Make Security Decisions with Confidence using Risk Assessments

An information security risk assessment gives an organization a structured way to deal with security concerns effectively and efficiently. It examines the security architecture to identify the threats to the organization's most valuable assets, and its results allow executives to make informed decisions about security spending and to improve the organization's security posture.

What is a Risk Assessment?

Risk assessment is an ongoing process of identifying the principal threats and vulnerabilities to your information assets, analyzing the resulting risks, and selecting cost-effective controls that respond to them.

When should a risk assessment be performed?

Because security risks change constantly, risk assessments should be conducted at regular intervals throughout the year and whenever a substantial business change occurs, for example an acquisition, a merger, or the introduction of new technology into business operations.

Who should perform the risk assessment?

Ideally a dedicated team performs it, comprising IT security professionals with a thorough grasp of the organization's network infrastructure and staff from the key departments that handle information assets. Alternatively the organization can outsource the assessment to third-party security specialists. In either case, the members of the risk assessment team must be objective and qualified for the task.

The results of the risk assessment are presented to executives as a risk assessment report. Its recommendations must rest on sound reasoning and verifiable facts: recommendations backed by accurate figures are far more likely to be adopted and to attract the resources needed to improve the organization's security.

Advantages of performing a Risk Assessment

The following are some of the primary benefits that risk assessment provides to an organization:

  • Prioritize the assets that need protection
  • Select appropriate security controls
  • Use the organization's resources efficiently
  • Gain an in-depth view of its security posture
  • Reduce the likelihood and impact of breaches
  • Raise security awareness among employees
  • Demonstrate compliance with security regulations
  • Limit financial and reputational damage when an incident does occur

Types of Risk Assessments

There are two main approaches to risk assessment: quantitative and qualitative. A quantitative assessment assigns monetary and numeric values to every element of the assessment (asset value, threat frequency, severity of impact, cost of security controls, and the associated probabilities) and uses equations to express the potential loss from, and the probability of, each threat.

A qualitative assessment assigns no monetary or numeric values; instead it rates each risk on an ordinal scale such as low, medium or high. It is a scenario- and opinion-based approach that conveys the criticality of each risk without claiming financial precision.

In practice the two approaches are usually combined, for example a qualitative pass to triage the full risk inventory followed by quantitative analysis of the risks that justify the data-collection effort. The composition of the risk analysis team, management expectations and the organization's culture dictate how far each approach is taken.

Risk assessment Steps

The main steps involved in conducting the risk assessment are as follows:

1. Identification of assets and their value to the organization:

Assets are the organization's valuable resources that need protection: people, facilities, equipment, reputation, and information or data in any form. The purpose of this step is to identify the assets within the scope of the assessment and determine their value.

The asset’s value is determined by its importance to the organization and includes costs of acquiring/developing, maintaining, and protecting the asset, as well as the cost of replacing it if it is lost or damaged. This step helps security professionals suggest appropriate security controls in line with the asset’s value.

2. Identification of threats and vulnerabilities to these assets:

A threat is a potential cause of an unwanted incident that can harm an asset. Threats can be natural (earthquakes, fires, floods, hurricanes) or human in origin (operator error, external attackers, malicious insiders, malware).

A vulnerability is a weakness that a threat agent can exploit to cause that harm. Examples are missing security patches, the absence of fire suppression in a building, hosts without anti-malware software, and weak authentication mechanisms.

The goal of this stage is to identify the potential threats to and weaknesses in your information systems. Threats are enumerated by considering every agent and event that can affect your systems. Vulnerabilities are discovered by a variety of techniques: audits and monitoring to detect human error or data misuse, penetration testing and vulnerability scanning to find software weaknesses, and facility walk-throughs to find physical flaws, among others.

3. Determine the risk based on the probability of occurrence and magnitude of the impact:

Risk is defined as the likelihood of a threat agent exploiting a vulnerability and inflicting damage to the asset, as well as the extent of the impact. The purpose of this step is to determine the risk posed by different threats to the information assets. For this purpose a quantitative or qualitative risk analysis can be performed.

  • Quantitative risk assessment steps:

Quantitative risk assessment uses a small set of equations to express the expected financial loss from a risk. The two main quantities are single loss expectancy (SLE) and annual loss expectancy (ALE).

Single loss expectancy is the financial loss incurred by a single event when a given threat materializes:

SLE = Asset Value (AV) × Exposure Factor (EF)

The exposure factor is the fraction of the asset's value lost when the threat is realized. For example, suppose the organization's facility is valued at $150,000 and a hurricane would destroy half of it, so EF = 0.5. The SLE is then:

SLE = $150,000 × 0.5 = $75,000

The organization could therefore lose $75,000 if a hurricane damages the facility. On its own this figure is of little use for annual budgeting, because it says nothing about how often the loss is expected. Annual loss expectancy converts it into an expected loss per year:

ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)

The annualized rate of occurrence is the expected frequency of the threat over a 12-month period. Continuing the example, if a damaging hurricane is expected once every ten years, ARO = 0.1 and:

ALE = $75,000 × 0.1 = $7,500

The main use of these figures is to bound what it is rational to spend on a countermeasure. In the example, spending more than $7,500 per year to protect the facility against hurricanes would cost more than the expected loss it prevents. Two caveats apply: most controls reduce a risk rather than eliminate it, so the correct comparison is between the control's annual cost and the reduction in ALE it achieves (ALE before minus ALE after); and a control that addresses several threats at once should be credited with the ALE reduction across all of them. Used this way, the calculations let the organization direct its resources to the countermeasures that pay for themselves.

The values used in these calculations should be derived from the organization's historical incident data, industry loss data where available, and the judgment of experienced staff from the key departments. The output is only as credible as those inputs, so the report should state where each figure came from.
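The SLE and ALE calculations above, carried through to the cost-benefit check that step 5 applies to candidate controls, as an added Python example (not code from the original article or from MCSI). The Threat and Safeguard types, the two candidate controls, and their annual costs and residual exposure are constructed assumptions for illustration; only the hurricane figures come from the article:

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost-benefit.

Added example, not from the original article. The control options,
their annual costs and their residual exposure are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF: fraction of AV lost per event, 0.0..1.0
    aro: float              # ARO: expected events per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # amortised acquisition + operation + maintenance, per year
    residual_ef: float      # EF remaining with the control in place
    residual_aro: float     # ARO remaining with the control in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(threat: Threat, control: Safeguard) -> float:
    """Net annual value of a control against one threat:
    (ALE before) - (ALE after) - (annual cost of the safeguard).
    Positive: the control pays for itself. Negative: it costs more per
    year than the loss it prevents, so accepting the risk is cheaper.
    """
    before = ale(threat.asset_value, threat.exposure_factor, threat.aro)
    after = ale(threat.asset_value, control.residual_ef, control.residual_aro)
    return round(before - after - control.annual_cost, 2)


def best_safeguard(threat: Threat, options: list[Safeguard]) -> Safeguard | None:
    """Return the control with the highest positive net value, or None when
    every option costs more than it saves (i.e. recommend acceptance)."""
    if not options:
        return None
    value, control = max(((safeguard_value(threat, c), c) for c in options),
                         key=lambda vc: vc[0])
    return control if value > 0 else None


# The article's hurricane scenario, plus two constructed candidate controls.
HURRICANE = Threat("hurricane damages facility", asset_value=150_000,
                   exposure_factor=0.5, aro=0.1)
CONTROLS = [
    # Storm shutters halve the damage per event; frequency is unchanged.
    Safeguard("storm shutters", annual_cost=2_000, residual_ef=0.25, residual_aro=0.1),
    # A hardened facility leaves little damage but costs more than the whole ALE.
    Safeguard("hardened facility", annual_cost=9_000, residual_ef=0.05, residual_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE = {sle(HURRICANE.asset_value, HURRICANE.exposure_factor):,.0f}")
    print(f"ALE = {ale(HURRICANE.asset_value, HURRICANE.exposure_factor, HURRICANE.aro):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:<18} net value {safeguard_value(HURRICANE, c):>8,.0f} per year")
    chosen = best_safeguard(HURRICANE, CONTROLS)
    print("recommend:", chosen.name if chosen else "accept the risk")
```

Storm shutters win (net value 1,750 per year) even though the hardened facility prevents more loss, because the comparison is net of the control's own cost; the hardened facility's 9,000 per year exceeds the entire 7,500 ALE and comes out negative. If a control also reduced a second threat (fire, say), its ALE reduction against that threat would be added before the comparison.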

  • Qualitative risk assessment steps:

Qualitative risk analysis assigns no numbers or monetary values to risk. Instead it draws on the expertise and judgment of people from different departments to assign risk ratings. Data for a qualitative assessment is gathered through brainstorming, the Delphi technique, questionnaires, checklists, one-on-one meetings and interviews.

The risk assessment team brings together personnel from different departments to walk through the threat scenarios. For each scenario, the expert most familiar with the threat rates both the likelihood of its occurring and its impact.

The relationship most commonly used to determine the risk is:

Risk = Likelihood × Impact

A risk assessment matrix maps the likelihood of each risk against its impact. Likelihood and impact are each rated on an ordinal scale, such as 1-5 or 1-10, with 1 representing the lowest probability or impact and the top of the scale the highest; the product is then classified as high, medium or low. The scale and the thresholds between bands are a matter of organizational convention, so they should be defined once and recorded in the report so that ratings are comparable across assessments and over time.

4. Rank and Prioritize the risks:

After each risk has been rated, the risks are ranked by severity. This ranking identifies the risks that warrant immediate action and lets the organization decide how to handle each level of risk according to its risk appetite and available resources. For example, management might decide to address all high-level risks immediately, schedule the medium-level risks for treatment over a defined period, and formally accept the low-level risks.

5. Review the security controls:

The purpose of this step is to review the security controls already in place for each risk, determine whether they provide the required level of protection, and recommend new controls where they do not. When selecting a control, the analyst must perform a cost-benefit analysis and review its effectiveness and functionality.

The cost-benefit analysis checks that the total cost of a countermeasure does not exceed the loss it prevents. Quantitatively, the value of a safeguard is the ALE before the control minus the ALE after it, minus the annual cost of the control; a safeguard with a negative value costs more than the risk it reduces. The total cost of a safeguard includes its purchase or development cost, implementation and testing costs, and ongoing operational and maintenance costs, all expressed on an annual basis so that they are comparable with the ALE.

The output of this stage is a list of the areas where existing controls are adequate and those that need additional controls.

6. Document the results:

In this stage, the risk analysts prepare the final report for stakeholders’ review. The purpose of this report is to present the executives with risk handling recommendations that are in line with the company’s resources and overall goals.

This report describes all the actions that were taken in performing the risk assessment, identifies security weaknesses, and proposes remediation steps. Risk analysts can suggest one of the four approaches to handling the risk:

  • Risk Acceptance: if the cost-benefit analysis shows that implementing a control would cost more than the expected loss from the threat, the analysts can recommend that the organization accept the risk. Acceptance is a deliberate, documented decision by management, not the absence of one.
  • Risk Mitigation: the analysts recommend implementing appropriate security controls to reduce the risk to a level the business finds acceptable.
  • Risk Avoidance: the analysts recommend that the organization stop an activity that introduces unwanted security risk.
  • Risk Transfer: the analysts judge the risk too large for the business to carry alone and recommend shifting part of it to a third party, for example by purchasing cyber insurance or by outsourcing the function. Transfer moves the financial consequences; accountability for the data and for reputational harm stays with the organization.

All the risks discovered, their rating and the proposed recommendation are arranged in the form of a table called the risk register. The risk register ranks all the threats according to the level of the severity and contains the treatment plan for each risk.
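The qualitative Likelihood × Impact scoring of step 3, the ranking and appetite-based treatment of step 4, and the risk register described here, as one added Python example (not the article's or MCSI's own code). The 5-point scale, the band thresholds, the default treatment per band and the sample scenarios are constructed assumptions; the tie-breaking rule that a rare but severe scenario outranks a frequent trivial one with the same product is a design choice, not something the article prescribes:

```python
"""Qualitative risk matrix, ranking and treatment selection.

Added example, not from the original article. The scale, band thresholds,
treatment policy and scenarios are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MAX = 5  # ratings run 1 (lowest) .. 5 (highest) for likelihood and impact

# Bands on the Likelihood x Impact product (1..25), highest floor first. Assumed.
BANDS = (("High", 15), ("Medium", 6), ("Low", 1))

# Default treatment per band; mirrors the article's example policy.
TREATMENT = {
    "High": "mitigate immediately",
    "Medium": "mitigate within the planning period",
    "Low": "accept",
}


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1..SCALE_MAX
    impact: int      # 1..SCALE_MAX


def validate_rating(value: int, name: str) -> int:
    """Reject ratings outside the agreed scale so a typo cannot silently
    produce an off-matrix score."""
    if not isinstance(value, int) or not 1 <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in 1..{SCALE_MAX}, got {value!r}")
    return value


def score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact."""
    return validate_rating(likelihood, "likelihood") * validate_rating(impact, "impact")


def band(risk_score: int) -> str:
    """Map a score onto the High/Medium/Low bands."""
    for label, floor in BANDS:
        if risk_score >= floor:
            return label
    raise ValueError(f"score {risk_score} is below the scale minimum")


def build_register(scenarios: list[Scenario], appetite: int = 6) -> list[dict]:
    """Produce the risk register: one row per scenario, ranked by score.

    Ties are broken by impact so that a rare but severe event outranks a
    frequent nuisance with the same product (a design choice). Any score
    at or below `appetite` is accepted regardless of band; above it the
    band's default treatment applies.
    """
    rows = []
    for s in scenarios:
        sc = score(s.likelihood, s.impact)
        rating = band(sc)
        treatment = "accept" if sc <= appetite else TREATMENT[rating]
        rows.append({
            "asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
            "likelihood": s.likelihood, "impact": s.impact,
            "score": sc, "rating": rating, "treatment": treatment,
        })
    rows.sort(key=lambda r: (r["score"], r["impact"]), reverse=True)
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


# Constructed scenarios for illustration only.
SCENARIOS = [
    Scenario("customer database", "ransomware", "unpatched file server", 4, 5),
    Scenario("payroll system", "insider misuse", "shared administrator account", 3, 4),
    Scenario("data centre", "flood", "equipment at ground level", 1, 5),
    Scenario("intranet wiki", "defacement", "default credentials", 5, 1),
    Scenario("VPN gateway", "credential stuffing", "no multi-factor authentication", 4, 4),
]

if __name__ == "__main__":
    for row in build_register(SCENARIOS):
        print(f"{row['rank']}. {row['asset']:<18} {row['threat']:<20} "
              f"L={row['likelihood']} I={row['impact']} score={row['score']:>2} "
              f"{row['rating']:<6} -> {row['treatment']}")
```

With the defaults, the ransomware (20) and credential-stuffing (16) scenarios come out High, insider misuse (12) Medium, and the two scenarios scoring 5 are accepted, with the flood listed ahead of the wiki defacement because of its higher impact. Raising `appetite` to 12 moves the insider-misuse row into the accepted set without changing its band, which is the distinction between a rating (what the matrix says) and a treatment decision (what management is willing to carry).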

Common Risk Management Frameworks:

Risk management is the overall, continuing process of identifying, assessing, treating and monitoring risk; risk assessment is one stage of it and must be repeated as new risks emerge. To support the procedure described in this article, it is important to choose a risk management framework to guide your organization's assessments. The choice depends on a number of factors: the industry in which your organization operates, its culture, and its security and compliance requirements will all shape which framework fits best. An organization can select a framework and tailor it to its specific needs. Some of the commonly used risk management frameworks are listed below:

NIST SP 800-37:

This Risk Management Framework (RMF) takes a system life cycle approach to security and privacy and provides a disciplined, structured and flexible process for managing security and privacy risk. US federal agencies are required to follow it, and many public- and private-sector organizations have adopted it voluntarily. The steps of the NIST SP 800-37 RMF are:

  • Prepare (added in Revision 2 of the publication, to establish context and priorities at the organization and system level)
  • Categorize information systems
  • Select security controls
  • Implement security controls
  • Assess security controls
  • Authorize information systems
  • Monitor security controls

ISO 27005:

This standard provides guidelines for information security risk management and supports the ISO/IEC 27001 information security management system requirements within the ISO 27000 series. The six main activities of the risk management process described in the standard are:

  • Context Establishment
  • Risk Assessment
  • Risk Treatment
  • Risk Acceptance
  • Risk Communication and Consultation
  • Risk Monitoring and Review


ISACA Risk IT:

This risk framework was developed by ISACA and aims to bridge the gap between IT risk and business risk. Its three domains are:

  • Risk Governance
  • Risk Evaluation
  • Risk Response

COSO Enterprise Risk Management – Integrated Framework:

This framework lets organizations apply an enterprise-wide approach to risk management and focuses on integrating risk management into strategy-setting and decision-making. The five components of the 2017 COSO ERM framework are:

  • Governance and Culture
  • Strategy and Objective-Setting
  • Performance
  • Review and Revision
  • Information, Communication and Reporting

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation):

This risk assessment methodology was developed by the CERT Program at Carnegie Mellon University's Software Engineering Institute. It stresses a self-directed team approach: people from different departments within the organization manage and direct the evaluation of security risks themselves. The three phases of an OCTAVE evaluation are:

  • Build asset-based threat profile
  • Identify Infrastructure vulnerabilities
  • Develop security strategy and plans

FAIR (Factor analysis of Information Risk):

This model decomposes information risk into its contributing factors and describes how those factors relate to one another. It is used to identify, analyze and measure information risk within an organization, assigning monetary and numeric values (typically as ranges rather than single point estimates) to assets and to the different forms of loss.

One of the main advantages of using this framework is that it helps organizations make financially sound decisions regarding the implementation of cost-effective security controls. The main steps in performing a FAIR risk assessment are:

  • Identify scenario components
  • Evaluate Loss Event Frequency (LEF)
  • Evaluate Probable Loss Magnitude (PLM)
  • Derive and articulate risk

Interested in information security governance, risk and compliance? Enrol in MCSI’s MGRC - Certified GRC Expert.