Risk Thinking (Likelihood × Impact)

Big idea
Security work is about risk decisions. You cannot fix everything at once, so you choose what matters most.
Simple model
Risk = Likelihood × Impact
- Likelihood: How probable is it that the event happens?
- Impact: If it happens, how bad is it?
Why this helps
Two problems can feel scary, but one might be far more likely—or far more damaging.
Practice (10 minutes)
Rate each scenario using:
- Likelihood: Low / Medium / High
- Impact: Low / Medium / High
Then decide which of these scenarios you would handle first:
- Backups exist, but nobody has tested restoring them.
- Staff reuse passwords across multiple accounts.
- A public website is missing updates and patches.
Write:
- Scenario with highest priority:
- One control that reduces likelihood:
- One control that reduces impact: