[Assets, Vulnerabilities, Threats, Risks](Assets,%20Vulnerabilities,%20Threats,%20Risks.md)
[Vulnerability 1](Vulnerability%201.md)
[Information security concepts MoC](../Information%20security%20concepts%20MoC.md)
[Assets, Vulnerabilities, Threats, Risks](../📚️%20Literature%20notes/Assets,%20Vulnerabilities,%20Threats,%20Risks.md)

See also the slide decks made for workshop sessions; those for Kaliber, Nedap and Networking4AL are the most recent.

See also [Risk appetite 1](Risk%20appetite%201.md)

See also [Classificatie van risico's obv Oorzaken](Classificatie%20van%20risico's%20obv%20Oorzaken.md)

## Definitions

[Source](http://cybersecurity-materiality.com/)

A **weakness** is a deficiency in controls where it is probable that reasonable threats will not be prevented or detected in a timely manner, which directly or indirectly affects assurance that the organization can adhere to its stated risk tolerance.

A **risk** is a situation where someone or something valued is exposed to danger, harm or loss.

A **threat** is a person or thing likely to cause damage or danger.

An **incident** is an occurrence that actually or potentially jeopardizes the Confidentiality, Integrity, Availability or Safety (CIAS) of a system, application, service or the data that it processes, stores and/or transmits.

### Material risks

A weakness, risk, threat or incident is considered 'material' if the potential financial impact exceeds one of the following thresholds[^1]:

- ≥ 5% of pre-tax profit;
- ≥ 5% of revenue;
- ≥ 1% of total equity; and/or
- ≥ 0.5% of total assets.
[Source](http://cybersecurity-materiality.com/)

[^1]: SEC, Generally Accepted Accounting Principles (**GAAP**) and International Financial Reporting Standards (**IFRS**)

**The official ISO definition of risk** is "the effect of uncertainty on objectives," meaning any circumstance, event, or issue that could impede or alter the achievement of an organization's goals, whether those effects are positive or negative deviations from what was expected. This definition is used within key standards like ISO 31000, ISO 27001, and ISO 9001, emphasizing that risk encompasses any factor that threatens or impacts an organization's ability to reach its intended outcomes.
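The materiality test in the "Material risks" section above is a set of ratio checks, and it is easy to apply inconsistently by hand across many risk scenarios. The following is an added example (not code from the note or from cybersecurity-materiality.com) that encodes the four thresholds and reports which of them a given potential financial impact meets or exceeds; the "and/or" in the note is read as "any one threshold suffices". The company figures, the scenario impacts and the handling of a non-positive base figure (a loss-making year, where the profit threshold is treated as undefined and skipped) are assumptions made for this example.

```python
from dataclasses import dataclass

# Thresholds from the note, expressed as a fraction of each financial figure.
MATERIALITY_THRESHOLDS = {
    "pre_tax_profit": 0.05,   # >= 5% of pre-tax profit
    "revenue": 0.05,          # >= 5% of revenue
    "total_equity": 0.01,     # >= 1% of total equity
    "total_assets": 0.005,    # >= 0.5% of total assets
}


@dataclass(frozen=True)
class Financials:
    """Annual figures used as the base for each threshold (same currency as the impact)."""
    pre_tax_profit: float
    revenue: float
    total_equity: float
    total_assets: float


def exceeded_thresholds(impact: float, fin: Financials) -> list[str]:
    """Return the names of the thresholds that `impact` meets or exceeds.

    Assumption for this example: a base figure that is zero or negative (e.g. a
    pre-tax loss) makes that particular threshold undefined, so it is skipped
    rather than trivially triggered.
    """
    hits = []
    for name, ratio in MATERIALITY_THRESHOLDS.items():
        base = getattr(fin, name)
        if base <= 0:
            continue
        if impact >= ratio * base:
            hits.append(name)
    return hits


def is_material(impact: float, fin: Financials) -> bool:
    """Material if any single threshold is reached ('and/or' in the note)."""
    return bool(exceeded_thresholds(impact, fin))


def triage(scenarios: dict[str, float], fin: Financials) -> dict[str, list[str]]:
    """Map each named risk scenario to the thresholds its potential impact triggers."""
    return {name: exceeded_thresholds(impact, fin) for name, impact in scenarios.items()}


# Constructed sample company (figures chosen for illustration only).
SAMPLE_FINANCIALS = Financials(
    pre_tax_profit=20_000_000,
    revenue=400_000_000,
    total_equity=150_000_000,
    total_assets=900_000_000,
)

# Constructed potential-impact estimates for a few hypothetical scenarios.
SAMPLE_SCENARIOS = {
    "ransomware outage, 3 days": 2_000_000,
    "single laptop loss": 500_000,
    "ERP data integrity failure": 6_000_000,
}


if __name__ == "__main__":
    for scenario, hits in triage(SAMPLE_SCENARIOS, SAMPLE_FINANCIALS).items():
        verdict = "MATERIAL" if hits else "not material"
        print(f"{scenario}: {verdict} {hits}")
```

With the sample figures, a 2,000,000 impact reaches the pre-tax-profit threshold (1,000,000) and the equity threshold (1,500,000) but not the revenue (20,000,000) or assets (4,500,000) thresholds, so it is material on two counts; the 500,000 scenario reaches none. Recording which thresholds fired, rather than only a yes/no, makes the materiality judgement reviewable later when the underlying financials change.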