Risk is the likelihood that a damaging event occurs, weighed against the extent of the damage it would cause. In IT, such an event results from vulnerabilities in systems, components, communication networks or software that are exploited, whether accidentally or deliberately.
For the security of IT systems this means that security and risk are inversely related: the higher the risk, the lower the security that can be assumed, and vice versa. Risk begins where security ends. A distinction is made between residual risk (the risk that remains after countermeasures have been applied), tolerable risk (the level of risk that is accepted in a given context) and, for equipment under control (EUC), the EUC risk, i.e. the risk arising from the equipment itself before protective measures are applied.
Determining the risk-relevant weak points by a methodical procedure is called risk analysis. Such an analysis examines technical and human vulnerabilities so that the frequency and the duration of damage events can be limited and reduced. The results of the risk analysis, together with key risk indicators, feed into risk management.
Risks can be classified by the object affected, the activity, the originator and the cause, as well as by the frequency and the amount of damage.
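The following is an added example, not part of the original entry: a small quantitative risk register in Python that ties the terms above together. It assumes the common annualised-loss model (ALE = frequency × amount of damage per event), which the entry itself does not prescribe; the risks, figures, controls and the tolerable threshold are constructed for illustration. Each risk carries the classification axes named above (object, activity, originator, cause, frequency, damage), controls scale frequency or damage, the residual risk is compared with the tolerable risk, and a few key risk indicators are derived for risk management.

```python
"""Added example: minimal quantitative risk register (hypothetical data).

Model assumed here, not taken from the original entry: each risk has a
frequency (annual rate of occurrence, ARO) and an amount of damage per
event (single loss expectancy, SLE); annualised loss expectancy
ALE = ARO * SLE. Controls scale ARO and/or SLE; what is left afterwards
is the residual risk, which is compared with a tolerable risk.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_factor: float = 1.0  # multiplies ARO (1.0 = no effect)
    impact_factor: float = 1.0      # multiplies SLE (1.0 = no effect)


@dataclass
class Risk:
    # Classification axes named in the entry: object, activity, originator, cause.
    obj: str
    activity: str
    originator: str   # who or what triggers the event: attacker, insider, accident
    cause: str        # the vulnerability that is exploited
    aro: float        # frequency: expected damage events per year
    sle: float        # amount of damage per event, in currency units
    controls: list = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Risk before any control is applied."""
        return self.aro * self.sle

    def residual_ale(self) -> float:
        """Risk that remains after all controls have been applied."""
        aro, sle = self.aro, self.sle
        for c in self.controls:
            aro *= c.likelihood_factor
            sle *= c.impact_factor
        return aro * sle


def assess(risks, tolerable_ale):
    """Compare each risk's residual ALE with the tolerable risk."""
    rows = []
    for r in risks:
        residual = r.residual_ale()
        rows.append({
            "object": r.obj,
            "originator": r.originator,
            "cause": r.cause,
            "inherent": r.inherent_ale(),
            "residual": residual,
            "within_tolerance": residual <= tolerable_ale,
        })
    return rows


def key_risk_indicators(rows):
    """Aggregate figures that feed into risk management."""
    inherent = sum(x["inherent"] for x in rows)
    residual = sum(x["residual"] for x in rows)
    by_originator = defaultdict(float)
    for x in rows:
        by_originator[x["originator"]] += x["residual"]
    return {
        "total_inherent_ale": inherent,
        "total_residual_ale": residual,
        "risk_reduction": 1 - residual / inherent if inherent else 0.0,
        "above_tolerance": [x["object"] for x in rows if not x["within_tolerance"]],
        "residual_by_originator": dict(by_originator),
    }


# Constructed sample register; all names and figures are made up for illustration.
SAMPLE_RISKS = [
    Risk("customer database", "web ordering", "external attacker", "SQL injection",
         aro=0.5, sle=200_000,
         controls=[Control("parameterised queries", likelihood_factor=0.1),
                   Control("WAF", likelihood_factor=0.5)]),
    Risk("field laptops", "sales visits", "accident", "lost or stolen device",
         aro=2.0, sle=20_000,
         controls=[Control("full-disk encryption", impact_factor=0.1)]),
    Risk("file server", "document storage", "external attacker", "ransomware via phishing",
         aro=0.2, sle=500_000,
         controls=[Control("offline backups", impact_factor=0.2)]),
]
TOLERABLE_ALE = 10_000  # assumed tolerable annual loss per risk


if __name__ == "__main__":
    rows = assess(SAMPLE_RISKS, TOLERABLE_ALE)
    for x in rows:
        print(f"{x['object']:<18} inherent {x['inherent']:>9,.0f}  "
              f"residual {x['residual']:>9,.0f}  "
              f"{'ok' if x['within_tolerance'] else 'ABOVE TOLERANCE'}")
    print(key_risk_indicators(rows))
```

In the sample data the file-server risk stays above the tolerable threshold even after the backup control, because the control only reduces the amount of damage, not the frequency; that is exactly the case a risk analysis is meant to surface for risk management.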