The most generalized way to define risk I can come up with is the ‘chance of misfortune.’ Risk exists in every field and industry and is defined specifically within each of them, usually in terms of uncertainty or probability. This post covers every dimension of that definition, from first principles to real-world cyber catastrophe.
The foundation
What Is Risk?
Risk can be defined as an uncertain event that, if it ever occurs, causes ill effects. It shows up in finance, in medicine, in logistics, in engineering. The word gets thrown around a lot, but the underlying idea is always the same: something bad might happen, and there is some chance of it actually happening.
In security, we get more specific. Risk is the probability of a threat succeeding in exploiting a defined vulnerability. That definition forces you to think about three things at once: the threat, the vulnerability, and the likelihood that one meets the other in a way that causes harm.
Risk is the probability of a threat succeeding in exploiting a defined vulnerability, and the harm that results from it.
A threat with nothing to exploit is not an active risk. A vulnerability with no one targeting it is a latent problem, not an immediate one. Risk is the intersection of the two, and it is never static. As threats evolve, as new vulnerabilities surface, as assets change in value, the risk picture shifts. A point-in-time assessment is never enough on its own.
Two ways to measure it
Qualitative vs. Quantitative Risk Analysis
Once you understand what risk is, the next question is how to measure it. There are two approaches, and you need both. Treating them as competing methods is one of the more common mistakes I see in security programs.
The Big Picture
Qualitative analysis expresses risk in raw form, showing the big picture through comparison and scope without putting it into metrics. It mainly involves identifying risks, the reasons they exist, the likelihood of their occurring, and their impact if they succeed. It defines the source of the risk, the asset at stake, and the scope it tends to affect.
The Metrics
Quantitative analysis follows in the footsteps of qualitative analysis but assigns computable values to impact and probability. This lets you differentiate threats, vulnerabilities, and assets at a finer level of granularity. It turns the picture into numbers you can act on, prioritize, and take to leadership.
Qualitative framing is where you start, when you are trying to get your arms around what the threats even are. Quantitative is where you go when you need to prioritize and justify decisions with real data. Think of it this way: qualitative gives you the map, quantitative gives you the elevation. You need both to navigate.
I want to bring in something from my forensics work here, because it illustrates a dimension of risk that most frameworks miss. While researching the Adylkuzz malware, a by-product of the Shadow Brokers’ theft of tools the NSA had developed, it became clear that the risk of developing, keeping, and secretly maintaining such tools is quite different from any other risk an organization faces. Standard qualitative and quantitative frameworks were not built for a situation where the asset itself is an offensive weapon, where secrecy is the primary control, and where the blast radius of exposure is global. That context matters when you apply risk frameworks honestly.
Why scale is the real problem
The Near-Infinite Scope of a Cyber Attack
A cyber attack’s scope is close to infinite. A particular system or server could lead to the breakdown of an entire organization, impacting all its associated and collaborating actors, its internal subdivisions, and every individual part of it. On top of that, the organization might be handling information and assets belonging to third parties, who are also affected.
In a physical world, a fire in a warehouse burns the warehouse. Maybe it spreads next door. In a networked world, a single vulnerable system can propagate to everything it touches, and everything those systems touch, with no geographic limit and no natural stopping point. That is not theoretical. We have seen it happen twice at a scale that is genuinely hard to comprehend.
I can think of only two cyber attacks that truly capture this.
What makes this example so important for understanding risk is that Maersk was not the intended target. They were caught in the blast radius. That is the defining property of cyber risk that no other risk domain shares: the people who pay the price are not always the ones who were targeted.
These attacks could easily cause more than $100 billion in damages individually. But the risk lesson goes beyond the dollar figure. The NSA made a risk calculation: keep these tools, because the intelligence value outweighs the exposure risk. That calculation did not account for the possibility of the tools being stolen and repurposed by actors with no restraint on their use. The risk of secretly developing and maintaining offensive cyberweapons is unlike any other organizational risk, because once the asset leaves your control, it becomes a weapon pointed at everyone.
Both examples point to the same thing: when doing risk analysis in cybersecurity, scope cannot be treated as bounded. Every connection an organization has is also a potential attack path. The more integrated you are, the larger your potential blast radius.
How we estimate likelihood
Objective vs. Subjective Probability
Risk management calculations are based on probability estimates, and those estimates come in two forms. Getting this distinction right is one of the more underappreciated parts of doing risk work well.
Justified and Verifiable
Objective probability is built on justifiable, quantifiable values obtained from previous events or calculated from current and future chances of occurrence. The estimate has supporting evidence. It holds up when someone asks “how did you get to that number?”
Judgment-Based
Subjective probability estimates cannot be fully justified. There is no proof to support their accuracy, and they often depend on how desirable or undesirable it is to take an action. The willingness to take, deal with, or live with a risk depends largely on the risk-taker’s mindset, since the probability of failure or success following the decision cannot be determined in advance.
The most interesting part of this distinction is the connection between the two. An objective probability estimate that lacks proper proof or support can, in some cases, be treated as a subjective one. Consider a postal service with a history of never being late. The risk of late delivery can be objectively estimated, but the actual value depends on many factors, such as the driver, the vehicle, traffic, riots, or natural calamities, that are not quantifiable. In this case, a customer takes their chance based on what we would call a subjective probability estimate.
Or think about it in terms of a game. In airplane chess, the same problem can be viewed through both the subjective and the objective lens. Consider the claim that rolling a 6 has a probability of 1/12. Without strong support for that claim, it is a subjective estimate. But assume you have observed this pattern consistently for a very long period of time across different scenarios, and something makes your statement verifiable. At that point, it becomes an objective estimate. The same event, the same claim, is either subjective or objective depending on the evidence behind it.
In security risk management: if an organization constantly observes a pattern of incoming threats over time, such as port scanning or an IPS detecting intrusion patterns, we might increase the probability of a successful exploit even if there is not yet a confirmed active threat. If confirmation exists that these are not false positives, that is an objective risk estimate. If not, it stays subjective. That distinction matters when deciding how aggressively to respond and how to justify that response to leadership.
Based on the above, when applied to risk management, we can conclude that an accurate objective risk estimate intersects with the individual’s subjective assessment of the future outcome. The two are not opposites on a binary scale. They live on a continuum, and where any given estimate sits on that continuum depends entirely on the quality and volume of supporting evidence.
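The rule described above for IPS alerts and port scans (confirmed pattern: objective; unconfirmed pattern: subjective) and the quantitative prioritization step from the earlier section, as an added example that is not part of the original post. The alert records, the confirmation threshold of five, and the fallback prior are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    day: int                   # observation day (1-based)
    signature: str             # IPS signature or scan type that fired
    confirmed: Optional[bool]  # True: analyst-verified, False: false positive, None: not triaged

# Constructed sample (not real telemetry): one week of IPS alerts on one exposed host.
ALERTS = [
    Alert(1, "port-scan", True), Alert(1, "port-scan", True),
    Alert(2, "port-scan", False),
    Alert(3, "ssh-bruteforce", True),
    Alert(4, "port-scan", None),
    Alert(5, "ssh-bruteforce", True),
    Alert(6, "port-scan", True),
    Alert(7, "ssh-bruteforce", True),
]

def likelihood_estimate(alerts, observed_days, min_confirmed=5, prior=0.05):
    """Estimate the daily probability of hostile activity against the host.

    Returns (probability, basis). The basis is "objective" only when enough
    alerts were confirmed real by an analyst; otherwise the figure is a
    judgment call ("subjective"). The threshold and prior are assumptions."""
    confirmed = [a for a in alerts if a.confirmed is True]
    unresolved = [a for a in alerts if a.confirmed is None]
    if len(confirmed) >= min_confirmed:
        active_days = {a.day for a in confirmed}   # verified evidence only
        return len(active_days) / observed_days, "objective"
    if confirmed or unresolved:
        # A pattern was seen but not verified: still evidence, but only subjectively.
        active_days = {a.day for a in confirmed + unresolved}
        return len(active_days) / observed_days, "subjective"
    return prior, "subjective"   # no signal at all: fall back to an assumed prior

def rank_by_expected_loss(assets):
    """Quantitative step: order (name, probability, impact) tuples by probability * impact."""
    return sorted(assets, key=lambda a: a[1] * a[2], reverse=True)

if __name__ == "__main__":
    p, basis = likelihood_estimate(ALERTS, observed_days=7)
    print(f"daily likelihood {p:.2f} ({basis})")
    for name, prob, impact in rank_by_expected_loss([("web", p, 50), ("db", 0.05, 1000)]):
        print(f"{name}: expected loss {prob * impact:.1f}")
```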
Putting it together
Risk Is Not a Checkbox
Risk is not something you assess once, file away, and revisit at the next audit. It is a continuous, multi-dimensional problem that spans the definition of assets, identification of threats, measurement of vulnerabilities, estimation of likelihood, calculation of impact, and the judgment calls that sit at the intersection of all of them.
In cybersecurity, that problem is made harder by scale, interconnection, and the fact that the people who get hurt are not always the ones who were targeted. A single misconfigured server, a single stolen credential, a single zero-day in the wrong hands can cascade into something global. NotPetya did not need a sophisticated multi-stage plan. It needed one vulnerable system connected to enough others.
Every framework, qualitative or quantitative, objective or subjective, is a tool. None of them is the answer on its own. The answer is the ongoing discipline of using them together honestly, with real data where you have it and honest judgment where you do not, always with a clear-eyed view of what the actual scope of impact could be if things go wrong.
That is what it means to understand risk. Not a definition you memorize, but a way of thinking you apply continuously.
- The most generalized definition of risk is the chance of misfortune. In security, it is the probability of a threat successfully exploiting a defined vulnerability.
- Risk is the relationship between threat and vulnerability. A threat with nothing to exploit, or a vulnerability with no one targeting it, is not active risk.
- Qualitative and quantitative analysis are not competing methods. You need both. Qualitative to understand the picture, quantitative to prioritize and justify decisions.
- A cyber attack’s scope is close to infinite. A single compromised system can cascade globally, affecting partners, subdivisions, and third parties simultaneously.
- Objective and subjective probability exist on a continuum. A pattern observed consistently over time with enough supporting evidence graduates from subjective to objective, and the reverse is true too.
- In security operations, the line between subjective and objective risk comes down to one question: are the signals you are seeing confirmed real, or are they noise?
- Risk is not a checkbox. It is a continuous discipline, and the goal is not to eliminate it but to understand it clearly enough to make better decisions.