Computer Security Resource Center

risk

Definition(s):

  A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
Source(s):
NIST SP 800-53 Rev. 4 under Risk (FIPS 200 - Adapted)

  Effect of uncertainty on objectives. Note: Risk can be positive or negative, where positive risk may also be referred to as an opportunity.
Source(s):
NIST SP 800-160 [Superseded] (ISO 73)

  The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Source(s):
FIPS 200 under RISK

  A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.]
Source(s):
NIST SP 800-137 under Risk (FIPS 200 - Adapted)
NIST SP 800-37 Rev. 1 under Risk (FIPS 200 - Adapted)
NIST SP 800-53A Rev. 4 under Risk (CNSSI 4009)

  The level of potential impact on an organization operations (including mission, functions, image, or reputation), organization assets, or individuals of a threat or a given likelihood of that threat occurring.
Source(s):
NIST SP 800-79-2 under Risk

  The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.
Source(s):
NIST SP 800-82 Rev. 2 under Risk (NIST SP 800-30)

  A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Source(s):
NIST SP 800-171 Rev. 1 (FIPS 200 - Adapted)
NISTIR 7621 Rev. 1 under Risk (NIST SP 800-53 Rev. 4)

  The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Source(s):
NIST SP 800-18 Rev. 1 under Risk (NIST SP 800-30)

  A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. See Information System-Related Security Risk.
Source(s):
NIST SP 800-30 Rev. 1 under Risk (CNSSI 4009)

  The net mission impact considering the probability that a particular threat will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and the resulting impact if this should occur.
Source(s):
NIST SP 800-47 under Risk

  Within this document, synonymous with “IT-related risk.”
Source(s):
NIST SP 800-27 Rev. A [Withdrawn]
NIST SP 800-33

  A measure of the likelihood and the consequence of events or acts that could cause a system compromise, including the unauthorized disclosure, destruction, removal, modification, or interruption of system assets.
Source(s):
NIST SP 800-28 Version 2 under Risk

  A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: System-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.]
Source(s):
NIST SP 800-12 Rev. 1 under Risk (NIST SP 800-37)

  A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.
Source(s):
CNSSI 4009-2015

  the probability that a particular security threat will exploit a system vulnerability.
Source(s):
NIST SP 800-16 under Risk

  The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Source(s):
NIST SP 800-60 Vol. 1 Rev. 1 under Risk (FIPS 200 - Adapted)
NIST SP 800-60 Vol. 2 Rev. 1 under Risk (FIPS 200 - Adapted)

  o Security risk – the level of impact on agency operations (including mission functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
  o Investment risk – risks associated with the potential inability to achieve overall program objectives within defined cost, schedule, and technical constraints. OMB has defined 19 areas of investment risk, all of which are required to be addressed in the Exhibit 300.
Source(s):
NIST SP 800-65 under Risk

  An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
Source(s):
NIST SP 800-32 under Risk

  The highest acceptable probability for an inauthentic message to pass the decryption-verification process.
Source(s):
NIST SP 800-38C under Risk

  A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.]
Source(s):
NIST SP 800-39 under Risk (CNSSI 4009)

  An ISCM capability that focuses on reducing the successful exploits of the other non-meta capabilities that occur because the risk management process fails to correctly identify and prioritize actions and investments needed to lower the risk profile.
Source(s):
NISTIR 8011 Vol. 1 under Capability, Manage and Assess Risk

  A measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of the following: a. The adverse impacts that would arise if the circumstance or event occurs; and b. The likelihood of occurrence. Likelihood is influenced by the ease of exploit and the frequency with which an assessment object is being attacked at present.
Source(s):
NISTIR 8011 Vol. 1 under Risk

  See Capability, Manage and Assess Risk.
Source(s):
NISTIR 8011 Vol. 1 under Risk (ISCM Capability)

  the relative impact that an exploited vulnerability would have to a user’s environment.
Source(s):
NISTIR 7435 under Risk

  effect of uncertainty on objectives. Note: risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Source(s):
NISTIR 8053 (ISO/IEC 27000:2014)

  A measure of the extent to which an entity or individual is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Source(s):
NISTIR 8062 under Risk (NIST SP 800-30 Rev. 1)