Risk in general refers to the possibility of suffering significant loss. Risk analysis often breaks down the assessment of risk into more detailed categories. Some of these include:
Depending on the specific emphasis being applied to the term risk, various formulas may be employed to estimate risk in a quantitative manner. One such formula is:
Risk = Threat x Vulnerability x Asset Value
In line with definitions available elsewhere in this glossary, threats are external factors, vulnerabilities are internal weaknesses, and asset value is estimated in financial terms. The equation above thus provides an estimate of potential loss for some time period based on 1) the seriousness of the threat, 2) the severity of the vulnerability, and 3) the appraised value of the data or systems at risk.
Other equations for risk analysis provide a tighter focus on expected loss over particular time periods. For example:
Under this system, the relevant calculation is:
ALE = SLE x ALO
The formula above assumes knowledge or reasonable estimates of 1) how much value would be lost in a single incident, and 2) the probability that such an incident would occur within a given year.
The first formula, Risk = Threat x Vulnerability x Asset Value, is more technically focused and suggests a key point of leverage in changing the odds to lessen risk. Assuming threats are external and assets are constant, the way to reduce risk is to minimize vulnerabilities. Improved security procedures should accomplish precisely that.
The second formula, ALE = SLE x ALO, is more financially focused and allows for things like insurance, hedging, or cost-effectiveness calculations. Of course, hybrid formulas are possible, including terms to capture the probability of a security breach and the estimated cost of such a breach occurring. Creating a unified technical and business view of security risk management is by many accounts very much a work in progress.
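The two formulas above, and the hybrid view that joins them, worked through in code. This is an added example, not part of the glossary entry; the scenario figures are constructed, the 0..1 scales for threat and vulnerability are an assumption, and the hybrid function's reading of Threat x Vulnerability as an annual probability of occurrence and Asset Value as the single-loss figure is one possible bridge between the two views, not a definition the glossary gives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset exposed to one threat (constructed inputs)."""
    name: str
    threat: float          # seriousness of the external threat, assumed 0..1
    vulnerability: float   # severity of the internal weakness, assumed 0..1
    asset_value: float     # appraised value of the data/system, in currency units


def risk_score(s: Scenario) -> float:
    """First formula: Risk = Threat x Vulnerability x Asset Value."""
    return s.threat * s.vulnerability * s.asset_value


def risk_after_control(s: Scenario, new_vulnerability: float) -> float:
    """Leverage point of the first formula: threat and asset value are held
    constant and only the vulnerability term is reduced by a control."""
    return risk_score(Scenario(s.name, s.threat, new_vulnerability, s.asset_value))


def ale(sle: float, alo: float) -> float:
    """Second formula: ALE = SLE x ALO (single loss expectancy times the
    probability of that loss occurring in a given year)."""
    return sle * alo


def control_net_benefit(sle: float, alo_before: float, alo_after: float,
                        annual_control_cost: float) -> float:
    """Cost-effectiveness check: yearly loss avoided by a control minus what
    the control costs per year. Negative means the control costs more than
    the loss it prevents."""
    return ale(sle, alo_before) - ale(sle, alo_after) - annual_control_cost


def hybrid_ale(s: Scenario) -> float:
    """Hybrid reading (assumption): treat Threat x Vulnerability as the
    probability of a breach in a year and Asset Value as the cost of one
    breach, so the technical score becomes an annualized financial loss."""
    return ale(sle=s.asset_value, alo=s.threat * s.vulnerability)


if __name__ == "__main__":
    # Constructed scenario: a customer database facing a credible threat.
    db = Scenario("customer-db", threat=0.5, vulnerability=0.5, asset_value=200_000.0)
    print(f"risk before control: {risk_score(db):,.0f}")
    print(f"risk after patching (vulnerability 0.5 -> 0.1): "
          f"{risk_after_control(db, 0.1):,.0f}")

    # Same scenario in financial terms, with a control costing 15,000 per year.
    before, after, cost = 0.25, 0.05, 15_000.0
    print(f"ALE before: {ale(200_000.0, before):,.0f}, after: {ale(200_000.0, after):,.0f}")
    print(f"net benefit of control: {control_net_benefit(200_000.0, before, after, cost):,.0f}")
    print(f"hybrid ALE of technical scenario: {hybrid_ale(db):,.0f}")
```

The two views agree on the leverage point: in `risk_after_control` only the vulnerability term moves, and in `control_net_benefit` the same reduction appears as a lower annual occurrence rate, which is what makes the control's yearly cost comparable with the loss it avoids.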
See also ARTS.