What is Risk Assessment?

June 22, 2020


Technology permeates professional and personal life in every way possible. Business infrastructure is supported by a framework of interconnected information systems that ensure the wellbeing, safety, and efficiency of operations, assets, people, organizations, and more.

The value placed on information technology is more than the ability to send an email. It's livelihoods. It's prosperity. It's of the utmost importance in a digitally connected world.

If that perspective resonates with you, then here's another:

Threats to information systems are threats to our personal, financial, and organizational outcomes.

Protecting information systems and technology is a proactive safety precaution. It's rarely retroactive. The man in charge of safety for NASA in the 1970s had a good thought on this subject.

"Risk management is a more realistic term than safety. It implies that hazards are ever-present, that they must be identified, analyzed, evaluated and controlled or rationally accepted," Aviation Safety Pioneer Jerome F. Lederer said.

Where Do Cyber Security Risks Appear?

Risk exists everywhere. It's just a fact of life. It's in project management, investment, budgets, legal liability, inventory, supply chains, and, yes, cyber security risks. The damage to information systems, both innovative and legacy, can come from a variety of factors — like purposeful attacks, environmental disruptions, and human error, to name a few. With all the risk opportunity it's critical to have the best cyber security services on your side.

The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) gives background for a risk assessment fairly succinctly in Special Publication 800-30:

"The purpose of risk assessments is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur.

"The end result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of harm occurring). "

Risk, per the NIST, is a function of the likelihood of an event happening and the negative effects once it does.

How Does A Risk Assessment Help?

A risk assessment will address and mitigate negative contingencies that may impact business functions, processes, segments, support services, and/or information systems. These elements of organizational life will evolve over time, which reinforces how necessary and valid risk assessments are over time.

According to the NIST, a risk assessment can support…

  • The development of an information security architecture
  • The interconnection of information systems as they relate to business functions and infrastructure
  • How security solutions are designed for business operations, including information technology products, suppliers, and contractors
  • Authorization to operate information systems or to use security controls in those systems
  • Modification of business function or processes permanently or temporarily
  • Which security solutions are appropriate for the individual organization
  • Monitoring and maintaining security systems

There are often four aspects to the risk assessment process: preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment.

Preparing for an assessment includes identifying the purpose, scope, assumptions, constraints, sources of information, and the risk model to be used for the assessment.

Conducting an assessment will follow a risk model, including, in chronological order, identification of threat sources and events, identification of vulnerabilities and predisposing conditions, determination of the likelihood of occurrence, determining the magnitude of impact, and a final determination of risk.

Different Types of Risk Assessment

There are different approaches to a risk assessment, three typically. They'll provide the final grade on your risk assessment report card.

A quantitative assessment will have a set of numerical methods, principles, or rules to judge risk. This will often be used in cost-benefit analyses. The issue is that the meaning of the quantitative results that grade different criteria, which feed into an overall risk score, can be unclear to decision makers and stakeholders.

"For example, organizations may typically ask if the numbers or results obtained in the risk assessments are reliable or if the differences in the obtained values are meaningful or insignificant. Additionally, the rigor of quantification is significantly lessened when subjective determinations are buried within the quantitative assessments, or when significant uncertainty surrounds the determination of values," according to the NIST.

A qualitative assessment will differ in that it's non-numerical. The relative risk is graded by categories or levels — low, moderate, high — and is useful for communicating relative risk to decision makers, albeit the results of the process can be less precise and will rely on the judgment and experience of individual risk assessment experts, which will naturally vary.

Finally, there's a hybrid approach, the semi-quantitative assessment. This uses bins (0-15, 16-35, 36-70, 71-85, 86-10) or scales (1-10) to indicate the relative risk stemming from a given assessment. These translate more easily to stakeholders than a purely numerical approach in that they provide some easily interpreted approximation of relative risk.

Bottom line, a risk assessment will take stakeholders through a detailed process of identifying threats and events, their source, their likelihood of happening, and the adverse effects stemming from them. The assessment will yield an understanding of risk, whether qualitative or quantitative, that can subsequently lead to organizational solutions, preparations, or reparations.

It goes without saying that there is more to the principles of risk assessment, so we welcome discussion. Give us a call at 1.888.262.6925 and see how we can help connect your organization with personalized insight. If you have a concern about potential security holes, look no further for your best-in-class managed security service provider (MSSP)