Straight Talk Technology

Ovum view

The move toward risk-based security is gathering momentum, and enterprises are increasingly focusing security efforts where they are needed most. The most common way of assessing risk is first to investigate the likelihood of a security incident or breach happening, then second to consider the impact of such an incident or breach occurring. The objective of risk-based security is to prioritize mitigation of those risks that could cause the greatest harm to the organization.

Tolerance levels are applied to determine the likelihood and impact, and these will vary between organizations. For example, if the likelihood [of a risk materializing] is below 20%, then it could be classified as "unlikely." If the impact is determined as "minor and containable" or "affects short-term goals only," then the impact could be classified as "low." Multiplying likelihood by impact gives a risk rating: in this instance, the resultant risk rating is likely to be "minimal," and the security controls required to address that risk will be relatively minor (e.g., a company user ID and password used to access a piece of data that would not cause problems if exposed). The greater the likelihood of the risk occurring and the greater the impact, the higher the risk rating, and therefore the more stringent the security controls that will be applied.

One of the biggest areas that would benefit from a risk-based approach is patching. A check in early February showed that the US National Vulnerability Database (NVD) holds 112,573 vulnerabilities of varying severity (low, medium, high). Faced with this volume of vulnerabilities to investigate, enterprises face a mountainous and never-ending task: working through scans of their environment to find out which vulnerabilities apply to their organization and then deciding on an action plan. Such an action plan generally involves starting at the top of the list and addressing the most critical vulnerabilities according to the NVD. However, these may not be the most critical vulnerabilities for that particular organization.

If the enterprise had a risk-based approach to security, each vulnerability that applied to their environment could be risk-assessed to determine whether addressing a particular vulnerability on a specific IT asset should be prioritized. Naturally, this is not something that can be done manually, but instead enterprises can take advantage of automation to help with this prioritization in the context of their organization.
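As an added illustration (not part of the Ovum briefing), the following Python sketch applies the likelihood-times-impact rating described above to a constructed set of findings and contrasts the resulting order with a plan that simply follows NVD severity. The tolerance bands beyond the 20% "unlikely" threshold, the assets, and the vulnerability identifiers are all assumptions.

```python
from dataclasses import dataclass

# Tolerance bands are illustrative assumptions; each organization sets its own.
# A likelihood below 20% is "unlikely", as in the text; the other bands are assumed.
LIKELIHOOD_BANDS = [(0.20, "unlikely", 1), (0.50, "possible", 2), (1.01, "likely", 3)]
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}
NVD_SEVERITY = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    vuln_id: str        # constructed placeholder, not a real CVE identifier
    nvd_severity: str   # severity as published by the NVD
    asset: str          # the IT asset on which the vulnerability was found
    likelihood: float   # estimated probability of exploitation in this environment
    impact: str         # business impact if this asset is compromised

def likelihood_band(p: float):
    """Map a probability to its tolerance band label and numeric score."""
    for upper, label, score in LIKELIHOOD_BANDS:
        if p < upper:
            return label, score
    raise ValueError(f"likelihood out of range: {p}")

def risk_rating(f: Finding):
    """Likelihood score times impact score, bucketed into a rating label."""
    _, l_score = likelihood_band(f.likelihood)
    score = l_score * IMPACT_SCORE[f.impact]
    label = "minimal" if score <= 2 else "moderate" if score <= 4 else "significant"
    return score, label

def nvd_order(findings):
    """Generic plan: work down the list by NVD severity alone (stable sort)."""
    return sorted(findings, key=lambda f: NVD_SEVERITY[f.nvd_severity], reverse=True)

def risk_order(findings):
    """Risk-based plan: highest organization-specific rating first."""
    return sorted(findings, key=lambda f: risk_rating(f)[0], reverse=True)

# Constructed sample findings for one fictitious environment.
SAMPLE = [
    Finding("VULN-A", "high",   "isolated lab host",     0.10, "low"),
    Finding("VULN-B", "medium", "internet-facing DB",    0.70, "high"),
    Finding("VULN-C", "low",    "VPN gateway",           0.35, "high"),
    Finding("VULN-D", "high",   "internal build server", 0.45, "medium"),
]

if __name__ == "__main__":
    for f in risk_order(SAMPLE):
        score, label = risk_rating(f)
        print(f"{f.vuln_id} {f.asset}: NVD={f.nvd_severity} risk={score} ({label})")
```

Run as written, the NVD-driven plan would start with VULN-A and VULN-D, while the risk-based plan puts VULN-B and VULN-C first, which is the reordering the briefing argues for.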

The benefit of deploying a risk-based approach to security is that scarce resources – people and money – can be used where they are needed most. Looking at the example of addressing vulnerabilities, the highest risk will be mitigated first, making it clear to resource-strapped teams where they should be focusing their efforts. The knock-on effect is that enterprises will be better protected against security incidents and breaches – the objective for every organization that takes cybersecurity seriously.

Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.
