IT risk
IT risk is a relatively young discipline that grew out of information security, as organizations recognized that IT security is only one facet of the many risks that bear on information technology and the real-world processes it supports.
Three definitions of IT risk are given below: two because they come from highly influential standardization bodies, and a third because it is concise and practical for risk assessments.
ISO definition
IT Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and its consequence [ISO/IEC 13335-1:2005]
NIST definition
IT-Related Risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system
[NIST SP 800-30]
FAIR definition
Risk = The probable frequency and probable magnitude of future loss.
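All three definitions reduce risk to a likelihood term combined with a consequence term: ISO and NIST speak of probability and impact, FAIR of probable frequency and probable magnitude of loss. The following is an added worked example (not code from OSA, NIST or the FAIR authors) that puts numbers on that combination for a couple of constructed scenarios. It assumes FAIR's decomposition of loss event frequency into threat event frequency times vulnerability, models loss magnitude as a triangular distribution over an assumed min/most-likely/max range, and uses a Poisson process for the number of loss events per year; all scenario figures are illustrative, not measured data.

```python
"""Quantifying the probability-times-consequence view of IT risk (added example)."""
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: a threat acting on an asset (the ISO/NIST framing)."""
    name: str
    tef: float            # threat event frequency, events per year (assumed input)
    vulnerability: float  # probability a threat event becomes a loss event (0..1)
    loss_min: float       # assumed loss magnitude range, in currency units
    loss_likely: float
    loss_max: float


def loss_event_frequency(s: Scenario) -> float:
    """FAIR: probable frequency = threat event frequency x vulnerability."""
    return s.tef * s.vulnerability


def expected_loss_magnitude(s: Scenario) -> float:
    """Mean of a triangular distribution over the assumed loss range."""
    return (s.loss_min + s.loss_likely + s.loss_max) / 3.0


def annualized_loss_expectancy(s: Scenario) -> float:
    """ISO/NIST 'probability x consequence', collapsed to one expected value per year."""
    return loss_event_frequency(s) * expected_loss_magnitude(s)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year, drawn with Knuth's Poisson method."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 1) -> List[float]:
    """Monte Carlo: sample how many loss events occur each year and how large each is."""
    rng = random.Random(seed)
    lef = loss_event_frequency(s)
    totals = []
    for _ in range(years):
        n = _poisson(rng, lef)
        totals.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_likely) for _ in range(n)))
    return totals


def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile; q=90 gives the annual loss exceeded in 10% of years."""
    ordered = sorted(values)
    idx = max(0, math.ceil(q / 100.0 * len(ordered)) - 1)
    return ordered[idx]


def rank_by_ale(scenarios: List[Scenario]) -> List[str]:
    """Order scenarios for treatment, highest expected annual loss first."""
    return [s.name for s in sorted(scenarios, key=annualized_loss_expectancy, reverse=True)]


# Constructed sample scenarios with illustrative figures (not measured data).
PHISHING = Scenario("credential phishing", tef=12.0, vulnerability=0.25,
                    loss_min=10_000.0, loss_likely=50_000.0, loss_max=240_000.0)
DC_FLOOD = Scenario("data centre flood", tef=0.05, vulnerability=1.0,
                    loss_min=500_000.0, loss_likely=800_000.0, loss_max=2_000_000.0)

if __name__ == "__main__":
    for s in (PHISHING, DC_FLOOD):
        sim = simulate_annual_losses(s)
        print(f"{s.name}: LEF={loss_event_frequency(s):.2f}/yr "
              f"ALE={annualized_loss_expectancy(s):,.0f} "
              f"sim mean={sum(sim) / len(sim):,.0f} p90={percentile(sim, 90):,.0f}")
    print("treatment priority:", rank_by_ale([PHISHING, DC_FLOOD]))
```

The point of the simulation alongside the single expected value is the word "probable" in the FAIR definition: a rare, high-magnitude scenario and a frequent, low-magnitude one can have similar expected annual loss but very different tails, and the 90th-percentile annual loss shows that difference where the ALE alone hides it.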
References
- Definition of IT Risk, Open Security Architecture: http://www.opensecurityarchitecture.org
- NIST SP 800-30, Risk Management Guide for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
- FAIR, Factor Analysis of Information Risk (introduction): http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf