Risk is at the heart of security. Every security decision is a trade-off between business risk and the investment needed to reduce it. But what does "risk" actually mean in a security context, and how should you think about it?
Risk as a formula
Project managers measure risk as likelihood multiplied by impact. For a given event, the risk is a function of how likely it is to happen and what the consequences would be if it did. Likelihood is expressed as a percentage, impact as an approximate cost, and together they feed into contingency planning.
Security works from the same foundation, but the specifics of each factor are very different.
Why likelihood is hard to pin down
Likelihood in a security context cannot be accurately predicted. You do not know everything about the threat actors who might target you. If your organisation uses cyber threat intelligence, you may know which groups are most likely to target businesses like yours, and you may have insight into their tactics, techniques and procedures. But that knowledge is never complete, and it is not a reliable predictor of where the next attack will come from.
Threat actors also change their behaviour over time. They look for new ways to make money, new methods of extortion and new attack techniques. Cloud environments have attracted entirely new attack patterns that did not exist a few years ago. Ransomware became a dominant threat only in the last decade. Before that, most IT departments had never encountered it.
For likelihood, we can only speculate. There are attackers and attack methods we do not yet know about, and that is simply the reality.
Why impact is more knowable
Impact is different. If your core customer database is compromised, you can estimate the likely fallout and cost. If your main revenue stream is cut off, the financial consequences are fairly clear. If you are not sure what the impact of a particular risk would be, there is usually someone in your business who does know, and often in some detail.
The standard risk calculation puts equal weight on likelihood and impact. That means a high-impact, low-likelihood threat looks only moderately serious: on a 1 to 5 scale, an impact of 5 with a likelihood of 1 scores 5, while a middling threat at 3 × 3 scores 9 and ranks above it. In security, that framing can be misleading.
Weighting impact over likelihood
Given that we know more about impact than likelihood, it makes more sense to weight the calculation accordingly. My approach with clients is to lean on impact when assessing security risk, with roughly an 80 to 20 weighting in favour of impact over likelihood.
The specific numbers may vary depending on the client's circumstances and any additional threat intelligence available. But the general principle applies consistently: the factor you know more about should carry more weight in your assessment.
This approach means you are making decisions based more on what you know and less on what you are guessing. It also provides some protection against changes in the threat landscape, since a new attack method or threat actor changes likelihood but does not necessarily change the impact of a successful attack on your systems.
The result is a stronger foundation for assessing risk and making security investment decisions that hold up over time.
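As an added illustration, not code from the original article: a short Python script that scores a constructed threat register under equal weighting and under the 80/20 impact weighting described above. The article states the principle but not a formula, so the scoring function used here is this example's assumption: a weighted geometric mean, risk = L^w_l × I^w_i with the weights summing to 1, chosen because the equal-weight case is just the square root of the familiar L × I product and therefore ranks threats exactly as the standard calculation does. The threat names and 1 to 5 scores are constructed for the example.

```python
"""Score a constructed threat register under equal and impact-weighted risk.

Risk is modelled as a weighted geometric mean of likelihood (L) and
impact (I), both on a 1-5 scale:

    risk = L**w_l * I**w_i,   with w_l + w_i = 1

With w_l = w_i = 0.5 this is the square root of the plain L x I product,
so it ranks threats exactly as the standard calculation does. With
w_i = 0.8, w_l = 0.2 impact dominates, as the article recommends.
The weighted-geometric-mean form is this example's assumption; the
article gives the 80/20 principle, not a formula.
"""
from dataclasses import dataclass

SCALE_MAX = 5


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); largely a guess
    impact: int      # 1 (negligible) .. 5 (existential); usually knowable


# Constructed register; names and scores are illustrative only.
REGISTER = [
    Threat("Phishing credential theft, single mailbox", likelihood=5, impact=2),
    Threat("Core customer database exfiltration", likelihood=1, impact=5),
    Threat("Ransomware on file shares", likelihood=3, impact=4),
    Threat("DDoS against marketing site", likelihood=4, impact=1),
    Threat("Insider misuse of admin access", likelihood=2, impact=3),
]


def validate(t: Threat) -> None:
    """Reject scores outside the 1..SCALE_MAX ordinal scale."""
    for field, value in (("likelihood", t.likelihood), ("impact", t.impact)):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{t.name}: {field}={value} outside 1..{SCALE_MAX}")


def risk_score(t: Threat, impact_weight: float = 0.8) -> float:
    """Weighted geometric mean of likelihood and impact, in 1..SCALE_MAX.

    impact_weight=0.5 reproduces the ranking of the standard L x I product;
    impact_weight=0.8 is the article's 80/20 lean towards impact.
    """
    if not 0.0 <= impact_weight <= 1.0:
        raise ValueError("impact_weight must be in [0, 1]")
    validate(t)
    likelihood_weight = 1.0 - impact_weight
    return round(t.likelihood ** likelihood_weight * t.impact ** impact_weight, 2)


def rank(register, impact_weight: float):
    """Return (name, score) pairs, highest risk first."""
    scored = [(t.name, risk_score(t, impact_weight)) for t in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def rank_shift(register, impact_weight: float = 0.8):
    """Position change per threat when moving from equal to impact weighting.

    Positive means the threat moved up the list under impact weighting.
    """
    equal = [name for name, _ in rank(register, 0.5)]
    weighted = [name for name, _ in rank(register, impact_weight)]
    return {name: equal.index(name) - weighted.index(name) for name in equal}


if __name__ == "__main__":
    for w in (0.5, 0.8):
        print(f"\nimpact weight = {w}")
        for pos, (name, score) in enumerate(rank(REGISTER, w), start=1):
            print(f"  {pos}. {score:4.2f}  {name}")
    print("\nposition shift (equal -> 80/20):")
    for name, shift in rank_shift(REGISTER).items():
        print(f"  {shift:+d}  {name}")
```

Run as-is it prints both rankings. The thing to look for is the low-likelihood, high-impact database exfiltration moving from fourth to second place while the frequent-but-cheap phishing entry drops two places; the ransomware entry stays on top under both schemes because it scores highly on the factor that is actually known. The weight is a single parameter, so the client-specific adjustment the article mentions is one number rather than a new model.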

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.