A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
[Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.]
Sources:
NIST SP 800-137 under Risk from FIPS 200 - Adapted
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Sources:
NIST SP 1800-11B from NIST SP 800-30 Rev. 1
NIST SP 1800-21B under Risk from NIST SP 800-30 Rev. 1
NIST SP 1800-30B from NIST SP 800-30 Rev. 1
NIST SP 1800-34B from NIST SP 800-30 Rev. 1
NIST SP 800-188
NIST Cybersecurity Framework Version 1.1 under Risk
NIST IR 8323r1 from NIST SP 800-37 Rev. 2
NIST IR 8401 from NIST SP 800-37 Rev. 2
NIST IR 8441 from NIST SP 800-37 Rev. 2
NIST Privacy Framework Version 1.0 under Risk from NIST SP 800-30 Rev. 1
NISTIR 7621 Rev. 1 under Risk
The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Sources:
NIST SP 800-18 Rev. 1 under Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: System-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.]
Sources:
NIST SP 800-12 Rev. 1 under Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Sources:
NIST SP 800-171Ar3 from OMB Circular A-130 (2016)
NIST SP 800-171r3 from OMB Circular A-130 (2016)
NIST SP 800-172 from OMB Circular A-130 (2016)
NIST SP 800-172A from OMB Circular A-130 (2016)
NIST SP 800-37 Rev. 2 from OMB Circular A-130 (2016)
NIST SP 800-53 Rev. 5 from OMB Circular A-130 (2016)
NIST SP 800-53A Rev. 5 from OMB Circular A-130 (2016)
NIST SP 800-53B from OMB Circular A-130 (2016)
NISTIR 8228 under Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.
Sources:
CNSSI 4009-2015
A measure of the likelihood and the consequence of events or acts that could cause a system compromise, including the unauthorized disclosure, destruction, removal, modification, or interruption of system assets.
Sources:
NIST SP 800-28 Version 2 under Risk
Risk that arises through the loss of confidentiality, integrity, or availability of information or information systems considering impacts to organizational operations and assets, individuals, other organizations, and the Nation.
Sources:
NIST SP 800-30 Rev. 1 under Information System-Related Security Risk
The highest acceptable probability for an inauthentic message to pass the decryption-verification process.
Sources:
NIST SP 800-38C under Risk
The level of potential impact on an organization operations (including mission, functions, image, or reputation), organization assets, or individuals of a threat or a given likelihood of that threat occurring.
Sources:
NIST SP 800-79-2 under Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs and (ii) the likelihood of occurrence.
Sources:
NIST SP 1800-17b under Risk
NIST SP 1800-17c under Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of the adverse impacts that would arise if the circumstance or event occurs; and the likelihood of occurrence.
Sources:
NIST SP 800-160 Vol. 2 Rev. 1 from CNSSI 4009-2015, OMB Circular A-130 (2016)
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
[Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.]
Sources:
NIST SP 800-39 under Risk from CNSSI 4009
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Sources:
NIST SP 800-60 Vol. 1 Rev. 1 under Risk from FIPS 200 - Adapted
NIST SP 800-60 Vol. 2 Rev. 1 under Risk from FIPS 200 - Adapted
The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
Sources:
NIST SP 1800-15B under Risk
NIST SP 1800-15C under Risk
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Sources:
NIST SP 1800-10B under Risk from FIPS 200
NIST SP 1800-25B under Risk from FIPS 200
NIST SP 1800-26B under Risk from FIPS 200
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Sources:
NIST SP 800-161r1-upd1 [11/1/2024 errata update] under Risk from NIST SP 800-39
NIST SP 800-30 Rev. 1 under Risk
Effect of uncertainty on objectives.
Sources:
NIST SP 800-160v1r1 from ISO Guide 73
NIST SP 800-221 from OMB Circular A-11
The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.
Sources:
NIST SP 800-82r3 from FIPS 200 - adapted
effect of uncertainty on objectives. Note: risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Sources:
NISTIR 8053
the relative impact that an exploited vulnerability would have to a user’s environment.
Sources:
NISTIR 7435 under Risk
An ISCM capability that focuses on reducing the successful exploits of the other non-meta capabilities that occur because the risk management process fails to correctly identify and prioritize actions and investments needed to lower the risk profile.
Sources:
NISTIR 8011 Vol. 1 under Capability, Manage and Assess Risk
A measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of the following:
a. The adverse impacts that would arise if the circumstance or event occurs; and
b. The likelihood of occurrence. Likelihood is influenced by the ease of exploit and the frequency with which an assessment object is being attacked at present.
Sources:
NISTIR 8011 Vol. 1 under Risk
See Capability, Manage and Assess Risk.
Sources:
NISTIR 8011 Vol. 1 under Risk (ISCM Capability)
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.]
Sources:
NISTIR 8170 under Risk from CNSSI 4009
A measure of the extent to which an entity or individual is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Sources:
NISTIR 8062 under Risk from NIST SP 800-30 Rev. 1
The effect of uncertainty on objectives.
Sources:
NISTIR 8286 under Risk from OMB Circular A-11
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals that result from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Sources:
NIST IR 8270