Appendix G - Risk Terms and Definitions

consequence outcome of an event (There can be more than one consequence from one event and the se consequences can range from positive to negative and can be expressed qualitatively o quantitatively.

event occurrence of a particular circumstance or set of circumstances. The probability associated with the event can be estimated for a given period of time.

interested party person or group having an interest in the performance or success of an organization EXAMPLES: Customers, owners, people in an organization, suppliers, bankers, unions, partners or society. A group can comprise an organization, a part thereof, or more than one organization. [ISO 9000:2000, definition 3.3.7]

mitigation limitation of any negative consequence of a particular event

probability extent to which an event (3.1.4) is likely to occur. This can be numeric between 0 and 1 or using such terms as rare / unlikely / moderate / likely / almost certain or similar depending on the organisational standards

residual risk is risk remaining after risk treatment

risk acceptance decision to accept a risk. The verb "to accept" is chosen to convey the idea that acceptance has its basic dictionary meaning. Risk acceptance depends on risk criteria.

risk analysis systematic use of information to identify sources and to estimate the risk. Risk analysis provides a basis for risk evaluation, risk treatment and risk acceptance.

risk assessment overall process of risk analysis and risk evaluation

risk avoidance decision not to become involved in, or action to withdraw from, a risk situation. The decision may be taken based on the result of risk evaluation.

risk combination of the probability of an event and its consequence ("risk" is generally used only when there is at least the possibility of negative consequences).

risk communication exchange or sharing of information about risk between the decision-maker and other stakeholders NOTE The information can relate to the existence, nature, form, probability, severity, acceptability, treatment or other aspects of risk.

risk control actions implementing risk management decisions. Risk control may involve monitoring, re-evaluation, and compliance with decisions.

risk criteria terms of reference by which the significance of risk is assessed. Risk criteria can include associated cost and benefits, legal and statutory requirements, socioeconomic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.

risk estimation process used to assign values to the probability and consequences of a risk, which can consider cost, benefits, the concerns of stakeholders and other variables, as appropriate for risk evaluation.

risk evaluation process of comparing the estimated risk against given risk criteria to determine the significance of the risk. Risk evaluation may be used to assist in the decision to accept or to treat a risk.

risk financing provision of funds to meet the cost of implementing risk treatment and related costs. In some industries, risk financing refers to funding only the financial consequences related to the risk.

risk identification process to find, list and characterize elements of risk. Elements can include source or hazard, event, consequence and probability. Risk identification can also reflect the concerns of stakeholders.

risk management coordinated activities to direct and control an organization with regard to risk. Risk management generally includes risk assessment, risk treatment, risk acceptance and risk communication.

risk management system set of elements of an organization's management system concerned with managing risk

risk optimization process, related to a risk, to minimize the negative and to maximize the positive consequences and their respective probabilities. Risk optimization depends upon risk criteria, including costs and legal requirements.

risk perception way in which a stakeholder views a risk, based on a set of values or concerns. Risk perception depends on the stakeholder's needs, issues and knowledge. Risk perception can differ from objective data.

risk reduction actions taken to lessen the probability, negative consequences or both, associated with a risk

risk retention acceptance of the burden of loss, or benefit of gain, from a particular risk. Risk retention includes the acceptance of risks that have not been identified but does not include treatments involving insurance, or transfer by other means.

risk transfer sharing with another party the burden of loss or benefit of gain, for a risk. Legal or statutory requirements can limit, prohibit or mandate the transfer of certain risk. Risk transfer can be carried out through insurance or other agreements but risk transfer can create new risks or modify existing risk.

risk treatment process of selection and implementation of measures to modify risk. The term "risk treatment" is sometimes used for the measures themselves and risk treatment measures can include avoiding, optimizing, transferring or retaining risk.

source identification process to find, list and characterize sources

source item or activity having a potential for a consequence

stakeholder any individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a risk. The decision-maker is also a stakeholder

