The massive volume of network transactions, messages and other events that occur in real time makes predicting the risk of an incident difficult, but not impossible. Credit: RetroRocket / Getty Images I don’t know how many times I’ve heard cybersecurity professionals say something like, “Not having multi-factor authentication is a huge risk for our organization.” The truth is, that type of statement may illustrate a control weakness, but unless the unwanted outcome is a ding in an audit report where MFA is required, that is not the real risk. The real risk is the probability of a ransomware incident, for example, or the leak of personally identifiable information (PII) from a customer database.For enterprises, risk lay in the potential losses associated with unwanted outcomes incurred through their computing environments. (The cybersecurity piece of this typically focuses on incidents where these outcomes were caused by an intelligent adversary.) A simple way to think about unwanted outcomes is to consider the ways we might fail to meet one or more of our control objectives – confidentiality, integrity, availability, or other objectives – and experience one of the aforementioned incidents, among others.Once risk is understood, it becomes easier to see that much of what we do in cybersecurity revolves around addressing control weaknesses that essentially act as risk placeholders. We feel like there is no real way to determine risks and assess their likelihood and so therefore rely on best practices and control frameworks to fill in the gaps. So, while most of us perform our duties in service to risk management activities, there is almost never any proof that fixing control weaknesses would ever lead to a true reduction in unwanted outcomes that lead to loss events. Cybersecurity risk lives in real timeI believe there is one big reason why this is true: We don’t internalize the fact that the risk we aim to manage “lives” within the real-time activities happening throughout our IT environments. That is, the risk exists within the millions, billions, trillions, quadrillions of transactions and messages and sessions and other structured elements. While we can’t definitively measure risk because at its core risk is a prediction about future outcomes, we can at least make those risk predictions and then test their accuracy after the fact by measuring the pertinent activities. Then we can use that data to inform our future risk predictions and their follow-on decisions. So, when Cisco says, “Spam accounts for nearly two-thirds (65%) of total email volume, and our research suggests that global spam volume is growing due to large and thriving spam-sending botnets. According to Cisco threat researchers, about 8% to 10% of the global spam observed in 2016 could be classified as malicious. In addition, the percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed” as it did in its 2017 Annual Cybersecurity Report, you can derive the probability part of risk of getting a malicious email message as about 6%.Some of my astute colleagues may point out that risk must also include a magnitude element expressed in financial losses. While that is ultimately my goal as well, I don’t consider it a necessary condition as long as one can intuit the losses associated with receiving a malicious email message. This allows us to circle back around not to control weakness, but to its strength, depending on how many of those messages a solution can stop before an incident occurs. With so much of our cybersecurity activity revolving around people and process, it is easy to become distracted or deceived into thinking incorrectly. It is crucial to understand that amidst the massive amounts of activities occurring in our IT environments, real-time is where the risk is. Related content news Administrator of ransomware operation LockBit named, charged, has assets frozen A Russian national alleged to have been the administrator of the notorious and prolific LockBit ransomware provider faces international charges. A $10-million reward for the suspect’s arrest has been offered. By Lucian Constantin May 07, 2024 3 mins Advanced Persistent Threats Hacker Groups Ransomware news US deploys commerce and communications against cyber threats, Blinken says The US government is moving to address the challenges of quantum computing, cloud strategies, and generative AI, Anthony Blinken said in a speech that was light on specifics. By Evan Schuman May 07, 2024 4 mins Cyberattacks Government Threat and Vulnerability Management news Change Healthcare went without cyber insurance before debilitating ransomware attack In doing so, Change exposed itself not just to greater financial risk, but reputational damage too. By John Leyden May 07, 2024 5 mins Data Breach Ransomware news Citrix quietly fixes a new critical vulnerability similar to Citrix Bleed Much similar to Citrix-Bleed, the information disclosure bug was identified within NetScaler devices configured as gateway or virtual servers. By Shweta Sharma May 07, 2024 3 mins Vulnerabilities PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe