Risk Management in the Digital World - A Chore or A Necessity?
Written by Ioannis Ntokos*
“Nothing in life is certain but death and taxes,” Benjamin Franklin (or someone before him) once said. But the phrase could well include another component, risk. “Death, taxes, and risk.” In the digital world, risks are a constant that we must take into account, whether as citizens, product or service providers, or as experts in the field of risk management. Let’s see how proper risk management can provide certainty and security in the digital space.
What does risk mean, and why does it deserve attention?
The digital world changes rapidly, every day. The concept of risk, however, is relatively static: every system, every program, every person using technology creates an “opening,” a vulnerability. These openings are not dangerous in themselves; they become dangerous when a threat is able to exploit them. Consider, for example, a flaw in a control system at a nuclear power plant, a flawed process for accessing sensitive data, or a misconfigured network switch. The alarm bells are ringing.
The risk is there before you do anything, it is “inherent.” It is there by default, without any protective measures being taken. When you ride a bike, the very act of riding is a risk. In the digital world, the inherent risk arises from things like human carelessness, the complexity of systems, or the value of data shared with others. Risk itself is a certainty, a constant of life. That does not mean we ignore it.
So far, so good. The fact that I cross the threshold of my door every morning is a dangerous situation, theoretically. What is the point of action if the risk is there anyway? The next stage is to identify which risks require attention and action. This requires cold observation and logical thinking. Some risks are more significant than others, so they must go through the risk management "filter".
Calculating Risk
In its simplest form, risk (whether expressed numerically or not) is a function of probability and impact: a given risk causes (negative) consequences (impact) with some frequency (probability). Estimating these two variables either quantitatively (precise figures, usually monetary for impact and expected occurrences per year for probability, which multiply into an annualized loss expectancy) or qualitatively (coarser ordinal scales, typically 1 to 5) brings us closer to calculating the risk.

In the example of cycling, a risk is my sudden encounter with a brown bear (and the unpleasant consequences that might follow). The likelihood of this happening varies depending on the situation - if I am riding my bike in an area of Korydallos, the chances of encountering a bear are close to zero. If I have gone cycling in the Pindos mountains, the situation changes dramatically. The impact of the encounter with the bear also changes. If I carry bear spray or have watched many videos on how to deal with a brown bear (the author of this article has watched quite a few such videos), I may escape with bruises and scratches (or a broken bicycle). If I lack knowledge and tools, things become more difficult.
Here the importance of protective measures and the transition from inherent to residual risk also becomes apparent. Through the protective measures at my disposal (spray), I can lower the impact of the encounter from certain death to admission to the hospital for stitches. Residual risk is the risk that remains after we take protective measures against it! Protective measures are an integral part of risk management.
Risk Management Methods
There are four accepted ways to deal with a risk once it has been identified and assessed (quantitatively or qualitatively). These options are acceptance, transfer, reduction, or elimination (also called avoidance).
Acceptance means that you understand the risk and hold on to it, not passively or ignorantly, but rationally. Some risks are so small that it costs more to deal with them than to accept them. If I ride my bike downtown, I accept the infinitesimal chance (0.00001%) that a bear will attack me, and I enjoy my ride.
Transfer is the assignment of risk to someone else (usually through insurance). The risk does not disappear, it simply changes hands. The responsibility remains with the person subject to the risk, but there is coverage in case of damage due to the risk. In the bear scenario, I hope my insurance covers such attacks, or at least my family receives a lump sum (through my life insurance) in case the spray doesn’t help.
Speaking of spray, this is a risk reduction method! Reduction means that you limit the likelihood or impact, and it is the most common method of dealing with risks. This includes any form of preventive protection. Every protective measure I take aims to reduce the risk. If I’m out cycling in the Pindus Mountains with 10 other friends, the chances of the bear attacking me instead of one of them are drastically reduced!
Elimination is the most absolute option: you move away from the risk and its source. Elimination is the final cleanup, the recognition that something is beyond “patching.” Are there many hungry bears on the mountain I’m planning to visit? I choose the sea instead of the mountain and I have peace of mind!
