Effect of uncertainty on the achievement of objectives. [UNE-ISO GUÍA 73:2010]
NOTE 1 An effect is a deviation, positive and/or negative, from what is expected.
NOTE 2 Uncertainty is the state, even partial, of deficiency of information related to the understanding or knowledge of an event, its consequences or its likelihood.
NOTE 3 Risk is often characterized by reference to potential events and their consequences, or a combination of both.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and its likelihood.
NOTE 5: In the context of information security management systems, information security risks can be expressed as the effect of uncertainty on information security objectives.
NOTE 6: Information security risk is associated with the possibility that threats will exploit vulnerabilities of an information asset or group of information assets and cause harm to an organization.
[UNE-ISO/IEC 27000:2014]
Effect of uncertainty on the achievement of objectives.
NOTE 4. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and its likelihood.
[ISO Guía 73:2010]
Estimate of the degree of exposure to a threat materializing on one or more assets, causing harm or damage to the organization. [UNE-71504:2008]
The risks of the information system under the hypothesis that no safeguards were present. [UNE-71504:2008]
A possible Event that could cause harm or loss, or affect the ability to achieve Objectives. A Risk is measured by the probability of a Threat, the Vulnerability of the Asset to that Threat, and the Impact it would have if it occurred. [ITIL:2007]
Estimate of the degree of exposure to a threat materializing on one or more assets, causing harm or damage to the Organization. [Magerit:2012]
Probability that a threat materializes by exploiting a vulnerability, causing harm (impact) to a process or system. [CCN-STIC-401:2007]
The potential that a specific threat will exploit the weaknesses of an asset or group of assets to cause loss and/or damage to the assets. It is usually measured by a combination of impact and probability of occurrence. [COBIT:2006]
Said of the risk calculated taking into account the asset's own value and the value of the assets that depend on it. This value is combined with the degradation caused by a threat and the estimated frequency of that threat. [Magerit:2012]
Said of the risk calculated taking into account only the asset's own value. This value is combined with the degradation caused by a threat and the estimated frequency of that threat, both measured on the assets it depends on. [Magerit:2012]
Probability that a vulnerability inherent to an information system will be exploited by the threats to that system, with the aim of penetrating it. [CESID:1997]
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, February 12, 2014
effect of uncertainty on objectives [ISO Guide 73:2009]
NOTE 1: An effect is a deviation from the expected — positive or negative.
NOTE 2: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3: Risk is often characterized by reference to potential events and consequences, or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
NOTE 5: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.
NOTE 6: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
[ISO/IEC 27000:2014]
effect of uncertainty on objectives
NOTE 4. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
[ISO Guide 73:2009]
A probable situation with uncertain frequency and magnitude of loss (or gain) [RiskIT-PG:2009]
The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls) [RiskIT-PG:2009]
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise [RiskIT-PG:2009]
1: An instance of an IT risk
2: A combination of control, value and threat conditions that impose a noteworthy level of IT risk
[RiskIT-PG:2009]
potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences
Extended Definition: potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence
Annotation:
1) Risk is defined as the potential for an unwanted outcome. This potential is often measured and used to compare different future situations.
2) Risk may manifest at the strategic, operational, and tactical levels.
DHS Risk Lexicon, September 2008
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
(i) the adverse impacts that would arise if the circumstance or event occurs; and
(ii) the likelihood of occurrence.
Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. [FIPS 200, Adapted]
[NIST-SP800-53:2013]
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
[CNSSI_4009:2010]
1. (I) An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. (See: residual risk.)
2. (O) /SET/ "The possibility of loss because of one or more threats to information (not to be confused with financial or business risk)." [SET2]
[RFC4949:2007]
A possible Event that could cause harm or loss, or affect the ability to achieve Objectives. A Risk is measured by the probability of a Threat, the Vulnerability of the Asset to that Threat, and the Impact it would have if it occurred. [ITIL:2007]
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss and/or damage to the assets. It usually is measured by a combination of impact and probability of occurrence. [COBIT:2006]
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. [FIPS-200:2006]
As used in this guideline, the term 'risk' means a combination of:
· the likelihood that a particular vulnerability in an agency information system will be either intentionally or unintentionally exploited by a particular threat resulting in a loss of confidentiality, integrity, or availability, and
· the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability will have on agency operations (including mission, functions, and public confidence in the agency), an agency's assets, or individuals (including privacy) should there be a threat exploitation of information system vulnerabilities.
[NIST-SP800-60V2:2004]
A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting adverse impact. Reducing either the threat or the vulnerability reduces the risk. [TDIR:2003]
A measure of the exposure to which a system or potential system may be subjected. [CRAMM:2003]
The net mission/business impact (probability of occurrence combined with impact) from a particular threat source exploiting, or triggering, a particular information technology vulnerability. IT related-risks arise from legal liability or mission/business loss due to:
· Unauthorized (malicious, non-malicious, or accidental) disclosure, modification, or destruction of information.
· Non-malicious errors and omissions.
· IT disruptions due to natural or man-made disasters.
· Failure to exercise due care and diligence in the implementation and operation of the IT.
[NIST-SP800-33:2001]
Flaws and bugs lead to risk. Risks are not failures. Risks capture the probability that a flaw or a bug will impact the purpose of the software. Risk measures also take into account the potential damage that can occur. A very high risk is not only likely to happen but also likely to cause great harm. Risks can be managed by technical and non-technical means.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html
Risks capture the likelihood that a vulnerability will be exploited, as well as the potential damage (impact) that will occur if it is. It is important to note that risks, threats, and exploits are all separate things. Risks may be present in the target software, on the target host, or in the broader operational environment of the software.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
A measure of the potential degree to which protected information is subject to loss through adversary exploitation.
http://www.ioss.gov/docs/definitions.html
The potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability). [TDIR:2003]
The uncertainty that can create exposure to undesired future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to impede the achievement of an organization's objectives.
http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578
In the context of RIDM, risk is the potential for shortfalls, which may be realized in the future, with respect to achieving explicitly-stated performance commitments. The performance shortfalls may be related to institutional support for mission execution, or related to any one or more of the following mission execution domains: safety, technical, cost, schedule.
As applied to CRM, risk is characterized as a set of triplets:
a. The scenario(s) leading to degraded performance in one or more performance measures,
b. The likelihood(s) of those scenarios,
c. The consequence(s), impact, or severity of the impact on performance that would result if those scenarios were to occur.
Uncertainties are included in the evaluation of likelihoods and consequences.
NASA Risk Management Handbook, NASA/SP-2011-3422, Version 1.0, November 2011
effect of uncertainty on the achievement of objectives [ISO Guide 73:2009]
A possible event that could cause a deficiency or a loss, or affect the possibility of achieving objectives. A risk is measured by the probability of a threat, the vulnerability of an asset to that threat and the impact it would have if it occurred. [ITIL:2007]
Uncertainty that exposure to undesired events or outcomes can generate. It is the expression of the probability and the impact of an event likely to harm the achievement of an organization's objectives.
http://www.tbs-sct.gc.ca/pol/doc-fra.aspx?id=16578