Risky Business:

Why the language of Risk helps us understand cybersecurity

Tim Smith
4 min read · Sep 24, 2020

“I updated the firmware on our router.”
“Ok, cool, I guess?”

“Make sure you use a complicated password.”
“Ok, sure, nerd.”

“We’re about to lose hundreds of dollars.”

Often, one of the most common reactions to typical cybersecurity practices from those outside of the field is that of disdain, disinterest, or just plain annoyance. To many people, cybersecurity is just “computer stuff” best left to the experts. Granted, this perspective might be a little justified when professionals get too “into the weeds” about terminology and protocols, but, regarding who should practice good cybersecurity habits, nothing could be further from the truth. In today’s world, cybersecurity affects everyone — (who doesn’t interact with a computer or smartphone on a daily basis?) — and the repercussions of bad cybersecurity practices can be both long-lasting and severe, regardless of technical experience. Therefore, one of the primary (but often overlooked) responsibilities of the cybersecurity professional is effective and coherent communication.

Enter Risk Management.

We all understand risks: we make choices about them every day. What we spend our time on, what problems we try to fix, who we talk to, where we go — all of these decisions are informed by how we perceive the potential risks at play. Businesses and companies speak the language of risk as well — “Will this cause us to lose money? Can taking a certain action give us a competitive advantage?” These are all questions of risk. In fact, any attempt to offset an event, condition, or reality that may negatively impact an individual or organization can be considered risk management. Risk management helps all departments in a company, regardless of technical level or knowledge, speak a unified language that everyone (particularly leadership) can understand and engage with.

Cybersecurity, broadly defined as the practice of protecting computer systems and data, is ultimately about risk management. When we implement new procedures or technologies to improve teamwork and efficiency, we are managing risk. When we encrypt data to prevent theft, we are managing risk. Adopting a risk management framework isn’t just a nice checklist to show “seriousness” or “maturity” as a business — it is fundamental to good cybersecurity.

On a personal level, I have always had more success trying to convince friends or family to adopt a new cyber habit by emphasizing the impact or risk involved. They may not care about the cryptography at play when they make an online purchase, but they definitely pay more attention if they know their credit card data can get stolen if that website isn’t encrypting communications (and if we can automate that process so that https connections are automatic, all the better). Likewise, we can deploy this type of psychology on a company-wide level, allowing executives who maybe don’t have the time to learn the intricacies of cybersecurity to make decisions that ultimately lead to mitigating cyber risk.

There are a variety of risk management frameworks out there for businesses to adopt. Some are free, others are paid for, and not all of them are tailored to cybersecurity. What frameworks you use is somewhat dependent on the industry and needs of your business, but, in most every case, a framework is a critical tool for communicating the needs and objectives of your cybersecurity program.

A very basic example of a Risk Register I whipped up for a project a few months ago.

The classic formula used for risk in many frameworks is:

Risk = Threat × Vulnerability × Impact

While the threat, vulnerability, and impact of something may be somewhat subjective, if a company or department can agree on a common understanding of these aspects, risks can be broken down numerically, giving even outsiders an understanding of where to direct priorities and resources. The idea of a numeric indicator for risk is the basis behind the ubiquitous CVSS (Common Vulnerability Scoring System) score assigned to Common Vulnerabilities and Exposures (CVEs). Basically, a CVE (an identified vulnerability in a protocol or utility) is given a CVSS score based on severity. So, when a vulnerability is given a CVSS score of 10 (like the recently disclosed vulnerability CVE-2020-1472, or “Zerologon”), you know it’s a big deal.
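To show how the formula turns a list of concerns into a prioritized register, here is a small added example (written for this page, not the author's own risk register or any framework's official tool). It assumes each factor is rated on a 1-5 scale, so scores range from 1 to 125, and the Low/Medium/High/Critical thresholds are assumptions for illustration. The register entries are constructed sample data; the example also computes the residual risk after a planned control lowers the vulnerability rating, which is how a register shows leadership what a mitigation buys.

```python
"""Minimal risk register: score and rank risks with
Risk = Threat x Vulnerability x Impact, then show residual risk after a
planned control. Scales, thresholds and entries are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1-5 rating scale for each factor


def check_scale(label: str, value: int) -> None:
    """Reject ratings outside the agreed scale so scores stay comparable."""
    if not (SCALE_MIN <= value <= SCALE_MAX):
        raise ValueError(f"{label} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")


@dataclass
class Risk:
    name: str
    threat: int         # how likely a threat source acts (1 = rare, 5 = constant)
    vulnerability: int  # how exposed we are (1 = well protected, 5 = wide open)
    impact: int         # business consequence (1 = trivial, 5 = existential)
    control: str = ""   # planned mitigation, if any
    residual_vulnerability: Optional[int] = None  # vulnerability after the control

    def __post_init__(self) -> None:
        check_scale("threat", self.threat)
        check_scale("vulnerability", self.vulnerability)
        check_scale("impact", self.impact)
        if self.residual_vulnerability is not None:
            check_scale("residual_vulnerability", self.residual_vulnerability)


def score(threat: int, vulnerability: int, impact: int) -> int:
    """The classic formula from the text."""
    return threat * vulnerability * impact


def inherent_risk(r: Risk) -> int:
    """Risk before any planned control is applied."""
    return score(r.threat, r.vulnerability, r.impact)


def residual_risk(r: Risk) -> int:
    """Risk after the control; unchanged if no residual rating was given."""
    v = r.vulnerability if r.residual_vulnerability is None else r.residual_vulnerability
    return score(r.threat, v, r.impact)


def rating(value: int) -> str:
    """Map a 1-125 score to a label leadership can read. Thresholds are assumed."""
    if value >= 60:
        return "Critical"
    if value >= 30:
        return "High"
    if value >= 12:
        return "Medium"
    return "Low"


def rank(register: List[Risk]) -> List[Risk]:
    """Highest inherent risk first; ties keep register order (sorted is stable)."""
    return sorted(register, key=inherent_risk, reverse=True)


def report(register: List[Risk]) -> List[str]:
    """One line per risk: inherent score/rating -> residual score/rating, control."""
    lines = []
    for r in rank(register):
        inh, res = inherent_risk(r), residual_risk(r)
        lines.append(f"{r.name:<36} {inh:>3} {rating(inh):<8} -> "
                     f"{res:>3} {rating(res):<8} {r.control}")
    return lines


# Constructed sample register; names echo the concerns mentioned in the post.
SAMPLE_REGISTER = [
    Risk("Unpatched domain controllers", 5, 5, 5, "Apply vendor patch", 1),
    Risk("Weak user passwords", 4, 4, 3, "Enforce length + MFA", 2),
    Risk("Outdated router firmware", 3, 4, 2, "Scheduled firmware updates", 1),
    Risk("Checkout page not served over HTTPS", 4, 5, 4, "Force HTTPS / HSTS", 1),
    Risk("Lost laptop without disk encryption", 2, 3, 4, "Full-disk encryption", 1),
]

if __name__ == "__main__":
    print(f"{'Risk':<36} {'Inh':>3} {'Rating':<8}    {'Res':>3} {'Rating':<8} Control")
    for line in report(SAMPLE_REGISTER):
        print(line)
```

Running it prints the register sorted by inherent score, so the unpatched domain controllers (125, Critical) land at the top and the two 24-point items at the bottom; the residual column makes the case for each control in the same numeric language the rest of the business already uses.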

(Relatedly, Microsoft admins, if you haven’t patched your domain controllers for the Zerologon vulnerability, uhhhh, you may want to do that ASAP).

I’m most familiar with the NIST Risk Framework (SP 800-37/800-53) and the ISO 31000 framework for private companies, but you may have your own favorite framework for treating risk (government agencies are required to keep to FedRAMP, for instance). If so, let me know about them in the comments!

Some intro-level further reading on risk:

Kreiser, J. (2013, August 29). Five Benefits of Enterprise Risk Management. https://www.claconnect.com/resources/articles/five-benefits-of-enterprise-risk-management

Peterson, O. (2019a, July 1). Basics of Enterprise Risk Management (ERM): How to Get Started. https://www.process.st/enterprise-risk-management/

Bresnahan, E. (2019, May 23). Using NIST 800-30 to Implement the NIST Cybersecurity Framework. https://securityboulevard.com/2019/05/using-nist-800-30-to-implement-the-nist-cybersecurity-framework/