Understanding Cybersecurity Risk

Risk management is not about achieving zero risk: it is about aligning security controls with organisational appetite and opportunity.

Threat x Vulnerability x Consequence = RISK

The Threat

Threats represent the “who” and “how” of potential harm. While accidents happen, we focus on malicious entities with three defining attributes:

Capability

The specific technical skills and resources the entity possesses.

Opportunity

The potential pathways to reach target systems via vulnerabilities.

Intent

The motivation: why do they want to harm us, and how much harm, of what type, do they intend?

Mitigation Strategies

  • Zero Trust Segmentation: Isolate network segments to prevent lateral movement.
  • Limited Routing: Reduce the attack surface by limiting externally routable paths.
  • Monitoring & Logging: Full visibility through logging and real-time threat detection.
  • Secure Identity: Strong credentials and multiple layers of identity verification.
  • Incident Response: A clear, actionable plan to handle active threats.

Consequences

The measurable downside of a realised threat exploiting a vulnerability.

Economic

Reputational

Human Life & Health

The Risk Matrix

By rating Probability and Impact on a three-by-three scale, organisations can visualise their risk landscape. Reading the intersection of the two helps to assess risk appetite and to focus resources where controls are needed most.

The left edge is probability and the bottom edge is impact, both rated from 1 to 3; each cell holds the product of the two ratings and is coloured according to that value.

Probability 3 |  3  6  9
Probability 2 |  2  4  6
Probability 1 |  1  2  3
              +---------
       Impact    1  2  3
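The matrix above as working code, added here as an example rather than taken from the original page: it scores a constructed risk register (entries drawn from the Technical, Cultural and Supply Chain categories) on the 1-to-3 probability and impact scales, builds the three-by-three grid, and ranks the register so that controls go where the product is highest. The colour thresholds are an assumption, since the page colours the cells but does not state the cut-offs.

```python
from dataclasses import dataclass

# Assumed colour bands; the page colours the cells but gives no thresholds.
BANDS = ((1, 2, "green"), (3, 4, "amber"), (6, 9, "red"))


@dataclass
class Risk:
    name: str
    category: str      # Technical, Cultural or Supply Chain, as on the page
    probability: int   # rated 1..3
    impact: int        # rated 1..3


def score(probability: int, impact: int) -> int:
    """Cell value of the 3x3 matrix: probability multiplied by impact."""
    for v in (probability, impact):
        if v not in (1, 2, 3):
            raise ValueError(f"ratings must be 1..3, got {v}")
    return probability * impact


def band(value: int) -> str:
    """Map a cell value onto the assumed colour bands."""
    for lo, hi, colour in BANDS:
        if lo <= value <= hi:
            return colour
    raise ValueError(value)  # 5, 7 and 8 never arise as products of 1..3


def matrix() -> list[list[int]]:
    """Rows from probability 3 down to 1, columns impact 1..3, as laid out on the page."""
    return [[score(p, i) for i in (1, 2, 3)] for p in (3, 2, 1)]


def rank(register: list[Risk]) -> list[Risk]:
    """Highest-scoring risks first; ties broken by name for a stable report."""
    return sorted(register, key=lambda r: (-score(r.probability, r.impact), r.name))


# Constructed sample register; these entries are illustrative, not from the page.
REGISTER = [
    Risk("Unpatched CVE on internet-facing server", "Technical", 3, 3),
    Risk("Phishing of finance staff", "Cultural", 3, 2),
    Risk("Legacy system with no vendor support", "Technical", 2, 3),
    Risk("Compromised third-party library", "Supply Chain", 1, 3),
    Risk("Stale internal password policy", "Cultural", 2, 1),
]

if __name__ == "__main__":
    for p, row in zip((3, 2, 1), matrix()):
        print(f"P{p} | " + "  ".join(f"{v}({band(v)[0]})" for v in row))
    print("     I1    I2    I3")
    for r in rank(REGISTER):
        s = score(r.probability, r.impact)
        print(f"{s:>2} {band(s):5} {r.category:12} {r.name}")
```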

Risk Categorisation

Technical Factors

  • Software Common Vulnerabilities and Exposures
  • Misconfigurations
  • Legacy Systems

Cultural

  • Security Awareness
  • Internal Policy
  • Social Engineering

Supply Chain

  • Common Third-party Code
  • Vendor Vulnerabilities
  • External Dependencies