The generic risk formula is:
R = P x I.
where the risk R is directly proportional to the probability P of the event and to the impact I of its consequence. Industrial organizations create a risk matrix to frame the risk and to make mitigation decisions.
Cyber Risk Formula:
Risk = Threat x Vulnerability x Impact
When we want to apply industrial cyber risk assessment, we use another risk formula that is more representative of the new discipline. Most organizations agree that this is the correct risk formula to use, even though each organization has a different method of calculating it. As a result, there is a lot of confusion in the market regarding the most appropriate way to assess risk and make decisions.
If we take a moment to analyze each of the methods used by the different actors to assess cyber risk, we can classify them into three types: those based on statistics, those based on vulnerabilities, and those based on consequences. There are even methods that combine these three types, or try to.
Statistical or Predictive methods. The calculation is based on data obtained by processing data from the past: from the observation of the past, an attempt is made to predict the future. Data collection is required over a certain period. There are simple methods that perform calculations by averaging the results with subclassification, etc., and there are more sophisticated predictive methods. These predictive methods are widely used and originate in information security or classic cybersecurity.
Statistical methods generally focus on threats and attack methods.
They require the collection of statistical data from the past, which is generally not easy to obtain. Not all countries have this capacity; in fact, very few do. It requires very strong laws and regulations, and that the entire industry complies with them. Even for the most developed countries, this is difficult and highly costly. Even if the resources are provided by the government, these initiatives and regulations are supported by taxes. Most people prefer to believe this is free of charge. It is not free. It requires a huge number of resources.
Whenever a new threat is discovered, the market must respond by protecting itself against that threat in a reactive manner. People would prefer to think that they are being proactive in their response before the threat arrives at their specific company, but the market responds reactively to the threat. Companies have the feeling that they are unprotected. The risk increases with each new threat. Threats appear very frequently.
Security is perceived when protection for that new threat is implemented. This is more of a short-term mitigation solution, because new threats appear within a short time. They are generally developed by malicious actors, although sometimes they are developed by actors considered ethically correct.
Risk is a race against time. It’s a speed race to see who gets to the cyber asset first: (a) the malicious hacker to cause damage, or (b) the security managers applying the antidote. It’s always a new sprint. Usually the good guys win, but sooner or later a sprint is lost. When the sprint is lost, the undesired consequence for the plant may end up occurring. Think about the Colonial Pipeline incident. This is the focus of IT: to prevent the occurrence of cyber incidents, without knowledge of the realistic potential consequences. It requires permanent spending and drains the budget. The main strategy is to prevent cyber incidents from happening.
Vulnerability mitigation methods. These methods require a vulnerability assessment. There are many methods to identify vulnerabilities, and in fact there are different types of vulnerabilities. Vulnerabilities are usually classified as administrative or procedural, cyber vulnerabilities typical of cyber devices, or physical or mechanical. Typically, when these methods are used, a severity or score is assigned to each vulnerability and then some type of calculation is performed to arrive at a result. Based on this result, decisions are made. These methods are widely used and originate from information security or classic cybersecurity.
There is an assumption that every vulnerability hides a risk, which in industrial cybersecurity is a wrong working hypothesis. This creates lots of distractions, incorrect prioritization and huge budget spending. It may be good for the cybersecurity industry, but not for the plant.
These methods identify vulnerabilities and assign each a factor, which is then combined into a risk outcome. Vulnerabilities can be procedural, cyber or physical.
Generally, the more vulnerabilities, the more risk. In the industrial field this is not necessarily correct. Every time a vulnerability is discovered, there is a feeling that the risk increases, and the market must respond quickly by applying the patch. But a vulnerability that cannot lead to a consequence carries no risk.
The feeling of security is short-term: it lasts only as long as it takes the market to discover new vulnerabilities. Vulnerabilities are usually discovered and published by ethical hackers. Malicious hackers don’t make them public; they keep them for their own benefit, but they use public vulnerabilities to develop malicious code.
These methods are also reactive: first the vulnerability is discovered, then the patch is developed. Security depends on applying the patch. This cycle is permanent.
Risk is a race against time. It’s a speed race to see who gets to the cyber asset first: (a) the malicious hacker to cause damage, or (b) the security managers applying the patch. It’s always a new sprint. Usually the good guys win, but sooner or later a sprint is lost. That day the undesired consequence for the plant may end up occurring. This is the IT approach: to prevent the occurrence of cyber incidents. It requires permanent spending and drains the budget.
Consequence-based methods. These methods calculate risk based on the consequences that are not tolerable by the plant. To do this, it is necessary to use the plant’s risk matrix and knowledge, since risk framing differs from plant to plant and from organization to organization: what is considered a risk for one plant may not be a risk for another. What is meant by consequence and impact of consequence? These methods originate from the ISA99 committee, responsible for the creation of the ISA/IEC-62443 series of standards. They are based on developing knowledge provided by the plant.
The recommendation by ISA/IEC-62443-3-2 is to identify all possible consequences for each zone and conduit, and influence the system and plant design to prevent the occurrence of the consequences even if the cyber incident eventually occurs.
The calculation of risk depends fundamentally on correctly identifying the realistic possible consequences instead of assuming a risk. If the plant stays the same, with the same physical assets and the same cyber assets, the possible consequences will not change, even if 20 years pass.
This risk mitigation method is longer-term and durable over time. It no longer depends on the vulnerability of the moment, nor on the new threats of the moment. Vulnerabilities and new patches should be analyzed with a process, not based on the score given to the new vulnerability. A case-by-case study is required.
Patches take time. Once a new vulnerability is discovered, vendors need time to release the patch after a comprehensive, heavy testing and QA process. Many industrial processes cannot stop, and applying patches may be very costly or risky. Failure is not an option. On the other hand, due to pressure coming from the IT industry, many OT vendors are releasing patches without proper testing. Given the tremendous number of patches being released, the risk and stress for the plants increase.
This is known as the consequence-based risk mitigation method, also called security by design. It is more durable and maintainable over time. It requires investment at the beginning, but over time it requires a lower budget.
A robust plant and control system design is created in which the unintended consequence for the plant can no longer occur, even if the cyber incident eventually occurs. It is a long-term solution at the lowest possible budget. Without a doubt, this is the best return on investment.
This is where two principles collide: Information Security (IT) versus Industrial Security (IACS). The IT approach intends to resolve the formula (R = T x V x I) from left to right. The ISA/IACS approach solves the formula from right to left. Information security prioritizes the protection of cyber assets to prevent the cyber incident, while industrial security prioritizes the protection of physical assets, preventing the potential consequences by design. What is meant by consequence and impact?
For an industrial plant, the consequences can be: (a) tank spill, (b) environmental damage, (c) boiler explosion, (d) death of one or more people, (e) plant shutdown, etc.
For information security, the priority is to prevent the occurrence of the cyber incident, assuming that in this way the second event (the consequence) is avoided, which is generally incorrect or uncertain. A cyber incident is when one or more cyber assets are compromised in their confidentiality, availability, or integrity.
A cyber incident may or may not end in a consequence. This depends on the control system design and the plant layout, also called “Plant Behavior,” which we wrote about in another article. This is typically ignored by most methods used today, which prioritize the security of cyber assets over the security of the physical asset.
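As an added example (not code from the article), the following toy Python model contrasts the two readings of the formula described above: ranking findings by vulnerability score alone (left to right) versus ranking by R = T x V x I solved from the plant's consequences (right to left), where an independent design safeguard makes the consequence unreachable and therefore sets I, and the risk, to zero. The asset names, scores, impact weights and findings are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed plant risk matrix: worst realistic physical consequence -> impact weight.
# A consequence the plant cannot tolerate gets a high weight; "none" gets 0.
IMPACT = {"boiler explosion": 5, "tank spill": 4, "plant shutdown": 3, "none": 0}


@dataclass
class Finding:
    asset: str
    vuln_score: float          # vulnerability severity, e.g. a CVSS-like 0-10 score
    consequence: str           # worst realistic physical consequence reachable via this asset
    prevented_by_design: bool  # an independent safeguard (e.g. mechanical relief) blocks it


def vulnerability_priority(findings):
    """Left-to-right view: rank by vulnerability severity alone (the 'IT' ordering)."""
    return [f.asset for f in sorted(findings, key=lambda f: -f.vuln_score)]


def consequence_risk(f, threat=1.0):
    """Right-to-left view: R = T x V x I with I taken from the plant's risk matrix.
    If the plant/control design makes the consequence unreachable, I = 0 and so R = 0."""
    impact = 0 if f.prevented_by_design else IMPACT[f.consequence]
    return threat * f.vuln_score * impact


def consequence_priority(findings):
    """Rank by consequence-based risk and drop findings that carry no risk at all."""
    ranked = sorted(findings, key=lambda f: -consequence_risk(f))
    return [f.asset for f in ranked if consequence_risk(f) > 0]


def apply_safeguard(findings, asset):
    """Design-level mitigation in the spirit of ISA/IEC-62443-3-2: add an independent
    safeguard so the consequence cannot occur even if the cyber asset is compromised."""
    return [Finding(f.asset, f.vuln_score, f.consequence, True) if f.asset == asset else f
            for f in findings]


# Constructed findings for a fictional plant.
FINDINGS = [
    Finding("historian_server", 9.8, "none", False),       # no path to a physical consequence
    Finding("boiler_plc", 6.5, "boiler explosion", True),  # relief valve independent of the PLC
    Finding("tank_level_controller", 5.0, "tank spill", False),
    Finding("packaging_hmi", 7.5, "plant shutdown", False),
]

if __name__ == "__main__":
    print("by vulnerability score:", vulnerability_priority(FINDINGS))
    print("by consequence risk:   ", consequence_priority(FINDINGS))
    print("after safeguarding tank:", consequence_priority(apply_safeguard(FINDINGS, "tank_level_controller")))
```

The highest-scored vulnerability (the historian) tops the first list but disappears from the second, while the boiler PLC is removed from the risk picture by the relief valve rather than by a patch.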
What method for making good decisions is your organization using? Take your time to evaluate your vendors and consultants. They might be mitigating your budget a lot quicker than they are mitigating your risk.
Conclusion. Clearly, the best, most durable and most convenient method for the plant is one that meets the objectives and requirements of the ISA/IEC-62443-3-2 standard. Several risk assessment methods meet these requirements. The one explained in ISA’s IC33 course is known as CPHA or Cyber PHA (Cyber Process Hazard Analysis). There are other consequence-based risk assessment methods, both simpler and more sophisticated, that also meet the requirements of ISA/IEC-62443. Each of these methods has its own particulars and precautions. Whatever methodology is chosen, it must be implemented consistently during the assessment, design, implementation, operation and maintenance activities.