Risk (and risk management)

by John Bandler

Here is a quick definition of the term and explanation of cybersecurity best practices.

Risk definition in sum

Risk is the chance of something bad happening. Risk management is about evaluating risks, and deciding what (if anything) to do about them.

Good risk management means taking reasonable and diligent actions, after reasonable consideration.

Now let's get a little more technical. Risk is about threats, probabilities, and potential harms.

Threats are things that could do something to cause something bad to happen. Cybercrime is a threat. Mother nature is a threat. In a way, a government or individual who wants to sue also presents a threat.

Probabilities are the chance that something might happen. Or the frequency with which something might happen.

Harms are the bad results that could happen, if the event occurs, including their magnitude, duration, and of course costs.

Of course, risk looks to the future, and the future is always uncertain. But we can use some logic and common sense to generally assess the risks, and decide if we need to take action to reduce those risks.

Risk management is the process of assessing risks and deciding what -- if anything -- to do about them. A person or organization might decide to do nothing, try to mitigate (reduce) risks, or transfer risks or some of the costs of risks (with insurance or contract terms).

Risk in practical terms

Risk and risk management are areas that some organizations spend millions of dollars on, and much has been written about it, including entire frameworks.

But we can put it into practical terms we are all familiar with.

Every decision (in life, business, cybersecurity, and etc.) involves identifying a number of options, weighing pros and cons, making judgments about the future, and then picking one of those options. We do it all the time.

Risk best practices in sum

Every individual and organization makes choices about risk daily, often unconsciously. Large organizations may have an entire department devoted to risk management, and a risk management program might even be required by law or regulation.

I think of risk best practices in terms of law and cybersecurity best practices. Be reasonable and diligent. Don't be negligent or sloppy.

We can never eliminate all risk in life or for organizations, and we should never try. But we need to make thoughtful assessments.

Risk worst practices

There are definitely some "wrong" ways to manage risk. These would be signs that an organization has not properly assessed and managed risks.

  • Organization cybersecurity dial is at zero
  • Organization does not know what two factor authentication is, and has not considered implementing it
  • Organization does not know what a data breach is
  • Organization does not know what ransomware is
  • Organization does not know what business email compromise is (email based funds transfer frauds)
  • Organization does not know what their legal duties are regarding cybersecurity and data breach notification
  • Organization has not thought about cybercrime threats or thinks it won't happen to them
  • Organization has good policies on paper but doesn't practice them

Related terms

This is a key term definition article

I have decided to experiment by creating short webpages to provide definitions and best practices for certain key terms. This is one of those webpages.

These are terms that I have explained or defined dozens or even hundreds of times in my life, either through conversation or in writing. After explaining the term I try to explain best practices relating to those terms. These are terms or guidance that may appear in my cybersecurity policies.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform, you assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited amount of words.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

Additional reading

This article is hosted at https://johnbandler.com/passwords, copyright John Bandler, all rights reserved.

This article is also available on Medium.com at NOT YET (though not kept as up to date).

Originally posted 3/30/2023, updated 1/8/2024.