Using The Risk Equation To Set Security Priorities

Until recently most cybersecurity efforts focused on prevention, and this created the anti-malware, firewall and perimeter-defense industries.  But the fact of the matter is that cyber-attackers are going to fly right past your perimeter defense and get into your network through port 80 or port 110, firewall ports that are open on nearly every network for web browsing and e-mail.  Our recommendation is to start managing the consequences of the inevitable security breach.  One way to do that is to use the Risk Equation:

Risk = Threat x Vulnerability x Cost

Threats are the intentions or actions of malicious actors against your network.  A threat, by definition, is an external factor: you do not control it, you can only estimate how likely it is to be directed at you.

Vulnerability is a condition that exists on your network and gives a malicious actor an attack surface.  A vulnerability is a condition that is internal to your network, which makes it the factor you can most directly reduce.  When a threat successfully meets a vulnerability, you end up with a breach.

Cost, or the consequences of a breach, is the damage that is caused to your organization.  These costs include hard costs such as damage to hardware or software, IT staff time and resources spent on remediation, and lost business due to network downtime.  Hard costs are usually monetary.  Then there are soft, non-monetary costs, which can include loss of use, damage to your business reputation, decreased customer or public confidence, and lost business opportunities.

The first step is to identify your assets and perform a vulnerability assessment of those assets.  You may want to contract with an outside cybersecurity firm for this part.

Putting values to these factors requires looking at the likelihood that an attacker would target your business, the value of your network assets and stored data, and the weaknesses discovered the last time your company ran a vulnerability assessment.  Then combine those results with the known and anticipated threats to work out a score for each asset in the Risk Equation.  A value of zero in any of the three factors gives zero risk, because anything multiplied by zero is zero.  In practice none of the factors is truly zero for an asset that is connected and in use, so the realistic goal is to lower the factors you control, especially vulnerability, and to rank assets by the resulting score.

The results of your risk assessment should help you prioritize where you spend your money and resources first.  Going through this exercise will not be easy, especially the last part, but it will help management focus on the most important issues first and give you a road map for continuing improvement.
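The following is an added worked example of the steps above, not code from the original post.  It maps qualitative ratings for Threat, Vulnerability and Cost onto a 0-5 scale so they can be multiplied, scores a small constructed asset inventory with Risk = Threat x Vulnerability x Cost, and ranks the assets so the highest score comes first.  The asset names, the rating scale and every score are assumptions made up for the illustration; a real assessment would use your own inventory and findings.

```python
"""Worked example of the Risk Equation (Risk = Threat x Vulnerability x Cost)
applied to a small asset inventory and used to rank where to spend first.

Added illustration, not the original post's code.  The assets, the 0-5 scale
and the ratings below are constructed for the example, not real assessment data.
"""
from dataclasses import dataclass, replace

# Qualitative ratings mapped to a 0-5 scale so the three factors can be multiplied.
# 0 is reserved for "this factor is absent" and zeroes the whole product.
RATING = {"none": 0, "very low": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    threat: str         # likelihood a malicious actor targets this asset (external)
    vulnerability: str  # exploitable weakness found in the last assessment (internal)
    cost: str           # monetary plus non-monetary impact of a breach

    def risk(self) -> int:
        """Risk = Threat x Vulnerability x Cost on the numeric scale."""
        return RATING[self.threat] * RATING[self.vulnerability] * RATING[self.cost]

    def after_remediation(self, new_vulnerability: str) -> "Asset":
        """The same asset after the internal factor has been reduced."""
        return replace(self, vulnerability=new_vulnerability)


def rank_by_risk(assets):
    """Return (name, risk) pairs, highest risk first, ties broken by name."""
    return sorted(((a.name, a.risk()) for a in assets), key=lambda p: (-p[1], p[0]))


# Constructed inventory for the example (hypothetical assets and ratings).
INVENTORY = [
    Asset("public web server", threat="high", vulnerability="medium", cost="medium"),
    Asset("customer database", threat="high", vulnerability="low", cost="critical"),
    Asset("HR file share", threat="medium", vulnerability="high", cost="high"),
    # Decommissioned and unplugged: no attack surface, so vulnerability is "none"
    # and the product is zero no matter how the other two factors are rated.
    Asset("retired fax server", threat="low", vulnerability="none", cost="low"),
]


def top_priority(assets=INVENTORY) -> str:
    """Name of the asset that should get money and resources first."""
    return rank_by_risk(assets)[0][0]


def ranking_after_fixing(asset_name: str, new_vulnerability: str, assets=INVENTORY):
    """Re-rank the inventory after one asset's vulnerability has been reduced."""
    updated = [a.after_remediation(new_vulnerability) if a.name == asset_name else a
               for a in assets]
    return rank_by_risk(updated)


if __name__ == "__main__":
    print("Before remediation:")
    for name, risk in rank_by_risk(INVENTORY):
        print(f"{risk:3d}  {name}")
    print("\nAfter patching the HR file share down to 'low' vulnerability:")
    for name, risk in ranking_after_fixing("HR file share", "low"):
        print(f"{risk:3d}  {name}")
```

Run as a script it prints the ranking twice: first the HR file share leads (3 x 4 x 4 = 48), ahead of the customer database (4 x 2 x 5 = 40) and the web server (4 x 3 x 3 = 36), with the unplugged fax server at 0.  After the HR share's vulnerability is reduced to "low" it drops to 3 x 2 x 4 = 24 and the customer database becomes the top priority, which is the road-map behaviour the equation is meant to give you: fix the biggest product, re-score, and repeat.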


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
