Information Security Risk

It’s about contextual risk.

- Anurag Agrawal, in conversation with the author, 2014

The success of an assessment depends greatly upon the assessor’s ability to calculate or rate the risk of the system. There is the risk of the system as it is planned at the moment of the assessment. There is the risk that each attack vector poses to the security posture of the system. Most importantly, the risk from the system to the organization must be determined in some manner. If computer security risk cannot be calculated in a reasonable fashion, and consistently over time, then not only does any particular assessment fail, but the entire assessment program fails. The ability to understand, to interpret, and, ultimately, to deliver risk ratings is essential to architecture risk assessment (ARA) and threat modeling.

The word “risk” is overloaded and poorly defined. When discussing it, we usually don’t bother to state strictly what we mean; “risk” is thrown around as though everyone had a firm understanding of it, but its usage is often indiscriminate. A working definition for the purposes of security assessment must be more stringent, and “risk” will be defined more formally below. For the moment, let’s explain “risk” as Jack Jones does: “the loss exposure associated with the system.”1 This working definition encompasses both the likelihood of a computer security event occurring and the negative impact it would have.

