Understanding Risk: Threats, Vulnerabilities, Impact & Likelihood
Do you really understand risk? When assessors evaluate your risk management program, they are looking for one thing above all: do you understand how threats and vulnerabilities come together to cause damage to your organization?
Let's talk about the four building blocks of risk:
- Threats
- Vulnerabilities
- Likelihood
- Impact
and how they work together to determine your overall risk level. We'll use hurricane flooding as the running example.
Threat
A threat is something bad that could happen. During CMMC assessments, I have noticed that organizations concentrate on cyber threats. But a threat is anything that could cause harm to your organization or its data. Besides attackers, that includes insiders, natural disasters, equipment failure, and human error.
Vulnerability
A vulnerability is a weakness that a threat can exploit. It could be a missing patch, an employee who has not been trained, an open port, or an outdated policy. In the case of natural disasters, it might be a building sited in a flood zone. A vulnerability only matters when there is a threat that can reach it: a flood zone is irrelevant to a ransomware crew, and an unpatched server is irrelevant to a hurricane.
Likelihood
Likelihood is the probability that a threat will exploit a vulnerability. We don't guess; it is assessed from reasonable evidence. For example, flood records may show that a location floods every 5 years on average. That is roughly a 20% chance in any given year, and about a 67% chance of at least one flood over a five-year period (1 - 0.8^5), so the likelihood that the surrounding area floods is high. By contrast, the likelihood that an intruder walks into a Big Tech data center and compromises equipment is extremely low.
Impact
The last component of risk is impact: the harm that would occur if the event actually happened. In CMMC, we measure impact in terms of the confidentiality and integrity of data; other cybersecurity standards measure availability as well. Impact covers the consequences to the organization's mission and functions, and to its image and reputation.
Risk
Let's put these terms together. Risk is the combination of likelihood and impact for a given threat and vulnerability pair. A vulnerability that is likely to be exploited and would cause severe harm is a high risk. One that could cause severe harm but is highly unlikely to be exploited might be a medium risk. And, of course, one that is unlikely and would have minimal impact is a low risk.
So we have seen that these four components (threat, vulnerability, likelihood, and impact) form the foundation of every risk decision your organization will make.
Next, we’ll see how these pieces fit into the larger NIST risk management lifecycle, and how CMMC expects organizations to use them over time.