Difference between revisions of "Risk"

Revision as of 18:59, 18 July 2015

Definitions

European Definitions

[[EU]

The possibility of loss, damage or injury having regard to the value placed on the asset by its owner/operator and the impact of loss or change to the asset, and the likelihood that a specific vulnerability will be exploited by a particular threat. ^[1]

The probability of adverse effects caused by a hazardous phenomenon or substance in an organism, a population, or an ecological system. ^[2]

International Definitions

NATO CEP / EAPC

The possibility of loss, damage or injury. ^[3]

The level of risk is a condition of two factors: (1) the value placed on the asset by its owner/operator and the impact of loss or change to the asset, and (2) the likelihood that a specific vulnerability will be exploited by a particular threat.

UNISDR

The combination of the probability of an event and its negative consequences. ^[4]

National Definitions

Australia

The chance of something happening that will have an impact on objectives. It is measured in terms if likelihood and consequence. ^[5]

^[6] provides three other Australian definitions of risk.

Brazil

Risco: efeito da incerteza nos objetivos. ^[7]
Risk is the uncertainty effect on goals.

Canada

Risk is the combination of the likelihood and the consequence of a specified hazard being realized.

Combinaison de la possibilité qu’un aléa donné se produise et des conséquences potentielles pouvant y être associées. ^[8] ^[9]

Risk refers to the vulnerability, proximity or exposure to hazards, which affects the likelihood of adverse impact.

Czech Republic

Riziko: (1) Nebezpečí, možnost škody, ztráty, nezdaru. (2) Účinek nejistoty na dosažení cílů. (3) Možnost, že určitá hrozba využije zranitelnosti aktiva nebo skupiny aktiv a způsobí organizaci škodu. ^[10]

Risk is either defined as: (1) Danger, possibility of damage, loss, failure. (2) Effect of uncertainty to achieve objectives. (3) Possibility that a certain threat would utilize vulnerability of an asset or group of assets and cause damage to an organization. ^[11]

Finland

Riski: kielteisen seikan tai tapahtuman todennäköisyyden ja vaikutusten yhdistelmä.

Risk is the combination of probability and consequences of a negative circumstance or event. -unofficial translation- ^[12]

Germany

Likelihood of a serious danger which (a) constitutes a threat to human life, (b) will impair the health of a large number of people, or (c) affects economic activity, public services and technical infrastructures and may cause damage to the environment, in particular animals and plants, the soil, the water, the atmosphere and cultural and material assets. ^[13]

India

Risk is the potential of damage to a system or associated assets that exists as a result of the combination of security threat and vulnerability. ^[14]

Netherlands

Risk is the annual loss expectancy (ALE) by the manifestation of threats.

Risico is de jaarlijks te verwachten schade door het manifesteren van bedreigingen. ^[15]

Republic of Trinidad & Tobago

The combination of the probability of an event and its negative consequences. ^[16]

United Kingdom (UK)

Risk is a measure of the significance of a potential emergency in terms of its assessed likelihood and impact. ^[17]

United States

DHS

The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. ^[18]

NIST

The level of impact on organizational operations (including mission,functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. ^[19]

Standard Definitions

[ISO|ISO/IEC 27000:2014 ]]

Effect of uncertainty on objectives. ^[20] (based on the ISO Guide 73:2009^[21])

An effect is a deviation from the expected — positive or negative.

Uncertainty is the state, even partial, of deficiency of information related to, understanding or * knowledge of, an event (2.25), its consequence, or likelihood.

Risk is often characterized by reference to potential events and consequences, or a combination of these.

Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.

Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.

ISO/IEC 31000:2009

Effect of uncertainty on objectives. ^[22]

Other Definitions

Ontario (Canada)

Risk is the product of the probability of the occurrence of a hazard and its consequences. ^[23]

Risque: produit de la probabilité qu’un danger se produise et de ses conséquences. ^[23]