An Introduction To Information, Network and Internet Security
Appendix G - Risk Terms and Definitions consequence outcome of an event (There can be more than one consequence from one event and the se consequences can range from positive to negative and can be expressed qualitatively o quantitatively. event occurrence of a particular circumstance or set of circumstances. The probability associated with the event can be estimated for a given period of time. interested party person or group having an interest in the performance or success of an organization EXAMPLES: Customers, owners, people in an organization, suppliers, bankers, unions, partners or society. A group can comprise an organization, a part thereof, or more than one organization. [ISO 9000:2000, definition 3.3.7] mitigation limitation of any negative consequence of a particular event probability extent to which an event (3.1.4) is likely to occur. This can be numeric between 0 and 1 or using such terms as rare / unlikely / moderate / likely / almost certain or similar depending on the organisational standards residual risk is risk remaining after risk treatment risk acceptance decision to accept a risk. The verb "to accept" is chosen to convey the idea that acceptance has its basic dictionary meaning. Risk acceptance depends on risk criteria. risk analysis systematic use of information to identify sources and to estimate the risk. Risk analysis provides a basis for risk evaluation, risk treatment and risk acceptance. risk assessment overall process of risk analysis and risk evaluation risk avoidance decision not to become involved in, or action to withdraw from, a risk situation. The decision may be taken based on the result of risk evaluation. risk combination of the probability of an event and its consequence ("risk" is generally used only when there is at least the possibility of negative consequences). risk communication exchange or sharing of information about risk between the decision-maker and other stakeholders NOTE The information can relate to the existence, nature, form, probability, severity, acceptability, treatment or other aspects of risk. risk control actions implementing risk management decisions. Risk control may involve monitoring, re-evaluation, and compliance with decisions. risk criteria terms of reference by which the significance of risk is assessed. Risk criteria can include associated cost and benefits, legal and statutory requirements, socioeconomic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment. risk estimation process used to assign values to the probability and consequences of a risk, which can consider cost, benefits, the concerns of stakeholders and other variables, as appropriate for risk evaluation. risk evaluation process of comparing the estimated risk against given risk criteria to determine the significance of the risk. Risk evaluation may be used to assist in the decision to accept or to treat a risk. risk financing provision of funds to meet the cost of implementing risk treatment and related costs. In some industries, risk financing refers to funding only the financial consequences related to the risk. risk identification process to find, list and characterize elements of risk. Elements can include source or hazard, event, consequence and probability. Risk identification can also reflect the concerns of stakeholders. risk management coordinated activities to direct and control an organization with regard to risk. Risk management generally includes risk assessment, risk treatment, risk acceptance and risk communication. risk management system set of elements of an organization's management system concerned with managing risk risk optimization process, related to a risk, to minimize the negative and to maximize the positive consequences and their respective probabilities. Risk optimization depends upon risk criteria, including costs and legal requirements. risk perception way in which a stakeholder views a risk, based on a set of values or concerns. Risk perception depends on the stakeholder's needs, issues and knowledge. Risk perception can differ from objective data. risk reduction actions taken to lessen the probability, negative consequences or both, associated with a risk risk retention acceptance of the burden of loss, or benefit of gain, from a particular risk. Risk retention includes the acceptance of risks that have not been identified but does not include treatments involving insurance, or transfer by other means. risk transfer sharing with another party the burden of loss or benefit of gain, for a risk. Legal or statutory requirements can limit, prohibit or mandate the transfer of certain risk. Risk transfer can be carried out through insurance or other agreements but risk transfer can create new risks or modify existing risk. risk treatment process of selection and implementation of measures to modify risk. The term "risk treatment" is sometimes used for the measures themselves and risk treatment measures can include avoiding, optimizing, transferring or retaining risk. source identification process to find, list and characterize sources source item or activity having a potential for a consequence stakeholder any individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a risk. The decision-maker is also a stakeholder	The Security Practitioner An Introduction to Information Security
Return To An Introduction to Information Security