What’s math got to do with it?
Take a moment and picture the concept of “cybersecurity” in your mind.
…
What did you think about?
Was it a hacker in a hoodie typing away in a dark room, with green lines of code scrolling across their face (or even a mask)? Maybe it was a string of numbers from your Multi-Factor Authentication (MFA) app, creating an extra layer of security for your logins. Perhaps you pictured a recent phishing email you received, given how common those are becoming these days.
These mental images are all great examples within the category of cybersecurity, but I’m willing to bet that the first thing that came to mind wasn’t this formula:
Risk = Likelihood x Impact
(If you did think of this, congratulations – you know your stuff!)
This formula is at the heart of “risk-based cybersecurity,” a strategic approach to cybersecurity that allows for more informed decision-making, with better control and understanding of your risks. But what exactly does the formula represent, and how does it lead to these benefits?
Let’s explore to find out!
What Are Risk, Likelihood, and Impact?
Risk, as defined by the National Institute of Standards and Technology (NIST), is “a measure of the extent to which an entity is threatened by a potential circumstance or event.”[1] The same NIST definition goes on to say that risk is typically a function of the adverse impact that would arise if the event occurred and the likelihood of it occurring. To make risk something that we can measure – something numerical – we need to break it down into exactly those component parts.
If we think abstractly about the word “threat” within the definition of risk, a few thoughts come to mind:
- If something is a “threat,” then there must be a chance (probability) that it can actually happen.
- If something is a “threat,” then there must be a negative cost if that event does happen.
- If there is no chance that a negative event occurs and/or there is no negative cost associated with the event, then the event itself bears no threat and there is no associated risk.
From Point 1, we can deduce that the probability of a negative event occurring (Likelihood) affects the measure of risk. And from Point 2, the potential cost of a negative event occurring (Impact) also affects the measure of risk.
Putting these together, we get our formula: Risk = Likelihood x Impact
So, that’s all well and good… but what can we do with this formula?
The Helpful Math of Risk
Put simply, turning risk into a measurable quantity allows us to compare the relative level of risk between different events. In cybersecurity, that means putting very different sources of risk (a missing control, an exposed system, a likely attack) on the same scale so we can decide which one to fix first. Let’s try an example case.
For this example, let’s pretend that we are a small business measuring and comparing the relative risks associated with not having MFA enabled and not having a visitor sign-in sheet for our office. We will assign values of 1-5 for both Likelihood and Impact, with 1 indicating Low and 5 indicating High.
For MFA, we’ll say that, given the current cyber threat environment, there’s a High Likelihood that the lack of MFA will be exploited, and assign it a 5. Likewise, if a bad actor gains access to sensitive data in systems that are not protected by MFA, that could spell disaster for our business: regulatory fines, reputational damage, legal battles, and much more, any of which could put an end to the business. We’ll put Impact at 5 as well. Plugging those numbers into the formula gives this MFA situation a Risk Score of 25 (Risk Score [25] = Likelihood [5] x Impact [5]).
We’ll quickly do the same for not having a visitor sign-in sheet, assigning a 2 for Likelihood (our office doesn’t get that many visitors) and a 3 for Impact (we still have cameras and other ways to track visitors, but it’s still not great if exploited), which gives a Risk Score of 6 for this scenario.
You may have already guessed, but these Risk Scores give us a useful shorthand for knowing which situations present a greater risk than others and allow us to focus our remediation steps accordingly. In our (very simple) example scenario, the MFA situation having a score of 25 – the highest possible score for our rubric – would indicate that this is a Critical risk and should be addressed immediately. By contrast, not having a visitor sign-in sheet scored a 6; we should still address it, but other situations that scored higher can and should take precedence. Keep in mind that the scores are a ranking aid, not a measurement in the strict sense: a 25 ranks above a 6, but it is not “four times” the risk, and two different scenarios can land on the same score (a Likelihood of 3 with an Impact of 4 and a Likelihood of 4 with an Impact of 3 both give 12), so the rubric tells you where to look first, not exactly how much to spend.
By scoring our risks consistently, even with a simple semi-quantitative rubric like this one, we can make more informed decisions on our next steps. This method also allows us to avoid fear-based cybersecurity, overreacting to perceived threats with knee-jerk responses and wasting resources on supposed cure-all solutions. Or worse: doing nothing at all.
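To show how the rubric works once a register has more than two entries, here is a small risk-register scorer written for this article; it is an added example, not code from Rhodian Group. The two scenarios above are included as given; the two extra scenarios, their Likelihood/Impact values, and every severity band other than 25 = Critical are constructed assumptions for illustration.

```python
"""Risk = Likelihood x Impact on a 1-5 rubric, applied to a small risk register.

Constructed example for this article. The extra scenario names and values are
made up, and the severity bands below 25 (Critical) are an assumption the
original post does not define.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5

# Assumed severity bands as (score threshold, label), checked highest first.
# Only 25 = Critical comes from the post; the other cut-offs are illustrative.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


def validation_error(likelihood, impact) -> str:
    """Return an error message for values outside the rubric, or "" if valid.

    Rejecting bad input matters: a 7 typed into a 1-5 column would silently
    outrank every genuine Critical finding in the register.
    """
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if isinstance(value, bool) or not isinstance(value, int):
            return f"{label} must be an integer, got {value!r}"
        if not SCALE_MIN <= value <= SCALE_MAX:
            return f"{label} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}"
    return ""


def band_for(score: int) -> str:
    """Map a 1-25 score onto the assumed severity bands."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "Low"  # not reachable for scores in 1..25 with the bands above


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        error = validation_error(self.likelihood, self.impact)
        if error:
            raise ValueError(f"{self.name}: {error}")

    @property
    def score(self) -> int:
        # The post's formula. The product is an ordinal ranking aid, not a
        # true quantity: a 25 "ranks above" a 6, it is not "four times" a 6.
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        return band_for(self.score)


def rank(scenarios):
    """Order a register for remediation: highest score first.

    Two scenarios can share a score (3x4 and 4x3 are both 12). Prefer the one
    with the higher impact, since impact is usually harder to reduce than
    likelihood, then sort by name so the output is deterministic.
    """
    return sorted(scenarios, key=lambda s: (-s.score, -s.impact, s.name))


def risk_matrix():
    """The whole 5x5 rubric as {(likelihood, impact): band}, e.g. for a heat map."""
    return {
        (lik, imp): band_for(lik * imp)
        for lik in range(SCALE_MIN, SCALE_MAX + 1)
        for imp in range(SCALE_MIN, SCALE_MAX + 1)
    }


# Constructed register: the two scenarios from the post plus two made-up ones
# that tie on score, to exercise the tie-break rule.
REGISTER = [
    Scenario("No MFA on remote logins", 5, 5),
    Scenario("No visitor sign-in sheet", 2, 3),
    Scenario("Unpatched public web server", 3, 4),
    Scenario("Shared admin password", 4, 3),
]


if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s.score:>2}  {s.band:<8}  {s.name}  (L={s.likelihood}, I={s.impact})")
```

Running it prints the register in remediation order: the MFA scenario at 25 (Critical), the two tied 12s with the higher-impact one first, and the sign-in sheet at 6. Whatever bands you choose, write them down once and apply them with code like this rather than by eye; the consistency is what makes one assessment comparable with the next.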
What Now?
There is so much more to risk-based cybersecurity than one blog can explore. We highly recommend that you check out our Cybersecurity Handbook to learn more about other key concepts involved in the work we do as cybersecurity specialists, such as the CIA Triad of Information Security, Risk Tolerance, and the difference between “Risk” and “Secure.”
If you aren’t in the habit already, we also recommend that you conduct a regular Risk Assessment with a cybersecurity partner of your choice. (We have a helpful Cybersecurity Vendor Guide to aid your search.) A thorough Risk Assessment will help inventory and categorize your organization’s risks using the core concepts of risk-based cybersecurity we just explored. You can then work towards remediating those risks, ideally with help from those same cybersecurity experts.
As always, feel free to use our contact form with any questions or concerns you may have about your own cybersecurity needs. Rhodian Group is here to help!
This blog article is part of Summer of Cyber 2025, hosted by Rhodian Group and Angela Adams Consulting. Follow along on their social media pages for insightful and informative cybersecurity content throughout the summer!
Sources:
- Stoneburner et al., Guide for Conducting Risk Assessments, NIST Special Publication (SP), 800-30 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, September 2012, 95pp. http://dx.doi.org/10.6028/NIST.SP.800-30r1