Cybersecurity Risk: A Thorough Definition

Melissa Stevens | January 10, 2017

Risk is commonly defined as threat times vulnerability times consequence. The formula applies to anything that could expose you to danger, but applied to cybersecurity—the particular risks individuals and businesses face because they rely on interconnected technological systems—it gives a useful frame for deciding where mitigation effort pays off, because each of the three terms can be examined and reduced separately.

A Thorough Definition Of Cybersecurity Risk: Threat x Vulnerability x Consequence

Threat

There is a range of threat actors out there, including nation states, criminal syndicates and enterprises, hacktivists, insiders, and lone-wolf actors. They act on a variety of motivations, including financial gain, political statements, corporate or government espionage, and military advantage.

Vulnerability

Threat actors launch cyber attacks by exploiting vulnerabilities. In cybersecurity, a vulnerability can lie in a process, a procedure, or a technology, not only in code.

For example, an insider could know that:

  • Everyone in their company uses the password “12345.”
  • Usernames consist of an employee’s first and last name.
  • Their organization is very lax on additional security controls like multifactor authentication.

Each of these is a failure of process (password and naming policy) or technology (no second factor), and together they let that insider log in as any colleague they choose. And, of course, there are plenty of vulnerabilities in hardware and software that can be exploited from the outside as well.

Consequence

The consequence is the harm done to the exploited organization: loss of sensitive data, disruption of the corporate network, or physical damage to equipment. The consequences of a cybersecurity incident are not confined to the machine or data that was breached; they reach the company's customer base and society in general. These can be considered direct and indirect costs.

For instance, if your company handles a great deal of sensitive information and that information is compromised, you may lose many customers. This is a direct consequence. Once word spreads of the violation of your customers' privacy, other potential customers may be wary and choose not to use your services. This is an indirect consequence. Both kinds can be very costly to an organization.

Cybersecurity Risk Management: 4 Things To Focus On

Understanding cybersecurity risk through the risk formula is helpful, but managing it is another matter entirely. You already know you want to keep threat actors away from sensitive data; the challenge is that many of those threat actors are extremely sophisticated.

That is why cybersecurity management comes down to the data you are trying to protect. Threat actors and vulnerabilities will always exist, and you control neither of them directly. The consequence term is the one you can most directly reduce, so lessening the potential consequence is your best course of action.

Here are four best practices you can begin working on (or continue working on) today to help your security program.

1. Ensure that your senior management is involved.

Security has become a market differentiator in recent years. Companies will win and lose contracts because of cybersecurity alone. Furthermore, it’s difficult to get departmental buy-in without ensuring that the top individuals in your organization are supporting a push for reducing cyber risk. Therefore, senior executives and Board members are going to have to be involved in cybersecurity and risk management conversations.

2. Identify your material data.

Material risk does not include a run-of-the-mill cyber incident in which a few records are compromised. That is a frustration, but however unfortunate, it would not critically affect your day-to-day business operations. The data you care most about is your material data. Depending on your line of business, this could be sensitive customer information, intellectual property, or trade secrets. It could even be the reliable operation of your IT systems or manufacturing capabilities.

3. Limit the number of people who have privileged access to sensitive data.

When individuals in your organization are given access to privileged information or vital data, several steps should be taken to control and observe that access:

  • First, find out what every employee has access to and determine whether each person genuinely needs that level of access.
  • Then remove access from those who hold it unnecessarily, including access that was once justified but has not been used in a long time.
  • Finally, closely monitor those who do need access to highly sensitive data, to ensure the information is used only for its necessary purposes.
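The three steps above map directly onto a periodic access review. The following is an added example, not code from the original article or from BitSight; the entitlement list, the role-based policy, the access log, the 90-day staleness window and the bulk/off-hours thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entitlements (assumed data): who holds which level of
# access to which resource, and the job role that access was granted for.
ENTITLEMENTS = [
    {"user": "alice", "resource": "customer_db", "level": "admin", "role": "dba"},
    {"user": "bob",   "resource": "customer_db", "level": "admin", "role": "marketing"},
    {"user": "carol", "resource": "hr_records",  "level": "admin", "role": "hr"},
    {"user": "dave",  "resource": "customer_db", "level": "read",  "role": "support"},
    {"user": "erin",  "resource": "customer_db", "level": "read",  "role": "support"},
]

# Assumed role-based policy: which roles legitimately need each (resource, level).
POLICY = {
    ("customer_db", "admin"): {"dba"},
    ("customer_db", "read"):  {"dba", "support"},
    ("hr_records",  "admin"): {"hr"},
}

NOW = datetime(2017, 1, 10, 12, 0)

# Constructed access log (assumed data): (user, resource, timestamp, records touched).
ACCESS_LOG = [
    ("alice", "customer_db", datetime(2017, 1, 8, 10, 15), 40),
    ("dave",  "customer_db", datetime(2017, 1, 7, 14, 30), 12),
    ("erin",  "customer_db", datetime(2017, 1, 9, 3, 5),   52_000),
    ("carol", "hr_records",  datetime(2016, 9, 1, 9, 0),   3),
]


def inventory(entitlements):
    """Step 1: what does every user hold? Returns user -> sorted [(resource, level)]."""
    inv = defaultdict(list)
    for e in entitlements:
        inv[e["user"]].append((e["resource"], e["level"]))
    return {u: sorted(v) for u, v in inv.items()}


def unnecessary_access(entitlements, policy):
    """Step 2a: entitlements that the holder's role does not justify under POLICY."""
    return [e for e in entitlements
            if e["role"] not in policy.get((e["resource"], e["level"]), set())]


def last_use(log):
    """(user, resource) -> most recent access timestamp seen in the log."""
    seen = {}
    for user, resource, ts, _ in log:
        key = (user, resource)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def stale_access(entitlements, log, now, window_days=90):
    """Step 2b: entitlements unused for window_days (never used counts as stale).
    Unused privilege is pure exposure, so these are revocation candidates even
    when policy would permit them."""
    seen = last_use(log)
    cutoff = now - timedelta(days=window_days)
    return [e for e in entitlements
            if seen.get((e["user"], e["resource"]), datetime.min) < cutoff]


def suspicious_use(log, bulk_threshold=10_000, work_hours=(8, 18)):
    """Step 3: monitor the access that remains. Flags bulk reads and off-hours
    activity, two simple signals that data may be used beyond its necessary
    purpose. Both thresholds are assumptions; tune them to the environment."""
    findings = []
    for user, resource, ts, records in log:
        reasons = []
        if records >= bulk_threshold:
            reasons.append(f"bulk access ({records} records)")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append(f"off-hours ({ts:%H:%M})")
        if reasons:
            findings.append({"user": user, "resource": resource, "reasons": reasons})
    return findings


def review(entitlements=ENTITLEMENTS, policy=POLICY, log=ACCESS_LOG, now=NOW):
    """Run all three steps and return one report dict."""
    return {
        "inventory": inventory(entitlements),
        "revoke_unjustified": unnecessary_access(entitlements, policy),
        "revoke_stale": stale_access(entitlements, log, now),
        "investigate": suspicious_use(log),
    }


if __name__ == "__main__":
    for section, rows in review().items():
        print(f"== {section}")
        print(rows)
```

On the sample data the review recommends revoking bob's admin entitlement (no role justifies it) and carol's HR access (allowed, but unused for over 90 days), and it raises erin's 52,000-record read at 03:05 for investigation even though her role legitimately grants read access. That last case is the point of the third step: a correctly granted privilege can still be misused, so monitoring does not stop once the entitlement list is clean.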

4. Implement the right technology.

Having the right cybersecurity risk management tool makes all the difference. An ideal system lets you monitor your third parties in real time, or at least daily, which is what keeping up with today's cyberthreats requires. For instance, BitSight allows you to monitor your organization's and your vendors' Security Ratings, which give a good indication of overall security posture. If a rating changes, for better or for worse, you have a timely signal that your organization may have been affected by a cybersecurity incident, or that a third party is (or is not) putting adequate controls in place to protect your data.

In Summary

Yes, cybersecurity risk management is a long process, and it is an ongoing one. You are never "done" with it. That said, it is important not to get fatigued early or to treat cybersecurity risk as something you can hand to IT and forget about. Cybersecurity affects the entire organization, and mitigating your cyber risk means enlisting multiple departments and multiple roles. In some areas your finance team could play just as large a role as your IT team.

More importantly, if you fail to take the right precautions, your company, customers, and vendors could all pay the price. View this guide to learn about 16 valuable, easy-to-understand cybersecurity risk KPIs that can be integrated into a dashboard for any member of an organization who wants to become more aware of cyber risk.
