Cloud Risks & Risks Management
2/2/22, 5:20 PM Risk Concepts
https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-concepts.html?ou=622270 1/4
Learning Topic
Risk Concepts
The term risk has many different uses and meanings in society. On Wall Street or in the
financial markets, investors talk about calculating or taking risks to make a profit. In
everyday speech, we use the adjective risky to describe behaviors such as not wearing a
seat belt or eating junk food. At work, we talk about managing risk to reduce on-the-job
injuries or to avoid cost overruns or schedule delays. We can increase risk, decrease risk,
manage risk, or avoid it. But what exactly is risk?
The answer is: it depends. How we define and use the term risk depends on context
and perspective. In this section and throughout this course module, we will examine the
concept of risk as it is used within the fields of cybersecurity and information security in
business, government, and other types of organizations. Organizations are our context.
Cybersecurity and information security are our perspective.
Risk
Risk is the uncertain outcome of an event that has not yet occurred. Or, said another way,
a risk is the possibility that an event may occur that carries with it the potential for an
organization to either benefit or suffer a loss or harm.
For example, the loss of a thumb drive is a possible future event that could be a source of
risk to an organization. The thumb drive could be lost forever, or it could be found and
returned. Each of these outcomes is uncertain since it is not possible to determine in
advance whether or not a lost thumb drive will be found and returned to its owner.
A consequence is a potential outcome of a specific risk. Loss of confidentiality due to
theft of data is an example of a consequence.
Every risk has a likelihood or probability of occurrence.
Each risk also has a payoff value. This payoff may be positive or negative and is associated
with the consequence. Some consequences are good or beneficial, while other
consequences are bad or harmful. Payoff values are usually expressed in monetary terms
and can require complex calculations involving multiple consequences for a single risk.
The term impact is used to refer to the change in the value of an asset that results from
the occurrence of a specific risk. Impact can be positive or negative and is usually
expressed in monetary terms. Impact can also be expressed in relative terms (low,
medium, high).
A simple risk-impact metric can be calculated using the likelihood of the event and the
payoff if the event occurs, such that risk = likelihood × payoff.
Internal Risks
Internal risks arise from inside the company and can be classified into three categories:
technology, physical, and people. Examples of each are below:
Type          Example
Technology    The company's software cannot function in a cloud environment due to a
              programming error.
Physical      The company suffers a fire at its headquarters and loses all physical
              prototypes of its voting devices.
People        A dishonest employee steals the company's plan for migration and
              publishes it. This erodes public trust and results in contract
              cancellation.
External Risks
External risks arise from outside of the company and include natural factors, such as
natural disasters, and political factors, such as new political leadership.
Vendor-Related Risks
Vendor-related risks are substantial for the cloud computing model, and can include
vendor insolvency, service outages, and a vendor arbitrarily choosing to discontinue cloud
services without notice.
Service-Level-Related Risks
In a cloud computing model, your internal information technology organization is not
responsible for all aspects of your company's platform. If your cloud computing vendor
suffers an outage, then your customers suffer as well, and you may not have any recourse.
This situation could lead to a significant impact on revenue, and be detrimental to
customer perception of your organization.
Opportunities and Threats
Opportunities are situations or events where the anticipated payoff of a risk is positive or
beneficial. For example, a textbook buyer has the opportunity to save money by
purchasing lower-cost, time-limited access for an electronic version of the textbook for a
course.
Threats, in contrast, are situations or events that could result in negative payoffs or
undesirable outcomes. Undesirable outcomes may be financial losses or, for information
and information systems, the outcome may be a loss of confidentiality, integrity,
availability, nonrepudiation, and so on.
Vulnerabilities
A vulnerability is a weakness in an asset that can be exploited by a threat to cause harm
or loss. For risks arising out of threats, the risk metric is expanded to incorporate a
measure of the vulnerability of the asset to each specific threat. The risk metric becomes
risk (threat, asset) = probability × vulnerability × impact
where
risk (threat, asset) means the risk metric associated with a specific threat to a
specific asset,
probability is the likelihood of occurrence,
vulnerability is a measure of the asset's susceptibility to the threat, and
impact is a measure of loss or damage to the asset (based upon the asset's value).
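The two metrics on this page (risk = likelihood × payoff, and the expanded risk (threat, asset) = probability × vulnerability × impact) and the opportunity/threat distinction, worked through on a constructed risk register; this is an added Python example, not part of the original learning topic, and every scenario name, figure and helper name (simple_risk, classify, threat_risk, rank_threats) is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """An uncertain future event with a likelihood and a signed payoff."""
    name: str
    likelihood: float  # probability of occurrence, 0.0 to 1.0
    payoff: float      # change in asset value if it occurs; negative means loss

def simple_risk(s: Scenario) -> float:
    """Simple risk-impact metric from the page: risk = likelihood x payoff."""
    if not 0.0 <= s.likelihood <= 1.0:
        raise ValueError(f"likelihood out of range for {s.name!r}")
    return s.likelihood * s.payoff

def classify(s: Scenario) -> str:
    """Positive anticipated payoff is an opportunity; negative is a threat."""
    return "opportunity" if s.payoff > 0 else "threat"

@dataclass(frozen=True)
class ThreatAssessment:
    """Inputs to the expanded metric for one (threat, asset) pair."""
    threat: str
    asset: str
    probability: float    # likelihood of the threat occurring, 0.0 to 1.0
    vulnerability: float  # asset's susceptibility to this threat, 0.0 to 1.0
    impact: float         # loss to the asset if the threat succeeds, monetary

def threat_risk(t: ThreatAssessment) -> float:
    """risk(threat, asset) = probability x vulnerability x impact."""
    for name, value in (("probability", t.probability), ("vulnerability", t.vulnerability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} out of range for {t.threat!r} on {t.asset!r}")
    return t.probability * t.vulnerability * t.impact

def rank_threats(assessments: list[ThreatAssessment]) -> list[tuple[str, str, float]]:
    """Order (threat, asset) pairs by the expanded risk metric, highest first."""
    scored = [(t.threat, t.asset, threat_risk(t)) for t in assessments]
    return sorted(scored, key=lambda row: row[2], reverse=True)

# Constructed sample register; the figures are illustrative, not from the page.
SCENARIOS = [
    Scenario("lost thumb drive holding client data", 0.05, -40_000.0),
    Scenario("time-limited e-textbook access", 0.90, 60.0),
]
ASSESSMENTS = [
    ThreatAssessment("vendor outage", "customer portal", 0.10, 0.8, 250_000.0),
    ThreatAssessment("headquarters fire", "hardware prototypes", 0.01, 1.0, 500_000.0),
    ThreatAssessment("insider leak", "migration plan", 0.02, 0.5, 1_000_000.0),
]
```

Calling rank_threats(ASSESSMENTS) puts the vendor outage first (expected loss 20,000) even though the insider leak has the largest impact, because the register weights each threat by how likely it is and how susceptible the asset is.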
© 2022 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity
of information located at external sites.