A risk is the possibility of something negative occurring. From an information technology security perspective, risks broadly comprise the following:
Human error: The weakest point of any system is the user. Errors can be deliberate, as with a malicious insider, or the result of negligence.
Technical failures: Manufacturers of IT hardware and software provide updates only for a limited period. Once hardware reaches the point where it can no longer support patches or software updates, it must be treated as insecure. Continued use of such devices is a risk: they may crash or corrupt data, and any flaws found in them will remain unpatched.
System downtime/system interruptions: This risk arises from infrastructure failures such as the loss of a network connection between systems or the loss of the organisation's internet connection altogether.
Third-party exposure: Poorly managed policies and SLAs between the organisation and third-party vendors or contractors are a risk that can lead to exposure of user data or a breach of internal systems.
Disaster recovery risk: The risk that the organisation cannot restore its data and systems after a disruptive event. A feasible, regularly tested data recovery and disaster management plan mitigates this risk.
Regulatory risk: As partially explained in IT Risks Assessment, non-compliance with local or internationally recognised legislation and regulations creates a risk for the organisation. Some of these regulations are listed in our Resources section.
Physical threats: These risks result from damage to IT infrastructure and resources such as network cables, personal computers and data centers. Examples are floods, lightning, fire and theft of devices.
Electronic threats: These risks are not physically visible but occur more frequently than the others. They involve malicious damage to, or compromise of, data and systems with the objective of causing harm. Examples are malware attacks and intrusions by threat actors.
According to the National Institute of Standards and Technology's Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30), IT risk mitigation can be achieved through the following options:
Risk assumption: Accepting the potential risk and continuing to operate, or implementing controls to lower the risk to an acceptable level.
Risk avoidance: Avoiding the risk by eliminating its cause or consequence, for example by forgoing a function of the system or shutting the system down when the risk is identified.
Risk limitation: Limiting the risk by implementing controls that minimise the adverse impact of a threat exercising a vulnerability.
Risk planning: Managing the risk by developing a risk mitigation plan that prioritises, implements and maintains controls.
Research and acknowledgment: Lowering the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct it.
Risk transference: Transferring the risk by using other options to compensate for the loss, such as purchasing insurance.
How well risks are mitigated depends largely on the effectiveness of the controls chosen. Such controls identify assets and threats, prevent incidents, detect those that do occur, and recover from a disaster when it happens.
Much of the information on IT risks is covered in the IT Risks Assessment and The IT Risk Matrix articles.