This is a contributed article by Stephen Roostan, VP EMEA at Kenna Security.
The day-to-day vulnerabilities and security weaknesses found in IT infrastructure and software are often evaluated in terms of risk. One of the immediate issues organisations face, however, is working out what constitutes risk, and how we judge whether it is serious enough to require investment in prevention or remediation.
Indeed, the cybersecurity industry has debated the meaning of risk for many years and has yet to settle on a definition that everyone involved can unite behind. Dictionary definitions describe risk as the possibility of something bad happening, or the chance of loss, injury or danger, whereas others, such as the economist Professor Elroy Dimson, define it simply but effectively as ‘more things can happen than will happen’.
Useful as those definitions are in everyday situations, they don’t go far enough to capture cyber risk. When assessing cyber risk we must also measure consequences: the likelihood that a weakness is exploited matters only in combination with the impact on the organisation if it is. Factoring in consequences brings us much closer to a useful definition. For cybersecurity professionals, risk is not just the chance of something happening,…