Risk Management

created time
Nov 17, 2022 05:07 AM
last update
Dec 3, 2022 06:06 AM
This entry is not meant to be a boring textbook rip-off, but rather provides a quick understanding of what matters without feeling sleepy from text-walls.

What is Risk?

In the context of Cyber Security, risk is the probability of a bad outcome.

Cyber vs Information Security

Cyber-Physical systems, or Cyber for short, refers to complex networks composed of hardware, software and potentially other types of systems (e.g. train control systems move trains carrying passengers or goods, and also manage various station operations).
For Information (only) Systems, we are concerned with loss of data in terms of Availability (affected by Denial-of-Service attacks), Integrity (data being tampered with) & Confidentiality (data being stolen).
But for Cyber-Physical systems, attacks can impact safety & even cause death, e.g. ransomware incidents affecting hospitals!

How Bad (Impact) vs How Likely (Probability)

Risk Assessment captures Risk Exposure into lists for follow-up actions.
With limited resources, we need to prioritise the High Probability & High Impact scenarios.

Poor Security Posture → Easy Attacks

Unlike stick figures jumping over gaps, attacks often happen due to the lack of (or ineffective) Cyber Security controls (or measures).
After assessment, we need to follow up with measures (aka controls) that make it harder for attackers.
A Poor Security Posture refers to NOT doing enough to lower risks (including users' risky behaviours).
The probability of attacks is HIGH when all the conditions for an attack are met!
So it may not be that attackers are skilled; rather, many networks are just too easy! This leads us to the next topic, the conditions of attacks, which explains why attacks are prevalent.
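To make the two ideas above concrete (ranking scenarios by probability and impact, then re-scoring once controls are in place), here is a toy risk register. It is an added example, not part of the original notes: the 1-5 rating scale, the four hospital scenarios and the effect of each control are all constructed for illustration, and the `quadrant` labels are just names for the four cells of the probability/impact matrix.

```python
"""Toy risk register: score, rank and re-score after controls.

Added example (not from the original notes). The rating scale, the
scenarios and the control effects below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordinal scale for the qualitative ratings (constructed; a real programme
# defines its own scale and thresholds).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
HIGH = 4  # "high" or above counts as High on the matrix


@dataclass
class Control:
    name: str
    dimension: str  # "probability" or "impact"
    new_level: str  # rating once the control is in place


@dataclass
class Risk:
    scenario: str
    probability: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self):
        """Exposure before any controls: probability x impact."""
        return LEVELS[self.probability] * LEVELS[self.impact]

    def residual_levels(self):
        """Ratings after controls; a control can only ever lower a rating."""
        levels = {"probability": self.probability, "impact": self.impact}
        for c in self.controls:
            if LEVELS[c.new_level] < LEVELS[levels[c.dimension]]:
                levels[c.dimension] = c.new_level
        return levels["probability"], levels["impact"]

    def residual(self):
        """Exposure that remains once the listed controls are applied."""
        p, i = self.residual_levels()
        return LEVELS[p] * LEVELS[i]


def quadrant(prob, impact):
    """Place a (probability, impact) pair on the 2x2 matrix from the notes."""
    hi_p, hi_i = LEVELS[prob] >= HIGH, LEVELS[impact] >= HIGH
    if hi_p and hi_i:
        return "treat first"
    if hi_i:
        return "plan for it"  # rare but severe: keep a response ready
    if hi_p:
        return "reduce likelihood"
    return "accept and monitor"


def rank(risks):
    """Scenario names ordered by inherent score, highest exposure first."""
    return [r.scenario for r in sorted(risks, key=lambda r: r.inherent(), reverse=True)]


# Constructed register for a hospital (illustrative scenarios only).
REGISTER = [
    Risk("Ransomware on ward systems", "high", "very high",
         controls=[Control("patching + mail filtering", "probability", "medium"),
                   Control("offline backups", "impact", "high")]),
    Risk("Phishing steals staff credentials", "very high", "medium"),
    Risk("Flood in the data centre", "very low", "very high"),
    Risk("Public notice board defaced", "medium", "low"),
]


def summary(register=REGISTER):
    """One tuple per risk: (scenario, inherent, quadrant, residual), ranked."""
    return [(r.scenario, r.inherent(), quadrant(r.probability, r.impact), r.residual())
            for r in sorted(register, key=lambda r: r.inherent(), reverse=True)]


if __name__ == "__main__":
    for scenario, inherent, quad, residual in summary():
        print(f"{inherent:2d} -> {residual:2d}  [{quad}]  {scenario}")
```

Running it lists the ransomware scenario first (inherent 20, "treat first") and shows its residual score dropping to 12 once the two controls are applied, while the flood scenario stays in the "plan for it" cell: low probability but an impact you still need a response for. The point of the residual column is that a Poor Security Posture is visible as a register where inherent and residual scores are the same.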