While the above ways of dealing with risk are all tried and tested, there is one reaction that is not legitimate: ignoring the risk. Knowing the risk and consciously choosing to do nothing about it will inevitably lead to negative results!
Dealing with risk in the digital world
Risks similar to a random bear encounter exist in the digital and online space, only instead of hungry four-legged friends, we encounter hackers, abused platforms, the use of artificial intelligence that violates human rights and defective hardware. And with the same logic as our trip to the forest, these risks require special treatment, taking into account the following basic principles:
- Risk management is not a single event, but a cycle. You identify, assess, act, and regularly review. The digital world is constantly changing, which means that the risk landscape is also changing. What was secure in the morning may be vulnerable by evening. Technology waits for no one - and the associated risks must be constantly recorded and addressed.
- A holistic approach to risk is crucial. One gap is enough to cause serious damage to citizens, users, and businesses. Partial protection creates a false sense of security. In the digital space, the weak point is often not the most obvious one: it can be the forgotten file, the weak password, or the external partner using a fragile application. Therefore, a holistic view is required.
- It is also necessary to understand that risk is not only technical, but also organizational, human, or procedural. In practice, most damage results from mistakes, omissions, or misunderstandings. Technology simply exacerbates the consequences. Therefore, it is necessary to address it from many different angles.
- Awareness and education on information and data protection issues are key to reducing risks. No matter how organized you are, there will always be someone who will write their passwords in plain sight, open the wrong file, or accidentally press “delete.” The human element cannot be eliminated.
- Prevention is always cheaper than recovery. For the average user, risk management may seem like a chore, but the reality is that the world of technology has grown so much that ignorance of risk is costly. Just as no one waits to install an alarm system after a break-in, risk management works best before bad things happen.
The essence of risk management is targeted clarity: although absolute security is not possible, we strive for stability while trying to avoid major mistakes. When you understand this, risk management ceases to be a burden. It becomes an organized and coordinated effort, and then a habit. A kind of mental exercise where you ask: “What could go wrong? How much do I care? What do I do about it?” Not as an exercise in fear, but as an exercise in pure reasoning and protection. Risk will always be there. Managing it is a conscious choice, and awareness is a tool.
*Ioannis Ntokos is an IT risk management, information security and third party risk management specialist, with expertise in data protection. He specializes in ISO27001, NIST, NIS2 and the General Data Protection Regulation (GDPR). In his spare time, he offers career advice on IT governance, risk and compliance through his YouTube channel.
Our GAIN event with the supervisory authorities of Article 77 of the AI Act was successfully concluded
Yesterday’s event, which we co-organized with the civil society network Greek AI Network – GAIN at the offices of network member WHEN Hub, was successfully completed.
The event opened with a welcoming address by our Co-founder and Treasurer of the Board, Konstantinos Kakavoulis. This was followed by educational presentations from representatives of two fundamental rights authorities under Article 77 of the AI Act, namely Dr. Efrosyni Siougle from the Hellenic Data Protection Authority and Dr. Christos Tsevas from the Greek National Commission for Human Rights.
Finally, during the Members in the Spotlight Session, our member and DPO Executive / GDPR Expert, Dimos Kostoulas, delivered an educational presentation on the processing of personal data in the healthcare sector and the use of Artificial Intelligence systems in this field.
We warmly thank the speakers, the members of the GAIN network, and the members of Homo Digitalis who joined us both online and in person, as well as the other organizations that honored us with their presence.
The event was held within the framework of the GAIN program, with the support of the European AI & Society Fund.
We presented our Study on the Digital Omnibus package at the Privacy & Data Protection Conference
Last Friday, Homo Digitalis was invited to the Privacy & Data Protection Conference, organized by BOUSSIAS.
There, our Executive Director, Eleftherios Chelioudakis, presented our Study on the Digital Omnibus reform packages, highlighting the challenges that the proposed changes pose to our rights in the contemporary digital era.
You can read our Study here.
