
Regardless of the industry an organization is in, or the information security management framework it uses, it is more than likely required to perform a risk assessment. This is often a major pain point and source of confusion for many organizations, since the term risk assessment can take on various meanings depending on the context. Even the word "risk" may mean different things to different people. This guide will provide clarification on these topics and much more.

What is risk?

In order to conduct a risk assessment, it is important to understand what the word "risk" refers to within the context of information security. The words threat, vulnerability, and risk are often used interchangeably in everyday parlance; however, within the context of information security these terms have distinct meanings. A vulnerability is a weakness in an organization's information security that can be exploited. A threat is a danger that may exploit a vulnerability. The parties that represent a threat and carry out the exploitation of a vulnerability are commonly referred to as threat agents. Risk combines the impact of a threat exploiting a vulnerability with the probability that the event will actually happen. This can be expressed as:

Risk assessment versus risk analysis

The terms risk assessment and risk analysis describe related but different activities. A risk assessment is the process of identifying all of the threats and vulnerabilities, together with their related impacts and probabilities. Essentially, this is the organization answering the question, "What can go wrong?" A risk analysis evaluates the findings uncovered during the risk assessment in order to decide what to do about them. Typical activities performed during a risk analysis include:

Identifying threats and vulnerabilities

There are numerous types of threats and vulnerabilities that an organization must identify. While every organization exists in a unique threat environment, many threats and vulnerabilities are common to most organizations.

Threats

Threats may be human or non-human and may originate internally or externally. Some common threats and threat agents include, but are not limited to:

Vulnerabilities

As stated previously, vulnerabilities are weaknesses present within an organization that may be exploited. It is critical that vulnerabilities are properly identified, since vulnerability management is within the organization's control, whereas the organization has little to no control over the threats it faces. Common vulnerabilities include, but are not limited to:

Quantitative versus qualitative risk analysis

Two common approaches to risk analysis are quantitative and qualitative. A quantitative risk analysis attempts to assign a monetary cost to a threat agent exploiting a vulnerability. A qualitative risk analysis uses descriptors to categorize risks; for example, a hierarchical scheme such as high, medium, and low may be used to prioritize them. Both methods have their benefits, so an organization must determine which method is appropriate for its unique situation.

Quantitative risk analysis

While there are multiple ways of determining the monetary values associated with risks, some key concepts are considered fundamental when performing a quantitative risk analysis. These key concepts are:

Qualitative risk analysis

This type of risk analysis is useful since it provides a high-level perspective of the risks an organization faces. While there are many different ways to assign values to impact and probability, a common scheme is to apply high, medium, and low to each factor. These values can be used to construct a matrix that may look like this:
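The two approaches described above, quantitative (probability times monetary impact) and qualitative (a high/medium/low matrix), applied to the same small risk register so that their rankings can be compared. This is an added example written for this page, not code or data from the original guide. The register, the probability and impact cut-offs used to band numbers into levels, the 3x3 matrix layout, and the "control pays for itself" decision rule are all assumptions made for the illustration; an organization would substitute its own.

```python
"""Added worked example (not from the original guide): score a constructed
risk register quantitatively (expected annual loss in money) and
qualitatively (high/medium/low matrix), then rank it both ways."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Level = str  # "low", "medium" or "high"


@dataclass(frozen=True)
class Risk:
    """A threat agent exploiting a vulnerability, with the two inputs the
    definition of risk needs: probability and impact."""
    name: str
    annual_probability: float  # chance the event happens in a given year, 0.0-1.0
    impact: float              # monetary loss if it happens once (one currency throughout)


# ---- Quantitative: risk expressed as money -----------------------------------

def expected_annual_loss(risk: Risk) -> float:
    """Probability times impact, in money per year (commonly called the
    annualized loss expectancy). Assumes at most one occurrence per year."""
    if not 0.0 <= risk.annual_probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be in [0, 1]")
    if risk.impact < 0:
        raise ValueError(f"{risk.name}: impact cannot be negative")
    return risk.annual_probability * risk.impact


def control_is_worthwhile(risk: Risk, annual_control_cost: float,
                          residual_probability: float) -> bool:
    """Assumed decision rule: a control is worth buying when the yearly loss it
    removes exceeds its yearly cost. The guide itself prescribes no such rule."""
    reduced = Risk(risk.name, residual_probability, risk.impact)
    saving = expected_annual_loss(risk) - expected_annual_loss(reduced)
    return saving > annual_control_cost


# ---- Qualitative: risk expressed as a category -------------------------------

# Cut-offs for banding a number into a level are assumptions for this example.
PROBABILITY_BANDS = ((0.10, "low"), (0.50, "medium"), (1.01, "high"))
IMPACT_BANDS = ((10_000, "low"), (250_000, "medium"), (float("inf"), "high"))


def to_level(value: float, bands) -> Level:
    """Return the first band whose upper bound the value is below."""
    for upper, level in bands:
        if value < upper:
            return level
    raise ValueError(f"value {value} exceeds all bands")


# One common 3x3 scheme; key is (probability level, impact level).
RISK_MATRIX: Dict[Tuple[Level, Level], Level] = {
    ("low", "low"): "low",      ("low", "medium"): "low",         ("low", "high"): "medium",
    ("medium", "low"): "low",   ("medium", "medium"): "medium",   ("medium", "high"): "high",
    ("high", "low"): "medium",  ("high", "medium"): "high",       ("high", "high"): "high",
}


def qualitative_level(risk: Risk) -> Level:
    """Band both factors, then look the pair up in the matrix."""
    p = to_level(risk.annual_probability, PROBABILITY_BANDS)
    i = to_level(risk.impact, IMPACT_BANDS)
    return RISK_MATRIX[(p, i)]


# ---- Ranking the register both ways ------------------------------------------

LEVEL_ORDER = {"high": 3, "medium": 2, "low": 1}


def rank_quantitative(register: List[Risk]) -> List[Tuple[str, float]]:
    ranked = sorted(register, key=expected_annual_loss, reverse=True)
    return [(r.name, expected_annual_loss(r)) for r in ranked]


def rank_qualitative(register: List[Risk]) -> List[Tuple[str, Level]]:
    # sorted() is stable, so risks at the same level keep their register order.
    ranked = sorted(register, key=lambda r: LEVEL_ORDER[qualitative_level(r)], reverse=True)
    return [(r.name, qualitative_level(r)) for r in ranked]


# Constructed sample register; the figures are illustrative, not real data.
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", 0.90, 20_000),
    Risk("Ransomware encrypts file servers", 0.15, 800_000),
    Risk("Data center flood", 0.02, 2_000_000),
    Risk("Lost unencrypted laptop", 0.40, 5_000),
]


if __name__ == "__main__":
    print("Quantitative (expected annual loss):")
    for name, eal in rank_quantitative(SAMPLE_REGISTER):
        print(f"  {eal:>12,.0f}  {name}")
    print("Qualitative (matrix level):")
    for name, level in rank_qualitative(SAMPLE_REGISTER):
        print(f"  {level:>12}  {name}")
    ransomware = SAMPLE_REGISTER[1]
    print("Backup/EDR control at 50,000 per year worthwhile for ransomware:",
          control_is_worthwhile(ransomware, 50_000, residual_probability=0.05))
```

Run it and note that the two methods disagree: the quantitative ranking puts ransomware far ahead of phishing because of its much larger loss, while the matrix rates both as "high" and lists phishing first. That loss of resolution is the trade-off the text describes when it calls the qualitative view "high-level".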

Methodologies

There are numerous methodologies published to help guide an organization through the risk assessment and risk analysis process that vary in terms of complexity and scope.

National Institute of Standards and Technology Special Publication 800-30

One of the most popular methodologies, this publication provides guidance for performing risk assessments of any scope. From organization-wide assessments down to application-specific assessments, it outlines techniques for threat and vulnerability identification, control analysis, and probability and impact determination, as well as requirements for reporting the results of risk assessments.

ISO/IEC 27005

This methodology is helpful when an organization has implemented an information security management system using the ISO/IEC 27001 standard. While it provides guidance very similar to the NIST publication, ISO/IEC 27005 focuses more on the softer side of information security, emphasizing the need for documentation, human resources, and training.

Conclusion

Risk assessment and risk analysis must be a continuous process, since an organization's threat environment is constantly evolving. Repeating them enables an organization to reduce risk to an acceptable level by identifying additional controls that may need to be implemented, or by determining other actions it can take to address risk. Risk assessment and risk analysis are critical to developing and maintaining a secure organization, since they force the organization to recognize and address its risks and enable it to allocate resources where they reduce risk most effectively.