This is one of the 52 terms in The Language of Cybersecurity, published by XML Press in 2018; the contributor for this term is Bob Trosper.

What is it?

A tool to capture and quantify information about the risks associated with a project or activity, including the potential impact, likelihood of occurrence, mitigation measures, responses, and response triggers.

Why is it important?

A risk register increases the chances of successful execution of a project or activity by helping managers identify and evaluate risks, assess their potential impact, and create contingency plans.

Why does a business professional need to know this?

Unmitigated or unaddressed realized risks can kill. A risk register enables you to create a score for any risk that quantifies the potential impact of that risk and the likelihood that it will occur. Use this formula to calculate the score: risk score = impact × likelihood of occurrence. Prioritize your efforts by focusing on risks with the highest score, and create plans for how to reduce the possibility of those risks occurring (mitigation) and how to respond if mitigation fails (risk response).

It is important not to confuse mitigation and risk response. If mitigation succeeds, no one outside your team will ever know there was a risk. You can close the risk and move on. However, you must define a clear trigger that will trip if mitigation fails and the risk becomes realized. At that point you execute your risk response.
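The scoring, prioritization and mitigation/trigger/response lifecycle described in the two paragraphs above, as an added example in Python (not code from the book or the contributor). The 1..5 scales for impact and likelihood, the status names and the sample entries are assumptions; the page gives only the formula impact × likelihood.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    impact: int           # 1 (negligible) .. 5 (severe); the 1..5 scale is an assumption
    likelihood: int       # 1 (rare) .. 5 (almost certain); the 1..5 scale is an assumption
    mitigation: str       # what is done to stop the risk from materializing
    response: str         # what is done if mitigation fails
    trigger: str          # observable condition that shows mitigation has failed
    status: str = "open"  # "open", "closed" (mitigated) or "realized" (trigger tripped)

    @property
    def score(self) -> int:
        return self.impact * self.likelihood  # the entry's formula

class RiskRegister:
    def __init__(self):
        self.risks = []

    def prioritized(self):
        # Open risks only, highest score first: where effort should go.
        open_risks = [r for r in self.risks if r.status == "open"]
        return sorted(open_risks, key=lambda r: r.score, reverse=True)

    def close(self, name: str) -> None:
        # Mitigation succeeded: retire the risk and move on.
        for r in self.risks:
            if r.name == name and r.status == "open":
                r.status = "closed"

    def observe(self, event: str):
        # An event matching an open risk's trigger means mitigation failed:
        # mark the risk realized and hand back the response to execute.
        for r in self.risks:
            if r.status == "open" and r.trigger == event:
                r.status = "realized"
                return r.response
        return None

def sample_register() -> RiskRegister:
    # Constructed sample entries for a small security programme (assumed values).
    reg = RiskRegister()
    reg.risks.append(Risk("credential phishing", 4, 4, "phishing-resistant MFA",
                          "reset affected accounts and revoke sessions", "login with phished credential"))
    reg.risks.append(Risk("unpatched internet-facing server", 5, 3, "30-day patch SLA",
                          "isolate host and open an incident", "exploitation alert on server"))
    reg.risks.append(Risk("laptop loss", 3, 2, "full-disk encryption",
                          "remote wipe and report", "device reported lost"))
    return reg
```

Calling `sample_register().prioritized()` lists the open entries by score (16, 15, 6), and `observe(...)` with a trigger string returns the response to execute only while that risk is still open.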

If you are buying or selling cybersecurity defenses, you can use the risk register to evaluate a tool or create one. To do this, you enter each security risk in the register, along with a description of what the product does to prevent that risk from materializing and what you should do if the mitigation fails.

The Good Enough Risk Register Template is a simple spreadsheet that implements a risk register. Enter the information in each field and the sheet will calculate a risk score for you.