Risk (and risk management)
by John Bandler
Here is a quick definition of the term and explanation of cybersecurity best practices.
Risk definition in sum
Risk is the chance of something bad happening. Risk management is about evaluating risks, and deciding what (if anything) to do about them.
Good risk management means taking reasonable and diligent actions, after reasonable consideration.
Now let's get a little more technical. Risk is about threats, probabilities, and potential harms.
Threats are things that could cause something bad to happen. Cybercrime is a threat. Mother nature is a threat. In a way, a government or individual who wants to sue also presents a threat.
Probabilities are the chance that something might happen, or the frequency with which it might happen.
Harms are the bad results if the event occurs, including their magnitude, duration, and of course their costs.
Of course, risk looks to the future, and the future is always uncertain. But we can use some logic and common sense to generally assess the risks, and decide if we need to take action to reduce those risks.
Risk management is the process of assessing risks and deciding what -- if anything -- to do about them. A person or organization might decide to do nothing, try to mitigate (reduce) risks, or transfer risks or some of the costs of risks (with insurance or contract terms).
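As an added example (not from the article), the threats, probabilities and harms framing above, with the three responses (do nothing, mitigate, transfer) compared by annual cost; all figures are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk as framed above: a threat, a probability, and a harm."""
    threat: str
    annual_probability: float  # chance the event happens in a given year, 0.0 to 1.0
    harm_cost: float           # estimated cost (magnitude, duration, recovery) if it happens

    def expected_loss(self) -> float:
        """Annual expected loss: probability times harm."""
        return self.annual_probability * self.harm_cost


@dataclass(frozen=True)
class Treatment:
    """One response to a risk: accept (do nothing), mitigate, or transfer."""
    name: str
    annual_cost: float           # what the treatment itself costs each year
    residual_probability: float  # probability that remains after the treatment
    residual_harm: float         # harm that remains (e.g. deductible, uninsured portion)

    def total_cost(self) -> float:
        """Treatment cost plus the expected loss that is still left over."""
        return self.annual_cost + self.residual_probability * self.residual_harm


ACCEPT = "accept"


def choose_treatment(risk: Risk, options: list[Treatment]) -> Treatment:
    """Compare doing nothing against each option and return the cheapest overall."""
    accept = Treatment(ACCEPT, 0.0, risk.annual_probability, risk.harm_cost)
    return min([accept, *options], key=Treatment.total_cost)


# Constructed illustrative figures; real numbers come from an organization's own assessment.
RANSOMWARE = Risk("ransomware", annual_probability=0.10, harm_cost=500_000)
RANSOMWARE_OPTIONS = [
    Treatment("mitigate: offline backups + MFA", 20_000, 0.02, 150_000),
    Treatment("transfer: cyber insurance", 15_000, 0.10, 100_000),
]
OFFICE_FLOOD = Risk("office flood", annual_probability=0.01, harm_cost=20_000)
FLOOD_OPTIONS = [Treatment("mitigate: relocate server room", 5_000, 0.001, 20_000)]

if __name__ == "__main__":
    for risk, options in ((RANSOMWARE, RANSOMWARE_OPTIONS), (OFFICE_FLOOD, FLOOD_OPTIONS)):
        best = choose_treatment(risk, options)
        print(f"{risk.threat}: expected loss {risk.expected_loss():,.0f}/yr, "
              f"best response '{best.name}' at {best.total_cost():,.0f}/yr")
```

For the low-probability flood, accepting the risk is cheaper than the mitigation, which is the "do nothing" outcome the text describes as a legitimate choice.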
Risk in practical terms
Risk and risk management are areas that some organizations spend millions of dollars on, and much has been written about them, including entire frameworks.
But we can put it into practical terms we are all familiar with.
Every decision (in life, business, cybersecurity, etc.) involves identifying a number of options, weighing pros and cons, making judgments about the future, and then picking one of those options. We do it all the time.
Risk best practices in sum
Every individual and organization makes choices about risk daily, often unconsciously. Large organizations may have an entire department devoted to risk management, and a risk management program might even be required by law or regulation.
I think of risk best practices in terms of law and cybersecurity best practices. Be reasonable and diligent. Don't be negligent or sloppy.
We can never eliminate all risk in life or for organizations, and we should never try. But we need to make thoughtful assessments.
Risk worst practices
There are definitely some "wrong" ways to manage risk. These would be signs that an organization has not properly assessed and managed risks.
- Organization's cybersecurity dial is at zero
- Organization does not know what two factor authentication is, and has not considered implementing it
- Organization does not know what a data breach is
- Organization does not know what ransomware is
- Organization does not know what business email compromise is (email-based funds transfer fraud)
- Organization does not know what their legal duties are regarding cybersecurity and data breach notification
- Organization has not thought about cybercrime threats or thinks it won't happen to them
- Organization has good policies on paper but doesn't practice them
Related terms
- Cybersecurity dial
- Bandler's Four Pillars of Cybersecurity
- Two factor authentication
- Passwords
- Email security
- Authentication (factors of authentication)
- Risk (this article)
This is a key term definition article
I have decided to experiment by creating short webpages to provide definitions and best practices for certain key terms. This is one of those webpages.
These are terms that I have explained or defined dozens or even hundreds of times in my life, either through conversation or in writing. After explaining the term I try to explain best practices relating to those terms. These are terms or guidance that may appear in my cybersecurity policies.
Disclaimer
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
This is to inform; you assume all risk for cybersecurity decisions you make. This is a work in progress, and it is deliberately short.
I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.
Ask ten different IT or IS experts and you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.
Conclusion
If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.
If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.
Additional reading
- Related key terms (see the Related terms list above)
- Fuller articles
  - Cybersecurity Tips from John Bandler
  - Bandler's Four Pillars of Security
  - Cybersecurity Policy (Free Version)
  - The Three Priority Cybercrime Threats
  - Identity theft
  - Cybercrime
  - Policies and Procedures Book
  - Five Components for Policy Work
  - Policies, Procedures, and Governance of an Organization
  - Cybersecurity and Privacy for You and Your Organization
  - Cybersecurity for the Home and Office (book)
  - Cybercrime Investigations (book)
  - The Western Express Case
  - Cybersecurity Laws and Regulations Part 1
- NIST resources on risk
  - NIST risk management main landing page, https://csrc.nist.gov/projects/risk-management
  - NIST small enterprise risk management quick start guide, NIST SP 1314 (July 2024), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1314.pdf
  - NIST Special Publication 800-37, Revision 2 (Dec 2018), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
This article is hosted at https://johnbandler.com/risk, copyright John Bandler, all rights reserved.
Originally posted 3/30/2023, updated 10/21/2024.