Risky about risk (and similar concepts)
doc. Ing. Jaroslav Sivák, CSc., MBA
27 March 2025
1. Introduction
This article deals with reflections on the basic concepts common in security practice. We consider "assets," "risk," "threat," "vulnerability," "resilience," and others as the basic concepts in security practice.
Why "risky" about risk and similar concepts? There are a large number of various academic works that deal with the definition of these concepts. Terminological dictionaries that have been approved by opposition councils are known, and the legal norms of the Slovak Republic also operate with these concepts. And yet, several binding sources differ. The European Union with its bodies has also contributed significantly to the definition of basic concepts in security management. Several directives use their own definitions of these concepts. These "European" concepts are often then implemented into our norms and into the vocabulary, especially of crisis managers.
"Risky" therefore because the claims contained in this article may not please my esteemed academic colleagues, workers especially from force departments who created and use (or don't use) terminological dictionaries and create laws and other legal norms in the field of security, and many others.
In an effort to express a certain reality as originally as possible, words such as "attack vector" enter the vocabulary of the security community. Certainly, if we try, we can find an analogy with the mathematical definition of "vector." But is it necessary...
It is not important whether a given concept is etymologically, grammatically, semantically, and otherwise, the most correct one. It is important that the community that works in security management understands each other and that under a given concept we can imagine as faithfully as possible what the author wanted to express by it and, ultimately, what it describes.
2. Basic Security Truth
The basic security truth, on which most stakeholders agree, is that RISK is the probability (or rate) that a THREAT will exploit a VULNERABILITY of an ASSET and cause an IMPACT on it.
This formulation says that we are looking for a suitable interpretation of a measure that describes as faithfully as possible what can happen (and will happen) when the variables of this functional¹ reach certain values. Risk can be understood as a probability, or as another value in a metric that we choose, one that corresponds to objective reality and allows us to make judgments about the value, i.e., the extent, of the impacts that threaten us.
The basic security truth includes both external and internal conditions for the occurrence of a security event. The external condition is THREAT. The internal condition is VULNERABILITY. The subject of the process is an ASSET that is exposed to a THREAT and is VULNERABLE. The result of a THREAT attack that exploited a VULNERABILITY and affects an ASSET is IMPACT. Upon closer examination of security event processes, we would come to other concepts, such as RESILIENCE.
Let's start from the concept of SECURITY. SECURITY is, quote: "A state of a social, natural, technical, technological system or other system that, in specific internal and external conditions, enables the fulfillment of specified functions and their development in the interest of man and society."² Critical note: SECURITY cannot be a state! It is a dynamic process whose parameters are of a probabilistic nature. It is therefore a PROCESS. Security is a process that has certain boundaries of minimum and maximum realistically achievable security. This means that there is a non-zero tolerance for disruption of the nominal state. The system must be designed and constructed (arranged) so that it can function even when it deviates from this equilibrium state within the range of the above minimum and maximum values. These factors can be referred to as RESILIENCE.³
In the following text, we will discuss the part of the basic security truth concerning the concept of RISK.
3. Risk
If we borrow the bon mot about what intelligence is, that it is what is measured by the intelligence quotient, then risk is what is determined by risk analysis.
Risk is, quote: "A measure of threat expressed by the probability of the occurrence of an undesirable phenomenon and its consequences."⁴ Another definition, quote: "By risk (we understand) the potential for loss or disruption due to a cyber security incident expressed as a combination of the extent of such loss or disruption and the probability of occurrence of a cyber security incident."⁵ In this sentence, only the "probability of occurrence..." is a measurable variable. The rest is immeasurable. How is it then possible to determine risk in the area of, for example, cyber security?
There are more daring definitions, which probably also give rise to the statement described above:

[1]
where:
- R is risk,
- P is the probability that a security incident will occur,
- C is the measure of impact (often only the "negative" impact is meant).
Let's imagine an example according to relation [1]:
The probability that an airplane will "fall" is 1 fall per 2 to 3 million flights (regardless of distance).⁶ The probability of an accident per flight is therefore (let's calculate the variant with 2 million flights):

[2]
If the total damage quantified in money (C) was, for example, 50 million currency units (large aircraft, many victims, loss of goodwill of the airline...), then according to [1] we should not sit in any airplane.
Correctly, relation [1] is missing another dimension of consideration, and that is time. The probability that a security incident will occur must be measured over time, i.e., if the probability of a breach of, for example, the perimeter of the digital world (cyber security of the network) is e.g. 0.5, we rightfully ask: "Over what period?" Definitely, relation [1] is not the best. A somewhat better approach would be Bayesian statistics, where risk is defined as the expected value of the loss function. Then there is the area of finance, where Value at Risk (VaR) is often used, which gives the maximum expected loss at a given confidence level.
In probability theory, we often rely on the so-called probability distribution of the occurrence of a value. In security applications, it is better to use Poisson distributions rather than Gaussian ones, because security processes are burdened with "noise," i.e., a larger number of factors that also have a probabilistic character are at play.
Let's use the Poisson approach (we're looking for the probability of an event over time):
If we assume that an event occurs randomly with an average intensity λ (number of events per unit of time), then the probability that the event will occur exactly k times during a time interval t is given by the Poisson distribution:

[3]
where:
- k is the number of occurrences of the event in time t,
- λ is the average number of events per unit of time,
- t is the length of the time interval.
Using this mathematical model and our example, we would calculate that the probability that no accident will occur is approximately 0.99995 and the probability that at least one will occur (the complement to one) is approximately 0.00005.
With such mathematical instruments, we would be able to predict quite accurately with what probability and over what time period a security incident will occur (and how many times it will repeat in a given time interval). The question remains: with what probability will this event occur, for the first time, within a given time interval?
If we are interested in the probability that the event will not occur until time t, we use the exponential distribution, which models the time until the first event:

[4]
If someone wanted to complete our example, then they would calculate that the probability that the event will occur within two years is ≈0.632.
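The three models the article contrasts, written out as an added example (this is not the author's code; the article itself gives only the formula numbers). Relation [1] is read here as R = P × C, which is an assumption since the formula did not survive on the page, and the flight volumes used to turn the per-flight probability into a Poisson intensity λt are likewise assumed, chosen so that the results reproduce the article's figures (≈0.99995, ≈0.00005 and ≈0.632):

```python
"""Added example (not from the original article): the time-aware risk models the
article discusses, applied to its airplane figures.

Assumptions made here (not stated on the page):
  - relation [1] is read as R = P * C (the page defines R, P, C but the formula
    itself did not survive extraction);
  - the number of flights in a time interval is what turns the per-flight
    probability into the Poisson intensity lambda * t.
"""
import math


def risk_static(p: float, c: float) -> float:
    """Relation [1] read as R = P * C: probability of the incident times impact.
    It has no time dimension, which is the article's objection to it."""
    return p * c


def poisson_pmf(k: int, lam: float, t: float) -> float:
    """Relation [3]: probability of exactly k events in an interval of length t
    when events arrive at average intensity lam per unit time."""
    mu = lam * t
    return math.exp(-mu) * mu ** k / math.factorial(k)


def prob_at_least_one(lam: float, t: float) -> float:
    """Complement of P(k = 0): at least one event in the interval."""
    return 1.0 - poisson_pmf(0, lam, t)


def exponential_cdf(lam: float, t: float) -> float:
    """Relation [4]: probability that the first event has occurred by time t
    (time to the first event is exponential with rate lam).  Note that this is
    the same number as prob_at_least_one: "first event by t" and "at least one
    event in [0, t]" describe the same outcome."""
    return 1.0 - math.exp(-lam * t)


def time_to_reach(lam: float, target: float) -> float:
    """Invert relation [4]: how long (in the unit lam is quoted per) until the
    probability of a first event reaches `target`.  This answers the article's
    question "over what period?"."""
    return -math.log(1.0 - target) / lam


# --- the article's figures -------------------------------------------------
P_PER_FLIGHT = 1 / 2_000_000   # relation [2]: one accident per 2 million flights
IMPACT = 50_000_000            # C: 50 million currency units, from the article

# Assumed flight volumes (not on the page), chosen so the results reproduce the
# article's numbers: 100 flights give P(no accident) ~ 0.99995; 2 million flights
# over two years give P(first accident within two years) ~ 0.632.
FLIGHTS_SHORT_INTERVAL = 100
FLIGHTS_PER_YEAR = 1_000_000

if __name__ == "__main__":
    lam = P_PER_FLIGHT  # intensity per flight, so t is a flight count
    print("R = P*C per flight:", risk_static(P_PER_FLIGHT, IMPACT))
    print("P(no accident in 100 flights):", poisson_pmf(0, lam, FLIGHTS_SHORT_INTERVAL))
    print("P(at least one in 100 flights):", prob_at_least_one(lam, FLIGHTS_SHORT_INTERVAL))
    print("P(first accident within two years):", exponential_cdf(lam, 2 * FLIGHTS_PER_YEAR))
    print("flights until P(first accident) = 0.5:", time_to_reach(lam, 0.5))
```

The point the code makes concrete: R = P × C yields an expected loss per flight (25 currency units here), a number with no period attached, whereas the Poisson and exponential forms force you to state the interval, and the same λ gives 0.00005 over 100 flights but 0.632 over 2 million.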
4. Risk in Practice
We have shown that there are relatively precise, but also complex mathematical approaches to determining (calculating) the value of the RISK parameter. However, for common security practice, this approach is awkward, especially for objects with a lower degree of importance. For high-risk objects (e.g., nuclear industry objects), specific (often classified) methodologies are used.
In practice, ready-made software tools for risk assessment, of which there are many, can be used. It is also possible to use your own risk analysis model; then it is necessary to consider especially:
- The significance of the organization/system and its attractiveness to the attacker. It is necessary to strictly consider the possibility that the organization/system will be used only as the first link in an attack, or as a maneuver to divert attention.
- Set which impact values are acceptable for the organization (those it can cover from its own resource capacity) and which are unacceptable. It is appropriate to develop a differentiated structure of impacts.
- Determine other parameters (assets, threats, vulnerabilities) according to the security analysis.
- Establish a scale for risk assessment (numerical or descriptive). Calculate or determine the risk values on this scale.
- The most important step is the interpretation of the risk value from which the level of acceptable risk will result.
- Establish risk management for risks that are unacceptable and need to be covered by defensive measures.
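The steps above, carried through once as an added example of a minimal risk register (this is constructed illustration, not the author's or any tool's code): an impact scale with an acceptance limit, assets with their threats and vulnerabilities, a numerical risk scale that also reflects attractiveness to an attacker, the interpretation step, and the list of risks that risk management must cover with defensive measures. The 1 to 5 scales, the threshold of 9, and every asset, threat and score are assumptions chosen for the illustration.

```python
"""Added example (not from the original article): a minimal risk register that
walks the steps listed in section 4.  All scales, thresholds, assets, threats
and scores are constructed for illustration.
"""
from dataclasses import dataclass

# Descriptive scale mapped to numbers (a constructed scale, one of many possible).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Impact levels the organisation says it can absorb from its own resources.
ACCEPTABLE_IMPACT_MAX = 2        # negligible, minor
# Risk value above which a risk is unacceptable and needs treatment.
RISK_ACCEPTANCE_THRESHOLD = 9


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    attractiveness: int = 1   # 1..3: how attractive the asset is to an attacker,
                              # e.g. because it can serve as the first link into
                              # another target

    def value(self) -> int:
        """Risk on the numerical scale: likelihood x impact, raised by one step
        per level of attractiveness above the baseline."""
        base = LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        return base + (self.attractiveness - 1)

    def interpret(self) -> str:
        """The interpretation step: decide what the number means for this
        organisation.  Impacts it can cover itself are acceptable whatever the
        likelihood; everything else is judged against the threshold."""
        if IMPACT[self.impact] <= ACCEPTABLE_IMPACT_MAX:
            return "acceptable (impact within own resource capacity)"
        if self.value() <= RISK_ACCEPTANCE_THRESHOLD:
            return "tolerable (monitor)"
        return "unacceptable (requires defensive measures)"


def risks_needing_treatment(register):
    """Risks that risk management must cover with defensive measures."""
    return [r for r in register if r.interpret().startswith("unacceptable")]


# Constructed register for illustration.
REGISTER = [
    Risk("internet-facing portal", "credential stuffing", "no MFA", "likely", "major", attractiveness=3),
    Risk("internal file share", "ransomware", "unpatched SMB", "possible", "major"),
    Risk("printer VLAN", "malware", "default credentials", "possible", "minor"),
    Risk("backup server", "hardware failure", "single disk", "unlikely", "moderate"),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=Risk.value, reverse=True):
        print(f"{r.value():2d}  {r.asset:24s} {r.threat:20s} -> {r.interpret()}")
    print("to treat:", [r.asset for r in risks_needing_treatment(REGISTER)])
```

The design choice worth noticing is that acceptability is decided on impact first and on the combined value second, which is how the list above orders the steps: the organisation fixes what it can absorb before any risk number is computed.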
Notes
1. A functional is a mathematical concept – it is a function that takes a function as input and returns a number.
2. Terminological dictionary of crisis management. Security Council of the Slovak Republic. Bratislava 2017. p. 8
3. Ibid. p. 24
4. Ibid. p. 26
5. Act 366/2024 Coll. on cyber security. Collection of laws of the Slovak Republic, §3, letter i)
6. https://asn.flightsafety.org/
Source: Sivák, Jaroslav. “RISKY ABOUT RISK.” Decent Cybersecurity, March 16, 2025. https://decentcybersecurity.eu/risk-interpretation-in-security/#324c01ae-6125-4551-9e96-2365485be6a2-link. Accessed: 27. 3. 2025
