IT Risk

Most IT risk discussions focus narrowly on security, yet modern business processes depend entirely on IT. When risk assessment is incomplete — overweighting security threats while ignoring operational failures, compliance gaps, or strategic misalignment — organisations invest in the wrong controls and remain exposed where it matters most.

The Full Scope of IT Risk

IT risk is not synonymous with security risk. Five categories cover the territory — each with different drivers, different stakeholders, and different controls. Security architecture must account for all of them.

Security Risk

Loss of confidentiality, integrity, or availability through deliberate attack or exploitation of vulnerabilities.

Examples: Data breach, ransomware, credential compromise, supply chain attack

Operational Risk

Disruption to business processes caused by system failures, misconfigurations, or inadequate procedures.

Examples: Botched patch causing outage, cloud provider failure, capacity exhaustion, backup restoration failure

Compliance Risk

Failure to meet regulatory, legal, or contractual obligations resulting in fines, sanctions, or loss of licence.

Examples: GDPR breach notification failure, PCI DSS non-compliance, audit finding, data residency violation

Project Risk

Risk that IT initiatives fail to deliver intended outcomes on time, on budget, or to the required quality.

Examples: Migration failure, integration defects, scope creep, vendor lock-in, technical debt accumulation

Strategic Risk

Risk that technology decisions misalign with business strategy, reducing competitiveness or creating long-term exposure.

Examples: Obsolete platform investment, missed market window, inability to scale, key-person dependency

Consider a system patch causing employee productivity loss — a self-inflicted denial of service often more likely than an external attack. Or a cloud provider outage taking down multiple services simultaneously — a concentration risk that traditional threat models underweight. Human errors and misconfigurations typically cause more IT business interruptions than malicious attacks, yet security risks remain disproportionately assessed relative to operational risks.

Why We Get Risk Wrong

Risk perception is subject to well-documented cognitive biases. Security architects must recognise these biases in themselves and in the stakeholders whose input drives risk registers. The biases below are drawn from Bruce Schneier's analysis of security decision-making.

Intentional vs. accidental

We over-react to deliberate attacks and under-react to accidents and systemic failures — yet misconfigurations cause more outages than adversaries.

Availability bias

We overweight risks that are recent, vivid, or heavily reported. A headline breach dominates the risk register while silent technical debt accumulates.

Gradual change blindness

We under-react to risks that develop slowly. Normalisation of deviance and drifting into failure are invisible until a trigger event exposes the gap.

Moral framing

We frame some risks as moral offences rather than business decisions, leading to disproportionate investment relative to actual exposure.

Immediacy bias

Immediate, tangible threats receive more attention than long-term or probabilistic ones — even when the latter carry greater expected loss.

How Leading Organisations Define IT Risk

Each framework emphasises a different dimension — some focus on threat-vulnerability pairing, others on financial quantification or business context. Together they reveal why a narrow definition leads to narrow protection.

ISO: Threat-vulnerability pairing

The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. Measured in terms of a combination of the likelihood of an event and its consequence.

Source: ISO 27005:2022

NIST: Mission impact and probability

The net mission impact considering (1) the probability that a particular threat source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur.

Source: NIST SP 800-30 Rev 1

FAIR: Quantitative and financial

Risk is the probable frequency and probable magnitude of future loss. FAIR provides a quantitative model for understanding, analysing, and measuring information risk in financial terms.

Source: Factor Analysis of Information Risk

ISACA: Business risk context

The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk is a component of the overall business risk environment.

Source: COBIT 2019 / Risk IT

OSA: Quality attributes and full scope

The potential for loss across any of the five quality attributes — confidentiality, integrity, availability, accountability, and assurance — weighted by likelihood and business impact. IT risk extends beyond security to encompass operational, project, and compliance dimensions that are often under-assessed.

Source: Open Security Architecture
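The definitions above all reduce risk to likelihood combined with impact; the following worked example (added here, not OSA's own tooling) applies the FAIR form, probable frequency times probable magnitude, to a small register spanning the five categories and shows how the ranking changes when only security risk is assessed. Every entry and figure is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str          # one of the five categories on this page
    freq_per_year: float   # probable loss-event frequency
    loss_min: float        # probable magnitude as a 3-point estimate (currency units)
    loss_mode: float
    loss_max: float

    def expected_magnitude(self) -> float:
        # Mean of a triangular distribution over the 3-point estimate.
        return (self.loss_min + self.loss_mode + self.loss_max) / 3

    def annualised_loss(self) -> float:
        # FAIR-style expected loss: frequency x magnitude.
        return self.freq_per_year * self.expected_magnitude()


# Constructed register covering all five categories (illustrative values only).
REGISTER = [
    Risk("Ransomware via phishing", "security", 0.1, 200_000, 800_000, 3_000_000),
    Risk("Botched patch causing outage", "operational", 2.0, 20_000, 60_000, 200_000),
    Risk("Cloud region outage", "operational", 0.5, 50_000, 150_000, 500_000),
    Risk("GDPR notification deadline missed", "compliance", 0.2, 100_000, 300_000, 1_000_000),
    Risk("Migration slips a quarter", "project", 0.5, 80_000, 200_000, 400_000),
    Risk("Key-person dependency on legacy platform", "strategic", 0.3, 100_000, 400_000, 1_200_000),
]


def rank(register, categories=None):
    """Return (name, annualised loss) pairs, highest expected loss first.
    A security-only assessment passes categories={"security"}."""
    rows = [r for r in register if categories is None or r.category in categories]
    return sorted(((r.name, round(r.annualised_loss())) for r in rows), key=lambda t: -t[1])


def share_of_loss(register, category):
    """Fraction of total expected annual loss attributable to one category."""
    total = sum(r.annualised_loss() for r in register)
    return sum(r.annualised_loss() for r in register if r.category == category) / total


if __name__ == "__main__":
    for name, loss in rank(REGISTER):
        print(f"{loss:>10,}  {name}")
    print(f"security share of expected loss: {share_of_loss(REGISTER, 'security'):.1%}")
```

With these constructed figures the top-ranked entry is an operational one (the botched patch), and security accounts for roughly a sixth of expected loss, which is the under-assessment the page describes.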

What This Means for Security Architecture

Security architecture that only addresses security risk is incomplete. The discipline must ensure that controls are proportionate to the full risk picture — including operational resilience, compliance obligations, and strategic alignment.

The OSA Approach to Risk

OSA patterns map controls to specific threats, making the risk rationale for each control explicit and traceable. The OSA Capability Model provides a structure for assessing security maturity across the full scope of IT risk — not just the threats that make headlines.