Risk Assessment

Risk & Threat Definitions

Threat Assessment

  • Threat Agent / Source - the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability.
  • Threat Vector - the method or path a threat uses to access the target.
  • Threat Assessment - a structured process used to identify and evaluate various risks or threats that an organization might be exposed to.

Threat Assessment Types

  • Environmental - Natural Events
    • Examples: Weather, storms, flooding, earthquakes, fire, etc.
  • Manmade - Human Cause
  • Internal vs External
    • Origin of the threat source.
    • Is the threat agent inside your organization?
      • Employee, contractor, consultant, etc.

Risk Assessments

  • Also known as risk analysis or risk calculation.
  • Analyzing threats, vulnerabilities, and impacts of a loss of information-processing capabilities (systems) or a loss of information itself.
  • Process:
    • Identify assets.
    • Identify associated threats & vulnerabilities.
    • Determine likelihood of exploit or compromise.
    • Determine impact of exploit or compromise.
    • Prioritize risk activities / security controls.

NIST Risk Management Framework

Quantitative vs Qualitative Risk Analysis

  • Qualitative
    • Estimating risk values (likelihood & impact).
    • Normally using a scale (1-5)
    • Subjective and less accurate.
  • Quantitative
    • Using real values to calculate risk equation.
    • Numeric.
    • Return on Investment (ROI) / Return on Security Investment (ROSI)
    • SLE x ARO = ALE

Risk Calculation

  • SLE x ARO = ALE
  • ALE (Annual Loss Expectancy) Value: A monetary measure of how much loss you could expect in a year.
  • SLE (Single Loss Expectancy) Value: How much you could expect to lose at any one time.
    • SLE can be divided into two components:
      • AV (Asset Value): The value of an item.
      • EF (Exposure Factor): The percentage of loss.
  • ARO (Annualized Rate of Occurrence): The likelihood, often drawn from historical data, of an event occurring within a year.

Risk Calculation Example

  • If you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be the equivalent of $1000 and that there will be seven such occurrences a year (ARO), then the ALE is $7000.
  • Conversely, if there is only a 10% chance of an event occurring within a one-year period (ARO = 0.1), then the ALE drops to $100.

Risk Response / Strategies

  • Avoidance - making the decision not to engage in the actions associated with that risk.
  • Transfer - sharing the burden of the risk with another party (insurance).
  • Mitigation - taking steps to reduce the likelihood or impact of a risk.
  • Acceptance - choosing to live with a risk. Must be a conscious choice by management.

Risk Register

  • Recording information about an identified risk.
  • Can be a specialized software program, a cloud service, or a master document (spreadsheet).
  • Contains details about the risks, risk decisions, mitigating controls, risk owner, time frames, residual risk, etc.
  • Ensures the organization is aligned.
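Worked example, added here and not part of the original notes, that carries the quantitative formulas from the Risk Calculation section through a small constructed risk register of the kind described above: SLE = AV x EF, ALE = SLE x ARO, residual ALE after a mitigating control, and a ROSI figure for that control. The notes name ROSI without defining it, so the formula used (annual loss avoided by the control, minus the control's cost, divided by the control's cost) is an assumption stated in the code; the Risk fields and every dollar figure are constructed for illustration. The first register entry reproduces the notes' own example (SLE $1000, ARO 7, ALE $7000).

```python
"""Quantitative risk register: SLE = AV x EF, ALE = SLE x ARO, ROSI for a control.

Added example. The register rows and control figures are constructed for
illustration; they do not come from any real assessment.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a risk register (hypothetical field set)."""
    name: str
    owner: str
    asset_value: float       # AV: value of the asset in dollars
    exposure_factor: float   # EF: fraction of AV lost in a single incident, 0.0..1.0
    aro: float               # ARO: expected incidents per year (may be below 1)
    control_cost: float = 0.0      # annual cost of the proposed mitigating control
    mitigation_ratio: float = 0.0  # fraction of ALE the control is expected to remove


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: expected loss from one incident (AV x EF)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss, aro):
    """Annual Loss Expectancy: loss expected over one year (SLE x ARO)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def rosi(annual_loss, mitigation_ratio, control_cost):
    """Return on Security Investment for a proposed control.

    Assumed formula (the notes name ROSI but give no formula):
        ROSI = (ALE x mitigation_ratio - control_cost) / control_cost
    i.e. the annual loss the control avoids, net of its cost, per dollar spent.
    A negative value means the control costs more than the loss it avoids.
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided = annual_loss * mitigation_ratio
    return (avoided - control_cost) / control_cost


def evaluate(risk):
    """Compute the quantitative columns for one register row."""
    s = sle(risk.asset_value, risk.exposure_factor)
    a = ale(s, risk.aro)
    residual = a * (1.0 - risk.mitigation_ratio)   # ALE left after the control
    row = {"name": risk.name, "owner": risk.owner,
           "sle": s, "ale": a, "residual_ale": residual}
    row["rosi"] = (rosi(a, risk.mitigation_ratio, risk.control_cost)
                   if risk.control_cost > 0 else None)
    return row


def prioritize(register):
    """Order rows by ALE, highest first: the 'prioritize' step of the process."""
    return sorted((evaluate(r) for r in register),
                  key=lambda row: row["ale"], reverse=True)


# Constructed register (illustrative numbers only).
REGISTER = [
    # Matches the notes' example: SLE $1000, ARO 7 -> ALE $7000.
    Risk("Laptop theft", "IT Ops", asset_value=2000, exposure_factor=0.5, aro=7,
         control_cost=1500, mitigation_ratio=0.8),
    # Low-likelihood event (ARO below 1); the proposed control is not worth its cost.
    Risk("Data center flood", "Facilities", asset_value=500000, exposure_factor=0.2,
         aro=0.1, control_cost=20000, mitigation_ratio=0.5),
    # No control proposed yet, so no ROSI.
    Risk("Web app outage", "AppSec", asset_value=40000, exposure_factor=0.25, aro=2),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        rosi_txt = "n/a" if row["rosi"] is None else f"{row['rosi']:.0%}"
        print(f"{row['name']:<20} SLE ${row['sle']:>9,.0f}  ALE ${row['ale']:>9,.0f}  "
              f"residual ${row['residual_ale']:>9,.0f}  ROSI {rosi_txt}")
```

Running the script lists the register in priority order (Web app outage, Data center flood, Laptop theft by ALE) and shows the flood control with a negative ROSI, which is the signal that acceptance or transfer (insurance) may be the better response for that row than the proposed mitigation.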

Supply Chain Assessments

  • AKA Third-Party Assessments
  • Review vendor's security posture.
  • Any organization connected to yours (virtual or physical).
  • Often accomplished with checklists.

Change Management

  • Change (IT) - the addition, removal, or altering of the information technology environment.
  • Change management process goal - to allow for change without disruption, or with only minimal disruption, to these systems and services.
  • Need to reassess security risks with any change.
    • The change itself.
    • The after-effects.

Testing

  • Part of the Risk Analysis process.
  • Provides visibility into the risk components.
  • Vulnerability assessments.
  • Penetration tests.
  • Table-top exercises.

Risk Management Methods

  • Acceptance - Deciding to bear the cost of a potential risk.
  • Avoidance - Deciding to no longer employ the actions associated with a particular risk.
  • Deterrence - Discouraging certain actions from being taken to protect against risk.
  • Mitigation - Taking steps to reduce risk.
  • Transference - Sharing the burden of a potential risk with another entity.