Notes

↑ EC COM(2006) 787 final, Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, EC, Brussels 12.12.2006.
↑ European Commission's CBRN Glossary, 2012
↑ NATO EAPC(SCEPC) lexicon 2003.
↑ 2009 UNISDR Terminology on Disaster Risk Reduction, United Nations International Strategy for Disaster Reduction (UNISDR), Geneva, Switzerland, May 2009.
↑ Glossary of the Government of Queensland
↑ Australian Emergency Management Glossary, Emergency Management Australia (1998)
↑ GUIA DE REFERÊNCIA PARA A SEGURANÇA DAS INFRAESTRUTURAS CRÍTICAS DA INFORMAÇÃO Versão 01 (Nov. 2010)
↑ [http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgnc-mngmnt-frmwrk/index-eng.aspx An Emergency Management Framework for Canada (Second Edition)
↑ Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)
↑ http://www.govcert.cz/download/nodeid-561 Výkladový slovník kybernetické bezpečnosti (2013)
↑ Act No. 181 of 23 July 2014 On Cyber Security and Change of Related Acts (Act on Cyber Security)
↑ Vocabulary of Comprehensive Security. Helsinki (TSK 47) (2014)
↑ http://www.kritis.bund.de/SharedDocs/Downloads/Kritis/EN/Baseline%20Protection%20Concept.pdf Protection of Critical Infrastructures – Baseline Protection Concept: Recommendation for Companies, BMI.
↑ India's DGQA Cyber Security Policy (2015)
↑ Zakboekje Preventie Cybercrime (2008
↑ Comprehensive Disaster Management Policy Framework for Trinidad and Tobago
↑ Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)
↑ DHS Risk Lexicon 2010 Edition, September 2010
↑ NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013/FIPS 200
↑ ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
↑ ISO Guide 73:2009 Risk management -- Vocabulary
↑ ISO/IEC 31000:2009, Risk management -- Principles and guidelines
↑ ^23.0 ^23.1 Province of Ontario’s Emergency Management Glossary of Terms

[1] EC COM(2006) 787 final, Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, EC, Brussels 12.12.2006.

[CBRN-2] European Commission's CBRN Glossary, 2012

[3] NATO EAPC(SCEPC) lexicon 2003.

[4] 2009 UNISDR Terminology on Disaster Risk Reduction, United Nations International Strategy for Disaster Reduction (UNISDR), Geneva, Switzerland, May 2009.

[5] Glossary of the Government of Queensland

[6] Australian Emergency Management Glossary, Emergency Management Australia (1998)

[7] GUIA DE REFERÊNCIA PARA A SEGURANÇA DAS INFRAESTRUTURAS CRÍTICAS DA INFORMAÇÃO Versão 01 (Nov. 2010)

[8] [http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgnc-mngmnt-frmwrk/index-eng.aspx An Emergency Management Framework for Canada (Second Edition)

[canada-9] Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)

[10] ttp://www.govcert.cz/download/nodeid-561 Výkladový slovník kybernetické bezpečnosti (2013)

[11] Act No. 181 of 23 July 2014 On Cyber Security and Change of Related Acts (Act on Cyber Security)

[TSK-12] Vocabulary of Comprehensive Security. Helsinki (TSK 47) (2014)

[13] ttp://www.kritis.bund.de/SharedDocs/Downloads/Kritis/EN/Baseline%20Protection%20Concept.pdf Protection of Critical Infrastructures – Baseline Protection Concept: Recommendation for Companies, BMI.

[14] India's DGQA Cyber Security Policy (2015)

[15] Zakboekje Preventie Cybercrime (2008

[16] Comprehensive Disaster Management Policy Framework for Trinidad and Tobago

[17] Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)

[DHSLex-18] DHS Risk Lexicon 2010 Edition, September 2010

[NISTIR7298-19] NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013/FIPS 200

[ISO27000-14-20] ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary

[21] ISO Guide 73:2009 Risk management -- Vocabulary

[ISO31000-09-22] ISO/IEC 31000:2009, Risk management -- Principles and guidelines

[Ontario-23] 23.0 ^23.1 Province of Ontario’s Emergency Management Glossary of Terms

