One term that is widely thrown around in cybersecurity, without always being well understood, is risk.
Strictly speaking, risk is defined as the probability that a vulnerability (a weakness that can be used to harm you) will be exploited, multiplied by the impact (what it will ultimately cost you if that vulnerability actually is exploited).
Let's leave this rather theoretical definition behind and look at how organisations should approach the term. Saying that a risk is "high" doesn't actually mean anything on its own. I often hear people say: "... as the risk is very high, you really should do something ..." (e.g. install new tools, etc.).
Most of these recommendations come from unscrupulous salespeople who themselves have no concept of "risk" or, worse still, who ask their customers to do something that they themselves would not do.
During this holiday season, some like nothing better than heading off to the mountains to try out the fresh powder snow (provided the resort is up high enough). What's the first thing you notice on a snow-covered slope? Risk-takers: those who feel invincible and veer off-piste (well away from the ski runs). You could call them "extreme" risk-takers. On the other hand, you have the more reasonable people, who stay on the marked runs.
Why this comparison? Because it shows that human beings have different attitudes to risk. Some people are prepared to take risks, regardless of their magnitude, while others are not: this is known as the "risk aversion/appetite" profile.
To come back to cybersecurity, you shouldn't "do something" because the risk is high, but because you consider that you are not ready to accept that risk... That's quite a difference!
One last point, and not the least: do organisations, or the people who run them, have an accurate perception of cyber risk?
A bit like skiers who go off-piste thinking they are invincible, some find it hard to assess the extent of the risk facing their business. This takes us to the second challenge in relation to the term "risk": how do you assess it at its true level? To help these organisations, a security assessment or a cyber risk audit is a good starting point... but both call for a rigorous approach combining know-how and expertise.
In conclusion, if you really want to manage cyber risk in an organisation, it is essential that you start off by first determining the "risk profile" and carrying out a "cyber risk assessment".