In cybersecurity, likelihood refers to the estimated probability or frequency of a specific cyber event, such as a breach or attack, occurring within a defined timeframe. It's a key component of risk assessment, alongside impact.

Likelihood in cybersecurity is a measure of the expected frequency or probability of a particular threat event or vulnerability exploitation occurring. It considers various internal and external factors, including the presence and effectiveness of existing security controls, the attractiveness of the target to threat actors, historical incident data, the sophistication of potential attackers, and the inherent vulnerabilities within systems. Likelihood is typically assessed qualitatively (e.g., low, medium, high) or quantitatively (e.g., a specific percentage or number of occurrences per year) and is fundamental for calculating overall risk exposure and prioritizing risk mitigation strategies.

What is likelihood in cybersecurity?

In cybersecurity, likelihood refers to the estimated probability or expected frequency of a specific cyber event—such as a data breach, malware infection, or targeted attack—occurring within a defined timeframe. It is one of the two core components of risk assessment, alongside impact. Together, likelihood and impact determine the overall risk level associated with a given threat or vulnerability.

Likelihood can be expressed in two primary ways:

  • Qualitative assessment: Using descriptive scales such as low, medium, or high to categorize probability.
  • Quantitative assessment: Using numerical values, such as a percentage chance or an expected number of occurrences per year (annualized rate of occurrence).

Frameworks from organizations like the National Institute of Standards and Technology (NIST) and ISO/IEC 27005 provide structured methodologies for evaluating and documenting likelihood as part of comprehensive risk management programs.

Why is assessing likelihood important in cybersecurity?

Assessing likelihood is essential because it enables organizations to make informed, risk-based decisions about where to allocate limited security resources. Without a clear understanding of how probable a given threat is, organizations may either over-invest in defending against unlikely scenarios or dangerously under-invest in protecting against common attack vectors.

Key reasons likelihood assessment matters include:

  • Risk prioritization: By combining likelihood with impact, security teams can rank risks and focus on the threats that pose the greatest overall danger.
  • Resource optimization: It helps ensure budgets, personnel, and technology investments are directed toward the most probable and consequential threats.
  • Regulatory compliance: Standards and frameworks such as those from ISACA, NIST, and ISO require formal risk assessments that include likelihood evaluation.
  • Stakeholder communication: Likelihood provides a common language for communicating cyber risk to executives, boards, and non-technical stakeholders.

How do you assess the likelihood of a cyber attack?

Assessing the likelihood of a cyber attack involves a systematic evaluation of multiple factors. The NIST SP 800-30 framework outlines a widely adopted approach:

  1. Identify threat sources and events: Determine who or what could initiate an attack (e.g., cybercriminals, insiders, nation-states) and what methods they might use.
  2. Evaluate existing vulnerabilities: Assess technical and procedural weaknesses within your environment that could be exploited.
  3. Review historical data: Analyze past incidents, industry threat intelligence, and breach statistics to inform probability estimates.
  4. Assess current controls: Evaluate the effectiveness of existing security measures—firewalls, endpoint detection, access controls, employee training—in reducing the chance of exploitation.
  5. Assign a likelihood rating: Based on the above analysis, assign a qualitative or quantitative likelihood value.

For example:

  • High Likelihood, Low Impact: A company's internal file server has a known, unpatched vulnerability. While exploitation is highly likely, the server only contains publicly available marketing materials, so the impact would be low.
  • Low Likelihood, High Impact: A small business without a dedicated security team faces the possibility of a sophisticated nation-state attack. While the impact (complete operational shutdown, data theft) would be catastrophic, the likelihood of such a targeted attack on a small entity is very low.
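As an added example (not from the original page or from NIST), the five steps above carried through in Python for the two scenarios just described: a historical event rate is reduced by control effectiveness (step 4), mapped to a qualitative band (step 5), and combined with impact. The ARO thresholds, the control-effectiveness factor and the 3x3 risk matrix are constructed assumptions for illustration, not the tables in NIST SP 800-30.

```python
from dataclasses import dataclass

# Qualitative bands for an annualized rate of occurrence (ARO), events per year.
# Thresholds are constructed for this example: under once per decade is "low",
# under once per year is "medium", anything more frequent is "high".
LIKELIHOOD_BANDS = [(0.1, "low"), (1.0, "medium"), (float("inf"), "high")]
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Scenario:
    name: str
    base_aro: float               # step 3: historical / industry event rate per year
    control_effectiveness: float  # step 4: 0.0 = no reduction, 0.9 = stops 90% of attempts
    impact: str                   # "low" | "medium" | "high"


def residual_aro(s: Scenario) -> float:
    """Expected successful events per year after existing controls are applied."""
    if not 0.0 <= s.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return s.base_aro * (1.0 - s.control_effectiveness)


def likelihood_rating(aro: float) -> str:
    """Step 5: map a quantitative ARO onto the qualitative low/medium/high scale."""
    for ceiling, label in LIKELIHOOD_BANDS:
        if aro < ceiling:
            return label
    return "high"


def risk_level(likelihood: str, impact: str) -> str:
    """Constructed 3x3 matrix: product of ordinal levels, 6-9 high, 3-4 medium, 1-2 low."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def assess(s: Scenario) -> dict:
    aro = residual_aro(s)
    lik = likelihood_rating(aro)
    return {"scenario": s.name, "residual_aro": round(aro, 3),
            "likelihood": lik, "impact": s.impact, "risk": risk_level(lik, s.impact)}


# Constructed inputs for the two scenarios in the text above.
SCENARIOS = [
    Scenario("Unpatched internal file server (marketing materials only)",
             base_aro=4.0, control_effectiveness=0.2, impact="low"),
    Scenario("Nation-state attack on a small business",
             base_aro=0.02, control_effectiveness=0.0, impact="high"),
]

if __name__ == "__main__":
    for result in map(assess, SCENARIOS):
        print(result)
```

Both scenarios land at medium overall risk, which is the point of the two examples: a very likely event with little impact and a very unlikely event with severe impact can rank the same, and neither should crowd out a threat that is both probable and consequential.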

When should likelihood be reassessed?

Likelihood is not a static value—it must be regularly reassessed to remain accurate and actionable. Organizations should reassess likelihood in the following circumstances:

  • After significant infrastructure changes: Deploying new systems, migrating to the cloud, or integrating third-party services alters the attack surface.
  • Following a security incident: Any breach or near-miss provides new data that should inform updated likelihood assessments.
  • When new vulnerabilities are disclosed: The discovery of critical vulnerabilities (e.g., zero-day exploits) can dramatically shift the probability of an attack.
  • In response to evolving threat intelligence: Changes in attacker tactics, techniques, and procedures (TTPs) reported by organizations like the SANS Institute or Center for Internet Security (CIS) necessitate reassessment.
  • On a regular schedule: Best practices recommend at least annual risk assessments, with more frequent reviews for high-risk environments.

Which factors most influence attack likelihood?

Multiple factors converge to determine how likely a cyber attack is to occur. The most influential include:

  • Vulnerability exposure: The number and severity of unpatched or misconfigured systems directly increase likelihood.
  • Threat actor motivation and capability: The attractiveness of an organization's assets (financial data, intellectual property, critical infrastructure) and the sophistication of adversaries targeting the sector.
  • Security control effectiveness: Well-implemented, layered defenses—including technical controls, policies, and employee awareness—significantly reduce likelihood.
  • Attack surface size: Organizations with extensive internet-facing assets, remote workforces, and complex supply chains present more opportunities for exploitation.
  • Industry and geopolitical context: Certain sectors (finance, healthcare, government) and geopolitical situations inherently attract more threat activity.
  • Historical incident patterns: Past attack frequency and types experienced by the organization or its peers serve as strong predictors of future likelihood.

By continuously evaluating these factors, organizations can maintain an accurate, dynamic understanding of their risk landscape and make better-informed decisions to protect their assets.