Risk Assessment

Risk & Threat Definitions

Threat Assessment

  • Threat Agent / Source - either the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability (this wording follows the NIST SP 800-30 definition of a threat source). Examples: a criminal group, a careless administrator, a hardware fault.

  • Threat Vector - the method or path a threat uses to access the target.

  • Threat Assessment - a structured process used to identify and evaluate various risks or threats that an organization might be exposed to.

Threat Assessment Types

  • Environmental - Natural Events

    • Examples: Weather, storms, flooding, earthquakes, fire, etc.

  • Manmade - Human Cause

    • Deliberate: malware, theft, sabotage, fraud.

    • Accidental: misconfiguration, lost devices, operator error.

  • Internal vs External

    • Origin of the threat source.

    • Is the threat agent inside your organization?

      • Employee, contractor, consultant, etc.

Risk Assessments

  • Also known as risk analysis or risk calculation.

  • Analyzing threats, vulnerabilities, and impacts of a loss of information-processing capabilities (systems) or a loss of information itself.

  • Process:

    • Identify assets.

    • Identify associated threats & vulnerabilities.

    • Determine likelihood of exploit or compromise.

    • Determine impact of exploit or compromise.

    • Prioritize risk activities / security controls.

NIST Risk Management Framework

Quantitative vs Qualitative Risk Analysis

  • Qualitative

    • Estimating risk values (likelihood & impact).

    • Normally using a scale (1-5)

    • Subjective and less precise, but faster and cheaper; useful when reliable loss figures are not available.

  • Quantitative

    • Using real values to calculate risk equation.

    • Numeric.

    • Return on Investment (ROI) / Return on Security Investment (ROSI)

    • SLE x ARO = ALE

Risk Calculation

  • SLE x ARO = ALE

  • ALE (Annual Loss Expectancy) Value: A monetary measure of how much loss you could expect in a year.

  • SLE (Single Loss Expectancy) Value: How much you could expect to lose at any one time.

    • SLE is itself the product of two components (SLE = AV x EF):

      • AV (Asset Value): The value of the asset (replacement cost or business value).

      • EF (Exposure Factor): The percentage of the asset's value lost in a single incident.

  • ARO (Annualized Rate of Occurrence): The expected number of occurrences of the event per year, often drawn from historical data (e.g., 0.1 for an event expected once every ten years, 7 for an event expected seven times a year).

Risk Calculation Example

  • If each loss event (SLE = AV x EF) is expected to cost $1,000 and seven such events are expected per year (ARO = 7), then the ALE is $1,000 x 7 = $7,000.

  • Conversely, if the event is expected only once every ten years (ARO = 0.1), the ALE drops to $1,000 x 0.1 = $100.
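The calculation above, and the ROSI comparison mentioned under Quantitative analysis, carried through in code. This is an added example, not part of the original notes; the asset values, exposure factors, rates and control costs are constructed figures chosen so that the base scenario reproduces the $1,000 SLE / ARO 7 / $7,000 ALE case, and the three candidate controls are hypothetical. ROSI is computed with the common formula (ALE reduction minus annual control cost) divided by annual control cost.

```python
"""Quantitative risk calculation: SLE = AV x EF, ALE = SLE x ARO, and ROSI
for ranking candidate controls. Added example with constructed figures."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: a single asset exposed to a single threat."""
    name: str
    asset_value: float       # AV: dollar value of the asset
    exposure_factor: float   # EF: fraction of AV lost per incident (0.0 to 1.0)
    aro: float               # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss per incident."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected loss per year."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A hypothetical security control and the fractional reductions it buys.

    aro_reduction cuts how often the event happens (preventive control);
    ef_reduction cuts how much is lost when it does (containment/recovery)."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0
    ef_reduction: float = 0.0


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario after the control is in place."""
    return Scenario(
        name=s.name,
        asset_value=s.asset_value,
        exposure_factor=s.exposure_factor * (1.0 - c.ef_reduction),
        aro=s.aro * (1.0 - c.aro_reduction),
    )


def rosi(s: Scenario, c: Control) -> float:
    """Return on Security Investment: (ALE reduction - cost) / cost.
    Negative means the control costs more per year than it saves."""
    if c.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    saved = s.ale() - apply_control(s, c).ale()
    return (saved - c.annual_cost) / c.annual_cost


def rank_controls(s: Scenario, controls: list[Control]) -> list[Control]:
    """Controls ordered from best to worst ROSI."""
    return sorted(controls, key=lambda c: rosi(s, c), reverse=True)


# Constructed base case: AV $10,000, EF 10% -> SLE $1,000; ARO 7 -> ALE $7,000.
BASE = Scenario("laptop theft", asset_value=10_000.0, exposure_factor=0.10, aro=7.0)

# Hypothetical controls (names and numbers are assumptions, not real products).
CONTROLS = [
    Control("cable locks + awareness", annual_cost=2_000.0, aro_reduction=0.80),
    Control("full-disk encryption", annual_cost=500.0, ef_reduction=0.50),
    Control("armed escort for every laptop", annual_cost=9_000.0, aro_reduction=1.0),
]

if __name__ == "__main__":
    print(f"{BASE.name}: SLE=${BASE.sle():,.0f} ARO={BASE.aro} ALE=${BASE.ale():,.0f}")
    for c in rank_controls(BASE, CONTROLS):
        residual = apply_control(BASE, c).ale()
        print(f"  {c.name:32s} residual ALE=${residual:>8,.0f}  ROSI={rosi(BASE, c):+.2f}")
```

Running the block ranks the controls by ROSI: encryption (halves the loss per incident for $500) comes out far ahead of the cheaper-per-incident but costlier lock programme, and the control that eliminates the risk entirely has a negative ROSI because its $9,000 annual cost exceeds the $7,000 ALE it removes. That last case is the one the numbers are meant to surface: a control can be effective and still be the wrong decision, which is when acceptance or transfer belong on the table.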

Risk Response / Strategies

  • Avoidance - making the decision not to engage in the actions associated with that risk.

  • Transfer - sharing the burden of the risk with another party (e.g., insurance, outsourcing). Accountability for the risk stays with the organization.

  • Mitigation - taking steps to reduce the likelihood or impact of a risk.

  • Acceptance - choosing to live with a risk, typically because the cost of treating it exceeds the expected loss. Must be a conscious, documented choice by management.

Risk Register

  • Recording information about an identified risk.

  • Can be specialized software program, cloud service, or master document (spreadsheet).

  • Contains details about the risks, risk decisions, mitigating controls, risk owner, time frames, residual risk, etc.

  • Ensures organization is aligned.

Supply Chain Assessments

  • AKA Third-Party Assessments

  • Review vendor's security posture.

  • Any organization connected to yours (virtual or physical).

  • Often accomplished with checklists or questionnaires, supplemented by the vendor's audit reports and certifications.

Change Management

  • Change (IT) - the addition, removal, or alteration of any component of the information technology environment.

  • Change management process goal - to allow for change without disruption, or with only minimal disruption, to these systems and services.

  • Need to reassess security risks with any change.

    • The change itself.

    • The after-effects.

  • Part of the Risk Analysis process.

  • Provides visibility into the risk components (threats, vulnerabilities, likelihood, impact) through:

    • Vulnerability assessments.

    • Penetration tests.

    • Table-top exercises.

Risk Management Methods

  • Acceptance - Deciding to bear the cost of a potential risk.

  • Avoidance - Deciding to no longer employ the actions associated with a particular risk.

  • Deterrence - Discouraging a threat agent from acting by raising the perceived cost or risk of doing so (e.g., warning banners, visible monitoring, legal penalties).

  • Mitigation - Taking steps to reduce risk.

  • Transference - Sharing the burden of a potential risk with another entity.