Risk Identification and Risk Register
Identify organizational assets, threats, and vulnerabilities, then document risks in a structured register with likelihood and impact ratings.
What Is Risk in Security?
Risk is the potential for loss or harm resulting from a threat exploiting a vulnerability. In information security, risk is expressed as the combination of likelihood (how probable the event is) and impact (how severe the damage would be). Understanding risk allows organizations to make informed, cost-effective security decisions rather than trying to eliminate every possible threat.
Assets, Threats, and Vulnerabilities
Risk identification begins with three core elements. An asset is anything of value — servers, databases, intellectual property, or reputation. A threat is any potential event that could harm an asset, such as a ransomware attack or a disgruntled employee. A vulnerability is a weakness that a threat can exploit, such as an unpatched system or weak password policy. Risk exists where threats meet unprotected assets.
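To make the three-element model and the register concrete, here is an added Python example (not part of the lesson) of a minimal risk register: each entry must name an asset, a threat and a vulnerability, carries likelihood and impact ratings, and is ranked by a combined score. The 1..5 scales, the likelihood x impact product, the high/medium/low thresholds and the sample entries are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed 1..5 ordinal scales and a likelihood x impact score (one common convention).
SCALE = range(1, 6)

@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    asset: str          # what is of value
    threat: str         # the event that could harm the asset
    vulnerability: str  # the weakness the threat would exploit
    likelihood: int     # 1 rare .. 5 almost certain (assumed scale)
    impact: int         # 1 negligible .. 5 severe (assumed scale)

    def __post_init__(self) -> None:
        # Risk exists only where all three elements meet; reject incomplete entries.
        for name in ("asset", "threat", "vulnerability"):
            if not getattr(self, name).strip():
                raise ValueError(f"{self.risk_id}: {name} must be stated")
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: ratings must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        # Assumed thresholds for a 5x5 matrix (maximum score 25).
        return "high" if self.score >= 15 else "medium" if self.score >= 8 else "low"

class RiskRegister:
    def __init__(self) -> None:
        self._entries: dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        if entry.risk_id in self._entries:
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self._entries[entry.risk_id] = entry

    def ranked(self) -> list[RiskEntry]:
        # Highest score first; ties broken by impact, then id (assumed rule).
        return sorted(self._entries.values(), key=lambda e: (-e.score, -e.impact, e.risk_id))

def build_sample_register() -> RiskRegister:
    # Constructed sample entries built around the lesson's own example threats.
    reg = RiskRegister()
    reg.add(RiskEntry("R-1", "customer database", "ransomware", "unpatched file server", 4, 5))
    reg.add(RiskEntry("R-2", "VPN accounts", "credential stuffing", "weak password policy", 3, 3))
    reg.add(RiskEntry("R-3", "source repository", "disgruntled employee", "no access revocation at exit", 2, 4))
    return reg
```

Calling `build_sample_register().ranked()` returns the entries with the ransomware risk first, which is the ordering a review meeting would work through.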