The massive volume of network transactions, messages and other events that occur in real time makes predicting the risk of an incident difficult, but not impossible. Credit: RetroRocket / Getty Images I don’t know how many times I’ve heard cybersecurity professionals say something like, “Not having multi-factor authentication is a huge risk for our organization.” The truth is, that type of statement may illustrate a control weakness, but unless the unwanted outcome is a ding in an audit report where MFA is required, that is not the real risk. The real risk is the probability of a ransomware incident, for example, or the leak of personally identifiable information (PII) from a customer database.For enterprises, risk lay in the potential losses associated with unwanted outcomes incurred through their computing environments. (The cybersecurity piece of this typically focuses on incidents where these outcomes were caused by an intelligent adversary.) A simple way to think about unwanted outcomes is to consider the ways we might fail to meet one or more of our control objectives – confidentiality, integrity, availability, or other objectives – and experience one of the aforementioned incidents, among others.Once risk is understood, it becomes easier to see that much of what we do in cybersecurity revolves around addressing control weaknesses that essentially act as risk placeholders. We feel like there is no real way to determine risks and assess their likelihood and so therefore rely on best practices and control frameworks to fill in the gaps. So, while most of us perform our duties in service to risk management activities, there is almost never any proof that fixing control weaknesses would ever lead to a true reduction in unwanted outcomes that lead to loss events. Cybersecurity risk lives in real timeI believe there is one big reason why this is true: We don’t internalize the fact that the risk we aim to manage “lives” within the real-time activities happening throughout our IT environments. That is, the risk exists within the millions, billions, trillions, quadrillions of transactions and messages and sessions and other structured elements. While we can’t definitively measure risk because at its core risk is a prediction about future outcomes, we can at least make those risk predictions and then test their accuracy after the fact by measuring the pertinent activities. Then we can use that data to inform our future risk predictions and their follow-on decisions. So, when Cisco says, “Spam accounts for nearly two-thirds (65%) of total email volume, and our research suggests that global spam volume is growing due to large and thriving spam-sending botnets. According to Cisco threat researchers, about 8% to 10% of the global spam observed in 2016 could be classified as malicious. In addition, the percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed” as it did in its 2017 Annual Cybersecurity Report, you can derive the probability part of risk of getting a malicious email message as about 6%.Some of my astute colleagues may point out that risk must also include a magnitude element expressed in financial losses. While that is ultimately my goal as well, I don’t consider it a necessary condition as long as one can intuit the losses associated with receiving a malicious email message. This allows us to circle back around not to control weakness, but to its strength, depending on how many of those messages a solution can stop before an incident occurs. With so much of our cybersecurity activity revolving around people and process, it is easy to become distracted or deceived into thinking incorrectly. It is crucial to understand that amidst the massive amounts of activities occurring in our IT environments, real-time is where the risk is. Related content news CISA, FBI urge developers to patch path traversal bugs before shipping The advisory highlights how developers can follow best practices to fix these vulnerabilities during production. By Shweta Sharma May 03, 2024 3 mins Vulnerabilities news Microsoft continues to add, shuffle security execs in the wake of security incidents The company has appointed new product security chiefs as well as a customer-facing CISO as it continues to respond to high-profile attacks on its products and own network. By Elizabeth Montalbano May 03, 2024 4 mins CSO and CISO feature Malware explained: How to prevent, detect and recover from it What are the types of malware? How does malware spread? How do you know if you’re infected? We've got answers. By Josh Fruhlinger May 03, 2024 18 mins Ransomware Phishing Malware brandpost Sponsored by Cyber NewsWire LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely from Any Browser, Anywhere Early adoption by Fortune 100 companies worldwide, LayerX already secures more users than any other browser security solution and enables unmatched security, performance and experience By Cyber NewsWire May 02, 2024 4 mins Cyberattacks Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe