Cybersecurity is all about understanding, managing, controlling and mitigating risk to your organization’s critical assets. Whether you like it or not, if you work in security, you are in the risk management business.
What is a security risk assessment?

Cybersecurity risk assessment is the process of identifying and evaluating risks for assets that could be affected by cyberattacks. Basically, you identify both internal and external threats; evaluate their potential impact on things like data availability, confidentiality and integrity; and estimate the costs of suffering a cybersecurity incident. With this information, you can tailor your cybersecurity and data protection controls to match your organization’s actual level of risk tolerance. To get started with IT security risk assessment, you need to answer three important questions:
Once you know what you need to protect, you can begin developing strategies. However, before you spend a dollar of your budget or an hour of your time implementing a solution to reduce risk, be sure to consider which risk you are addressing, how high its priority is, and whether you are approaching it in the most cost-effective way.

Importance of regular IT security assessments

Conducting a thorough IT security assessment on a regular basis helps organizations develop a solid foundation for ensuring business success. In particular, it enables them to:
What is a cyber risk (IT risk)? Definition

The Institute of Risk Management defines a cyber risk as “any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems”. Gartner gives a more general definition: “the potential for an unplanned, negative business outcome involving the failure or misuse of IT.” Examples of cyber risk include:
When taking stock of cyber risks, it’s important to detail the specific financial damage they could do to the organization, such as legal fees, operational downtime and related profit loss, and lost business due to customer distrust.

IT risk assessment components and formula

The four key components

An IT risk assessment involves four key components. We’ll discuss how to assess each one in a moment, but here’s a brief definition of each:
The risk equation

We can understand risk using the following equation:
Although risk is represented here as a mathematical formula, it is not about numbers; it is a logical construct, a model for understanding the relationships among the components that feed into determining risk:

The risk assessment factors in the relationship between the three elements. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution) and the asset is critical, your risk is high. However, if you have robust perimeter defenses that make your vulnerability low, your risk will be medium, even though the asset is still critical. Note that all three elements need to be present in order for there to be risk — since anything times zero equals zero, if one of the elements in the equation is not present, then there is no risk, even if the other two elements are high or critical.

Who should perform the IT security risk assessment

A comprehensive approach is essential for identifying all areas of cyber vulnerability. Instead of relying on a few IT team members, a thorough risk assessment should involve representatives across all departments where vulnerabilities can be identified and contained. Look for individuals who know how data is used within the company. Depending on the size of your organization, assembling a complete IT risk assessment team may be a difficult task. While larger organizations might want to have their internal IT teams lead the effort, businesses that lack an IT department might need to outsource the task to a company specializing in IT risk assessment.

How to perform a security risk assessment

Now let’s walk through the IT risk assessment procedure.

Step #1: Identify and Prioritize Assets

Assets include servers, client contact information, sensitive partner documents, trade secrets and so on. Remember, what you as a technician think is valuable might not be what is actually most valuable for the business. Therefore, you need to work with business users and management to create a list of all valuable assets. For each asset, gather the following information, as applicable:
Because most organizations have a limited budget for risk assessment, you will likely have to limit the scope of the remaining steps to mission-critical assets. Accordingly, you need to define a standard for determining the importance of each asset. Common criteria include the asset’s monetary value, legal standing and importance to the organization. Once the standard has been approved by management and formally incorporated into the risk assessment security policy, use it to classify each asset as critical, major or minor.

Step #2: Identify Threats

A threat is anything that could cause harm to your organization. While hackers and malware probably leap to mind, there are many other types of threats:
Step #3: Identify Vulnerabilities

A vulnerability is a weakness that could enable a threat to harm your organization. Vulnerabilities can be identified through analysis, audit reports, the NIST vulnerability database, vendor data, information security test and evaluation (ST&E) procedures, penetration testing, and automated vulnerability scanning tools. Don’t limit your thinking to software vulnerabilities; there are also physical and human vulnerabilities. For example, having your server room in the basement increases your vulnerability to the threat of flooding, and failure to educate your employees about the danger of clicking on email links increases your vulnerability to the threat of malware.

Step #4: Analyze Controls

Analyze the controls that are either in place or in the planning stage to minimize or eliminate the probability that a threat will exploit a vulnerability. Technical controls include encryption, intrusion detection mechanisms, and identification and authentication solutions. Nontechnical controls include security policies, administrative actions, and physical and environmental mechanisms. Both technical and nontechnical controls can further be classified as preventive or detective. As the name implies, preventive controls attempt to anticipate and stop attacks; examples include encryption and authentication devices. Detective controls are used to discover threats that have occurred or are in process; they include audit trails and intrusion detection systems.

Step #5: Determine the Likelihood of an Incident

Assess the probability that a vulnerability might actually be exploited, taking into account the type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of your controls. Rather than a numerical score, many organizations use the categories high, medium and low to assess the likelihood of an attack or other adverse event.
Step #6: Assess the Impact a Threat Could Have

Analyze the impact that an incident would have on the asset that is lost or damaged, including the following factors:
To get this information, start with a business impact analysis (BIA) or mission impact analysis report. This document uses either quantitative or qualitative means to determine the impact of harm to the organization’s information assets, such as loss of confidentiality, integrity and availability. The impact on the system can be qualitatively assessed as high, medium or low.

Step #7: Prioritize the Information Security Risks

For each threat/vulnerability pair, determine the level of risk to the IT system, based on the following:
A useful tool for estimating risk in this manner is the risk-level matrix. A high likelihood that the threat will occur is given a value of 1.0; a medium likelihood is assigned a value of 0.5; and a low likelihood of occurrence is given a rating of 0.1. Similarly, a high impact level is assigned a value of 100, a medium impact level 50, and a low impact level 10. Risk is calculated by multiplying the threat likelihood value by the impact value, and the risks are categorized as high, medium or low based on the result.

Step #8: Recommend Controls

Using the risk level as a basis, determine the actions needed to mitigate the risk. Here are some general guidelines for each level of risk:
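The risk-level matrix from steps 5 through 7, worked in code so the prioritization can be reproduced for a list of threat/vulnerability pairs. This is an added example, not code from the article or from Netwrix. The likelihood values (1.0, 0.5, 0.1) and impact values (100, 50, 10) are the article's; the score-to-level cut-offs, the `Pair` record, and the sample pairs in `SAMPLE_PAIRS` are assumptions constructed for the illustration.

```python
"""Risk-level matrix: likelihood x impact for threat/vulnerability pairs.

Added illustration for this article; not Netwrix code.  The likelihood values
(1.0 / 0.5 / 0.1) and impact values (100 / 50 / 10) are the ones the article
gives.  The score-to-level cut-offs, the Pair record and SAMPLE_PAIRS are
assumptions constructed for the example.
"""
from dataclasses import dataclass

# Values from the article's risk-level matrix.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


@dataclass(frozen=True)
class Pair:
    """One threat/vulnerability pair against a specific asset (hypothetical record)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # "high" | "medium" | "low" (step 5)
    impact: str      # "high" | "medium" | "low" (step 6)


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: multiply the likelihood value by the impact value."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Categorize a score as high, medium or low.

    ASSUMPTION: the article does not give the cut-offs; these follow the
    common convention of >50 high, >10 medium, otherwise low.
    """
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def risk_matrix() -> dict:
    """The full 3x3 matrix: (likelihood, impact) -> (score, level)."""
    return {
        (lik, imp): (risk_score(lik, imp), risk_level(risk_score(lik, imp)))
        for lik in LIKELIHOOD
        for imp in IMPACT
    }


def prioritize(pairs: list) -> list:
    """Return (pair, score, level) rows, highest risk first (stable for ties)."""
    rows = []
    for pair in pairs:
        score = risk_score(pair.likelihood, pair.impact)
        rows.append((pair, score, risk_level(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample pairs for the illustration (not from the article).
SAMPLE_PAIRS = [
    Pair("customer database server", "external attacker", "unpatched web application", "high", "high"),
    Pair("file server", "flooding", "server room in the basement", "low", "high"),
    Pair("employee workstations", "malware via email link", "no security awareness training", "medium", "medium"),
    Pair("public marketing site", "website defacement", "shared administrator password", "medium", "low"),
]

if __name__ == "__main__":
    for pair, score, level in prioritize(SAMPLE_PAIRS):
        print(f"{level:<6} {score:6.1f}  {pair.asset}: {pair.threat} via {pair.vulnerability}")
```

With the article's values only one cell of the matrix (high likelihood, high impact) scores above 50, so under these cut-offs a pair is "high" only when both factors are high; a medium likelihood against a high-impact asset lands at 50, which is "medium", matching the article's own perimeter-defense example. Changing the cut-offs in `risk_level` is where an organization encodes its risk tolerance.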
As you evaluate controls to mitigate each risk, be sure to consider:
Step #9: Document the Results

The final step in the risk assessment process is to develop a risk assessment report to support management in making appropriate decisions on budget, policies, procedures and so on. For each threat, the report should describe the corresponding vulnerabilities, the assets at risk, the impact to your IT infrastructure, the likelihood of occurrence and the control recommendations.
The risk assessment report can identify key remediation steps that will reduce multiple risks. For example, ensuring backups are taken regularly and stored offsite will mitigate both the risk of accidental file deletion and the risk from flooding. Each step should detail the associated cost and the business reasons for making the investment. As you work through this process, you will get a better idea of how the company and its infrastructure operate and how they can operate better. Then you can create a risk assessment policy that defines what the organization must do periodically (annually in many cases), how risk is to be addressed and mitigated (for example, a minimum acceptable vulnerability window), and how the organization must carry out subsequent enterprise risk assessments for its IT infrastructure components and other assets.

Always keep in mind that the information security risk assessment and enterprise risk management processes are the heart of cybersecurity. These processes establish the foundation of the entire information security management strategy, providing answers to what threats and vulnerabilities can cause financial harm to the business and how they should be mitigated.

FAQ

What is a risk assessment?
A cyber security risk assessment is the process of identifying and analyzing information assets, threats, vulnerabilities and incident impact in order to guide security strategy.

What is the first step in performing risk assessment?
The first step in performing risk assessment is to identify and evaluate the information assets across your organization. These include servers, client information, customer data and trade secrets.

What is the final step in the risk assessment process?
The final step in the process is documenting the results to support informed decisions about budgets, policies and procedures. The risk assessment report should describe each threat and its related vulnerabilities and costs. It should also make recommendations for how to mitigate risk.

What is a threat/vulnerability pair?
A threat/vulnerability pair is a specific threat using a particular vulnerability, such as a hacker (threat) exploiting an unpatched system (vulnerability). Not all threats pair with a given vulnerability. For example, the threat of flooding pairs with the vulnerability of a lower-level server room, but not with unpatched systems.

What is a threat action?
A threat action is the consequence of a threat/vulnerability pair — the result of the identified threat leveraging the vulnerability to which it has been matched. For example, if the threat is hacking and the vulnerability is lack of system patching, the threat action might be a hacker exploiting the unpatched system to gain unauthorized access to the system.

How do you conduct risk assessment?
To conduct a cybersecurity risk assessment, you need to identify the elements of the risk equation and then use your knowledge of those elements to determine risk. That means:
Once you collect this data, the next step is to create a cybersecurity risk management plan that details both the risks and strategies for mitigating them.

When should risk assessment be carried out?
Risk assessment should be a recurring event. You should periodically review your risk mitigation strategy as your IT assets change and new threats and vulnerabilities emerge. Transparency is critical to success. All stakeholders in the data security process should have access to information and be able to provide input for the assessment.

What should risk analysis include?
Cyber security risk analysis should include:
Who should perform the risk assessment?
If your organization is large enough to have a dedicated IT staff, assign them to develop a thorough understanding of your data infrastructure and work in tandem with team members who know how information flows throughout your organization. If your organization is a small business without its own IT department, you may need to outsource the task to a dedicated risk assessment company.

Security Strategist & VP of User Experience at Netwrix. Ilia is responsible for technical enablement, UX design, and product vision and strategy. He is a recognized expert in information security and an official member of Forbes Technology Council. Ilia has over 20 years of experience in the IT management software market. In the Netwrix blog, Ilia focuses on cybersecurity trends, strategies and risk assessment.