FAQ
What is the difference between upside risk and positive risk?
Even though upside risk and positive risk sound similar, they are actually very different. A risk has either a positive or a negative outcome, and the negative outcomes themselves divide into an upside and a downside.
Positive risk is the potential gain of assets, knowledge, improvements, or data. For example, you implement patch management and a process to remove vulnerabilities quickly, such as within one week. Over the course of the next year, you have no security incidents.
Upside risk is exposure to loss while in pursuit of a gain. For example, the business deploys a new application, and you implement patch management and a process to remove vulnerabilities quickly, such as within one week. The exposure to loss (the window of time during which you are removing the vulnerabilities) is in pursuit of a gain (a more secure application), so this is considered an upside risk. You can increase the upside risk by shortening the vulnerability removal period to one day, or decrease the upside risk by extending the period to one month. Basically, upside risk is the uncertain possibility of gain while trying to minimize a loss.
Why is it important to include positive risk within cybersecurity?
Integrating positive risks within cybersecurity risk assessments and conversations helps promote the value of cybersecurity to the business. For more information, see Benefits of positive risk.