Risk in cyber security is the probability that a threat actor exploits a vulnerability, leading to loss of confidentiality, integrity or availability of data, or to disruption of service.
Risk = Threat x Vulnerability
We can add an impact attribute to enhance the risk calculation, which gives a better view of the risk together with the impact analysis of the asset.
Risk = Threat x Vulnerability x Impact
The total risk calculation, considering the asset value of the target asset, is as follows.
Total Risk = Threat x Vulnerability x Asset Value
The risk can be treated as follows:
Risk Mitigation reduces the risk by implementing controls that bring down the impact or the probability, such as implementing a firewall or installing anti-virus to protect the vulnerable asset from attackers.
Risk Avoidance completely removes the subject that is causing the risk, such as removing the program, software, hardware, etc.
Risk Transfer is done by transferring the risk to another party. Cyber insurance is an example, where the risk is transferred to the insurer.
Risk Acceptance is where the risk is accepted, either because its profile is low or because there are no options to address it.
The risk that remains after applying the above risk reduction methods is the Residual Risk.
Residual Risk = Total Risk – Control
Risk analysis can be done using the following methods:
Quantitative Risk Analysis is the analysis method in which a monetary value is given to the risk: a cost value in currency is mapped to the risk.
Qualitative Risk Analysis is the analysis method in which the risks are categorized, most commonly as High, Medium and Low.
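The following is an added example (not part of the original text) that puts the formulas above into a small risk-register calculator: it computes Total Risk = Threat x Vulnerability x Asset Value and Residual Risk = Total Risk - Control for several assets, expresses the result quantitatively (in currency) and qualitatively (High/Medium/Low), and models the four treatment options. The page gives no scales, so the following are assumptions: threat and vulnerability are likelihood factors in [0, 1], asset value and control are monetary amounts, the High/Medium/Low thresholds are illustrative, and the way each treatment option changes the formula (avoid removes the asset, mitigate and transfer add a control worth the given amount, accept leaves it unchanged) is one reasonable interpretation. The sample register is constructed.

```python
"""Risk-register calculator illustrating the page's formulas.

Added example, not from the original text. Assumed scales (the page gives none):
threat and vulnerability are likelihood factors in [0, 1], asset value and
control are monetary amounts, and the High/Medium/Low thresholds are chosen
for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    threat: float          # likelihood that a threat actor attempts exploitation (0..1)
    vulnerability: float   # likelihood that the attempt succeeds (0..1)
    asset_value: float     # monetary value of the asset
    control: float = 0.0   # monetary risk reduction provided by implemented controls


def total_risk(threat: float, vulnerability: float, asset_value: float) -> float:
    """Total Risk = Threat x Vulnerability x Asset Value (page formula)."""
    for factor in (threat, vulnerability):
        if not 0.0 <= factor <= 1.0:
            raise ValueError("threat and vulnerability must be in [0, 1]")
    return round(threat * vulnerability * asset_value, 2)


def residual_risk(total: float, control: float) -> float:
    """Residual Risk = Total Risk - Control (page formula).

    A control cannot make the risk negative, so the result is floored at zero.
    """
    return round(max(total - control, 0.0), 2)


def qualitative_rating(risk: float, high: float = 50_000, medium: float = 10_000) -> str:
    """Qualitative analysis: bucket a monetary risk figure into High / Medium / Low.

    The thresholds are assumptions for this example.
    """
    if risk >= high:
        return "High"
    if risk >= medium:
        return "Medium"
    return "Low"


def treat(asset: Asset, option: str, amount: float = 0.0) -> Optional[Asset]:
    """Apply one of the page's four treatment options (mapping is an assumption).

    mitigate: add a control worth `amount` (e.g. a firewall or anti-virus)
    avoid:    remove the asset that causes the risk (returns None)
    transfer: treat the insured `amount` as a control carried by the insurer
    accept:   leave the asset unchanged
    """
    if option == "avoid":
        return None
    if option in ("mitigate", "transfer"):
        return Asset(asset.name, asset.threat, asset.vulnerability,
                     asset.asset_value, asset.control + amount)
    if option == "accept":
        return asset
    raise ValueError(f"unknown treatment {option!r}")


def assess(register: List[Asset]) -> Dict[str, dict]:
    """Quantitative (currency) and qualitative (rating) view of every asset."""
    report = {}
    for a in register:
        total = total_risk(a.threat, a.vulnerability, a.asset_value)
        residual = residual_risk(total, a.control)
        report[a.name] = {"total": total, "residual": residual,
                          "rating": qualitative_rating(residual)}
    return report


# Constructed sample register; the values are illustrative, not from the page.
SAMPLE_REGISTER = [
    Asset("customer-db", threat=0.8, vulnerability=0.5, asset_value=200_000, control=30_000),
    Asset("intranet-wiki", threat=0.3, vulnerability=0.4, asset_value=50_000),
    Asset("payment-gateway", threat=0.6, vulnerability=0.25, asset_value=300_000, control=20_000),
]

if __name__ == "__main__":
    for name, row in assess(SAMPLE_REGISTER).items():
        print(f"{name:16} total={row['total']:>10,.2f} "
              f"residual={row['residual']:>10,.2f} {row['rating']}")
```

Running the script prints one row per asset with its total risk, residual risk after controls, and qualitative rating; `treat()` can then be used to see how a mitigation budget or an avoidance decision changes the residual figure before it is recalculated with `assess()`.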