RISKY ABOUT RISK 2

3 May 2025

(and similar concepts)

Doc. Ing. Jaroslav Sivák, CSc., MBA

1. Introduction

This article continues the reflections on the basic concepts used in the categories of "protection and security." As noted in the first article, "risky" applies here because the claims in this article may not sit well with academics, with the staff of security departments who created and use (or do not use) terminological dictionaries and who draft laws and other legal norms in the security field, and with many others.


The fundamental security truth remains: RISK is the probability (or measure) that a THREAT will exploit a VULNERABILITY of an ASSET and cause an IMPACT on it.

2. Threat

Threat is defined in the Terminological Dictionary of Crisis Management published by the Government Office of the Slovak Republic in 2017 on page 11 as: "An objectively existing possibility whose fulfillment is capable of causing a negative consequence." It is necessary to distinguish between "threat" and "endangerment." Threat is a potential category. Endangerment refers to an immediate event, i.e., when a threat is actively occurring. In the aforementioned Terminological Dictionary on page 24, it states: "Endangerment is an activated threat in space and time."

Threats can be categorized according to their origin and are typically divided into:

1. Anthropogenic threats - threats whose cause and primary stimulus lie in humans and the social sphere.

2. Natural threats - caused by manifestations of nature.

3. Technological threats - caused by technological elements.

4. Combined threats - the simultaneous action of the above threats.

In current terminology, the concept of hybrid threat has appeared, which can be considered, in certain respects, a combined threat.


Naturally, there are officially approved and used classifications of threats and their sources: for example, ISO/IEC 27000:20xx Information Technology – Security Techniques – Information Security Risk Management, or the materials issued by the Civil Protection Department of the Ministry of Interior. The Fire Brigade also has them well categorized, as do others.


Threat analysis includes identifying and evaluating parameters according to their well-measurable and poorly measurable manifestations (the latter by heuristic and expert estimates on a scale). Evaluation is usually performed against a defined metric - a measurement method or another threat quantification methodology. The parameters identified include: significance, the threat's accessibility to the asset, and the threat's recognizability and identifiability.


Assessing the significance of a threat means predicting its impact: evaluating how significantly the threat could disrupt, limit, or prevent the system from functioning within its designed parameters. Accessibility of a threat expresses how well the asset is protected against that specific threat. Knowledge of the threat enables specific, targeted preventive measures.


Threat assessment is often heavily influenced by a parameter we call "impact on the population." Every threat can ultimately evoke a feeling of fear in the population. This factor can feed a so-called domino effect, in which the rational (more often irrational) fear of people becomes a separate threat in its own right.

3. Asset Vulnerability

The Terminological Dictionary of Crisis Management on page 32 states regarding the concept of vulnerability: "A complex property reflecting the weak points of a system, its reduced resistance to possible disruption of its function, damage, or destruction." The categorization of vulnerabilities is identical to that of threats, i.e., anthropogenic, natural, technological, and combined.


When assessing vulnerabilities, it is necessary to consider the probable attack scenario, the degree of protection, and the resilience of the vulnerability carrier. Vulnerability recognizability means whether we know about the vulnerability or whether it remains unrecognized and unknown. We often see the significance of a vulnerability ignored by trivializing the actual state. And that is before we even consider the cases described by Nassim Nicholas Taleb in his book The Black Swan: events whose probability of occurrence is extremely low and whose impact is extremely high (complete collapse of financial markets, WTC 2001, etc.).


We evaluate the degree of vulnerability on a scale (metric) considering the significance of the vulnerability, the attacker's access to the vulnerability, and its recognizability.

4. Asset

An asset is everything that an organization (system, process) values: whatever is important for the organization, system, or specific process, and whose damage or loss would mean a deviation from the designed (intended, usual) parameters of functioning. The Terminological Dictionary defines an asset on page 7 as: "A value that needs to be protected."


Assets can be divided into tangible and intangible, or existing in the real or virtual world. We interpret the value of an asset as the measure of resource intensity (people, time, finances, and others) needed to replace the asset or restore it to its original state.

Note: "Restoration to the original state" is a misleading phrase. The reconstruction process must include measures that will be an effective response to the threats and vulnerabilities that precede reconstruction. It is therefore not possible to simply restore the original state; it is necessary to take measures beyond simple reconstruction.

5. Impact

Impact is the result of the action of the previous factors and is most often perceived as harm, damage, or loss, that is, in a negative connotation. For a complete understanding of impact, it is necessary to admit the existence of types of impact that may ultimately mean improvement. An example may be a captured attack on communication infrastructure that triggers positive changes in the opinion of those responsible for security and protection. Likewise, insured property (insurance being a way of managing risk) destroyed by a natural disaster is, on a secondary level, not a negative impact. This does not refer to insurance fraud.


Assessing the level (size) of impact depends on the specific conditions and parameters of the protected system, organization, or process. For quantification, a rule is usually used that evaluates how many resources, and with what availability, must be expended to restore the functioning of the affected structure. This statement also fully answers the question of how much one byte of information costs: as much as the resources needed to restore or acquire it.


In addition to the material elements of impact, it is necessary to include in these considerations intangible elements as well, such as the various forms of so-called reputational damage (loss of goodwill).

6. Risk

After determining, measuring, or estimating all the previous components, it remains to calculate, estimate, or otherwise determine the value of the risk. There are several mathematical models for calculating the resulting value of risk. However, it is important to interpret this value correctly. After considering all the specifics of the assessed organization, system, or process (risk analysis), it is necessary to establish pair categories: Risk Value – Impact Significance.


For example, the theft of a certain amount of flammable material from a medium-secured warehouse represents only a very small impact. However, the risk of theft is relatively high. The carriers of such risk are usually employees (organizations strongly resist this fact). The risk value is high – the impact relatively low.


The risk that someone will set fire to a flammable material warehouse is relatively low (strict fire prevention measures, regularly instructed personnel, non-sparking tools, etc.). If this act were carried out, however, the explosion (burning) of the warehouse would represent a significantly negative impact. Risk value low – impact high.
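To make the pair category concrete, here is an added example (not from the original article) that scores the article's threat, vulnerability and impact parameters on a 1-5 scale and classifies the two warehouse scenarios above into (risk value, impact significance) pairs. The additive scoring, the band thresholds and the scenario scores are assumptions chosen for illustration; the article names the parameters but prescribes no formula.

```python
from dataclasses import dataclass

# Every parameter is scored 1 (negligible) .. 5 (extreme). The additive
# scoring and the band thresholds are assumptions made for this example;
# the article names the parameters but prescribes no formula.
SCALE = range(1, 6)

@dataclass(frozen=True)
class Threat:
    significance: int     # predicted ability to disrupt the system
    accessibility: int    # how easily the threat reaches the asset
    recognizability: int  # how well the threat is known and identifiable

@dataclass(frozen=True)
class Vulnerability:
    significance: int
    attacker_access: int  # attacker's access to the weak point
    recognizability: int  # 1 = unrecognized/unknown, 5 = well known

@dataclass(frozen=True)
class Impact:
    restore_resources: int  # people, time, money to restore function
    reputational: int       # intangible damage (loss of goodwill)

def _validate(*scores: int) -> None:
    for s in scores:
        if s not in SCALE:
            raise ValueError(f"score {s} outside 1..5")

def likelihood(t: Threat, v: Vulnerability) -> float:
    """Measure (0..1) that the threat exploits the vulnerability.
    Known threats and vulnerabilities invite targeted countermeasures,
    so recognizability lowers the likelihood (assumption)."""
    _validate(t.significance, t.accessibility, t.recognizability,
              v.significance, v.attacker_access, v.recognizability)
    raw = (t.significance + t.accessibility + v.significance
           + v.attacker_access + (6 - t.recognizability)
           + (6 - v.recognizability))
    return round((raw - 6) / 24, 2)  # raw spans 6..30

def impact_score(i: Impact) -> float:
    """Impact as resources to restore plus intangible damage, 0..1."""
    _validate(i.restore_resources, i.reputational)
    return round((i.restore_resources + i.reputational - 2) / 8, 2)

def band(x: float) -> str:
    return "low" if x < 0.34 else "medium" if x < 0.67 else "high"

def classify(t: Threat, v: Vulnerability, i: Impact) -> tuple:
    """The article's pair category: (risk value, impact significance)."""
    return band(likelihood(t, v)), band(impact_score(i))

# Constructed scores for the article's two warehouse scenarios.
THEFT = (Threat(3, 5, 2), Vulnerability(3, 5, 2), Impact(2, 1))
ARSON = (Threat(5, 1, 5), Vulnerability(4, 1, 5), Impact(5, 4))

if __name__ == "__main__":
    for name, case in (("theft", THEFT), ("arson", ARSON)):
        print(name, classify(*case))  # theft: high/low, arson: low/high
```

Note that a single combined "risk number" would hide exactly the distinction the article insists on: both scenarios can land near the same product of likelihood and impact while demanding very different treatment.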

7. Conclusion

Risk assessment is an extremely complex process. Using recommendations in the form of ISO procedures or specific standards is a good guide, but not an exhaustive answer. The risk determination model must therefore be developed for each use in an almost unique way, with full respect for the specific conditions in which it is deployed.


The interpretation of risk determination results is crucial. Another key parameter is the dynamics of changes in the security environment. This parameter determines the frequency of repeating the processes of risk analysis.


The logical outcome of the described processes is deciding how the identified and quantified risk will be managed. For this purpose we know several procedures, ranging from eliminating the risk and reducing its level to transferring it to other entities or processes.
