# Understanding Cyber Security Risk

Risk management is not about achieving zero risk: it is about aligning security controls with organisational appetite and opportunity.

## The Fundamental Risk Equation

**Threat** × **Vulnerability** × **Consequence** = **Risk**

### The Threat

Threats represent the "who" and "how" of potential harm. While accidents happen, we focus on **malicious entities** with three defining attributes:

#### Capability

The specific technical skills and resources the entity possesses.

#### Opportunity

The potential pathways to reach target systems via vulnerabilities.

#### Intent

The motivation: why does the entity want to harm us, how much harm is it willing to cause, and of what kind?

### Mitigation Strategies

- Zero Trust Segmentation: Isolate network segments to prevent lateral movement.
- Limited Routing: Reduce the attack surface by limiting externally routable paths.
- Monitoring & Logging: Full visibility through logging and real-time threat detection.
- Secure Identity: Strong credentials and multiple layers of identity verification.
- Incident Response: A clear, actionable plan to handle active threats.

### Vulnerabilities

"The weaknesses an adversary exploits."

#### Intrinsic Weaknesses

Known weaknesses in the software itself, catalogued as Common Vulnerabilities and Exposures (CVE) entries and, for those confirmed to be exploited in the wild, in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.

#### Configuration Errors

Human error in deployment, operational mismanagement, or insecure defaults.

#### Supply Chain

Vulnerabilities inherited from third-party code, components, or service providers.

### Consequences

The measurable downside of a realised threat exploiting a vulnerability.

#### Economic

#### Reputational

#### Human Life & Health

### The Risk Matrix

By rating **Probability** and **Impact** on a three-by-three scale, organisations can visualise their risk landscape. Comparing each cell against the organisation's **risk appetite** shows which risks fall outside it, so resources go where controls are needed most.

Probability runs up the left edge and impact along the bottom edge, each rated from 1 to 3. Each cell is the product of the two ratings and is coloured by severity.

| Probability \ Impact | 1 | 2 | 3 |
|---|---|---|---|
| 3 | 3 | 6 | 9 |
| 2 | 2 | 4 | 6 |
| 1 | 1 | 2 | 3 |
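A worked version of that scoring, added here as an example rather than code from the original page: it validates the 1 to 3 ratings, multiplies them as the matrix does, and ranks a small constructed risk register. The colour bands and their thresholds (Low up to 2, Medium up to 4, High above) are an assumption for illustration; the page colours the cells but does not state thresholds. The register entries are constructed, not real findings.

```python
"""3x3 risk matrix scoring: probability times impact, each rated 1..3.

Example code, not from the original page. The Low/Medium/High bands and
their thresholds are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed bands (upper bound inclusive): the page colours cells but gives no thresholds.
BANDS = ((2, "Low"), (4, "Medium"), (9, "High"))


def score(probability: int, impact: int) -> int:
    """Cell value on the 3x3 matrix: probability * impact, both integers in 1..3."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 3:
            raise ValueError(f"{name} must be an integer 1..3, got {value!r}")
    return probability * impact


def band(risk_score: int) -> str:
    """Map a score to its assumed colour band."""
    for upper, name in BANDS:
        if risk_score <= upper:
            return name
    raise ValueError(f"score out of range: {risk_score}")


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int
    impact: int

    @property
    def score(self) -> int:
        return score(self.probability, self.impact)


def rank(risks) -> list:
    """Order a register highest score first; ties broken by impact, then name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def matrix() -> list:
    """The grid as laid out on the page: probability 3 on top, impact 1..3 left to right."""
    return [[score(p, i) for i in (1, 2, 3)] for p in (3, 2, 1)]


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Risk("Unpatched VPN appliance listed in CISA KEV", probability=3, impact=3),
    Risk("Default credentials on internal dashboard", probability=2, impact=2),
    Risk("Stale contractor account, MFA enforced", probability=1, impact=2),
    Risk("Unreviewed third-party library in build", probability=2, impact=3),
]

if __name__ == "__main__":
    for row in matrix():
        print(" ".join(f"{v:>2}" for v in row))
    for r in rank(REGISTER):
        print(f"{r.score}  {band(r.score):<6} {r.name}")
```

The validation step matters more than it looks: a rating of 0 or 4 silently skews a register, so the scorer rejects anything outside the scale rather than multiplying it through.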

### Risk Categorisation

#### Technical Factors

- Software Common Vulnerabilities and Exposures (CVEs)
- Misconfigurations
- Legacy Systems

#### Cultural

- Security Awareness
- Internal Policy
- Social Engineering

#### Supply Chain

- Third-party Code
- Vendor Vulnerabilities
- External Dependencies