required security controls step by step: shatter-proof windows for L1, a safe and a shredder for L2, financial and identity monitoring for L3. A control at an earlier level reduces the likelihood of everything downstream, while a control at a later level limits the impact if the earlier ones fail.

Threats are the attacks, actors or events, whether targeted at you or not, which, if successful, bring about one of the risk scenarios devised in the risk assessment and impact analysis that organisations carry out. In other words, a risk is the scenario and its impact; a threat is what can make that scenario happen.

Continuing the example above, the threats we would have identified for our house can include:

– Thieves, arsonists

– Nosey neighbours

– Peeping toms

– Acts of god (natural disasters)

– Children (malicious insiders)