Risk assessment

1. The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and safeguards that would mitigate this impact.

Source: Election Terminology Glossary - Draft, National Institute of Standards and Technology (NIST), https://pages.nist.gov/ElectionGlossary/; Glossary of terms database, U.S. Election Assistance Commission, https://www.eac.gov/glossary/

2. The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Risk assessment is part of risk management; it incorporates threat and vulnerability analyses and considers mitigations provided by security controls that are planned or in place.

Source: The State and Local Election Cybersecurity Playbook, Defending Digital Democracy Project, Harvard Kennedy School Belfer Center for Science and International Affairs, https://www.belfercenter.org/sites/default/files/files/publication/StateLocalPlaybook%201.1.pdf

3. The appraisal of the risks facing an entity, asset, system, or network, organizational operations, individuals, geographic area, other organizations, or society, and includes determining the extent to which adverse circumstances or events could result in harmful consequences.

4. The product or process which collects information and assigns values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making.

Source: Explore Terms: A Glossary of Common Cybersecurity Terminology, National Initiative for Cybersecurity Careers and Studies (NICCS), https://niccs.us-cert.gov/about-niccs/glossary
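A worked example, added here and not drawn from any of the sources cited on this page, of the activity that definitions 1, 2 and 4 describe: identify threat/vulnerability pairs, assign likelihood and impact values, account for safeguards that are in place or only planned, and rank the results to inform priorities. The 1..5 scales, the rating bands, the reduction factors attached to each control and the sample risks are all assumptions chosen for illustration.

```python
"""Added worked example (not from any glossary source): a small risk register
that assigns values to risks, accounts for safeguards, and ranks the result.
Scales, bands, reduction factors and sample risks are assumptions."""

from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scales for likelihood and impact


@dataclass(frozen=True)
class Control:
    """A safeguard and the fraction by which it reduces likelihood or impact.
    in_place=False marks a control that is planned but not yet implemented."""
    name: str
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0
    in_place: bool = True

    def __post_init__(self):
        for v in (self.likelihood_reduction, self.impact_reduction):
            if not 0.0 <= v < 1.0:
                raise ValueError("reductions must lie in [0, 1)")


@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: int  # probability of occurrence: 1 (rare) .. 5 (almost certain)
    impact: int      # resulting impact: 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for name, v in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{name}={v} outside {SCALE_MIN}..{SCALE_MAX}")

    def inherent(self) -> int:
        """Risk before any safeguard: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self, include_planned: bool = False) -> float:
        """Risk after safeguards. Each control scales the remaining likelihood or
        impact, so two 50% reductions leave 25%, never 0%: residual risk is
        never assumed away entirely."""
        lk, im = float(self.likelihood), float(self.impact)
        for c in self.controls:
            if c.in_place or include_planned:
                lk *= 1.0 - c.likelihood_reduction
                im *= 1.0 - c.impact_reduction
        return round(lk * im, 2)


def rating(score: float) -> str:
    """Assumed bands on the 1..25 product scale."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register, include_planned: bool = False):
    """Rank risks by residual score, highest first; ties broken by inherent score."""
    rows = []
    for r in register:
        res = r.residual(include_planned)
        rows.append((r.threat, r.inherent(), res, rating(res)))
    rows.sort(key=lambda row: (row[2], row[1]), reverse=True)
    return rows


def sample_register():
    """Constructed sample data; names and numbers are illustrative only."""
    return [
        Risk("Phishing of election staff", "No MFA on webmail", likelihood=4, impact=4,
             controls=[Control("Awareness training", likelihood_reduction=0.25),
                       Control("MFA rollout", likelihood_reduction=0.6, in_place=False)]),
        Risk("Ransomware on voter registration DB", "Unpatched database host",
             likelihood=3, impact=5,
             controls=[Control("Offline backups", impact_reduction=0.5)]),
        Risk("Insider copies voter file", "Broad file-share permissions",
             likelihood=2, impact=3),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for label, planned in (("controls in place", False), ("including planned", True)):
        print(f"--- {label} ---")
        for threat, inh, res, band in prioritize(reg, planned):
            print(f"{res:5.2f} {band:6s} (inherent {inh:2d})  {threat}")
```

Running the register twice, once counting only controls in place and once counting planned ones as well, shows why definition 2 distinguishes the two: with current safeguards the phishing risk ranks first, but once the planned MFA rollout is credited it drops to last, which is the kind of change in priority the assessment exists to surface.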

5. A systematic examination of risk using disciplined processes, methods, and tools. A risk assessment provides an environment for decision makers to evaluate and prioritize risks continuously and to recommend strategies to remediate or mitigate those risks. (DoDD 3020.40, Critical Infrastructure, 14 Jan 2010).

6. The identification and assessment of hazards (first two steps of risk management process). (JP 1-02 & JP 3-07.2).

7. A process of evaluating the risks to information based on susceptibility to intelligence collection and the anticipated severity of loss. (DoD 5205.02-M, DoD OPSEC Program Manual, 3 Nov 2008).

8. A defined process used to fuse the procedures of analyzing threat, risks, and vulnerabilities, into a cohesive, actionable product. (DoD 5200.08-R, Physical Security Program, 9 Apr 2007).

9. The process of evaluating security risks based on analyses of threats, vulnerabilities, and probable adverse consequences to a facility, system, or operation. (IC Standard 700-1, 4 Apr 2008).

Source: Terms & Definitions of Interest for DoD Counterintelligence Professionals, Office of the National Counterintelligence Executive, https://www.dni.gov/files/NCSC/documents/ci/CI_Glossary.pdf