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

@@ Line 1: / Line 1: @@
 ==Definitions==
 === European Definitions ===
+====[[EU]====
 {{definition|The possibility of loss, [[damage]] or injury having regard to the value placed on the [[asset]] by its owner/operator and the [[impact]] of loss or change to the [[asset]], and the likelihood that a specific [[vulnerability]] will be exploited by a particular [[threat]]. <ref>[http://eur-lex.europa.eu/LexUriServ/site/en/com%/2006/com2006_0787en01.pdf EC COM(2006) 787 final, Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, EC, Brussels 12.12.2006.]</ref>}}<br />
@@ Line 7: / Line 8: @@
 === International Definitions ===
-==== NATO CEP / EAPC ====
+==== [[NATO|NATO CEP / EAPC]] ====
 {{definition|The possibility of loss, [[damage]] or injury. <ref>NATO EAPC(SCEPC) lexicon 2003.</ref>}}
 <big>The level of risk is a condition of two factors: (1) the value placed on the asset by its owner/operator and the impact of loss or change to the asset, and (2) the likelihood that a specific vulnerability will be exploited by a particular threat.</big>
 <br />
-==== UNISDR ====
+==== [[UNISDR]] ====
 {{definition|The combination of the probability of an [[event]] and its negative [[consequence|consequences]]. <ref>[http://www.unisdr.org/we/inform/terminology 2009 UNISDR Terminology on Disaster Risk Reduction, United Nations International Strategy for Disaster Reduction (UNISDR), Geneva, Switzerland, May 2009.]</ref>}}
 <br />
 === National Definitions ===
-==== Australia ====
+==== [[Australia]] ====
 {{definition|The chance of something happening that will have an impact on objectives. It is measured in terms if likelihood and consequence. <ref>[http://www.safeguarding.qld.gov.au/criticalinfrastructure/glossary.htm Glossary of the Government of Queensland]</ref>}}
 <ref>[https://www.em.gov.au/Documents/Manual03-AEMGlossary.PDF Australian Emergency Management Glossary, Emergency Management Australia (1998)]</ref> provides three other Australian definitions of risk. <br />
-==== Brazil ====
+==== [[Brazil]] ====
 {{definition|Risco: efeito da incerteza nos objetivos. <ref>[http://www.biblioteca.presidencia.gov.br/publicacoes-oficiais-1/catalogo/orgao-essenciais/gabinete-de-seguranca-institucional/guia-de-referencia-para-seguranca-de-infraestruturas-criticas-da-informacao/at_download/file GUIA DE REFERÊNCIA PARA A SEGURANÇA DAS INFRAESTRUTURAS CRÍTICAS DA INFORMAÇÃO Versão 01 (Nov. 2010)]</ref><br />Risk is the uncertainty effect on goals.}} <br />
-==== Canada ====
+==== [[Canada]] ====
 {{definition| Risk is the combination of the likelihood and the consequence of a specified hazard being realized.<br /><br />Combinaison de la possibilité qu’un aléa donné se produise et des conséquences potentielles pouvant y être associées. <ref> [http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgnc-mngmnt-frmwrk/index-eng.aspx An Emergency Management Framework for Canada (Second Edition) </ref> <ref name="canada">[http://www.bt-tb.tpsgc-pwgsc.gc.ca/publications/documents/urgence-emergency.pdf Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)]</ref>}}
 Risk refers to the vulnerability, proximity or exposure to hazards, which affects the likelihood of adverse impact.<br />
-==== Czech Republic ====
+==== [[Czech Republic]] ====
-{{definition|Risk is either defined as: (1) Danger, possibility of damage, loss, failure. (2) Effect of uncertainty to achieve objectives. (3) Possibility that a certain threat would utilize vulnerability of an asset or group of assets and cause damage to an organization. <ref>[http://www.govcert.cz/download/nodeid-1143/ Act  No. 181 of 23 July 2014 On Cyber Security and Change of Related Acts (Act on Cyber Security)]</ref>}}
+{{definition|Riziko: (1) Nebezpečí, možnost škody, ztráty, nezdaru. (2) Účinek nejistoty na dosažení cílů. (3) Možnost, že určitá hrozba využije zranitelnosti aktiva nebo skupiny aktiv a způsobí organizaci škodu. <ref> http://www.govcert.cz/download/nodeid-561  Výkladový slovník kybernetické bezpečnosti (2013)</ref> <br/><br/>Risk is either defined as: (1) Danger, possibility of damage, loss, failure. (2) Effect of uncertainty to achieve objectives. (3) Possibility that a certain threat would utilize vulnerability of an asset or group of assets and cause damage to an organization. <ref>[http://www.govcert.cz/download/nodeid-1143/ Act  No. 181 of 23 July 2014 On Cyber Security and Change of Related Acts (Act on Cyber Security)]</ref>}}
-(1) Nebezpečí, možnost škody, ztráty, nezdaru. (2) Účinek nejistoty na dosažení cílů. (3) Možnost, že určitá hrozba využije zranitelnosti aktiva nebo skupiny aktiv a způsobí organizaci škodu.<br />
+<br />
-====Finland====
+====[[Finland]]====
 {{definition|Riski: kielteisen seikan tai tapahtuman todennäköisyyden ja vaikutusten yhdistelmä.<br/><br/>Risk is the combination of probability and [[consequence|consequences]] of a negative circumstance or [[event]]. -''unofficial translation''- <ref name=TSK>[http://www.spek.fi/loader.aspx?id=1c66e01d-a75e-4a9a-80ec-9816340ce752 Vocabulary of Comprehensive Security. Helsinki (TSK 47) (2014)]</ref>}}<br />
