Practically every organization has internet connectivity and some form of IT infrastructure, which means nearly all organizations are at risk of a cyber attack. To understand how great this risk is and to be able to manage it, organizations need to complete a cybersecurity risk assessment, a process that identifies which assets are most vulnerable to the cyber risks the organization faces. This is a risk assessment that looks specifically at cyber threats, so risks such as fire and flooding which would be included in a general risk assessment are not in scope.
Mitigating the risks identified during the assessment will prevent and reduce costly security incidents and data breaches and avoid regulatory and compliance issues. The risk assessment process also obliges everyone within an organization to consider how cybersecurity risks can impact the organization's objectives, which helps to create a more risk-aware culture. So, what is at the heart of a cybersecurity risk assessment?
What does a cybersecurity risk assessment entail?
A cybersecurity risk assessment requires an organization to determine its key business objectives and identify the information technology assets that are essential to realizing those objectives. It's then a case of identifying cyber attacks that could adversely affect those assets, deciding on the likelihood of those attacks occurring, and the impact they may have; in sum, building a complete picture of the threat environment for particular business objectives. This allows stakeholders and security teams to make informed decisions about how and where to implement security controls to reduce the overall risk to one with which the organization is comfortable.
How to perform a cybersecurity risk assessment: 5 steps
A cybersecurity risk assessment can be split into many parts, but the five main steps are scoping, risk identification, risk analysis, risk evaluation and documentation.
Step 1: Determine the scope of the risk assessment
A risk assessment starts by deciding what is in the scope of the assessment. It could be the entire organization, but this is usually too big an undertaking, so it is more likely to be a business unit, location or a specific aspect of the business, such as payment processing or a web application. It is vital to have the full support of all stakeholders whose activities are within the scope of the assessment, as their input will be essential to understanding which assets and processes are the most important, identifying risks, assessing impacts and defining risk tolerance levels. A third party specializing in risk assessments may be needed to help stakeholders through what is a resource-intensive exercise.
Everyone involved should be familiar with the terminology used in a risk assessment, such as likelihood and impact, so that there is a common understanding of how the risk is framed. For those who are unfamiliar with cybersecurity concepts, ISO/IEC TS 27100 provides a useful overview. Prior to undertaking a risk assessment, it is well worth reviewing standards like ISO/IEC 27001 and frameworks such as NIST SP 800-37 and ISO/IEC TS 27110, which can help guide organizations on how to assess their information security risks in a structured manner and ensure mitigating controls are appropriate and effective.
Various standards and laws such as HIPAA, Sarbanes-Oxley, and PCI DSS require organizations to complete a formalized risk assessment and often provide guidelines and recommendations on how to complete them. However, avoid a compliance-oriented, checklist approach when undertaking an assessment, as simply fulfilling compliance requirements doesn't necessarily mean an organization is not exposed to any risks.
Step 2: How to identify cybersecurity risks
2.1 Identify assets
You can't protect what you don't know about, so the next task is to identify and create an inventory of all physical and logical assets that are within the scope of the risk assessment. When identifying assets, it is important to establish not only those considered the organization's crown jewels -- assets critical to the business and probably the main target of attackers -- but also assets attackers would want to take control of, such as an Active Directory server or a picture archive and communication system, to use as a pivot point from which to expand an attack. Creating a network architecture diagram from the asset inventory list is a great way to visualize the interconnectivity and communication paths between assets and processes as well as entry points into the network, making the next task of identifying threats easier.
2.2 Identify threats
Threats are the tactics, techniques and methods used by threat actors that have the potential to cause harm to an organization's assets. To help identify potential threats to each asset, use a threat library like the MITRE ATT&CK Knowledge Base and resources from the Cyber Threat Alliance, which both provide high-quality, up-to-date cyber threat information. Security vendor reports and advisories from government agencies such as the Cybersecurity & Infrastructure Security Agency can be an excellent source of news on new threats surfacing in specific industries, verticals, geographic regions or particular technologies.
Also consider where each asset sits in the Lockheed Martin cyber kill chain, as this will help determine the types of protection it needs. The cyber kill chain maps out the stages and objectives of a typical real-world attack.
2.3 Identify what could go wrong
This task involves specifying the consequences of an identified threat exploiting a vulnerability to attack an in-scope asset. For example:
- Threat: an attacker performs an SQL injection on a
- Asset: web server
- Consequence: customers' private data stolen, resulting in regulatory fines and damage to reputation.
Summarizing this information in simple scenarios like this makes it easier for all stakeholders to understand the risks they face in relation to key business objectives and for security teams to identify appropriate measures and best practices to address the risk.
Step 3: Analyze risks and determine potential impact
Now it is time to determine the likelihood of the risk scenarios documented in Step 2 actually occurring, and the impact on the organization if they did. In a cybersecurity risk assessment, risk likelihood -- the probability that a given threat is capable of exploiting a given vulnerability -- should be determined based on the discoverability, exploitability and reproducibility of threats and vulnerabilities rather than on historical occurrences. This is because the dynamic nature of cybersecurity threats means likelihood is not as closely linked to the frequency of past occurrences as it is for events like flooding and earthquakes.
Ranking likelihood on a scale of 1 ("Rare") to 5 ("Highly Likely"), and impact on a scale of 1 ("Negligible") to 5 ("Very Severe"), makes it straightforward to create the risk matrix illustrated below in Step 4.
Impact refers to the magnitude of harm to the organization resulting from the consequences of a threat exploiting a vulnerability. The impact on confidentiality, integrity and availability should be assessed in each scenario with the highest impact used as the final score. This aspect of the assessment is subjective in nature, which is why input from stakeholders and security experts is so important. Taking the SQL injection above, the impact rating on confidentiality would probably be ranked as "Very Severe."
Step 4: Determine and prioritize risks
Using a risk matrix like the one below, where the risk level is "Likelihood times Impact," each risk scenario can be classified. If the likelihood of an SQL injection attack were considered "Likely" or "Highly Likely," our example risk scenario would be classified as "Very High."
Any scenario that is above the agreed-upon tolerance level should be prioritized for treatment to bring it within the organization's risk tolerance level. There are three ways of doing this:
- Avoid. If the risk outweighs the benefits, discontinuing the activity may be the best course of action, as this removes the exposure altogether.
- Transfer. Share a portion of the risk with other parties through outsourcing certain operations to third parties such as DDoS mitigation, or purchasing cyber insurance. First-party coverage generally only covers the costs incurred due to a cyber event such as informing customers about a data breach, while third-party coverage would cover the cost of funding a settlement after a data breach along with penalties and fines. What it will not cover are the intangible costs of loss of intellectual property or damage to brand reputation.
- Mitigate. Deploy security controls and other measures to reduce the Likelihood and/or Impact and therefore the risk level to within the agreed risk tolerance level. Responsibility for implementing the measures to reduce unacceptably high risks should be assigned to the appropriate team. Dates for progress and completion reports should also be set to ensure that the owner of the risk and the treatment plan are kept up to date.
However, no system or environment can be made 100% secure, so there is always some risk left over. This is called residual risk and must be formally accepted by senior stakeholders as part of the organization's cybersecurity strategy.
Step 5: Document all risks
It's important to document all identified risk scenarios in a risk register. This should be regularly reviewed and updated to ensure that management always has an up-to-date account of its cybersecurity risks. It should include:
- Risk scenario
- Identification date
- Existing security controls
- Current risk level
- Treatment plan -- the planned activities and timeline to bring the risk within an acceptable risk tolerance level along with the commercial justification for the investment
- Progress status -- the status of implementing the treatment plan
- Residual risk -- the risk level after the treatment plan is implemented
- Risk owner -- the individual or group responsible for ensuring that the residual risks remain within the tolerance level
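The scoring, classification, prioritization and residual-risk steps above (Steps 3 to 5) as a small risk register in code. This is an added example, not part of the original article: the band thresholds for the 1..25 score, the illustrative ratings and the `RiskScenario` fields are assumptions, except for the two 1..5 scales and the rule that impact is the highest of the confidentiality, integrity and availability ratings, which come from the article.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Scales from the article: likelihood 1 (Rare) .. 5 (Highly Likely), impact
# 1 (Negligible) .. 5 (Very Severe); risk score = likelihood * impact. The band
# thresholds are an assumption; the article only fixes "Likely"/"Highly Likely"
# combined with "Very Severe" as "Very High".
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 14, "High"), (15, 25, "Very High")]
RANK = {label: i for i, (_, _, label) in enumerate(BANDS)}

def classify(score: int) -> str:
    for lo, hi, label in BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside 1..25")

@dataclass
class RiskScenario:
    threat: str
    asset: str
    consequence: str
    likelihood: int                    # 1..5, based on discoverability/exploitability
    impact_cia: Tuple[int, int, int]   # impact on confidentiality, integrity, availability
    treatment: str = ""                # planned avoid/transfer/mitigate activity
    residual_likelihood: Optional[int] = None  # expected likelihood once treated

    def impact(self) -> int:
        # Article: rate C, I and A separately and use the highest as the final impact.
        return max(self.impact_cia)

    def score(self) -> int:
        return self.likelihood * self.impact()

    def level(self) -> str:
        return classify(self.score())

    def residual_level(self) -> str:
        # Residual risk: the level left after the treatment plan is implemented.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return classify(lik * self.impact())

def prioritize(register: List[RiskScenario], tolerance: str) -> List[RiskScenario]:
    # Step 4: scenarios above the agreed tolerance band, highest score first.
    above = [s for s in register if RANK[s.level()] > RANK[tolerance]]
    return sorted(above, key=lambda s: s.score(), reverse=True)

# Constructed sample register; the ratings are illustrative assumptions.
REGISTER = [
    RiskScenario("SQL injection", "web server", "customers' private data stolen",
                 4, (5, 3, 2), "mitigate: parameterised queries, input validation", 1),
    RiskScenario("takeover as a pivot point", "Active Directory server",
                 "attacker expands access across the network",
                 2, (5, 5, 4), "mitigate: tiered admin accounts, monitoring", 1),
    RiskScenario("DDoS", "web server", "online services unavailable",
                 2, (1, 1, 4), "transfer: outsourced DDoS mitigation"),
]
```

With a tolerance of "Medium", `prioritize(REGISTER, "Medium")` returns the SQL injection scenario ("Very High", score 20) followed by the Active Directory scenario ("High", score 10), while the DDoS scenario is already within tolerance.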
A cybersecurity risk assessment is a large and ongoing undertaking, so time and resources need to be made available if it is going to improve the future security of the organization. It will need to be repeated as new cyber threats arise and new systems or activities are introduced, but done well the first time around, it will provide a repeatable process and template for future assessments, while reducing the chances of a cyber attack adversely affecting business objectives.