The IT Law Wiki


Computer security

A risk is

the expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.[1]
a combination of the likelihood that a particular vulnerability in an organization's systems will be either intentionally or unintentionally exploited by a particular threat agent and the magnitude of the potential harm to the organization's operations, assets, or personnel that could result from the loss of confidentiality, integrity, or availability.[2]
a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.[3]
[t]he level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.[4]
[the] effect of uncertainty on objectives. Note: risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.[5]

National security

A risk is

[t]he potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. Risk-based decision making is defined as the determination of a course of action predicated primarily on the assessment of risk and the expected impact of that course of action on that risk.[6]


Risk in the 21st century results from a complex mix of man-made and naturally occurring threats and hazards, including terrorist attacks, accidents, natural disasters, and other emergencies. Within this context, critical infrastructure and key resources (CIKR) may be directly exposed to the event themselves or indirectly exposed as a result of the dependencies and interdependencies among CIKR.

Risk, in the context of critical infrastructure and terrorism, can be defined as the potential consequence associated with a particular kind of attack or event against a particular target, discounted by the likelihood that such an attack or event will occur (threat) and the likelihood that the target will sustain a certain degree of damage (vulnerability).

Threat includes not only the identification of specific adversaries, but also their intentions and capabilities (both current and future). Consequences include lives and property lost, short-term financial costs, longer-term economic costs, environmental costs, etc.

Given this definition, risk is not threat, nor vulnerability to a threat, nor the estimated consequences associated with a specific attack, but some integration of the three.[7]

"Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood . . . of occurrence."[8]

"Types of risk include program risk; compliance/regulatory risk; financial risk; legal risk; mission/business risk; political risk; security risk; privacy risk; project risk; reputational risk; safety risk; strategic planning risk; and supply chain risk."[9]