We would like to warmly thank the conference organizers, and especially Alexandra Varla, for the very honorable invitation. Congratulations as well to all the speakers for their insightful contributions.
Our NGI TALER workshop at Journals n’ Spirits 2025 was successfully completed
On November 13, we represented NGI TALER at Journals n’ Spirits 2025, which was organized by omniatv together with the initiatives Vlavi (magazine), Copwatch GR, FactReview, Femicide.gr, Homo Digitalis, INFOWAR, inside story., Jacobin Greece, KRAX Radio, The Manifold, Reporters United, Solomon, The Untold, Vouliwatch, and YUSRA (magazine/publications), at the Kypseli Municipal Market.
More specifically, Eleftherios Chelioudakis from our team presented the GNU TALER digital payments tool, which functions like digital cash and radically reshapes the ecosystem of electronic micropayments. It is based on the principles of free/libre software and strict respect for privacy, offering a new way to conduct online financial transactions while ensuring full accountability (the payer remains anonymous, while the income of the receiving side stays auditable).
We also spoke about the funding opportunities provided by NGI TALER for everyone who can contribute to our important mission. Do you have relevant ideas? Submit your application by February 1, 2026, here.
Homo Digitalis & EDRi speak to inside story on the proposed Digital Omnibus regulations
Is Europe moving away from the protection of our digital rights?
inside story. and journalist Eliza Triantafyllou published an in-depth article on Monday, December 1, examining the European Commission’s Digital Omnibus proposals. European Digital Rights (EDRi) and Homo Digitalis had the honor of contributing comments and arguments, represented by their members Blue Duangdjai Tiyavorabun, Ella Jakubowska (she/her), Itxaso Domínguez de Olazábal, PhD, and Eleftherios Chelioudakis.
Is the EU giving in to pressure from Trump and major technology companies to deregulate rules protecting Europeans’ personal data and privacy, rebranding it as “simplification”? What exactly do the two recent proposals include? Read the article here.
We warmly thank the journalist for her interest in our arguments.
Participation of Homo Digitalis in a Conference on Spyware
On Friday, November 21, Homo Digitalis was represented by our member and Lawyer admitted to the Supreme Court, Melina Skondra, who delivered an outstanding contribution in the third panel of the conference “The Rule of Law Today in Greece and Europe,” on the topic: Spyware, surveillance, and human rights.
We had the honor of sharing the panel with Thanasis Koukakis, journalist and victim of surveillance, and Maria Alexandri, Lawyer admitted to the Supreme Court and member of the Research Group on Information Law at the University of Macedonia.
The conference was organized by DEMOTRUST with the support of the Friedrich-Ebert-Stiftung, under the auspices of the Centre for European Constitutional Law and syntagmawatch.gr, with ROSA MEDIA as the media sponsor.
We thank the organizers for their kind and honorable invitation!
We are co-organizing Journals n’ Spirits 2025 and we look forward to seeing you there!
Join us at Journals n’ Spirits 2025, organized by omniatv at the Kypseli Municipal Market, on November 13 & 14!
Sixteen independent journalism, research, and print media initiatives—including Homo Digitalis—will host workshops, discussions, and live broadcasts. All of this while enjoying our favorite drinks, and, in collaboration with the Skrip Bookstore, publications by members of the participating initiatives will also be available throughout the two-day event.
We will be speaking on November 13 at 14:00 about digital payments and the GNU Taler tool (NGI TALER | Taler Systems S.A.), which is based on the principles of free/libre software and is reshaping the model of electronic micropayments with respect for privacy.
Learn more about the workshops, broadcasts, photo exhibition, and documentary screening in the detailed two-day program available here.
Participating initiatives (in alphabetical order):
Vlavi (magazine), Copwatch GR, FactReview, Femicide.gr, Homo Digitalis, INFOWAR, inside story., Jacobin Greece, KRAX Radio, The Manifold, OmniaTV, Reporters United, Solomon, The Untold, Vouliwatch, YUSRA (magazine/publications).