Risk, probability and impact in risk management

Why effective risk management requires different perspectives

Imagine two people walking in opposite directions on a circular track. Eventually, they’ll meet—because no matter where they start, the path leads to the same point.

This metaphor fits perfectly when we talk about cybersecurity in IT and OT environments. At first glance, these two worlds seem to have very different priorities and approaches. But when it comes to cybersecurity, they’re aiming for the same thing: effective cyber risk management.

What makes all the difference is how risks are assessed and prioritized in each domain.

Same formula – different variables

Risk matrix with heat map

Simplified risk matrix for presenting cyber risks in the context of a risk assessment.

Whether in IT or OT, risk is often calculated using the formula

Risk = Impact × Likelihood

But here’s the catch: The way we evaluate impact and likelihood in IT environments differs significantly from OT systems.

OT: Physical processes, long lifecycles, high availability

In OT environments (Operational Technology), cyber risk assessment must consider unique factors:

Impact in OT

  • Physical safety & process continuity
    Security incidents can directly affect physical processes—leading to production downtimes or even endangering lives.

  • Critical systems
    The failure of essential components can cause massive financial, environmental, or infrastructural damage.

  • Legacy technologies
    Long lifecycles in OT mean outdated systems that are harder to patch and more vulnerable.

  • IT/OT convergence
    The merging of IT and OT increases the attack surface and complexity.

  • Vulnerable industrial protocols
    Many widely used protocols (like Modbus) lack encryption or authentication, making them easy targets.

IT: Data protection, reputation, and compliance

In IT environments, the focus shifts significantly:

Impact in IT

  • Financial losses
    Data breaches and ransomware attacks can result in direct and indirect costs.

  • Reputational damage
    Loss of trust among customers and partners can impact long-term brand value.

  • Regulatory consequences
    Non-compliance with GDPR or NIS2 may lead to severe penalties.

  • Operational disruption
    Downtime due to malware or DDoS attacks hampers productivity.

  • Data loss
    Losing sensitive data can cripple operations and erode customer trust.

Likelihood in OT

  • Network exposure & digitization
    Connecting OT systems to Ethernet, the internet, or 5G raises the likelihood of cyberattacks.

  • Lack of segmentation
    Without proper network separation, attackers can easily move laterally across systems.

  • Unsecured remote access
    Remote access points are often inadequately protected.

  • Insider threats
    Extended supply chains increase the risk of internal sabotage or unintentional compromise.

  • Phishing & social engineering
    Maintenance staff and technicians are common targets of targeted attacks.

Likelihood in IT

  • Threat frequency
    The volume of attacks—phishing, malware, etc.—helps estimate risk probability.

  • Vulnerability management
    The more unresolved vulnerabilities, the higher the risk of successful exploitation.

  • Security awareness
    Well-trained staff can significantly reduce risk exposure.

  • Security architecture
    Modern, updated systems are less prone to compromise.

  • External threats
    Cybercrime trends, geopolitical tensions, or natural disasters all influence IT risk assessments.
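As an added example that is not part of the original article, the following Python rates one constructed scenario twice with the same Risk = Impact × Likelihood formula, once against the OT criteria and once against the IT criteria listed above, and places each result on a simplified 5×5 heat map. The criteria weights, the 1 to 5 rating scale and the band thresholds are assumptions chosen for illustration, not values from the article.

```python
# Same Risk = Impact x Likelihood formula, domain-specific criteria for IT and OT.
# Criteria weights and heat-map thresholds are assumptions chosen for illustration.

IMPACT_CRITERIA = {
    # OT: physical safety and process continuity dominate (see "Impact in OT")
    "OT": {"physical_safety": 0.4, "process_continuity": 0.3, "critical_systems": 0.3},
    # IT: financial, reputational, regulatory and data-loss consequences
    "IT": {"financial": 0.25, "reputational": 0.25, "regulatory": 0.25, "data_loss": 0.25},
}
LIKELIHOOD_CRITERIA = {
    # OT: network exposure, missing segmentation, unsecured remote access
    "OT": {"network_exposure": 0.4, "segmentation_gap": 0.3, "remote_access": 0.3},
    # IT: attack volume, unresolved vulnerabilities, awareness gaps
    "IT": {"threat_frequency": 0.4, "open_vulns": 0.4, "awareness_gap": 0.2},
}

def weighted_rating(ratings: dict, criteria: dict) -> int:
    """Collapse per-criterion ratings (1..5) into one 1..5 value; unrated criteria count as 1."""
    total = sum(weight * ratings.get(name, 1) for name, weight in criteria.items())
    return max(1, min(5, int(total + 0.5)))

def heat_band(score: int) -> str:
    """Map a 1..25 product onto a heat-map band (thresholds assumed)."""
    return "critical" if score >= 15 else "high" if score >= 8 else "medium" if score >= 4 else "low"

def assess(domain: str, impact: dict, likelihood: dict) -> dict:
    """Risk = Impact x Likelihood, each factor rated on the domain's own criteria."""
    i = weighted_rating(impact, IMPACT_CRITERIA[domain])
    l = weighted_rating(likelihood, LIKELIHOOD_CRITERIA[domain])
    return {"impact": i, "likelihood": l, "risk": i * l, "band": heat_band(i * l)}

# Constructed scenario: an unpatched legacy host reachable through poorly secured
# remote access. The same event is rated once with OT criteria and once with IT criteria.
def same_event_two_views() -> dict:
    ot = assess("OT",
                {"physical_safety": 5, "process_continuity": 5, "critical_systems": 4},
                {"network_exposure": 5, "segmentation_gap": 4, "remote_access": 5})
    it = assess("IT",
                {"financial": 3, "reputational": 2, "regulatory": 2, "data_loss": 2},
                {"threat_frequency": 3, "open_vulns": 4, "awareness_gap": 2})
    return {"OT view": ot, "IT view": it}

if __name__ == "__main__":
    print(same_event_two_views())
```

The OT view lands in the "critical" band while the IT view of the same event stays "medium", which is the prioritization gap the article describes.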

Conclusion:

One formula, two realities
The challenge isn’t the risk formula itself—it’s interpreting it differently for each environment.
While OT focuses on availability and physical consequences, IT is driven by data protection, compliance, and reputational concerns.
Bridging the two worlds requires a shared language for risk—without losing the necessary nuance.

IT and OT – Two worlds, one solution
Effective cyber risk management needs to be understandable across departments and disciplines.

With Risk By Context™, asvin offers a shared platform that brings clarity to risk prioritization in IT and OT environments—so that security decisions are always based on what matters most.