Likelihood
Likelihood in cybersecurity is a measure of the expected frequency or probability of a particular threat event or vulnerability exploitation occurring. It considers various internal and external factors, including the presence and effectiveness of existing security controls, the attractiveness of the target to threat actors, historical incident data, the sophistication of potential attackers, and the inherent vulnerabilities within systems.
Likelihood is typically assessed qualitatively (e.g., low, medium, high) or quantitatively (e.g., a specific percentage or number of occurrences per year) and is fundamental for calculating the overall risk exposure and prioritizing risk mitigation strategies.
Why Is Assessing Likelihood Important in Cybersecurity?
Understanding the likelihood of potential cyber threats is crucial for several reasons:
- Resource Allocation: Organizations have limited budgets and personnel. By accurately assessing likelihood, security teams can focus resources on the most probable threats rather than spreading efforts too thin.
- Risk Prioritization: Combined with impact assessment, likelihood helps organizations prioritize which risks require immediate attention and which can be accepted or monitored.
- Informed Decision-Making: Executives and stakeholders can make better strategic decisions when they understand not just what could happen, but how likely it is to occur.
- Regulatory Compliance: Many frameworks, including NIST SP 800-30 and ISO/IEC 27005, require organizations to conduct risk assessments that include likelihood evaluation.
How to Assess Likelihood of a Cyber Attack
Assessing likelihood involves a systematic evaluation of multiple factors. Organizations typically use one of two approaches:
Qualitative Assessment
This approach uses descriptive categories such as:
- Low: The event is unlikely to occur (e.g., once every 5+ years)
- Medium: The event may occur occasionally (e.g., once per year)
- High: The event is expected to occur frequently (e.g., multiple times per year)
Quantitative Assessment
This method assigns numerical values, such as:
- Specific percentages (e.g., 15% probability within 12 months)
- Annualized Rate of Occurrence (ARO): the expected number of occurrences per year
- Statistical modeling based on historical data
According to NIST SP 800-30, organizations should consider threat source characteristics, vulnerability severity, and the effectiveness of current controls when determining likelihood.
Which Factors Most Influence Attack Likelihood?
Several key factors significantly impact the likelihood of a cyber attack:
- Vulnerability Presence: Unpatched systems and known vulnerabilities dramatically increase likelihood
- Threat Actor Motivation: High-value targets (financial institutions, healthcare) face higher likelihood of targeted attacks
- Security Control Effectiveness: Robust security measures reduce the likelihood of successful exploitation
- Attack Surface: Organizations with larger digital footprints present more opportunities for attackers
- Industry Sector: Certain industries are more frequently targeted based on data value and regulatory requirements
- Historical Incident Data: Past attack patterns can indicate future likelihood
Practical Examples
High Likelihood, Low Impact Scenario
A company's internal file server has a known, unpatched vulnerability. While exploitation is highly likely due to the publicly documented vulnerability, the server only contains publicly available marketing materials. Solution: Despite the low impact, patching should still be prioritized as the compromised server could serve as a pivot point for further attacks.
Low Likelihood, High Impact Scenario
A small business without a dedicated security team faces the possibility of a sophisticated nation-state attack. While the impact (complete operational shutdown, data theft) would be catastrophic, the likelihood of such a targeted attack on a small entity is very low. Solution: Focus resources on more probable threats while maintaining basic security hygiene that would also mitigate sophisticated attacks.
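As an added example (not part of the original article), the following Python maps an ARO to the qualitative bands described above, converts it to a probability within 12 months, and scores the two practical scenarios in a simple 3x3 likelihood-by-impact matrix. The band thresholds are an interpretation of the frequency examples given above, the ARO-to-probability conversion assumes events arrive as a Poisson process, and the risk register entries are constructed.

```python
import math
from dataclasses import dataclass

# Qualitative bands derived from the article's frequency examples (an interpretation,
# not a standard): Low = at most once every 5 years (ARO <= 0.2), Medium = up to
# about once a year (ARO <= 1), High = more than once a year.
def likelihood_band(aro: float) -> str:
    """Map an Annualized Rate of Occurrence to Low / Medium / High."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    if aro <= 0.2:
        return "Low"
    if aro <= 1.0:
        return "Medium"
    return "High"

def probability_within(aro: float, months: int = 12) -> float:
    """Probability of at least one event in a window of `months`.
    Assumption: events arrive as a Poisson process with rate `aro` per year,
    so P(at least one) = 1 - exp(-rate * time)."""
    return 1.0 - math.exp(-aro * months / 12.0)

RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Risk:
    name: str
    aro: float      # expected occurrences per year
    impact: str     # "Low", "Medium" or "High"

    def score(self) -> int:
        # 3x3 risk matrix: likelihood rank times impact rank, giving 1..9
        return RANK[likelihood_band(self.aro)] * RANK[self.impact]

def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest combined score first; ties keep their original order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

# Constructed register mirroring the two scenarios above, plus one extra entry
REGISTER = [
    Risk("Unpatched internal file server (marketing materials)", aro=3.0, impact="Low"),
    Risk("Nation-state attack on a small business", aro=0.05, impact="High"),
    Risk("Phishing leading to credential theft (constructed)", aro=1.0, impact="Medium"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"score={r.score()}  {likelihood_band(r.aro):6}  impact={r.impact:6}  "
              f"P(12mo)={probability_within(r.aro):.0%}  {r.name}")
```

Note that the two page scenarios land on the same matrix score, which is exactly why the article treats them differently: the score alone does not say whether to patch or to accept, only that both deserve attention.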
When Should Likelihood Be Reassessed?
Likelihood assessments are not static and should be reviewed:
- Regularly: At least annually as part of routine risk assessments
- After Security Incidents: Any breach or near-miss should trigger reassessment
- When Threat Landscapes Change: New vulnerabilities, attack techniques, or threat actors emerge
- During Infrastructure Changes: New systems, applications, or network configurations alter the attack surface
- Following Control Implementations: New security measures should lower likelihood ratings, and the reassessment should confirm that they actually do
Organizations following frameworks from ISACA, SANS Institute, and the Center for Internet Security (CIS) will find likelihood assessment embedded throughout their recommended practices and controls.