Defining Information Security Risk

Years ago I wrote a definition of Information Security Risk that still seems to work well for me. Here it is:

Information Security Risk is a function of (a) the likelihood of a specific threat-source exploiting a specific vulnerability in a specific information system and (b) the resulting impact of that event on confidentiality, integrity, and availability.

Do you have a different definition of Information Security Risk? Please add it as a comment!

Clint Laskowski

Hello! My name is Clint Laskowski, and I'm an Information Security Professional who helps clients identify, assess, treat, and monitor risks to information and information systems.
