Risk is the effect of uncertainty on objectives.

Source: ISO 31000

1. Risk = Uncertainty + Objectives + Effect
2. Threat = Negative Risk = Uncertainty + Objectives + Negative Effect
   • Uncertainty = Likelihood = Threat Source + Threat Event + Vulnerability
   • Objectives = CIA
   • Negative Effect = Adverse Impacts = Impacts
3. Threat = (Threat Source + Threat Event + Vulnerability) + CIA + Impacts
4. Risk Exposure = f(Uncertainty, Effect) = Uncertainty * Effect
5. Exposure is short for Risk Exposure or Threat Exposure

Take Away

1. “Risk” is a neutral term for both opportunity and threat. It introduces the business mindset.
2. “Threat” specifically refers to information (security) risk with negative effects.
3. The idea that a threat is a risk with negative effects connects cybersecurity to the discipline of risk management.
4. It’s a common misnomer to refer “risk” or “threat” to “exposure”.

The NIST Generic Risk Model

NIST SP 800-30 R1

Threat

Any circumstance or event with the potential to adversely impact

• organizational operations (including mission, functions, image, or reputation),
• organizational assets,
• individuals,
• other organizations, or
• the Nation through an information system

via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. [CNSSI No.4009]

Threat Event

An event or situation that has the potential for causing undesirable consequences or impact.

Threat Scenario

A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time. Synonym for Threat Campaign.

Threat Assessment

Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat. [CNSSI No. 4009]

Information Security