-==== Germany ====
+==== [[Germany]] ====
 {{definition|Likelihood of a serious danger which (a) constitutes a threat to human life, (b) will impair the health of a large number of people, or (c) affects economic activity, public services and technical infrastructures and may cause [[damage]] to the environment, in particular animals and plants, the soil, the water, the atmosphere and cultural and material assets. <ref>http://www.kritis.bund.de/SharedDocs/Downloads/Kritis/EN/Baseline%20Protection%20Concept.pdf Protection of Critical Infrastructures – Baseline Protection Concept: Recommendation for Companies, BMI.</ref>}}
 <br />
-====India====
+====[[India]]====
 {{definition|Risk is the potential of [[damage]] to a system or associated [[Asset|assets]] that exists as a result of the combination of security [[threat]] and [[vulnerability]]. <ref>[http://www.dgqadefence.gov.in/documents/pdf/cyber-security-policy-dgqa-2015.pdf India's DGQA Cyber Security Policy (2015)] </ref>}} <br />
-==== Netherlands====
+==== [[Netherlands]]====
 {{definition|Risk is the annual loss expectancy (ALE) by the manifestation of [[threat|threats]].<br/><br/>Risico is de jaarlijks te verwachten schade door het manifesteren van bedreigingen. <ref>[http://www.pblq.nl/media/63123/HEC%20Zakboekje%20preventie%20cybercrime.pdf Zakboekje Preventie Cybercrime (2008]</ref>}}<br />
-==== Republic of Trinidad & Tobago ====
+==== [[Republic of Trinidad & Tobago]] ====
 {{definition|The combination of the probability of an event and its negative consequences. <ref>[http://www.odpm.gov.tt/sites/default/files/Comprehensive%20Disaster%20Management%20Policy%20Framework%20for%20Trinidad%20and%20Tobago.pdf Comprehensive Disaster Management Policy Framework for Trinidad and Tobago]</ref>}}<br />
-====United Kingdom (UK)====
+====[[United Kingdom|United Kingdom (UK)]]====
 {{definition|Risk is a measure of the significance of a potential [[emergency]] in terms of its assessed likelihood and impact. <ref> [https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61046/EP_Glossary_amends_18042012_0.pdf Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)]</ref>}} <br />
-==== United States ====
+==== [[United States]] ====
-=====DHS=====
+=====[[DHS]]=====
 {{definition|The potential for an unwanted outcome resulting from an [[incident]], [[event]], or occurrence, as determined by its [[likelihood]] and the associated [[consequence|consequences]]. <ref name="DHSLex"> [http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf DHS Risk Lexicon 2010 Edition, September 2010]</ref>}}
-=====NIST=====
+=====[[NIST]]=====
 {{definition|The level of impact on organizational operations (including mission,functions, image, or reputation), organizational [[Asset|assets]], or individuals resulting from the operation of an information system given the potential impact of a [[threat]] and the likelihood of that threat occurring. <ref name="NISTIR7298"> [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013/FIPS 200]</ref>}}<br />
@@ Line 55: / Line 56: @@
 === Standard Definitions ===
-==== ISO/IEC 27000:2014 ====
+==== [ISO|ISO/IEC 27000:2014 ]]====
 {{definition|Effect of uncertainty on objectives. <ref name="ISO27000-14"> [http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=63411 ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary]</ref>  (based on the ISO Guide 73:2009<ref>[http://www.iso.org/iso/catalogue_detail?csnumber=44651 ISO Guide 73:2009 Risk management -- Vocabulary]</ref>)}}
 <big>
@@ Line 65: / Line 66: @@
 * [[Information Security|Information security]] risk is associated with the potential that [[threat|threats]] will exploit [[vulnerability|vulnerabilities]] of an information [[asset]] or group of information assets and thereby cause [[harm]] to an organization.</big>
 <br />
-==== ISO/IEC 31000:2009 ====
+==== [[ISO|ISO/IEC 31000:2009]] ====
 {{definition|Effect of uncertainty on objectives. <ref name="ISO31000-09"> [http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 ISO/IEC 31000:2009, Risk management -- Principles and guidelines]</ref>}}
 <br />
 ===Other Definitions===
-==== Ontario (Canada) ====
+==== [[Ontario]] ([[Canada]]) ====
 {{definition|Risk is the product of the probability of the occurrence of a hazard and its consequences.   <ref name="Ontario">[https://www.emergencymanagementontario.ca/english/emcommunity/response_resources/GlossaryOfTerms/glossary_of_terms.html Province of Ontario’s Emergency Management Glossary of Terms ]</ref>}}<br />
 {{definition|Risque: produit de la probabilité qu’un danger se produise et de ses conséquences. <ref name="Ontario">[https://www.emergencymanagementontario.ca/english/emcommunity/response_resources/GlossaryOfTerms/glossary_of_terms.html Province of Ontario’s Emergency Management Glossary of Terms ]</ref>}}<br />